
grouper-users - [grouper-users] Had a mass attribute delete this morning in production pspng

Subject: Grouper Users - Open Discussion List

  • From: "Crawford, Jeffrey" <>
  • To: Grouper Users <>
  • Subject: [grouper-users] Had a mass attribute delete this morning in production pspng
  • Date: Tue, 13 Aug 2019 19:29:51 +0000

Hello,

 

We just recovered from a pretty strange occurrence and it might be a bug. I was working in an area of grouper we were setting up for a new service. I created a folder and a group, then decided it would fit better somewhere else. I deleted the newly created folder and group and the grouper-loader started getting messages like the following:

 

2019-08-13 07:24:03,319: [DefaultQuartzScheduler_Worker-2] INFO  Provisioner.processIncrementalSyncEvent(1164) -  - pspng_iamucla_entl: Group has been deleted from grouper. Checking to see if it was provisioned to target system

pspng_iamucla_role: Group has been deleted from grouper. Checking to see if it was provisioned to target system

2019-08-13 07:24:03,460: [DefaultQuartzScheduler_Worker-3] INFO  Provisioner.processIncrementalSyncEvent(1164) -  - pspng_cisco_sparkeligible: Group has been deleted from grouper. Checking to see if it was provisioned to target system

 

After it had logged those messages I started to see:

2019-08-13 07:24:03,826: [DefaultQuartzScheduler_Worker-8] WARN  PspUtils.hibernateRefresh(305) -  - Unable to refresh object from database, probably because it has been deleted: Group[name=ucla:app:campus-vpn:group:its:etc:auto,uuid=4f2896570b1b40f69c8cb84151aa4804]

2019-08-13 07:24:03,830: [DefaultQuartzScheduler_Worker-2] INFO  LdapProvisioner.fetchTargetSystemUsers(141) -  - Read 50 user objects from directory

2019-08-13 07:24:03,831: [DefaultQuartzScheduler_Worker-3] INFO  LdapAttributeProvisioner.purgeAttributeValue(270) -  - pspng_cisco_sparkeligible: There are 373 ldap objects with attribute value=urn:mace:ucla.edu:entitlement:cisco-spark-eigible

2019-08-13 07:24:03,832: [DefaultQuartzScheduler_Worker-3] INFO  LdapAttributeProvisioner.scheduleUserModification(71) -  - Will change LDAP: REMOVE urn:mace:ucla.edu:entitlement:cisco-spark-eigible from eduPersonEntitlement of LdapUser[ldap=LdapObject[id=163533,dn=uclappid=urn:mace:ucla.edu:ppid:person:4d26f82dc42f4311bc8f8f7ed6f92db1,ou=people,dc=ucla,dc=edu,provisioner=LdapAttributeProvisioner[pspng_cisco_sparkeligible],attributesRequested=[dn]]]

2019-08-13 07:24:03,832: [DefaultQuartzScheduler_Worker-3] INFO  LdapProvisioner.scheduleLdapModification(263) -  - pspng_cisco_sparkeligible: Scheduling ldap modification: [org.ldaptive.ModifyRequest@926346189::modifyDn=uclappid=urn:mace:ucla.edu:ppid:person:4d26f82dc42f4311bc8f8f7ed6f92db1,ou=people,dc=ucla,dc=edu, attrMods=[[org.ldaptive.AttributeModification@227410408::attrMod=REMOVE, attribute=[eduPersonEntitlement[urn:mace:ucla.edu:entitlement:cisco-spark-eigible]]]], controls=null, referralHandler=null, intermediateResponseHandlers=null]

2019-08-13 07:24:03,832: [DefaultQuartzScheduler_Worker-3] INFO  LdapAttributeProvisioner.scheduleUserModification(71) -  - Will change LDAP: REMOVE urn:mace:ucla.edu:entitlement:cisco-spark-eigible from eduPersonEntitlement of LdapUser[ldap=LdapObject[id=163534,dn=uclappid=urn:mace:ucla.edu:ppid:person:569d56af316e4b2aa9443f86f1db009a,ou=people,dc=ucla,dc=edu,provisioner=LdapAttributeProvisioner[pspng_cisco_sparkeligible],attributesRequested=[dn]]]

2019-08-13 07:24:03,832: [DefaultQuartzScheduler_Worker-3] INFO  LdapProvisioner.scheduleLdapModification(263) -  - pspng_cisco_sparkeligible: Scheduling ldap modification: [org.ldaptive.ModifyRequest@365004994::modifyDn=uclappid=urn:mace:ucla.edu:ppid:person:569d56af316e4b2aa9443f86f1db009a,ou=people,dc=ucla,dc=edu, attrMods=[[org.ldaptive.AttributeModification@436588274::attrMod=REMOVE, attribute=[eduPersonEntitlement[urn:mace:ucla.edu:entitlement:cisco-spark-eigible]]]], controls=null, referralHandler=null, intermediateResponseHandlers=null]

 

However, the above messages were in error, since there were members in the group but pspng removed all of them. I later noticed that pspng configs that had variable group names and had the provision_to attribute assigned on a folder were all fine. However, configs that were one-to-one attribute value to group mappings and had the provision_to attribute assigned to a group had the attributes all removed.

 

### The following configs that had variables in the name and are assigned to folders remained untouched:

changeLog.consumer.pspng_iamucla_entl.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim

changeLog.consumer.pspng_iamucla_entl.type = edu.internet2.middleware.grouper.pspng.LdapAttributeProvisioner

changeLog.consumer.pspng_iamucla_entl.quartzCron = 0 * * * * ?

changeLog.consumer.pspng_iamucla_entl.retryOnError = true

changeLog.consumer.pspng_iamucla_entl.ldapPoolName = personLdap

changeLog.consumer.pspng_iamucla_entl.provisionedAttributeName = eduPersonEntitlement

changeLog.consumer.pspng_iamucla_entl.provisionedAttributeValueFormat = urn:mace:ucla.edu:${group.name.replaceFirst("ucla:iamucla:", "")}

changeLog.consumer.pspng_iamucla_entl.userSearchBaseDn = ou=people,dc=ucla,dc=edu

changeLog.consumer.pspng_iamucla_entl.userSearchFilter = uclaPPID=${subject.id}

changeLog.consumer.pspng_iamucla_entl.userSearchAttributes = dn,cn,uid,mail,samAccountName,uidNumber,objectClass,uclaPPID

 

### The following configs that have static names and are assigned directly to groups had all the attributes removed:

changeLog.consumer.pspng_cisco_sparkeligible.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim

changeLog.consumer.pspng_cisco_sparkeligible.type = edu.internet2.middleware.grouper.pspng.LdapAttributeProvisioner

changeLog.consumer.pspng_cisco_sparkeligible.quartzCron = 0 * * * * ?

changeLog.consumer.pspng_cisco_sparkeligible.retryOnError = true

changeLog.consumer.pspng_cisco_sparkeligible.ldapPoolName = personLdap

changeLog.consumer.pspng_cisco_sparkeligible.provisionedAttributeName = eduPersonEntitlement

changeLog.consumer.pspng_cisco_sparkeligible.provisionedAttributeValueFormat = urn:mace:ucla.edu:entitlement:cisco-spark-eigible

changeLog.consumer.pspng_cisco_sparkeligible.userSearchBaseDn = ou=people,dc=ucla,dc=edu

changeLog.consumer.pspng_cisco_sparkeligible.userSearchFilter = uclaPPID=${subject.id}

changeLog.consumer.pspng_cisco_sparkeligible.userSearchAttributes = dn,cn,uid,mail,samAccountName,uidNumber,objectClass,uclaPPID

 

I don’t know if the culprit is the static value in “AttributeValueFormat” or if it’s because those were assigned directly to groups and not folders. However, those are the only two differences between them conceptually. I will note that our production is on pspng patch 3, and all of the other environments are on patch 8. We are scheduled to upgrade to patch 8 on Aug 27. So I’m not sure if this had been fixed already, but if not then I wanted to make sure I reported it.

 

I was able to fix the groups by configuring and running the FullSyncer:

#otherJob.<nameOfJob>_full.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter

#otherJob.<nameOfJob>_full.quartzCron = 59 59 23 31 12 ? 2099

 

With the appropriate name and cron entry modified. I didn’t modify any group memberships between the attribute values being removed and running the FullSyncer.

 

Thanks

Jeffrey C.
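
Added example, not part of the original message and not Grouper or pspng code: a log check that ties each provisioner's "Group has been deleted" events to the attribute-value purges that follow, flags any purge touching more objects than a limit, and collects the DNs scheduled for REMOVE so they can be verified after a full sync. The function name, the threshold of 25 and the sample lines (example.edu values) are assumptions; the line formats follow the excerpts quoted in the message.

```python
import re
from collections import defaultdict

# Patterns follow the pspng log lines quoted in the message above.
DELETED = re.compile(r"(?P<prov>\w+): Group has been deleted from grouper")
PURGE = re.compile(r"(?P<prov>\w+): There are (?P<n>\d+) ldap objects "
                   r"with attribute value=(?P<val>\S+)")
REMOVE = re.compile(r"Will change LDAP: REMOVE (?P<val>\S+) from (?P<attr>\w+) of "
                    r".*?,dn=(?P<dn>.+?),provisioner=\w+\[(?P<prov>\w+)\]")

def summarize_purges(lines, threshold=25):
    """Per provisioner: deletion events seen, purge sizes, DNs scheduled for REMOVE.

    threshold is an assumed, site-specific limit on how many LDAP objects a
    single purge may touch before it is flagged for review.
    """
    stats = defaultdict(lambda: {"deleted_events": 0, "purges": {}, "dns": set()})
    for line in lines:
        if m := PURGE.search(line):
            stats[m["prov"]]["purges"][m["val"]] = int(m["n"])
        elif m := REMOVE.search(line):
            stats[m["prov"]]["dns"].add(m["dn"])
        elif m := DELETED.search(line):
            stats[m["prov"]]["deleted_events"] += 1
    report = {}
    for prov, s in stats.items():
        if s["purges"]:  # provisioners that only checked the target are skipped
            report[prov] = {
                "deleted_events": s["deleted_events"],
                "purges": s["purges"],
                "removals_logged": len(s["dns"]),
                "alert": max(s["purges"].values()) >= threshold,
            }
    return report

# Constructed sample lines (example.edu values), not taken from a real log.
_T = "2019-08-13 07:24:03,831: [DefaultQuartzScheduler_Worker-3] INFO  "
SAMPLE = [
    _T + "Provisioner.processIncrementalSyncEvent(1164) -  - pspng_folder: Group has been deleted from grouper. Checking to see if it was provisioned to target system",
    _T + "Provisioner.processIncrementalSyncEvent(1164) -  - pspng_static: Group has been deleted from grouper. Checking to see if it was provisioned to target system",
    _T + "LdapAttributeProvisioner.purgeAttributeValue(270) -  - pspng_static: There are 300 ldap objects with attribute value=urn:mace:example.edu:entitlement:demo",
] + [
    _T + "LdapAttributeProvisioner.scheduleUserModification(71) -  - Will change LDAP: REMOVE urn:mace:example.edu:entitlement:demo from eduPersonEntitlement of "
    f"LdapUser[ldap=LdapObject[id={i},dn=uid=user{i},ou=people,dc=example,dc=edu,provisioner=LdapAttributeProvisioner[pspng_static],attributesRequested=[dn]]]"
    for i in (1, 2)
]
```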



