Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Had a mass attribute delete this morning in production pspng

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Had a mass attribute delete this morning in production pspng


Chronological Thread 
  • From: "Crawford, Jeffrey" <>
  • To: "Bee-Lindgren, Bert" <>, Grouper Users <>
  • Subject: Re: [grouper-users] Had a mass attribute delete this morning in production pspng
  • Date: Wed, 14 Aug 2019 14:05:49 +0000
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=it.ucla.edu; dmarc=pass action=none header.from=it.ucla.edu; dkim=pass header.d=it.ucla.edu; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2dmuBGnEaqMmVSWiYLYvj572ZrHaiVyqRXTJ2krZgQ0=; b=EBbJRfVw59/NhP8FPouLxC+FPCfNeuVG2FolMiPzul7z0JM0TjUkCPqKNQC/RYpY0GP5MMFoCuE0i92cpFh0wc1fvEyT2UCg7MCw2NCxUCHMAIgjuIGFDPGiFgDDMnhn2h/YwRbU21B3kS4A25ntvsukTGHDlTJ/xzsokI/ErbeTBNNVaEYE5qr5x11bl/2KMi0mFo+QB/uh9rGC+ihIdiIdudvhIVRqcMp+WKn1R9FJxKOdo0358F0fX58b6HwXbBo4hP4nj2+DmuPE/BA+evBUxsTJVVHnAfnlx5x2gNVj0o4sxoba6FJ6KhAYNnw5WMM/PdJAPyMtq64LmTJ+hQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jH+VD67Lje9YcimD0iSqeg4033gqcZuaV1tWEfKRG0KNJdHmRScKCF+1OZaie1/FcV6ZOYXdS52F8ynLKsNU3qh0pgnzq99H9rbbMnijaxpZxYIJ5RivrFeuezTlIsz8Exnyx2qGct3lYLC6NMiFMR+wIT4uoeEOw0xQZcZE8BmPa1dNrinMzJp/yfHX1+FWF3Ha5ErlIVhErBkZYQOc3Q7kQODY1gTC30O1omfmamVUh+0/FaJeBrwJ1s0klOdX7HchvPERh53uCVs9oGSwAaTHcmnQMwE1YbErC4Ql6UY/EXzbylYNeh2TNHJXdA2L3HusopPA2qIX+r9xXdA+Zw==

Almost 😊. If you change the:

Provisioning of ucla:app:cmp-vpn:entitlement is wiped out.

 

To -> Provisioning of a completely unrelated stem of ucla:org:itservices:app:vpn:entitlement:eligible is wiped out of the LDAP instance when we have pspng_provision_to assigned to the group with the static value of urn:mace:ucla.edu:entitlement:itservices:vpn:eligible (one to one mapping)

 

Then setting up otherJob to FullSyncer to that same ucla:org:itservices:app:vpn:entitlement:eligible to urn:mace:ucla.edu:entitlement:itservices:vpn:eligible. It puts the correct attribute back into the people records.

 

I’ll work on the logs

 

Thanks

Jeffrey C.

 

From: "Bee-Lindgren, Bert" <>
Date: Wednesday, August 14, 2019 at 2:16 AM
To: Grouper Users <>, "Crawford, Jeffrey" <>
Subject: Re: [grouper-users] Had a mass attribute delete this morning in production pspng

 

Jeffrey,

 

[Outdated paragraph asking for more logs (see below)... but I'm keeping it here as it maybe helpful.]

 

I appreciate your details, and I'll work on duplicating this. In the meantime, can you tweak your log4j settings as follows and then share an INFO level log the problem.

Add %X{why}%X{who}%X{what}%X{step}  before the '%x - %m' part of your message format. For example,

ConversionPattern  = %d{ISO8601}: %X{pspng.threadid} [%t] %-5p [%c{1}] %X{why}%X{who}%X{what}%X{step} - %x - %m%n

 

I also have some questions as I try to isolate this problem. Does this rewrite of your description look correct:

 

Long term, stable:

ucla:app:cmp-vpn:entitlement [Group, provision_to=pspng_entitlement]

 

Created:

ucla:app:cmp-vpn:group:its:etc [Folder, no pspng settings]

ucla:app:cmp-vpn:group:its:etc:auto [Group, no pspng settings]

 

Deleted:

ucla:app:cmp-vpn:group:its:etc:auto [Group, never provisioned of course]

 

Provisioning of ucla:app:cmp-vpn:entitlement is wiped out.

 

I've re-re-read your report, and, yes, I think the problem has to do with the static attribute-value-format because the quick group-was-deleted check actually finds attributes provisioned for the never-selected-for-provisioning, deleted group, because _all_ groups have the same attribute! I thought group-selection problems were limited to performance and log-noise and, therefore, could wait until pspng was using the new attribute values, but this is too big a problem to wait.

 

I'm working on this now.

 

Sincerely,

  Bert

 


From: <> on behalf of Crawford, Jeffrey <>
Sent: Tuesday, August 13, 2019 4:49 PM
To: Grouper Users <>
Subject: Re: [grouper-users] Had a mass attribute delete this morning in production pspng

 

I was just able to reproduce this in test, which is on pspng patch 8

 

I have a group that has provision_to=pspng_entitlement “ucla:app:cmp-vpn:entitlement

 

I then created a folder and group “ucla:app:cmp-vpn:group:its:etc:auto”

 

I then deleted the “:etc:auto” folder and group which is outside the provision_to folder

 

It triggered the same update we saw in prod and started removing attributes from groups that are still populated. However in test the attribute removed seem more random. Again simply scheduling the FullSyncer on that config, corrects the attribute. There was no change in group memberships in the few minutes between the removal and full sync.

 

Jeffrey C.

 

From: <> on behalf of "Crawford, Jeffrey" <>
Reply-To: "Crawford, Jeffrey" <>
Date: Tuesday, August 13, 2019 at 12:30 PM
To: Grouper Users <>
Subject: [grouper-users] Had a mass attribute delete this morning in production pspng

 

Hello,

 

We just recovered from a pretty strange occurrence and it might be a bug. I was working in an area of grouper we were setting up for a new service, I created a folder and a group, then decided it would fit better somewhere else. I deleted the newly created folder and group and the grouper-loader started getting messages like the following:

 

2019-08-13 07:24:03,319: [DefaultQuartzScheduler_Worker-2] INFO  Provisioner.processIncrementalSyncEvent(1164) -  - pspng_iamucla_entl: Group has been deleted from grouper. Checking to see if it was provisioned to target system

pspng_iamucla_role: Group has been deleted from grouper. Checking to see if it was provisioned to target system

2019-08-13 07:24:03,460: [DefaultQuartzScheduler_Worker-3] INFO  Provisioner.processIncrementalSyncEvent(1164) -  - pspng_cisco_sparkeligible: Group has been deleted from grouper. Checking to see if it was provisioned to target system

 

After it had logged those messages I started to see:

2019-08-13 07:24:03,826: [DefaultQuartzScheduler_Worker-8] WARN  PspUtils.hibernateRefresh(305) -  - Unable to refresh object from database, probably because it has been deleted: Group[name=ucla:app:campus-vpn:group:its:etc:auto,uuid=4f2896570b1b40f69c8cb8

4151aa4804]

2019-08-13 07:24:03,830: [DefaultQuartzScheduler_Worker-2] INFO  LdapProvisioner.fetchTargetSystemUsers(141) -  - Read 50 user objects from directory

2019-08-13 07:24:03,831: [DefaultQuartzScheduler_Worker-3] INFO  LdapAttributeProvisioner.purgeAttributeValue(270) -  - pspng_cisco_sparkeligible: There are 373 ldap objects with attribute value=urn:mace:ucla.edu:entitlement:cisco-spark-eigible

2019-08-13 07:24:03,832: [DefaultQuartzScheduler_Worker-3] INFO  LdapAttributeProvisioner.scheduleUserModification(71) -  - Will change LDAP: REMOVE urn:mace:ucla.edu:entitlement:cisco-spark-eigible from eduPersonEntitlement of LdapUser[ldap=LdapObject[id=163533,dn=uclappid=urn:mace:ucla.edu:ppid:person:4d26f82dc42f4311bc8f8f7ed6f92db1,ou=people,dc=ucla,dc=edu,provisioner=LdapAttributeProvisioner[pspng_cisco_sparkeligible],attributesRequested=[dn]]]

2019-08-13 07:24:03,832: [DefaultQuartzScheduler_Worker-3] INFO  LdapProvisioner.scheduleLdapModification(263) -  - pspng_cisco_sparkeligible: Scheduling ldap modification: [org.ldaptive.ModifyRequest@926346189::modifyDn=uclappid=urn:mace:ucla.edu:ppid:person:4d26f82dc42f4311bc8f8f7ed6f92db1,ou=people,dc=ucla,dc=edu, attrMods=[[org.ldaptive.AttributeModification@227410408::attrMod=REMOVE, attribute=[eduPersonEntitlement[urn:mace:ucla.edu:entitlement:cisco-spark-eigible]]]], controls=null, referralHandler=null, intermediateResponseHandlers=null]

2019-08-13 07:24:03,832: [DefaultQuartzScheduler_Worker-3] INFO  LdapAttributeProvisioner.scheduleUserModification(71) -  - Will change LDAP: REMOVE urn:mace:ucla.edu:entitlement:cisco-spark-eigible from eduPersonEntitlement of LdapUser[ldap=LdapObject[id=163534,dn=uclappid=urn:mace:ucla.edu:ppid:person:569d56af316e4b2aa9443f86f1db009a,ou=people,dc=ucla,dc=edu,provisioner=LdapAttributeProvisioner[pspng_cisco_sparkeligible],attributesRequested=[dn]]]

2019-08-13 07:24:03,832: [DefaultQuartzScheduler_Worker-3] INFO  LdapProvisioner.scheduleLdapModification(263) -  - pspng_cisco_sparkeligible: Scheduling ldap modification: [org.ldaptive.ModifyRequest@365004994::modifyDn=uclappid=urn:mace:ucla.edu:ppid:person:569d56af316e4b2aa9443f86f1db009a,ou=people,dc=ucla,dc=edu, attrMods=[[org.ldaptive.AttributeModification@436588274::attrMod=REMOVE, attribute=[eduPersonEntitlement[urn:mace:ucla.edu:entitlement:cisco-spark-eigible]]]], controls=null, referralHandler=null, intermediateResponseHandlers=null]

 

However the above messages were in error since there were members in the group but pspng removed all of them. I later noticed that pspng configs that had variable group names and the provision_to attribute was assigned on a folder were all fine. However configs that were one to one attribute value to group mappings and had the provision_to attribute assigned to a group had the attributes all removed.

 

### The following configs that had variables in the name and are assigned to folders, remained untouched.:

changeLog.consumer.pspng_iamucla_entl.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim

changeLog.consumer.pspng_iamucla_entl.type = edu.internet2.middleware.grouper.pspng.LdapAttributeProvisioner

changeLog.consumer.pspng_iamucla_entl.quartzCron = 0 * * * * ?

changeLog.consumer.pspng_iamucla_entl.retryOnError = true

changeLog.consumer.pspng_iamucla_entl.ldapPoolName = personLdap

changeLog.consumer.pspng_iamucla_entl.provisionedAttributeName = eduPersonEntitlement

changeLog.consumer.pspng_iamucla_entl.provisionedAttributeValueFormat = urn:mace:ucla.edu:${group.name.replaceFirst("ucla:iamucla:", "")}

changeLog.consumer.pspng_iamucla_entl.userSearchBaseDn = ou=people,dc=ucla,dc=edu

changeLog.consumer.pspng_iamucla_entl.userSearchFilter = uclaPPID=${subject.id}

changeLog.consumer.pspng_iamucla_entl.userSearchAttributes = dn,cn,uid,mail,samAccountName,uidNumber,objectClass,uclaPPID

 

### The following configs that have static names and are assigned directly to groups, had all the attributes removed:

changeLog.consumer.pspng_cisco_sparkeligible.class = edu.internet2.middleware.grouper.pspng.PspChangelogConsumerShim

changeLog.consumer.pspng_cisco_sparkeligible.type = edu.internet2.middleware.grouper.pspng.LdapAttributeProvisioner

changeLog.consumer.pspng_cisco_sparkeligible.quartzCron = 0 * * * * ?

changeLog.consumer.pspng_cisco_sparkeligible.retryOnError = true

changeLog.consumer.pspng_cisco_sparkeligible.ldapPoolName = personLdap

changeLog.consumer.pspng_cisco_sparkeligible.provisionedAttributeName = eduPersonEntitlement

changeLog.consumer.pspng_cisco_sparkeligible.provisionedAttributeValueFormat = urn:mace:ucla.edu:entitlement:cisco-spark-eigible

changeLog.consumer.pspng_cisco_sparkeligible.userSearchBaseDn = ou=people,dc=ucla,dc=edu

changeLog.consumer.pspng_cisco_sparkeligible.userSearchFilter = uclaPPID=${subject.id}

changeLog.consumer.pspng_cisco_sparkeligible.userSearchAttributes = dn,cn,uid,mail,samAccountName,uidNumber,objectClass,uclaPPID

 

I don’t know if the culprit is the static value in “AttributeValueFormat” or if it’s because those were assigned directly to groups and not folders. However that is the only two difference between them conceptually. I will note that our production is on pspng patch 3, and all of the other environments are on patch 8. We are scheduled to upgrade to patch 8 on Aug 27. So I’m not sure if this had been fixed already, but if not then I wanted to make sure I reported it.

 

I was able to fix the groups by configuring and running the FullSyncer:

#otherJob.<nameOfJob>_full.class = edu.internet2.middleware.grouper.pspng.FullSyncStarter

#otherJob.<nameOfJob>_full.quartzCron = 59 59 23 31 12 ? 2099

 

With the appropriate name and cron entry modified, I didn’t modify any group memberships between the attribute values being removed and running the FullSyncer.

 

Thanks

Jeffrey C.




Archive powered by MHonArc 2.6.19.

Top of Page