[AAA-121] Deleting a user and recreating it fails using the aaa-cli-jar
Created: 04/Apr/17  Updated: 21/Mar/19  Resolved: 05/Apr/17

Status: Resolved
Project: aaa
Component/s: General
Affects Version/s: None
Fix Version/s: None

Type: Bug
Reporter: Tim Rozet
Assignee: Michael Vorburger
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All


Attachments: Text File aaa_bug.txt    
External issue ID: 8157

 Description   

Creating a user, deleting the user, and recreating the same user fails with:

Aborting due to IDMStoreException (use -X to see full stack trace): org.opendaylight.aaa.h2.persistence.StoreException: SQL Exception : org.h2.jdbc.JdbcSQLException: Unique index or primary key violation: "PRIMARY_KEY_7 ON PUBLIC.GRANTS(GRANTID) VALUES ('tim@sdn@user@sdn@sdn', 1)"; SQL statement:
insert into grants (grantid,domainid,userid,roleid) values(?,?,?,?) [23505-191]

Please see attachment for full trace.



 Comments   
Comment by Tim Rozet [ 04/Apr/17 ]

Attachment aaa_bug.txt has been added with description: log

Comment by Michael Vorburger [ 05/Apr/17 ]

+Ryan

Confirming (just reproduced) that this appears to be a bug in AAA

It's not actually in the ("my") aaa-cli-jar code, but in the underlying aaa-h2-store code that calls into... it looks like users actually aren't cleaned out properly on delete - the entry/ies in the grant table would have to be deleted too?

I'll try to propose a change that fixes this...

Comment by Michael Vorburger [ 05/Apr/17 ]

> in the underlying aaa-h2-store code that calls into... it looks like
> users actually aren't cleaned out properly on delete - the entry/ies

turns out this was kinda specific to aaa-cli-jar actually... the aaa-cli for the Karaf commands is slightly "lower level", and while its remove-user would suffer from the same exception, the design choice there seems to be to let administrators have to do remove-grant manually.

In aaa-cli-jar this is, intentionally, simplified (you just say -a to get an admin user, without being exposed to grants & roles), it made sense to make the --deleteUser automatically clear out the role grants, because the --newUser originally implicitly created them also.

https://wiki.opendaylight.org/view/AAA:Changing_Account_Passwords#aaa-cli-jar

> I'll try to propose a change that fixes this...

==> https://git.opendaylight.org/gerrit/#/c/54350/
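
The failure discussed in this ticket, reduced to a runnable sketch (an added example, not code from the ticket, the linked change, or the AAA project). It assumes a hypothetical two-table schema in SQLite rather than H2; only the grants column names and the grantid value come from the error message in the description, and the grantid layout is inferred from that value.

```python
import sqlite3

# Hypothetical minimal schema. Only the grants columns (grantid, domainid,
# userid, roleid) appear in the ticket; the users table and the use of
# SQLite instead of H2 are assumptions made for this illustration.
SCHEMA = """
CREATE TABLE users  (userid TEXT PRIMARY KEY, name TEXT, domainid TEXT);
CREATE TABLE grants (grantid TEXT PRIMARY KEY, domainid TEXT,
                     userid TEXT, roleid TEXT);
"""

def new_user(db, name, domain="sdn", role="user"):
    """Create the user and, implicitly, its role grant."""
    userid, roleid = f"{name}@{domain}", f"{role}@{domain}"
    # Assumed grantid layout: userid@roleid@domainid -> 'tim@sdn@user@sdn@sdn'
    grantid = f"{userid}@{roleid}@{domain}"
    db.execute("INSERT INTO users VALUES (?,?,?)", (userid, name, domain))
    db.execute("INSERT INTO grants (grantid,domainid,userid,roleid) "
               "VALUES (?,?,?,?)", (grantid, domain, userid, roleid))
    return userid

def delete_user(db, userid, clear_grants):
    """clear_grants=False leaves the grant row behind (reported behaviour);
    clear_grants=True also removes the user's grants (the described fix)."""
    if clear_grants:
        db.execute("DELETE FROM grants WHERE userid = ?", (userid,))
    db.execute("DELETE FROM users WHERE userid = ?", (userid,))

def orphaned_grants(db):
    """Grant rows that reference a user that no longer exists."""
    return [row[0] for row in db.execute(
        "SELECT grantid FROM grants "
        "WHERE userid NOT IN (SELECT userid FROM users)")]

def recreate_cycle(clear_grants):
    """Create, delete and recreate 'tim'; return (orphans, outcome)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    delete_user(db, new_user(db, "tim"), clear_grants)
    orphans = orphaned_grants(db)
    try:
        new_user(db, "tim")
        return orphans, "ok"
    except sqlite3.IntegrityError as exc:
        return orphans, f"failed: {exc}"

if __name__ == "__main__":
    print(recreate_cycle(clear_grants=False))  # stale grant blocks recreate
    print(recreate_cycle(clear_grants=True))   # grants cleared, recreate works
```

The `orphaned_grants` query doubles as an audit check: any row it returns is a role grant that outlived the account it was issued to.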
