[midPoint] Connector reference goes missing

Mikko Pekkarinen mikko.pekkarinen at datactica.fi
Mon Mar 19 12:17:21 CET 2018 

Hello,


we finally figured out the problem. For the record:


Background: We've defined an admin role with limited authorizations. Such admins can do little more than assign/unassign roles to users. The roles induce some

group memberships in LDAP. The "Connector reference missing" error occurred whenever an admin tried to assign roles to anyone in the midPoint GUI. Assignment through the REST API has worked fine all the time.


Fix/workaround: added the following authorization for the admin:


   <authorization id="9">
      <name>read-resource-and-connector</name>
      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
      <object>
         <type>ResourceType</type>
      </object>
      <object>
         <type>ConnectorType</type>
      </object>
   </authorization>


(Access to ConnectorType is not strictly needed, but it seems that without that midPoint creates a new connector instance as it cannot resolve the reference in the resource configuration. Authorization for execution phase only does not suffice, but request phase is also needed here.


I have no time to bisect our history to see which configuration change has made this autz necessary.)



Pondering: it seems that midPoint cannot read the resource and/or connector due to the authorizations, and then goes on to update some cache with information "there is no connectorRef in this Resource". This smells like a bug in midPoint 3.5: one failed authorization should just yield an "access denied" response instead of taking the whole installation into unusable state.



Mikko Pekkarinen





________________________________
Lähettäjä: midPoint <midpoint-bounces at lists.evolveum.com> käyttäjän puolestaPertti Kellomäki <pertti.kellomaki at datactica.fi>
Lähetetty: 22. helmikuuta 2018 15:56
Vastaanottaja: midpoint at lists.evolveum.com
Aihe: [midPoint] Connector reference goes missing


Hi all,


Bit of a long shot I know, but has anyone encountered connector references going missing all of a sudden? It has started to happen in our test environment seemingly out of the blue. Livesyncing the resource works without problems until the connector reference goes missing and we get errors like the following in idm.log. The resource shows in the Resources list as "null(FATAL_ERROR)". The connector does show up in Configuration -> Repository objects -> connector, however.


The java process does grow very large, almost 2 gigabytes. Could this be a problem? I don't see anything relevant in the logs though.


TIA,


Pertti


2018-02-22 13:22:26,667 [] [midPointScheduler_Worker-6] ERROR (com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl): Synchronization error: configuration problem: Connector reference missing in the resource resource:a6cd7bc2-de59-11e6-a6a9-10bf4876d25a(null)
com.evolveum.midpoint.util.exception.ConfigurationException: Connector reference missing in the resource resource:a6cd7bc2-de59-11e6-a6a9-10bf4876d25a(null)
        at com.evolveum.midpoint.provisioning.impl.ProvisioningContext.getConnectorInstance(ProvisioningContext.java:274) ~[provisioning-impl-3.5.jar:na]
        at com.evolveum.midpoint.provisioning.impl.ProvisioningContext.getConnector(ProvisioningContext.java:184) ~[provisioning-impl-3.5.jar:na]
        at com.evolveum.midpoint.provisioning.impl.ResourceObjectConverter.fetchChanges(ResourceObjectConverter.java:1573) ~[provisioning-impl-3.5.jar:na]
        at com.evolveum.midpoint.provisioning.impl.ShadowCache.synchronize(ShadowCache.java:1239) ~[provisioning-impl-3.5.jar:na]
        at com.evolveum.midpoint.provisioning.impl.ProvisioningServiceImpl.synchronize(ProvisioningServiceImpl.java:426) ~[provisioning-impl-3.5.jar:na]
        at com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler.runInternal(LiveSyncTaskHandler.java:197) [model-impl-3.5.jar:na]
        at com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler.run(LiveSyncTaskHandler.java:84) [model-impl-3.5.jar:na]
        at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeHandler(JobExecutor.java:648) [task-quartz-impl-3.5.jar:na]
        at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeRecurrentTask(JobExecutor.java:528) [task-quartz-impl-3.5.jar:na]
        at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.execute(JobExecutor.java:171) [task-quartz-impl-3.5.jar:na]
        at org.quartz.core.JobRunShell.run(JobRunShell.java:202) [quartz-2.2.3.jar:na]
        at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) [quartz-2.2.3.jar:na]
Caused by: com.evolveum.midpoint.util.exception.ObjectNotFoundException: Connector reference missing in the resource resource:a6cd7bc2-de59-11e6-a6a9-10bf4876d25a(null)
        at com.evolveum.midpoint.provisioning.impl.ConnectorManager.getConnectorTypeReadOnly(ConnectorManager.java:205) ~[provisioning-impl-3.5.jar:na]
        at com.evolveum.midpoint.provisioning.impl.ConnectorManager.createConfiguredConnectorInstance(ConnectorManager.java:150) ~[provisioning-impl-3.5.jar:na]
        at com.evolveum.midpoint.provisioning.impl.ConnectorManager.getConfiguredConnectorInstance(ConnectorManager.java:134) ~[provisioning-impl-3.5.jar:na]
        at com.evolveum.midpoint.provisioning.impl.ProvisioningContext.getConnectorInstance(ProvisioningContext.java:265) ~[provisioning-impl-3.5.jar:na]
        ... 11 common frames omitted
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20180319/f752ae3a/attachment.htm>

More information about the midPoint mailing list