[midPoint] Debugging assignment's referential integrity issues

Rodrigo Yanis ryanis at identicum.com
Wed Feb 1 21:25:41 CET 2017


Hello Martin,

You've got yourself an Argentinian Asado on your next trip to Buenos Aires!
;-)

Worked perfectly!

Thanks,



*Rodrigo Yanis.*
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4824-9971
ryanis at identicum.com
www.identicum.com

2017-02-01 16:33 GMT-03:00 Martin Lízner - AMI Praha a.s. <
martin.lizner at ami.cz>:

> Hi, auto clean works just for projections, Im not sure whether it is
> supposed to work for assignments and inducements too. In order to clean
> missing assignments to roles and orgs I coded following custom task. M.
>
> <c:task xmlns:c="http://midpoint.evolveum.com/xml/ns/public/
> common/common-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema">
> <c:name>Purge user assignments (roles, orgs)</c:name>
> <c:description>This tasks removes from users all targetRef assignments
> (roles and orgs) that cannot be resolved. E.g. assigned role object has
> been deleted and user object points to its OID.</c:description>
> <c:extension>
> <scext:executeScript xmlns:scext="http://midpoint.
> evolveum.com/xml/ns/public/model/scripting/extension-3">
> <s:pipeline xmlns:s="http://midpoint.evolveum.com/xml/ns/public/
> model/scripting-3">
>    <s:expression xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="s:SearchExpressionType">
>        <s:type>UserType</s:type>
>        <s:query>
>         <q:filter>
>         <q:equal>
>         <q:path>name</q:path>
>         <q:value>user12345</q:value>
>         </q:equal>
>         </q:filter>
>        </s:query>
>    </s:expression>
>   <s:expression xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="s:ActionExpressionType">
>        <s:type>execute-script</s:type>
>        <s:parameter>
>            <s:name>script</s:name>
>            <c:value xsi:type="c:ScriptExpressionEvaluatorType" xmlns:c="
> http://midpoint.evolveum.com/xml/ns/public/common/common-3">
>                <c:code>
>                 import com.evolveum.midpoint.xml.ns._
> public.common.common_3.*
>                 import com.evolveum.midpoint.prism.delta.builder.*
>                 import com.evolveum.midpoint.model.api.*
>
>                 def assignmentsToDel = []
>
>                 for (a in input.assignment) {
>                 if (a.targetRef == null) {
>                 continue; // this is resource assignment construction, we
> are interested in roles and orgs only
>                 }
>                 ObjectType ot = midpoint.resolveReferenceIfExists(a.
> targetRef)
>                 //log.info ("OID is: {}, resolving to: {}",
> a.targetRef?.oid, ot);
>                 if (ot == null) {
>                 def removeAssignment = new AssignmentType()
>                       removeAssignment.targetRef = a.targetRef.clone() //
> we need to construct new assignment to avoid metadata and order disturbing
> stuff
>                 assignmentsToDel.add(removeAssignment.
> asPrismContainerValue())
>                 log.info('User: {}, going to purge assignment: {}',
> input.name, a.targetRef?.oid)
>                 }
>  }
>
>  def delta = DeltaBuilder.deltaFor(FocusType.class, prismContext)
>                     .item(FocusType.F_ASSIGNMENT).delete(assignmentsToDel)
>                     .asObjectDelta(input.oid)
>
>                   midpoint.modifyObject(delta,
> ModelExecuteOptions.createRaw())
>                </c:code>
>            </c:value>
>        </s:parameter>
>    </s:expression>
> </s:pipeline>
> </scext:executeScript>
> </c:extension>
> <c:taskIdentifier>1474775896757:987750751</c:taskIdentifier>
> <c:ownerRef oid="00000000-0000-0000-0000-000000000002"/>
> <c:executionStatus>runnable</c:executionStatus>
> <c:category>BulkActions</c:category>
> <c:handlerUri>http://midpoint.evolveum.com/xml/ns/public/
> model/scripting/handler-3</c:handlerUri>
> <c:recurrence>single</c:recurrence>
> </c:task>
>
> Martin Lízner
> solution architect
>
> gsm: [+420] 737 745 571
> e-mail: martin.lizner at ami.cz
>
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239
> web: www.ami.cz
>
>
>
> [image: AMI Praha a.s.] <http://www.skyidentity.com/>
>
> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
> společnost AMI Praha a.s.
> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
> písemnou formu.
>
>
> 2017-02-01 20:12 GMT+01:00 Nicolas Rossi <nrossi at identicum.com>:
>
>> Hi guys, it is also happening in midPoint 3.5. We tried running Cleanup
>> and Validity Scanner tasks but the reference is still there. Is there any
>> way to fix this references ?
>>
>> Thanks in advance !
>>
>>
>>
>>
>>
>>
>> Ing Nicolás Rossi
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050 <+54%2011%204552-3050>
>> www.identicum.com
>>
>> On Mon, Jan 16, 2017 at 1:01 PM, Rodrigo Yanis <ryanis at identicum.com>
>> wrote:
>>
>>> Hello all,
>>>
>>> We've come across the following case involving issues in how midpoint
>>> handles referential integrity in assignments and inducements. As for
>>> version 3.4.1, the case is the following:
>>> 1. An object "A" is created and assigned / induced into another object
>>> "B"
>>> 2. Object "A" is then deleted from midpoint
>>> 3. Object "B" keeps the reference to object's "A" oid, even though it
>>> doesn't exist anymore.
>>> We replicated this in role to user assignments, role to role
>>> assignments, role to role inducements.
>>> Is there any automatic native mechanism for resolving this referential
>>> errors?
>>> If not, is there a way to attack the issue through the use of tasks?
>>>
>>> Thanks,
>>>
>>> *Rodrigo Yanis.*
>>> Identicum S.A.
>>> Jorge Newbery 3226
>>> Tel: +54 (11) 4824-9971 <+54%2011%204824-9971>
>>> ryanis at identicum.com
>>> www.identicum.com
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170201/834960ee/attachment.htm>


More information about the midPoint mailing list