[midPoint] Google connector and removal of final group member

Ethan Kromhout ethan at unc.edu
Wed Mar 18 19:00:09 CET 2020 

We are just rolling out the Google connector, and I noticed an odd 
behavior in my testing that the removal of the final member of a group 
returns success, but does not actually remove that final member from the 
group in Google. It appears in tracing com.google.api, that on this 
final member removal, the Google API is never called. Other membership 
additions and removals seem to be working fine.

I think I may have figured out why this happens in my installation, 
which is the latest 1.4.2.20-SNAPSHOT connector running on midPoint 4.0.2.

When the last member is removed, the connector is invoked by ConnId as 
follows:


update(ObjectClass: __GROUP__, Attribute: {Name=__UID__, 
Value=[030j0zll2pgui3t], NameHint=Attribute: {Name=__NAME__, 
Value=[test-midpoint-role3 at test.unc.edu]}}, [Attribute: 
{Name=__MEMBERS__, Value=null}], OperationOptions: {})


So  MEMBERS is set to null, rather than and empty String. In the 
connector code,  on update to the GROUP objectClass, there is a check:


if (null != members && null != members.getValue()) {


And if that check isn't passed, it falls all the way through its update 
code, and calls:


objectsCache.markGroupAsUpdatedNow(uidAfterUpdate.getUidValue())


and returns. Thus telling ConnId that the update was successful, and 
logging nothing at all.


I imagine the fix would be to modify the connector behavior to treat the 
null as "", or maybe you could work around this with a dummy member like 
we do for openldap. I'd like to hear other folks input and any danger in 
treating null as "", or if there is something that should be done so 
that ConnId isn't invoked as null in the first place.

Curious of other people have observed the same behavior, and if not any 
suggestions for configuration that might be related. I'd also welcome 
thoughts on whether the suggested change to the connector seems 
reasonable, or in any way risky.


Thanks,

Ethan

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20200318/6fb6d11b/attachment.htm>

More information about the midPoint mailing list