WrenSecurity / wrenam

Community fork of OpenAM, an authentication and authorization system originally developed by ForgeRock.

Replication failure when creating realm in HA environment #114

Closed karelmaxa closed 1 year ago

karelmaxa commented 1 year ago

I got the following error when I was trying to create a realm in the HA deployment (two nodes with Wren:DS replication enabled):

ERROR: SMSLdapObject.create() Error in creating: ou=1.0,ou=sunEntitlementService,ou=services,o=bo,ou=services,ou=wrenam,ou=wrensecurity,c=org By Principal: cn=dsameuser,ou=DSAME Users,ou=wrenam,ou=wrensecurity,c=org
org.forgerock.opendj.ldap.ConstraintViolationException: Entry Already Exists: The entry ou=1.0,ou=sunEntitlementService,ou=services,o=bo,ou=services,ou=wrenam,ou=wrensecurity,c=org cannot be added because an entry with that name already exists
    at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:166)
    at org.forgerock.opendj.ldap.spi.ResultLdapPromiseImpl.setResultOrError(ResultLdapPromiseImpl.java:132)
    at org.forgerock.opendj.grizzly.LDAPClientFilter$ClientResponseHandler.addResult(LDAPClientFilter.java:98)
    at org.forgerock.opendj.io.LDAPReader.readAddResult(LDAPReader.java:163)
    at org.forgerock.opendj.io.LDAPReader.readProtocolOp(LDAPReader.java:561)
    at org.forgerock.opendj.io.LDAPReader.readMessage(LDAPReader.java:122)
    at org.forgerock.opendj.grizzly.LDAPClientFilter.handleRead(LDAPClientFilter.java:438)
    at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)
    at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
    at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:526)
    at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:593)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:573)
    at java.base/java.lang.Thread.run(Thread.java:833)

ERROR: DefaultUrlResourceTypeGenerator.loadDefaultServices. Exception in loading default services 
com.sun.identity.entitlement.EntitlementException: Resource Type UrlResourceType already exists
    at org.forgerock.openam.entitlement.service.ResourceTypeServiceImpl.saveResourceType(ResourceTypeServiceImpl.java:56)
    at org.forgerock.openam.entitlement.service.DefaultUrlResourceTypeGenerator.loadDefaultResourceType(DefaultUrlResourceTypeGenerator.java:82)
    at org.forgerock.openam.entitlement.service.DefaultUrlResourceTypeGenerator.organizationConfigChanged(DefaultUrlResourceTypeGenerator.java:74)
    at com.sun.identity.sm.ServiceConfigManagerImpl.notifyOrgConfigChange(ServiceConfigManagerImpl.java:505)
    at com.sun.identity.sm.ServiceConfigManagerImpl.objectChanged(ServiceConfigManagerImpl.java:465)
    at com.sun.identity.sm.SMSNotificationManager.sendNotifications(SMSNotificationManager.java:294)
    at com.sun.identity.sm.SMSNotificationManager$LocalChangeNotifcationTask.run(SMSNotificationManager.java:370)
    at org.forgerock.openam.audit.context.AuditRequestContextPropagatingRunnable.run(AuditRequestContextPropagatingRunnable.java:42)
    at com.iplanet.am.util.ThreadPool$WorkerThread.run(ThreadPool.java:314)

The sequence of events is as follows:

  1. Realm created in the first node
  2. Realm creation replicated to the second node
  3. Both nodes are creating realm sub configurations
  4. Entry Already Exists error occurs during sub configuration replication

The duplicate configuration is created during the process of generating default UrlResourceTypes, because the create-realm operation triggers the organizationConfigChanged event.
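The sequence above, modelled as an added Python example. This is not Wren:AM or Wren:DS code and does not show the fix in #115; the store, node and handler names are hypothetical, the DN shape follows the stack trace, and a single dict stands in for the replicated directory so that both nodes see the same entries. It contrasts the unconditional create (second node fails with "entry already exists") with a create-if-absent listener that accepts an existing entry only when it is the default it would have written itself, so a genuinely conflicting entry is still reported rather than silently masked.

```python
"""Two nodes both react to a replicated realm-creation notification and both
try to add the same default sub-configuration entry. Hypothetical model, not
the project's code."""
from dataclasses import dataclass, field


class EntryAlreadyExistsError(Exception):
    """Stands in for the LDAP entryAlreadyExists (68) result."""


@dataclass
class ReplicatedStore:
    """One dict plays the replicated directory: once either node's add()
    commits, the other node sees the entry on its next lookup."""
    entries: dict = field(default_factory=dict)

    def add(self, dn: str, attrs: dict) -> None:
        if dn in self.entries:
            raise EntryAlreadyExistsError(dn)
        self.entries[dn] = dict(attrs)

    def get(self, dn: str):
        return self.entries.get(dn)


def default_resource_type_dn(realm_dn: str) -> str:
    # DN shape modelled on the one in the issue's stack trace.
    return f"ou=1.0,ou=sunEntitlementService,ou=services,{realm_dn}"


# Sample attributes for the default resource type (constructed for the model).
DEFAULT_ATTRS = {"name": "UrlResourceType", "patterns": ["*://*:*/*", "*://*:*/*?*"]}


def naive_handler(store: ReplicatedStore, realm_dn: str) -> str:
    """Unconditional create: whichever node runs second fails."""
    store.add(default_resource_type_dn(realm_dn), DEFAULT_ATTRS)
    return "created"


def idempotent_handler(store: ReplicatedStore, realm_dn: str) -> str:
    """Create-if-absent. An existing entry is accepted only when it equals
    the default we would have written; anything else is a real conflict."""
    dn = default_resource_type_dn(realm_dn)
    existing = store.get(dn)
    if existing is None:
        try:
            store.add(dn, DEFAULT_ATTRS)
            return "created"
        except EntryAlreadyExistsError:
            existing = store.get(dn)  # lost the race to the other node
    if existing == DEFAULT_ATTRS:
        return "already-present"
    raise RuntimeError(f"conflicting entry at {dn}: {existing}")


def simulate(handler, nodes=("node1", "node2")):
    """Realm created on node1, change replicated, then every node fires its
    organizationConfigChanged listener. Returns per-node outcomes and the
    number of default-resource-type entries left in the store."""
    store = ReplicatedStore()
    realm_dn = "o=bo,ou=services,ou=wrenam,ou=wrensecurity,c=org"
    store.add(realm_dn, {"objectClass": "sunRealmService"})
    outcomes = {}
    for node in nodes:  # deterministic stand-in for the real interleaving
        try:
            outcomes[node] = handler(store, realm_dn)
        except EntryAlreadyExistsError as e:
            outcomes[node] = f"error: entry already exists ({e})"
    count = sum(1 for dn in store.entries
                if dn.startswith("ou=1.0,ou=sunEntitlementService"))
    return outcomes, count


if __name__ == "__main__":
    print("naive:     ", simulate(naive_handler))
    print("idempotent:", simulate(idempotent_handler))
```

Note that the idempotent variant still raises on a mismatching entry: catching "already exists" blindly would turn a real configuration conflict between nodes into a silent success, which is the wrong trade for an authorization store.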

karelmaxa commented 1 year ago

Fixed in #115.