canonical / identity-platform-admin-ui

Admin UI for the Canonical identity broker and identity provider solution

Deleted roles can't be created again #285

Closed vladimir-cucu closed 2 months ago

vladimir-cucu commented 2 months ago

If we delete the my-role-id role by calling the DELETE */roles/my-role-id endpoint, then we are not able to create it back with the POST */roles endpoint. We get the following error:

Unable to create role: Write validation error for POST Write with body {"code":"write_failed_due_to_invalid_input","message":"cannot write a tuple which already exists: user: 'user:shipperizer', relation: 'assignee', object: 'role:my-role-id': invalid write input"} with error code write_failed_due_to_invalid_input error message: cannot write a tuple which already exists: user: 'user:shipperizer', relation: 'assignee', object: 'role:my-role-id': invalid write input

Looked into all the available created tuples using fga tuple read --simple-output --api-url http://127.0.0.1:8080 --store-id $STORE_ID and there is one tuple related to my-role-id that was not removed:

{
  "object":"role:my-role-id",
  "relation":"assignee",
  "user":"user:shipperizer"
}

Spoke with @shipperizer earlier today and it is confirmed that this is a bug, because in DeleteRole we remove only the privileged tuple and all those assigned to role:x#assignee, not the simple assignee.

Note: This issue might be present for groups as well, but haven't tested it there.
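The leftover-tuple behaviour described above, reproduced as an added example (this is not code from identity-platform-admin-ui and does not use the real OpenFGA client). It models the store as an in-memory map that rejects duplicate writes the way OpenFGA does, a narrow DeleteRole that removes only the privileged tuple and tuples whose user is role:x#assignee, and a full DeleteRole that also removes every tuple whose object is the role itself. The exact tuple shapes written on role creation (a "privileged" tuple and a can_view grant on a hypothetical application:dashboard object) are assumptions made for this example, not the project's authorization model.

```go
package main

import (
	"fmt"
	"sort"
)

// Tuple is the (user, relation, object) triple an OpenFGA store holds.
type Tuple struct {
	User     string
	Relation string
	Object   string
}

func (t Tuple) String() string {
	return fmt.Sprintf("{user: %q, relation: %q, object: %q}", t.User, t.Relation, t.Object)
}

// Store is a constructed in-memory stand-in for an OpenFGA store; it is not
// the real client and exists only so the example runs offline.
type Store struct {
	tuples map[Tuple]struct{}
}

func NewStore() *Store {
	return &Store{tuples: map[Tuple]struct{}{}}
}

// Write mimics OpenFGA on a duplicate tuple: the whole write is rejected with
// write_failed_due_to_invalid_input and nothing is written.
func (s *Store) Write(ts ...Tuple) error {
	for _, t := range ts {
		if _, exists := s.tuples[t]; exists {
			return fmt.Errorf("write_failed_due_to_invalid_input: cannot write a tuple which already exists: user: '%s', relation: '%s', object: '%s'",
				t.User, t.Relation, t.Object)
		}
	}
	for _, t := range ts {
		s.tuples[t] = struct{}{}
	}
	return nil
}

func (s *Store) Delete(ts ...Tuple) {
	for _, t := range ts {
		delete(s.tuples, t)
	}
}

// Read returns tuples matching the given fields; "" acts as a wildcard, like
// the filter flags of `fga tuple read`. Output is sorted so results are stable.
func (s *Store) Read(user, relation, object string) []Tuple {
	var out []Tuple
	for t := range s.tuples {
		if (user == "" || t.User == user) && (relation == "" || t.Relation == relation) && (object == "" || t.Object == object) {
			out = append(out, t)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].String() < out[j].String() })
	return out
}

// CreateRole writes the tuples assumed (for this example) to back POST */roles:
// a direct assignee for the creator, the role's "privileged" tuple, and a grant
// that uses the role's assignee userset as the user.
func CreateRole(s *Store, roleID, creator string) error {
	role := "role:" + roleID
	return s.Write(
		Tuple{User: "user:" + creator, Relation: "assignee", Object: role},
		Tuple{User: "privileged:superuser", Relation: "privileged", Object: role},
		Tuple{User: role + "#assignee", Relation: "can_view", Object: "application:dashboard"},
	)
}

// DeleteRoleNarrow models the behaviour the issue describes: only the
// privileged tuple and tuples whose user is role:x#assignee are removed, so a
// direct "user:y assignee role:x" tuple survives.
func DeleteRoleNarrow(s *Store, roleID string) {
	role := "role:" + roleID
	s.Delete(s.Read("", "privileged", role)...)
	s.Delete(s.Read(role+"#assignee", "", "")...)
}

// DeleteRoleFull additionally removes every tuple whose object is the role,
// which covers direct assignees; afterwards the role ID can be reused.
func DeleteRoleFull(s *Store, roleID string) {
	DeleteRoleNarrow(s, roleID)
	s.Delete(s.Read("", "", "role:"+roleID)...)
}

// Leftovers returns what `fga tuple read` would still show for the role.
func Leftovers(s *Store, roleID string) []Tuple {
	role := "role:" + roleID
	return append(s.Read("", "", role), s.Read(role+"#assignee", "", "")...)
}

func main() {
	for _, d := range []struct {
		name string
		fn   func(*Store, string)
	}{{"narrow", DeleteRoleNarrow}, {"full", DeleteRoleFull}} {
		s := NewStore()
		_ = CreateRole(s, "my-role-id", "shipperizer")
		d.fn(s, "my-role-id")
		fmt.Printf("%s delete: leftovers=%v\n", d.name, Leftovers(s, "my-role-id"))
		fmt.Printf("%s delete: re-create err=%v\n", d.name, CreateRole(s, "my-role-id", "shipperizer"))
	}
}
```

Running it shows the narrow delete leaving exactly the `user:shipperizer` / `assignee` / `role:my-role-id` tuple from the issue and the re-create failing on it, while the full delete leaves nothing and the re-create succeeds. The same object-based sweep would close the gap for groups if their deletion has the same shape, which the issue leaves untested.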

syncronize-issues-to-jira[bot] commented 2 months ago

Thank you for reporting your feedback to us!

The internal ticket has been created: https://warthogs.atlassian.net/browse/IAM-848.

This message was autogenerated