Defect #1388
closed
Password is not sent when retrying Create operation
Added by Alena Peterová about 6 years ago.
Updated about 6 years ago.
Description
Affected version: 9.3.0
When a Create operation with a generated password is not successful at the first attempt (e.g. the system is read-only, or some other exception occurs on the system), the operation stays in the provisioning queue. When it's retried, it's sent with an empty password.
Steps to reproduce:
- Create system "Atabulka" with password column "password", default password policy, create a role "Atabulka" which assigns this system
- Set the system to read-only
- Assign the role Atabulka to a user
- The Create operation is not executed, see the provisioning queue (screenshot 1)
- Set the system to read-write and retry the Create operation.
- The password was sent empty (see screenshot 2 of the archive, see screenshot 3 with the system)
- When I delete the account and create it again directly, the password is sent correctly, see screenshot 4.
Maybe duplicate with #1238?
I don't think so, this can be reproduced without cancelling operations in the queue, #1238 happened only when the previous operation was cancelled. Also I'm 95 % sure this issue didn't happen in previous versions.
Also, this has a higher priority, because it causes problems in the systems:
- if the system enables empty passwords, then an account without a password is created and anybody can log into it
- if it's an AD connector, then the account in AD is created, but the connector isn't able to set a password for it, so the operation returns an error. The result is an inconsistent state of accounts.
- Related to Defect #1238: When account creation is cancelled from the provisioning queue, then next account creation doesn't send password for the account added
- Status changed from New to In Progress
- % Done changed from 0 to 10
Alca, I confirm the issue. The problem is in getting the value from confidential storage and transforming it back to the password Attribute. Thanks for reporting this issue.
- % Done changed from 10 to 70
After consultation, I now add the newly generated password to the account object as well, not only to the connector object (in the frontend, these are the left and right side tables in the provisioning operation detail).
Further information:
- generated password/s will still be stored in confidential storage,
- the transformation for the password is done only once, during initialization of the provisioning operation,
- two records are created in confidential storage for one password attribute (with these keys: sys:connector:: and sys:account::),
- the account object contains a ConfidentialString that holds the key for confidential storage,
- the connector object contains an instance of a guarded string with the transformed password,
- password change works the same way.
Tests missing.
- Status changed from In Progress to Needs feedback
- Assignee changed from Ondřej Kopr to Vít Švanda
- Priority changed from High to Normal
- Target version set to Opal (9.4.0-rc.1)
- % Done changed from 70 to 90
- Related to Defect #1392: Audit can't be viewed after retrying a password change or account create added
It works correctly now, thank you.
- Status changed from Needs feedback to Resolved
- Assignee changed from Vít Švanda to Ondřej Kopr
- % Done changed from 90 to 100
I reviewed and tested it. It works fine, thanks for that.
- Status changed from Resolved to Closed