Task #2053

closed

IdentityRoleExpirationTaskExecutor fails if HrEndContractProcess removes the identity role first (and vice versa)

Added by Tomáš Doischer about 4 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Normal
Assignee: Radek Tomiška
Category: Long running task
Target version:
Start date: 02/12/2020
Due date:
% Done: 100%
Estimated time:
Owner:

Description

A user's contract ended and their identity roles were removed by HrEndContractProcess (as they should be). Shortly after that, IdentityRoleExpirationTaskExecutor tried to remove the same roles, which led to IdentityRoleExpirationTaskExecutor failing because HrEndContractProcess removes identity roles asynchronously.

In the log, it looks like this:

2020-01-18 00:15:39.187 ERROR 16191 --- [task-executor-4] e.b.i.c.a.e.AbstractEntityEventProcessor : [core:EVENT_EXECUTE_PROCESSOR_FAILED:34605c7f-2e40-4d3a-93b7-828655ede582] Event [ca3865f8-f83a-49f3-bcb6-c5015236a356] failed in processor [role-request-realization-processor]. ({eventId=ca3865f8-f83a-49f3-bcb6-c5015236a356, processor=role-request-realization-processor})
org.hibernate.StaleStateException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1

The IdentityRoleExpirationTaskExecutor and HrEndContractProcess shouldn't fail if the identity role it tries to remove no longer exists. Also, we don't think that automatic roles need to be processed by IdentityRoleExpirationTaskExecutor.


Related issues

Related to IdStory Identity Manager - Defect #2637: LRT: IdentityRoleExpirationTaskExecutor process duplicate assigned roles (duplicate role requests are created in the cycle) - Closed - Radek Tomiška - 01/11/2021

Actions #1

Updated by Radek Tomiška about 4 years ago

  • Target version set to 10.2.0

I will add a check for an already deleted role, in case these tasks are scheduled and running simultaneously.

Note: "Also, we don't think that automatic roles need to be processed by IdentityRoleExpirationTaskExecutor" - This is ok, automatic roles are removed this way (no other place exists - I've added better javadoc).

Actions #2

Updated by Radek Tomiška about 4 years ago

  • Status changed from New to In Progress
Actions #3

Updated by Radek Tomiška about 4 years ago

  • Tracker changed from Defect to Task
  • Status changed from In Progress to Needs feedback
  • Assignee changed from Radek Tomiška to Vít Švanda
  • % Done changed from 0 to 90

I improved LRT IdentityRoleExpirationTaskExecutor:
- task is stateful now and will continue on exception (queue is not supported, can be executed without rescheduling)
- asynchronous role requests are used now (the same as HrEndContractProcess) - requests are marked with the owner entity to prevent them from being processed simultaneously (this solves simultaneously scheduled LRT and online user changes too)
- LRT localization added

I improved LRT IdentityContractExpirationTaskExecutor:
- asynchronous role requests are used now (the same as HrEndContractProcess) - requests are marked with the owner entity to prevent them from being processed simultaneously (this solves simultaneously scheduled LRT and online user changes too)
- LRT localization added

Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/16c03eda9621a57853e56016a695aabbffa74341

Could you provide me with feedback, please?

Note: One of IdentityContractExpirationTaskExecutor vs. HrEndContractProcess should be configured on the project. IdentityContractExpirationTaskExecutor was created before HrEndContractProcess and checks dates only (a project without HR can use this LRT).
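
The behaviour described in the update above (an expired role already removed by another process is skipped, and a failing item is recorded while the run continues), as an added Java example that is not CzechIdM code. The class, method and role names are hypothetical, and an in-memory map stands in for the identity-role table.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration with hypothetical names; not CzechIdM code.
public class ExpiredRoleCleanup {
    enum Result { REMOVED, ALREADY_GONE, FAILED }

    // Constructed in-memory stand-in for the identity-role table (id -> role code).
    static final Map<String, String> identityRoles = new ConcurrentHashMap<>();

    // Processes each expired role on its own: one failing item is recorded
    // and the loop continues instead of aborting the whole run.
    static Map<String, Result> processExpired(List<String> expired, Set<String> failing) {
        Map<String, Result> results = new LinkedHashMap<>();
        for (String id : expired) {
            try {
                if (failing.contains(id)) { // simulates a delete processor that throws
                    throw new IllegalStateException("simulated delete failure");
                }
                // remove() is atomic: null means a concurrent process deleted the
                // role first, which is the desired end state, not an error.
                String removed = identityRoles.remove(id);
                results.put(id, removed == null ? Result.ALREADY_GONE : Result.REMOVED);
            } catch (RuntimeException ex) {
                results.put(id, Result.FAILED); // role stays assigned; retried next run
            }
        }
        return results;
    }

    public static void main(String[] args) {
        // Constructed sample data: three expired role assignments.
        identityRoles.put("ir-1", "vpn-access");
        identityRoles.put("ir-2", "hr-approver");
        identityRoles.put("ir-3", "db-admin");

        identityRoles.remove("ir-1"); // the contract-end process got there first

        Map<String, Result> results = processExpired(
                Arrays.asList("ir-1", "ir-2", "ir-3"), Collections.singleton("ir-2"));
        results.forEach((id, r) -> System.out.println(id + " -> " + r));
        System.out.println("still assigned after run: " + identityRoles);
    }
}
```

A FAILED item means the expired role is still assigned, so it has to show up in the task result rather than be swallowed.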

Actions #4

Updated by Vít Švanda almost 4 years ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Vít Švanda to Radek Tomiška
  • Priority changed from Normal to Low
  • % Done changed from 90 to 100
Actions #5

Updated by Vít Švanda almost 4 years ago

  • Status changed from Resolved to Needs feedback
  • Assignee changed from Radek Tomiška to Vít Švanda
  • Priority changed from Low to Normal
  • % Done changed from 100 to 90
Actions #6

Updated by Vít Švanda almost 4 years ago

  • Status changed from Needs feedback to In Progress
  • Assignee changed from Vít Švanda to Radek Tomiška

I did a review and test.

I found one problem with "IdentityRoleExpirationTaskExecutor":

  • I have two expired identity-roles.
  • I added a thrown runtime exception to the identity-role-delete-processor.
    if (true) {
        throw new RuntimeException("buum!!!!!!!!");
    }

  • I expect that the LRT will complete two items with an exception, but only the first item was created and after that the whole LRT ended with an exception:
org.springframework.transaction.UnexpectedRollbackException: Transaction silently rolled back because it has been marked as rollback-only
    at org.springframework.transaction.support.AbstractPlatformTransactionManager.processCommit(AbstractPlatformTransactionManager.java:755)
    at org.springframework.transaction.support.AbstractPlatformTransactionManager.commit(AbstractPlatformTransactionManager.java:714)
    at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:152)
    at eu.bcvsolutions.idm.core.scheduler.api.service.AbstractSchedulableStatefulExecutor.processItemInternalNewTransaction(AbstractSchedulableStatefulExecutor.java:273)
    at eu.bcvsolutions.idm.core.scheduler.api.service.AbstractSchedulableStatefulExecutor.processCandidate(AbstractSchedulableStatefulExecutor.java:263)
    at eu.bcvsolutions.idm.core.scheduler.api.service.AbstractSchedulableStatefulExecutor.executeProcess(AbstractSchedulableStatefulExecutor.java:211)
    at eu.bcvsolutions.idm.core.scheduler.api.service.AbstractSchedulableStatefulExecutor.process(AbstractSchedulableStatefulExecutor.java:77)
    at eu.bcvsolutions.idm.core.scheduler.api.service.AbstractSchedulableStatefulExecutor.process(AbstractSchedulableStatefulExecutor.java:1)
    at eu.bcvsolutions.idm.core.scheduler.api.service.AbstractLongRunningTaskExecutor.call(AbstractLongRunningTaskExecutor.java:212)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at org.springframework.security.concurrent.DelegatingSecurityContextRunnable.run(DelegatingSecurityContextRunnable.java:84)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Actions #7

Updated by Radek Tomiška almost 4 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Radek Tomiška to Vít Švanda

I suppose you have disabled asynchronous processing (by configuration 'idm.sec.core.event.asynchronous.enabled=false').
I improved transactional LRT processing to cover this synchronous UC too (it was not supported, but now it is :)).

Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/f842cb56b2a16cd6eca0ea70baf3e041a53af7a4

Could you give feedback again, please?

Note: When asynchronous processing is enabled, roles are removed by an asynchronous role request, and you will see the error in the role request agenda only.

Actions #8

Updated by Vít Švanda almost 4 years ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Vít Švanda to Radek Tomiška
  • % Done changed from 90 to 100

I did a review and test. Works fine in synchronous mode now. Thanks for this.

Actions #9

Updated by Radek Tomiška almost 4 years ago

  • Status changed from Resolved to Closed
Actions #10

Updated by Radek Tomiška about 3 years ago

  • Related to Defect #2637: LRT: IdentityRoleExpirationTaskExecutor process duplicate assigned roles (duplicate role requests are created in the cycle) added