Project

General

Profile

Actions

Defect #2393

closed

One user action with the same user transactionId has two different logged users in audit ([SYSTEM] in audit field)

Added by Vít Švanda over 4 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Vít Švanda
Category:
Authentication / Authorization
Target version:
Start date:
07/16/2020
Due date:
% Done:

100%

Estimated time:

Description

Fix from the #2364 doesn't work.


Files

transaction.png (196 KB) transaction.png Ondřej Kopr, 07/16/2020 11:24 AM
vsRequest-audit.png (169 KB) vsRequest-audit.png Vít Švanda, 07/17/2020 02:55 PM

Related issues

Is duplicate of IdStory Identity Manager - Defect #2364: Authentication: System user change normal user authentication ([SYSTEM] in audit field).ClosedRadek Tomiška07/03/2020

Actions
Actions #1

Updated by Vít Švanda over 4 years ago

  • Is duplicate of Defect #2364: Authentication: System user change normal user authentication ([SYSTEM] in audit field). added
Actions #2

Updated by Vít Švanda over 4 years ago

  • Description updated (diff)
Actions #3

Updated by Vít Švanda over 4 years ago

  • Status changed from New to In Progress
  • Assignee changed from Vít Švanda to Vladimír Kotýnek

Please add some UC, screenshots, anything that will help identify the problem on your project.

Actions #4

Updated by Vít Švanda over 4 years ago

  • Assignee changed from Vladimír Kotýnek to Vít Švanda
Actions #5

Updated by Ondřej Kopr over 4 years ago

There is one transaction with changes that isn't definitely from same modifier

Maybe possible hit is run some planned task from scheduler and then run another task (bul operation). When both tasks will use same task thread result may be same. Try it!

Actions #6

Updated by Vít Švanda over 4 years ago

  • Target version changed from 10.4.2 to 10.5.0
Actions #7

Updated by Vít Švanda over 4 years ago

  • % Done changed from 0 to 10

Locally, I can simulate one scenario where there is a wrong user in the audit record.

User A starts activating 10 identities. At the same time, User B starts the same operation for another 10 identities.

The resulting audit will contain audit records for the same transaction, where the second user will be the modifier.

After deeper debugging, this issue is tied to provisioning only. In this case, only the VsRequest records that are generated within separate threads (futureTask) are incorrect.

So far, I haven't been able to resolve this issue. One possibility is the problematic use of the MODE_INHERITABLETHREADLOCAL strategy in an environment where pools are used. However, using MODE_THREADLOCAL in combination with DelegatingSecurityContextRunnable did not help.

The result of the debug is: The SecurityContext is set correctly when the thread is started. The problem only occurs in the IdmAuditListener / AuditableEntityListener, where there is already another user for the same thread.

Actions #8

Updated by Vít Švanda over 4 years ago

Actions #9

Updated by Vít Švanda over 4 years ago

  • % Done changed from 10 to 50

I found solution for second scenario, where same transaction ID was use in another action.

It looks like, the main problem was in using of InheritableThreadLocal<TransactionContext> for combination with a pools. I implemented DelegatingTransactionContextRunnable for propagate the transaction context to child threads.

Now it works, but I need to more testing it.

Actions #10

Updated by Vít Švanda over 4 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Vít Švanda to Radek Tomiška
  • % Done changed from 50 to 80

I fixed both scenarios (I hope).

First:
It looks like the instance of Security context was shared betweed more threads. If SecurityService.setAuthentication method was called, then the contex was changed, but same instance was use in old threads too (Delegation wrapper dosesn't clear the context). As result name of logged user was changed in more then current thread.
I fixed that with call SecurityContextHolder.clearContext() in SecurityService.setAuthentication method.

Second:
It looks like, the main problem was in using of InheritableThreadLocal<TransactionContext> for combination with a thread pools. I implemented DelegatingTransactionContextRunnable for propagate the transaction context to child threads.

This fix needs more testing and consultations. This is the reason why I commited this fix to the 10.5.0 instead to the hotfix.

Commit: https://github.com/bcvsolutions/CzechIdMng/commit/47d33033b97e29ba9e74be6f67e10cdd135324c4

Actions #11

Updated by Radek Tomiška over 4 years ago

  • Status changed from Needs feedback to Closed
  • Assignee changed from Radek Tomiška to Vít Švanda
  • % Done changed from 80 to 100
  • Affected versions Rhyolite (9.7.0), Rhyolite (9.7.2), Rhyolite (9.7.3), Rhyolite (9.7.4), Rhyolite (9.7.5), Rhyolite (9.7.6), Rhyolite (9.7.7), Rhyolite (9.7.8), Rhyolite (9.7.9), Rhyolite (9.7.10), Rhyolite (9.7.11), Rhyolite (9.7.12), Rhyolite (9.7.13), 10.0.0, Rhyolite (9.7.14), 10.0.1, 10.1.0, Rhyolite (9.7.15), Rhyolite (9.7.16), 10.2.0, 10.0.2, 10.3.0, 10.3.1, 10.3.2, Rhyolite (9.7.17), 10.3.3, 10.4.0 added

I did test and code review, it's awesome! I did not found a broken UC.

Actions

Also available in: Atom PDF