11 Replies Latest reply: May 17, 2012 1:41 PM by Jan Vervecken

    OPSS : addMembersToApplicationRole : The search for role failed

    Jan Vervecken
      hi

      (If this is not the correct forum for OPSS questions, please point me to the correct forum.)

      Please consider the example application
      at http://www.consideringred.com/files/oracle/2011/SQLAuthenticatorApp-v0.03.zip

      It allows for the setup of a SQLAuthenticator (see README.txt for details), but in short:
      - run Ant target "wlst.create-domain" (possibly preceded by Ant target "delete.domain-dir")
      - run Ant target "create.wls-start-stop-bat-files"
      - run wls-start.bat
      - set up tables TS_USER, TS_GROUP and TS_GROUPMEMBER
      - run Ant target "wlst.create-datasource"
      - run Ant target "wlst.create-authentication-provider"
      - run wls-stop.bat, then run wls-start.bat
      - run Ant target "wlst.create-user"
      - run Ant target "wlst.create-group.sqla-groupname"
      - run Ant target "wlst.add-user-member-to-group"
      - deploy SQLAuthenticatorApp (using JDeveloper or otherwise)
      - try http://localhost:7001/sqlauthenticatorweb and try to authenticate using tsusertwo/welcome1

      After that, adding a SQLAuthenticator group as member to an application role seems to be a problem, while it works for a DefaultAuthenticator group (a.k.a. enterprise role).

      So, running the Ant target "wlst.opss.addentrolemembertoapplicationrole.sqla-groupname" results in output like this:
      wlst.opss.addentrolemembertoapplicationrole:
           [wlst] [target wlst.opss.addentrolemembertoapplicationrole script-begin]
           [wlst] [version = WebLogic Server 10.3.5.0  Fri Apr 1 20:20:06 PDT 2011 1398638 ]
           [wlst] Connecting to t3://localhost:7001 with userid weblogic ...
           [wlst] Successfully connected to Admin Server 'AdminServer' that belongs to domain 'mystuffdomain'.
      ...
           [wlst] [print gifap] : group tsgrouptwo found in MySQLAuthenticator
           [wlst] [print gifap] : group tsgrouptwo NOT found in DefaultAuthenticator
           [wlst] [print gifap] : group tsgrouptwo NOT found in DefaultIdentityAsserter
      ...
           [wlst] [print mfar] : in SQLAuthenticatorApp#V2.0 the application role approle-green has members entrole-green
           [wlst] [adding member : vAppStripe = SQLAuthenticatorApp#V2.0, vApplicationRoleName = approle-green, vRoleMemberName = tsgrouptwo]
      ...
           [wlst] java.lang.RuntimeException: java.lang.RuntimeException: failed, th = javax.management.MBeanException: The search for role tsgrouptwo failed., th info = javax.management.MBeanException: The search for role tsgrouptwo failed., caused by oracle.as.jmx.framework.exceptions.ManagementException: The search for role tsgrouptwo failed.
      ...
      BUILD FAILED
      Note that the SQLAuthenticator group does exist, but still "The search for role tsgrouptwo failed" is reported.

      For a DefaultAuthenticator group (after running the Ant target "wlst.create-group.da-groupname") Ant target "wlst.opss.addentrolemembertoapplicationrole.da-groupname" results in output like this:
      wlst.opss.addentrolemembertoapplicationrole:
           [wlst] [target wlst.opss.addentrolemembertoapplicationrole script-begin]
           [wlst] [version = WebLogic Server 10.3.5.0  Fri Apr 1 20:20:06 PDT 2011 1398638 ]
           [wlst] Connecting to t3://localhost:7001 with userid weblogic ...
           [wlst] Successfully connected to Admin Server 'AdminServer' that belongs to domain 'mystuffdomain'.
      ...
           [wlst] [print gifap] : group entrole-darkgreen NOT found in MySQLAuthenticator
           [wlst] [print gifap] : group entrole-darkgreen found in DefaultAuthenticator
           [wlst] [print gifap] : group entrole-darkgreen NOT found in DefaultIdentityAsserter
      ...
           [wlst] [print mfar] : in SQLAuthenticatorApp#V2.0 the application role approle-green has members entrole-green
           [wlst] [adding member : vAppStripe = SQLAuthenticatorApp#V2.0, vApplicationRoleName = approle-green, vRoleMemberName = entrole-darkgreen]
           [wlst] [print mfar] : in SQLAuthenticatorApp#V2.0 the application role approle-green has members entrole-green, entrole-darkgreen
           [wlst] [target wlst.opss.addentrolemembertoapplicationrole script-end]
      
      BUILD SUCCESSFUL
      So, no problem, as can also be verified using the Ant target "wlst.opss.printmembersforallapplicationroles".

      But, when using the Enterprise Manager it is no problem to add a SQLAuthenticator group as member to an application role,
      as shown in scenario (sc1) in the screencast at http://screencast.com/t/FMKbBQYnU

      question:
      - (q1) Why does adding a SQLAuthenticator group as member to an application role result in a ManagementException, "The search for role tsgrouptwo failed" when using the OPSS MBean API?

      many thanks
      Jan Vervecken

      edit on Aug 11, 2011 : fixed Ant target name to "wlst.opss.addentrolemembertoapplicationrole.sqla-groupname"
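      The "[print gifap]" pre-check and the subsequent grant from the output above, written out as an added WLST (Jython) example; this is not code from the original post or from SQLAuthenticatorApp. It assumes an already connected WLST session started from ORACLE_COMMON/common/bin (so the OPSS command grantAppRole exists), that the realm's authenticators expose groupExists(), and that only the providers listed in OPSS_SEARCHABLE_PROVIDERS can be resolved by the OPSS identity store.

```jython
# Added example, not from the original post or SQLAuthenticatorApp.
# Run inside a WLST session (started from ORACLE_COMMON/common/bin so the OPSS
# command grantAppRole is available) after connect() to the admin server.

# Assumption: only groups held by these providers can be resolved by the OPSS
# identity store when a member is added through the MBean API.
OPSS_SEARCHABLE_PROVIDERS = ['DefaultAuthenticator']

def providersKnowingGroup(groupName):
    """Return the names of the realm's authentication providers that report
    groupName via groupExists(); providers without that operation (for
    example an identity asserter) are treated as 'NOT found'."""
    found = []
    domainConfig()
    realm = cmo.getSecurityConfiguration().getDefaultRealm()
    for provider in realm.getAuthenticationProviders():
        try:
            exists = provider.groupExists(groupName)
        except AttributeError:  # assumption: proxy raises this when absent
            exists = 0
        state = exists and 'found' or 'NOT found'
        print '[print gifap] : group %s %s in %s' % (groupName, state, provider.getName())
        if exists:
            found.append(provider.getName())
    return found

def addGroupToAppRole(appStripe, appRoleName, groupName):
    """Grant groupName to appRoleName, but fail early with a clear message
    when the group lives only in a provider OPSS cannot search (the
    SQLAuthenticator case described in this thread)."""
    known = providersKnowingGroup(groupName)
    if not known:
        raise ValueError('group %s not found in any authentication provider' % groupName)
    searchable = [p for p in known if p in OPSS_SEARCHABLE_PROVIDERS]
    if not searchable:
        raise ValueError('group %s exists only in %s; OPSS would report '
                         '"The search for role %s failed"' % (groupName, known, groupName))
    # OPSS WLST command; WLSGroupImpl is the WebLogic group principal class.
    grantAppRole(appStripe=appStripe, appRoleName=appRoleName,
                 principalClass='weblogic.security.principal.WLSGroupImpl',
                 principalName=groupName)
    print '[added member : %s to %s in %s]' % (groupName, appRoleName, appStripe)

# Values from the DefaultAuthenticator run above.
addGroupToAppRole('SQLAuthenticatorApp#V2.0', 'approle-green', 'entrole-darkgreen')
```

      Calling it with 'tsgrouptwo' instead stops at the searchable-provider check, which is the same condition the MBean call otherwise reports as a ManagementException.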
        • 1. Re: OPSS : addMembersToApplicationRole : The search for role failed
          Jan Vervecken
          fyi

          In the context of service request 3-4124753004 a bug has been filed:
          bug 12864498, "OPSS : ADDMEMBERSTOAPPLICATIONROLE : THE SEARCH FOR ROLE FAILED"

          regards
          Jan
          • 2. Re: OPSS : addMembersToApplicationRole : The search for role failed
            Jan Vervecken
            fyi

            In service request 3-4124753004 I got the feedback
            "... This is not a supported usecase (use enterprise role from the DB, and add the enterprise role to approle). ..."
            and bug 12864498 currently has "Status 32 - Not a Bug. To Filer ".

            When I asked for documentation that confirms/explains the unsupported use-case (and why this is not a bug), I got referred to section "F.2.3 LDAP Identity Store Properties"
            at http://download.oracle.com/docs/cd/E21764_01/core.1111/e10043/jpsprops.htm#JISEC3159
            There was also a mention (without specific details) of a workaround using "Oracle OVD" (Oracle Virtual Directory) or "Oracle libOVD".

            Currently I am trying to understand what it is that is not supported.
            For that I already asked a question in forum thread "ADF Security : identity store : tables in a SQL database "
            at ADF Security : identity store : tables in a SQL database
            where I got this feedback ...
            Frank Nimphius wrote:
            ... ADF Security delegates authentication to WebLogic Server and for this reason works with any authentication provider supported by OPSS: LDAP, OID, OVP, SQL Authentication Provider, Active Directory and custom JAAS LoginModules wrapped in custom authentication providers ...
            ... from which I would conclude that using a SQLAuthenticator type Authentication Provider in WebLogic Server is supported for ADF Security authentication.

            regards
            Jan Vervecken
            • 3. Re: OPSS : addMembersToApplicationRole : The search for role failed
              Jan Vervecken
              fyi

              In the same service request 3-4124753004 (about bug 12864498) the support engineer wrote the same feedback as I got (in the forum thread "ADF Security : identity store : tables in a SQL database") on Thu. 13-10 (from a user "skt" signing "HTH"),
              at Re: ADF Security : identity store : tables in a SQL database

              regards
              Jan
              • 4. Re: OPSS : addMembersToApplicationRole : The search for role failed
                Jan Vervecken
                fyi

                I just noticed that bug 12864498, "OPSS : ADDMEMBERSTOAPPLICATIONROLE : THE SEARCH FOR ROLE FAILED", no longer has "Status 32 - Not a Bug. To Filer" but now has "Status 11 - Code Bug (Response/Resolution)", so I wonder if there is still an "unsupported use-case" related to what I am trying to do.

                regards
                Jan
                • 5. Re: OPSS : addMembersToApplicationRole : The search for role failed
                  Jan Vervecken
                  fyi

                  I noticed that bug 12864498, "OPSS : ADDMEMBERSTOAPPLICATIONROLE : THE SEARCH FOR ROLE FAILED", no longer has "Status 11 - Code Bug (Response/Resolution)" but now has "Status 15 - To Internal (Oracle) Review". I don't know what that means in this case.

                  regards
                  Jan
                  • 6. Re: OPSS : addMembersToApplicationRole : The search for role failed
                    Jan Vervecken
                    hi

                    Today I noticed that "bug" 12864498, "OPSS : ADDMEMBERSTOAPPLICATIONROLE : THE SEARCH FOR ROLE FAILED", now has "Type E - Enhancement".
                    I don't know when that changed to be an enhancement request instead of a bug.

                    - (q2) Why has "bug" 12864498 become an enhancement request and is it no longer a bug?

                    many thanks
                    Jan
                    • 7. Re: OPSS : addMembersToApplicationRole : The search for role failed
                      Jan Vervecken
                      hi

                      - about (q2) I got this feedback in SR 3-4124753004:

                      "This bug basically requires the support of using DB as JPS identity store service. As of today, LDAP is the common store provider for U/R API (supports LDAP and XML) and IGF (supports LDAP and DB but DB is not exposed by JPS). So this ER requirement means a change to JPS which is not light, and requires the change in U/R API and IGF. "

                      So, I asked "Can you please explain the exact meaning of "U/R API" and "IGF" in this feedback? ", and got this reply:

                      "This bug basically requires the support of using DB as JPS identity store service. As of today, LDAP is the common store provider for your API (supports LDAP and XML) and Identity Governance Framework (supports LDAP and DB but DB is not exposed by JPS). So this ER requirement means quite a fundamental change to JPS. "

                      (hmm)

                      But, today I noticed that "bug" 12864498, "OPSS : ADDMEMBERSTOAPPLICATIONROLE : THE SEARCH FOR ROLE FAILED", now again has "Type B - Defect" and also again "Status 11 - Code Bug (Response/Resolution)".
                      This must be a recent change.

                      - (q3) Why has "bug" 12864498 become a bug and is it no longer an enhancement request?

                      All very confusing!

                      regards
                      Jan
                      • 8. Re: OPSS : addMembersToApplicationRole : The search for role failed
                        Jan Vervecken
                        fyi

                        Feedback I got in SR 3-4124753004 :
                        Thanks for your patience. U/R API - User and Role API.

                        Please review all the DEV's responses posted in this bug and specifically update "*** SHUANGXI 10/25/11 12:10 pm RESPONSE

                        This is an enhancement request because the requested feature is not supported and because it is too risky to make major code changes with out doing a complete re-testing of the whole product.
                        my reply :
                        - about "U/R API - User and Role API."
                        -- (q4) What is the User and Role API (U/R API) you refer to exactly, and how is it related to my original question (q1)?
                        -- (q5) What is the Identity Governance Framework (IGF) you refer to exactly, and how is it related to my original question (q1)?

                        - about "Please review all the DEV's responses posted in this bug and specifically update "*** SHUANGXI 10/25/11 12:10 pm RESPONSE"
                        -- It is hard for me to review any responses in bug 12864498 because I only see dates and times,
                        see the screenshot at http://www.consideringred.com/files/oracle/img/2011/bug12864498-20111229.png

                        - about (q2) and (q3) and your feedback "This is an enhancement request because the requested feature is not supported and because it is too risky to make major code changes with out doing a complete re-testing of the whole product."
                        -- It looks like currently bug 12864498 has again "Type E - Enhancement" and "Status 15 - To Internal (Oracle) Review".
                        -- If bug 12864498 is an enhancement request instead of a bug (which I am still trying to understand), why is it that I am able to add a SQLAuthenticator group as member to an application role using the Enterprise Manager, which is what I am looking for (using an API) and what you say is not supported?
                        See also scenario (sc1) in the screencast at http://screencast.com/t/FMKbBQYnU .
                        -- (q6) Is adding a SQLAuthenticator group as member to an application role using the Enterprise Manager (as in scenario (sc1)) a bug?

                        So, given your feedback:
                        - on (q1) as : because it is not supported
                        - on (q2) as : (no feedback on why Type changed)
                        - on (q3) as : (no feedback on why Type changed) but currently you say it should be an enhancement request
                        The remaining questions are (q4), (q5) and (q6).

                        And why does this service request currently have "Status Development Working"?
                        regards
                        Jan
                        • 9. Re: OPSS : addMembersToApplicationRole : The search for role failed
                          Jan Vervecken
                          fyi

                          Feedback in SR 3-4124753004 :

                          "If the you want to use DB as the identity store, then the supported way is to buy OVD server license and configure DB adapter in OVD and then configure an OVD authenticator in Weblogic. SQLAuthenticator will not be used as identity store. And, we do not recommend to use LibOVD for DB identity store. OVD server is the recommended and supported way. "

                          regards
                          Jan
                          • 10. Re: OPSS : addMembersToApplicationRole : The search for role failed
                            Jan Vervecken
                            fyi

                            In the context of service request 3-5312742911 the following bug was filed:
                            - bug 13876651, "FMW CONTROL SHOULD NOT ALLOW MANAGING USERS GROUPS FROM SQL AUTHENTICATOR"

                            (note that although it has "Created Mar 22, 2012" it currently has "Status 16 - Bug Screening/Triage")

                            regards
                            Jan

                            edit : feedback also welcome at http://java.net/jira/browse/ADFEMG-10
                            • 11. Re: OPSS : addMembersToApplicationRole : The search for role failed
                              Jan Vervecken
                              fyi

                              Today I got confirmation in SR 3-5312742911 that bug 13876651 is a bug (and it currently has "Status 11 - Code Bug (Response/Resolution)").

                              regards
                              Jan