When a read-only LDAP user store is configured as the primary user store in the deployment.toml file with create_admin_account set to false, the WSO2 IS startup fails with the following error during the initial startup (note that the user and the role are already available in the user store).
[2024-05-14 19:29:37,383] [] DEBUG {org.wso2.carbon.user.core.common.DefaultRealm} - Cannot create org.wso2.carbon.user.core.ldap.UniqueIDReadOnlyLDAPUserStoreManager java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
at org.wso2.carbon.user.core.common.DefaultRealm.createObjectWithOptions(DefaultRealm.java:356)
at org.wso2.carbon.user.core.common.DefaultRealm.initializeObjects(DefaultRealm.java:231)
at org.wso2.carbon.user.core.common.DefaultRealm.init(DefaultRealm.java:136)
at org.wso2.carbon.user.core.common.DefaultRealmService.initializeRealm(DefaultRealmService.java:276)
at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:102)
at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:115)
at org.wso2.carbon.user.core.internal.Activator.startDeploy(Activator.java:80)
at org.wso2.carbon.user.core.internal.BundleCheckActivator.start(BundleCheckActivator.java:61)
at org.eclipse.osgi.internal.framework.BundleContextImpl$3.run(BundleContextImpl.java:842)
at org.eclipse.osgi.internal.framework.BundleContextImpl$3.run(BundleContextImpl.java:1)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at org.eclipse.osgi.internal.framework.BundleContextImpl.startActivator(BundleContextImpl.java:834)
at org.eclipse.osgi.internal.framework.BundleContextImpl.start(BundleContextImpl.java:791)
at org.eclipse.osgi.internal.framework.EquinoxBundle.startWorker0(EquinoxBundle.java:1013)
at org.eclipse.osgi.internal.framework.EquinoxBundle$EquinoxModule.startWorker(EquinoxBundle.java:365)
at org.eclipse.osgi.container.Module.doStart(Module.java:598)
at org.eclipse.osgi.container.Module.start(Module.java:462)
at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel$1.run(ModuleContainer.java:1820)
at org.eclipse.osgi.internal.framework.EquinoxContainerAdaptor$2$1.execute(EquinoxContainerAdaptor.java:150)
at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.incStartLevel(ModuleContainer.java:1813)
at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.incStartLevel(ModuleContainer.java:1770)
at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.doContainerStartLevel(ModuleContainer.java:1735)
at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.dispatchEvent(ModuleContainer.java:1661)
at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.dispatchEvent(ModuleContainer.java:1)
at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:234)
at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread.run(EventManager.java:345)
Caused by: org.wso2.carbon.user.core.UserStoreException: Admin role can not be created in primary user store. Add-Admin has been set to false. Please pick a Role name which is exist in the primary user store as Admin Role
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.addInitialAdminData(AbstractUserStoreManager.java:9978)
at org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.<init>(ReadOnlyLDAPUserStoreManager.java:265)
at org.wso2.carbon.user.core.ldap.UniqueIDReadOnlyLDAPUserStoreManager.<init>(UniqueIDReadOnlyLDAPUserStoreManager.java:182)
... 30 more
During this scenario, WSO2 IS will validate whether the user exists in the user store [1] and whether the defined admin role exists in the UM_HYBRID_ROLE table [2] [3]. The UM_HYBRID_ROLE table is empty by default during the first startup, causing WSO2 IS to fail to find the role, resulting in the error [4] above being thrown by WSO2 IS.
In cases where you have disabled group-role separation and set the read_group parameter of the user store configuration to true, the role search is performed in the user store itself [5], which avoids the error. However, disabling group-role separation should only be done after assessing the use cases relevant to the customer's business requirements.
This can be resolved by setting create_admin_account to true, since it will create the configured role in the UM_HYBRID_ROLE table [6]. Afterward, it will extract the group from the user store [7], update the group list of the hybrid role [8], and finally update the hybrid role list of the user [9].
However, when the user store is read-only, the steps described in the paragraph above should ideally be performed by default.
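A deployment.toml fragment, added here as an illustration and not taken from the issue or the WSO2 code base, showing the read-only LDAP primary user store with create_admin_account = false that triggers the error above, and the create_admin_account = true setting that the workaround paragraph relies on. The DNs, hostname and credentials are constructed placeholders; read_groups is the assumed deployment.toml key for the read_group parameter mentioned above.

```toml
# Constructed deployment.toml fragment (not from the issue or the WSO2 code base).
# Failing configuration: admin user and admin role already exist in LDAP, so the
# admin account is not created, but the role lookup in UM_HYBRID_ROLE finds nothing.
[super_admin]
username = "admin"
password = "PLACEHOLDER-admin-password"
create_admin_account = false

[user_store]
type = "read_only_ldap"
base_dn = "dc=example,dc=org"
connection_url = "ldap://ldap.example.org:389"
connection_name = "cn=reader,dc=example,dc=org"
connection_password = "PLACEHOLDER-bind-password"
user_search_base = "ou=Users,dc=example,dc=org"
group_search_base = "ou=Groups,dc=example,dc=org"
read_groups = true   # assumed key for the "read_group" parameter discussed above

# Workaround configuration: only the [super_admin] entry changes. With
# create_admin_account = true, the configured role is created in UM_HYBRID_ROLE,
# the group is read from LDAP, and the user/role associations are updated at startup.
[super_admin]
username = "admin"
password = "PLACEHOLDER-admin-password"
create_admin_account = true
```

A real file must contain only one of the two [super_admin] tables; they are shown together here only to put the failing and working settings side by side.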
If the group-role separation is enabled, regardless of whether create_admin_account is enabled, we must create the admin role in the system and establish the necessary user associations. This is because roles are managed separately in the system database after the group-role separation.
Environment information
Product Version: IS 7.0.0
OS: Ubuntu 22.04.2 LTS
Database: H2
Userstore: JDBC
[1] - https://github.com/wso2/carbon-kernel/blob/v4.10.9/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L9821-L9837
[2] - https://github.com/wso2/carbon-kernel/blob/v4.10.9/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L9810-L9819
[3] - https://github.com/wso2/carbon-kernel/blob/v4.10.9/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/hybrid/HybridRoleManager.java#L312-L347
[4] - https://github.com/wso2/carbon-kernel/blob/v4.10.9/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L9973-L9982
[5] - https://github.com/wso2/carbon-kernel/blob/v4.10.9/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L9801-L9808
[6] - https://github.com/wso2/carbon-kernel/blob/v4.10.9/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L9924-L9928
[7] - https://github.com/wso2/carbon-kernel/blob/v4.10.9/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L9934-L9937
[8] - https://github.com/wso2/carbon-kernel/blob/v4.10.9/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L9953-L9955
[9] - https://github.com/wso2/carbon-kernel/blob/v4.10.9/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L9987-L9992