Posted to dev@ambari.apache.org by Keta Patel <ke...@gmail.com> on 2016/02/19 00:27:08 UTC

sync LDAP behavior

Hello all,
What is the expected behavior of "ambari-server sync-ldap --all" on the 2nd
or later calls?

Thank you!
Keta

Re: sync LDAP behavior

Posted by Keta Patel <ke...@gmail.com>.
Hello Robert,
Thank you for pointing out the Jira. This patch resolved the issue I was
facing.

Thank you,
Keta

On Fri, Feb 19, 2016 at 5:02 AM, Robert Levas <rl...@hortonworks.com>
wrote:

> Hi Keta…
>
> What version of Ambari are you using? My guess is 2.2.0.  If so, I think
> you may have bumped into the bug fixed in
> https://issues.apache.org/jira/browse/AMBARI-15031, which will be
> released in Ambari version 2.2.2 - I am not sure of the release date for
> that.
>
> Unfortunately, to perform subsequent sync-all operations with your current
> version, you will need to clear out the imported LDAP groups and associated
> metadata from the Ambari database.  Else you will be able to sync an
> explicit set of groups using the --group option.
>
> To clear out the imported groups and associated metadata from the Ambari
> database (after backing up your database), you will need to delete all
> groups from the `groups` table where `ldap_group`=1.  You will also need to
> remove all records from the `adminprincipal` table where the `principal_id`
> equals the `groups.principal_id` for the relevant records.  So something
> like this should do the trick.
>
>         DELETE FROM adminprincipal WHERE principal_id IN (SELECT
> principal_id FROM groups WHERE ldap_group=1);
>         DELETE FROM groups WHERE ldap_group=1;
>
>
> Rob

Re: sync LDAP behavior

Posted by Robert Levas <rl...@hortonworks.com>.
Hi Keta…

What version of Ambari are you using? My guess is 2.2.0.  If so, I think you may have bumped into the bug fixed in https://issues.apache.org/jira/browse/AMBARI-15031, which will be released in Ambari version 2.2.2 - I am not sure of the release date for that. 

Unfortunately, to perform subsequent sync-all operations with your current version, you will need to clear out the imported LDAP groups and associated metadata from the Ambari database.  Else you will be able to sync an explicit set of groups using the --group option.

To clear out the imported groups and associated metadata from the Ambari database (after backing up your database), you will need to delete all groups from the `groups` table where `ldap_group`=1.  You will also need to remove all records from the `adminprincipal` table where the `principal_id` equals the `groups.principal_id` for the relevant records.  So something like this should do the trick.

	DELETE FROM adminprincipal WHERE principal_id IN (SELECT principal_id FROM groups WHERE ldap_group=1);
	DELETE FROM groups WHERE ldap_group=1;


Rob
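
Added example (not from this thread and not Ambari code): a rehearsal of the cleanup above against an in-memory SQLite stand-in, showing that the order of the two DELETE statements matters because the first one's subquery reads `groups`. The schema holds only the columns named in the thread, SQLite stands in for the real Ambari database, and every row except the 'sheetsg9' values from the error message is constructed.

```python
import sqlite3

# Assumption: minimal stand-in schema with only the columns named in the thread;
# the real Ambari tables carry more columns and constraints.
SCHEMA = """
CREATE TABLE adminprincipal (principal_id INTEGER PRIMARY KEY);
CREATE TABLE groups (group_id INTEGER PRIMARY KEY, group_name TEXT,
                     ldap_group INTEGER, principal_id INTEGER);
"""
# 'sheetsg9' (524, 5527) comes from the error in the thread; other rows are constructed.
GROUP_ROWS = [(524, "sheetsg9", 1, 5527),
              (525, "ldap-ops", 1, 5528),
              (7, "local-admins", 0, 12)]    # local group, must survive
PRINCIPAL_IDS = [1, 12, 5527, 5528]          # 1 = constructed non-group principal

# The two statements exactly as given in the thread.
DELETE_PRINCIPALS = ("DELETE FROM adminprincipal WHERE principal_id IN "
                     "(SELECT principal_id FROM groups WHERE ldap_group=1)")
DELETE_GROUPS = "DELETE FROM groups WHERE ldap_group=1"

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO adminprincipal VALUES (?)", [(p,) for p in PRINCIPAL_IDS])
    db.executemany("INSERT INTO groups VALUES (?, ?, ?, ?)", GROUP_ROWS)
    db.commit()
    return db

def cleanup(db, statements):
    """Run statements in one transaction; report what is left afterwards."""
    targeted = [r[0] for r in db.execute(
        "SELECT principal_id FROM groups WHERE ldap_group=1 ORDER BY principal_id")]
    with db:  # commits on success, rolls back if any statement raises
        for sql in statements:
            db.execute(sql)
    groups = [r[0] for r in db.execute("SELECT group_name FROM groups ORDER BY group_id")]
    principals = [r[0] for r in db.execute(
        "SELECT principal_id FROM adminprincipal ORDER BY principal_id")]
    orphans = [p for p in targeted if p in principals]
    return groups, principals, orphans

def thread_order():
    return cleanup(build_db(), [DELETE_PRINCIPALS, DELETE_GROUPS])

def reversed_order():
    # Groups go first, so the subquery finds nothing and the principals stay behind.
    return cleanup(build_db(), [DELETE_GROUPS, DELETE_PRINCIPALS])

if __name__ == "__main__":
    print("thread order:  ", thread_order())
    print("reversed order:", reversed_order())
```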





On 2/18/16, 8:00 PM, "Keta Patel" <ke...@gmail.com> wrote:

>Adding more detail to my question:
>
>The following is what I see when I perform sync-ldap consecutively.
>*The very 1st call:*
>>>ambari-server sync-ldap --all
>
>*Result:*
>Using python  /usr/bin/python2
>Syncing with LDAP...
>Enter Ambari Admin login: admin
>Enter Ambari Admin password:
>Syncing all...
>
>Completed LDAP Sync.
>Summary:
>  memberships:
>    removed = 0
>    created = 0
>  users:
>    updated = 0
>    removed = 0
>    created = 0
>  groups:
>    updated = 0
>    removed = 0
>    created = 2
>
>Ambari Server 'sync-ldap' completed successfully.
>
>
>
>
>*The 2nd time I call:*
>>>ambari-server sync-ldap --all
>
>*Result:*
>Using python  /usr/bin/python2
>Syncing with LDAP...
>Enter Ambari Admin login: admin
>Enter Ambari Admin password:
>Syncing all...ERROR: Exiting with exit code 1.
>REASON: Caught exception running LDAP sync. Exception [EclipseLink-4002]
>(Eclipse Persistence Services - 2.5.2.v20140319-9ad6abd):
>org.eclipse.persistence.exceptions.DatabaseException
>Internal Exception: java.sql.BatchUpdateException: Batch entry 0 INSERT
>INTO groups (group_id, group_name, ldap_group, principal_id) VALUES (524,
>'sheetsg9', 1, 5527) was aborted.  Call getNextException to see the cause.
>Error Code: 0
>Call: INSERT INTO groups (group_id, group_name, ldap_group, principal_id)
>VALUES (?, ?, ?, ?)
>    bind => [4 parameters bound]
>
>
>
>The only difference I found with the LDAP group "sheetsg9" when compared to
>the other LDAP groups was that *it had no users associated with it.*
>The workaround involves deleting that group from the "groups" table in the
>DB and syncing again. The sync goes through fine after that.
>
>Is this the expected behavior of "sync-ldap --all" or is the case of
>handling groups with no users not handled properly?

Re: sync LDAP behavior

Posted by Keta Patel <ke...@gmail.com>.
Adding more detail to my question:

The following is what I see when I perform sync-ldap consecutively.
*The very 1st call:*
>>ambari-server sync-ldap --all

*Result:*
Using python  /usr/bin/python2
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing all...

Completed LDAP Sync.
Summary:
  memberships:
    removed = 0
    created = 0
  users:
    updated = 0
    removed = 0
    created = 0
  groups:
    updated = 0
    removed = 0
    created = 2

Ambari Server 'sync-ldap' completed successfully.




*The 2nd time I call:*
>>ambari-server sync-ldap --all

*Result:*
Using python  /usr/bin/python2
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password:
Syncing all...ERROR: Exiting with exit code 1.
REASON: Caught exception running LDAP sync. Exception [EclipseLink-4002]
(Eclipse Persistence Services - 2.5.2.v20140319-9ad6abd):
org.eclipse.persistence.exceptions.DatabaseException
Internal Exception: java.sql.BatchUpdateException: Batch entry 0 INSERT
INTO groups (group_id, group_name, ldap_group, principal_id) VALUES (524,
'sheetsg9', 1, 5527) was aborted.  Call getNextException to see the cause.
Error Code: 0
Call: INSERT INTO groups (group_id, group_name, ldap_group, principal_id)
VALUES (?, ?, ?, ?)
    bind => [4 parameters bound]



The only difference I found with the LDAP group "sheetsg9" when compared to
the other LDAP groups was that *it had no users associated with it.*
The workaround involves deleting that group from the "groups" table in the
DB and syncing again. The sync goes through fine after that.

Is this the expected behavior of "sync-ldap --all" or is the case of
handling groups with no users not handled properly?

On Thu, Feb 18, 2016 at 3:27 PM, Keta Patel <
keta.mahendrakumar.patel@gmail.com> wrote:

> Hello all,
> What is the expected behavior of "ambari-server sync-ldap --all" on the
> 2nd or later calls?
>
> Thank you!
> Keta
>