2

I'm working in a Grails application that uses a remote Rice 2.3.6 (embedded in Kuali Coeus 5.2.1) as an IAM backend. Many aspects of this are successful! But this one is not:

org.kuali.rice.kim.api.role.RoleService kimRoleServiceClient

...

kimRoleServiceClient.assignPrincipalToRole(
            principalId,
            role.namespace,
            role.name,
            qualifiers)

kimRoleServiceClient.principalHasRole(
            principalId,
            [kimRoleServiceClient.getRoleIdByNamespaceCodeAndName(
                role.namespace,
                role.name)],
            qualifiers) // returns true, as expected

kimRoleServiceClient.removePrincipalFromRole(
            principalId,
            role.namespace,
            role.name,
            qualifiers)

kimRoleServiceClient.principalHasRole(
            principalId,
            [kimRoleServiceClient.getRoleIdByNamespaceCodeAndName(
                role.namespace,
                role.name)],
            qualifiers) // returns true (unexpected behavior)

No error is returned, either as a result of the call or as an exception logged in the remote KC catalina.out. I can verify in the KC UI that the role is still assigned, and it's not a caching issue between the two calls -- I can wait a respectable amount of time and the role is still assigned.

Any clues?

EDIT:

It was suggested on the rice.collab mailing list that the problem may be related to KULRICE-9835: removePrincipalFromRole uses attribute id instead of attribute name in qualifier, which is marked as fixed in Rice 2.5.1. This might present a further hurdle, but at the moment this call fails even for roles with no qualifier, i.e. when qualifiers in the call above is an empty Map.

Dan Percival
  • 293
  • 2
  • 8

1 Answers1

2

Your edit comments that you are not passing qualifiers however the code throws an exception in this case looking at the code ? Could this be your issue ?

./rice-middleware/kim/kim-impl/src/main/java/org/kuali/rice/kim/impl/role/RoleServiceImpl.java

@Override
    public void removePrincipalFromRole(String principalId, String namespaceCode, String roleName,
            Map<String, String> qualifier) throws RiceIllegalArgumentException {
        if (StringUtils.isBlank(principalId)) {
            throw new RiceIllegalArgumentException("principalId is null");
        }

        if (StringUtils.isBlank(namespaceCode)) {
            throw new RiceIllegalArgumentException("namespaceCode is null");
        }

        if (StringUtils.isBlank(roleName)) {
            throw new RiceIllegalArgumentException("roleName is null");
        }

        if (qualifier == null) {
            throw new RiceIllegalArgumentException("qualifier is null");
        }...
Ronald Gouldner Jr
  • 331
  • 1
  • 14
  • If this were the issue, the first call would fail and Dan would not have asserted that the second call returns true. – Ken Geis Feb 19 '16 at 19:32
  • I'm passing an empty qualifier Map (Groovy's `[:]`), not `null`, so I should be good here. I do the same when using `assignPrincipalToRole`, with no problems; I'll edit the question to make that clearer. – Dan Percival Feb 19 '16 at 19:33
  • I wonder who voted the answer up since it ins't correct ? Sorry Ken, I missed Dan's comment that the second call returns true and I don't know how I would know if that call was passed any qualifiers since it isn't the api call I was addressing. I might be complete missing your point as well but I was just looking at the code and thought it could be the case based on the comment. – Ronald Gouldner Jr Feb 20 '16 at 23:33