Bug 41694 - concurrent name change and group update causes no groups update
concurrent name change and group update causes no groups update
Product: UCS
Classification: Unclassified
Component: UDM (Generic)
UCS 4.2
Other Linux
: P5 normal with 2 votes (vote)
: UCS 4.4-0-errata
Assigned To: Florian Best
Arvid Requate
: 31781 (view as bug list)
Depends on:
Blocks: 18479 45079
  Show dependency treegraph
Reported: 2016-06-29 00:41 CEST by Florian Best
Modified: 2019-05-15 14:52 CEST (History)
3 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.114
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): API change
Max CVSS v3 score:
best: Patch_Available+

patch (944 bytes, patch)
2016-06-29 00:41 CEST, Florian Best
Details | Diff
patch (7.75 KB, patch)
2017-06-26 15:55 CEST, Florian Best
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Best univentionstaff 2016-06-29 00:41:31 CEST
Created attachment 7773 [details]

Changing the name and e.g. the groups of a computer at the same time causes that the groups aren't correctly updated.

I added a testscript to ucs-test which nicely demonstrates this:

The problem is generic because ldap_post_modify uses the old DN instead of the new one. The new dn is not known by any of the handlers due to not assigning it.
The attached patch makes sure self.dn is set to the correct new dn. After this all _ldap_post_modify() handlers must be adapted to use the correct dn.
I would suggest to add self.old_dn (in save()) so that one can access the old DN.

You can nicely see that the old dn is printed instead of the new one when doing:
> udm computers/ubuntu modify --dn cn=foobar,dc=base --set name=something
> object modified: cn=foobar,dc=base
Comment 1 Florian Best univentionstaff 2016-06-29 00:47:05 CEST
Also broken for all handlers is modifying the name + --police-(de-)reference'ing the object. The old dn is also used there. This is also fixed by the attached patch.
Comment 2 Philipp Hahn univentionstaff 2016-06-30 12:51:34 CEST
This also breaks udm-test (univention/testing/udm.py):
237         for line in stdout.splitlines():  # :pylint: disable-msg=E1103
238             if line.startswith('Object modified: '):
239                 dn = line.split('Object modified: ', 1)[-1]
240                 if dn != kwargs.get('dn'):
241                     print 'modrdn detected: %r ==> %r' % (kwargs.get('dn'), dn)

As udm still returns the old DN, no MODRDN is detected and renamed objects are not cleaned up properly and survive tests.
Comment 3 Florian Best univentionstaff 2016-07-08 13:12:56 CEST
*** Bug 31781 has been marked as a duplicate of this bug. ***
Comment 4 Florian Best univentionstaff 2017-06-26 15:55:54 CEST
Created attachment 8968 [details]
Comment 5 Florian Best univentionstaff 2017-07-26 17:15:09 CEST
Every object type except container/cn and container/ou is affected:
# udm groups/group create --set name=group1
# python
>>> import univention.admin
>>> univention.admin.modules.update()
>>> g=univention.admin.modules.get('groups/group')
>>> lo,po=univention.admin.uldap.getAdminConnection()
>>> x = g.object(None, lo, po, 'cn=group1,dc=demo,dc=univention,dc=de')
>>> x['name'] = 'Group2'
>>> x.modify()
>>> x.dn
→ wrong DN

The two hunks in the patch which remove the self.move() call in the container/* handlers needs to be removed.
Comment 6 Lukas Oyen univentionstaff 2017-08-16 17:26:42 CEST
Please revert r82215 and r82209 (workarround for wrong DN on modify() in {s4c,adc}-test: 50{0,1}_test_{user,group}_sync.py.
Comment 7 Florian Best univentionstaff 2019-04-30 12:10:03 CEST
Rebased patch in fbest/41694-update-self-dn-after-rename.
Comment 8 Florian Best univentionstaff 2019-05-02 11:39:39 CEST
Failed tests when testing branch via branch tests:
Comment 9 Florian Best univentionstaff 2019-05-09 16:11:16 CEST
The branch has been merged.

univention-directory-manager-modules (14.0.12-30)
35724dc78562 | Bug #41694: Merge branch 'fbest/41694-update-self-dn-after-rename' into 4.4-0
80523ab49e52 | Bug #41694: update self.dn after renaming an object
Comment 10 Arvid Requate univentionstaff 2019-05-09 19:55:24 CEST
* Code review: Ok
* Functional test: Ok
* Test case: Ok
* Advisory: Ok

The old test case did not work, because the udm test methods currently don't wait for the connector. Quick changes of group membership apparently still cause issues (see Bug 35336 for the generic issue and e.g. Bug 46692 also looks a bit like that).
Comment 11 Florian Best univentionstaff 2019-05-10 09:44:05 CEST
The test case 52_s4connector.174sync_create_nested_ucs_groups.master071c fails:
(2019-05-10 02:54:16.776169) info 2019-05-10 02:54:16	 EXECUTING: udm-test 'groups/group' modify --dn "cn=stkhcgrb,cn=groups,dc=autotest071c,dc=local" --remove memberOf=cn=cebdcgrd,cn=groups,dc=autotest071c,dc=local
[2019-05-10 02:54:16.874060] Traceback (most recent call last):
[2019-05-10 02:54:16.874111]   File "/usr/share/univention-directory-manager-tools/univention-cli-server", line 218, in doit
[2019-05-10 02:54:16.874138]     output = univention.admincli.admin.doit(arglist)
[2019-05-10 02:54:16.874159]   File "/usr/lib/pymodules/python2.7/univention/admincli/admin.py", line 408, in doit
[2019-05-10 02:54:16.874180]     out = _doit(arglist)
[2019-05-10 02:54:16.874200]   File "/usr/lib/pymodules/python2.7/univention/admincli/admin.py", line 904, in _doit
[2019-05-10 02:54:16.874217]     dn = object.modify()
[2019-05-10 02:54:16.874237]   File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 642, in modify
[2019-05-10 02:54:16.874257]     dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
[2019-05-10 02:54:16.874276]   File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1316, in _modify
[2019-05-10 02:54:16.874291]     self._ldap_post_modify()
[2019-05-10 02:54:16.874311]   File "/usr/lib/pymodules/python2.7/univention/admin/handlers/groups/group.py", line 646, in _ldap_post_modify
[2019-05-10 02:54:16.874332]     self.__update_membership()
[2019-05-10 02:54:16.874352]   File "/usr/lib/pymodules/python2.7/univention/admin/handlers/groups/group.py", line 772, in __update_membership
[2019-05-10 02:54:16.874416]     newmembers = self.__case_insensitive_remove_from_list(self.old_dn, newmembers)
[2019-05-10 02:54:16.874441]   File "/usr/lib/pymodules/python2.7/univention/admin/handlers/groups/group.py", line 793, in __case_insensitive_remove_from_list
[2019-05-10 02:54:16.874461]     list.remove(remove_element)
[2019-05-10 02:54:16.874481] UnboundLocalError: local variable 'remove_element' referenced before assignment
(2019-05-10 02:54:16.880974) info 2019-05-10 02:54:16	 failed modifying groups/group object stkhcgrb
Comment 12 Florian Best univentionstaff 2019-05-10 09:53:19 CEST
Fixed by checking if it is part of the list (as it is done prior for both DN's):

univention-directory-manager-modules (14.0.12-33)
56ee710c9d2c | Bug #41694: check if dn is in list before removing it
Comment 13 Arvid Requate univentionstaff 2019-05-15 14:12:06 CEST
There were two additional commits:

30b4137529 | optimize performance
05eff751f3 | fixup

Jenkins test looks good.
Advisory: Ok
Comment 14 Arvid Requate univentionstaff 2019-05-15 14:52:12 CEST