Bug 54051 - Ability to manage the role "ucsschoolAdministrator" with Kelvin API
Summary: Ability to manage the role "ucsschoolAdministrator" with Kelvin API
Status: CLOSED FIXED
Alias: None
Product: UCS@school
Classification: Unclassified
Component: HTTP-API (Kelvin)
Version: UCS@school 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Sönke Schwardt-Krummrich
QA Contact: Ole Schwiegert
URL: https://git.knut.univention.de/univen...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-11-11 09:34 CET by Dirk Ahrnke
Modified: 2025-09-02 16:29 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.103
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2022050321000557, 2023090421000297, 2025042221000161
Bug group (optional): Role and Access Model
Customer ID: 27658, 57195
Max CVSS v3 score:


Description Dirk Ahrnke univentionstaff 2021-11-11 09:34:54 CET
The current role model in UCS@school was enhanced with the dedicated "ucsschoolAdministrator" role a while ago.
At this time the Kelvin API can only detect the role "school_admin" (Bug #51509) but it is not possible to administer the role through the API. 
The ability to manage the role might be a requirement in several key scenarios.
Comment 1 Anne Hanekop univentionstaff 2022-05-03 16:30:20 CEST
Added additional information and set Waiting Support together with Dirk Schnick.
Comment 5 Dirk Ahrnke univentionstaff 2025-03-10 14:39:22 CET
Stumbled across this problem again today. 

The new integration for Bildungslogin requested a user object for the license-admin in the cn=admins container of a school. I thought it was a good idea to use the "ucsschoolAdministrator" for this account.

The BiLo-SaaS application tries to evaluate the object through Kelvin-API. 

The log shows:
2025-03-10 05:06:21 WARNING [224][a2de61874d] UDM object 'uid=redacted,cn=admins,cn=users,ou=esg,dc=schule-univention,dc=de' does not correspond to a Python class in the UCS school lib.
2025-03-10 05:06:21 WARNING [224][a2de61874d] No ImportUser with name=None dn='uid=redacted,cn=admins,cn=users,ou=esg,dc=schule-univention,dc=de' and school=None found.
2025-03-10 05:06:21 INFO  [224][a2de61874d] 172.17.42.1:45600 - "GET /ucsschool/kelvin/v1/users/redacted HTTP/1.1" 404
2025-03-10 05:06:21 WARNING [224][a2de61874d] kelvin_app.ucsschool.kelvin.routers.user.get - 0.174 s - ['http_status:404', 'http_method:GET', 'time:wall']
2025-03-10 05:06:21 WARNING [224][a2de61874d] kelvin_app.ucsschool.kelvin.routers.user.get - 0.052 s - ['http_status:404', 'http_method:GET', 'time:cpu']

As a workaround I had to add the objectClass "ucsschoolTeacher". Added the proper ucsschoolRole string and the group membership.
Comment 6 Mirac Erdemiroglu univentionstaff 2025-04-25 12:11:03 CEST
Another customer affected 2025042221000161

2025-04-24 17:49:43 WARNING [226][e23dfcacc6] main.timing:91  kelvin_app.ucsschool.kelvin.main.login_for_access_token - 4.109 s - ['http_status:200', 'http_method:POST', 'time:wall']
2025-04-24 17:49:43 WARNING [226][e23dfcacc6] main.timing:91  kelvin_app.ucsschool.kelvin.main.login_for_access_token - 0.091 s - ['http_status:200', 'http_method:POST', 'time:cpu']
2025-04-24 17:49:43 DEBUG [226][231386985b] base.from_dn:1172  Looking up ImportUser with dn 'uid=test-user-cont,cn=users,ou=DEMOSCHOOL,dc=ucs,dc=test,dc=myschool,dc=univention,dc=de'
2025-04-24 17:49:43 DEBUG [226][231386985b] base_http.call_openapi:464  'get' 'users/user' -> udm_users_user_object_with_http_info(**{'dn': 'uid=test-user-cont,cn=users,ou=DEMOSCHOOL,dc=ucs,dc=test,dc=myschool,dc=univention,dc=de'}) -> UsersUser('uid=test-user-cont,cn=users,ou=DEMOSCHOOL,dc=ucs,dc=test,dc=myschool,dc=univention,dc=de') [200]
2025-04-24 17:49:43 WARNING [226][231386985b] base.from_udm_obj:1083  UDM object 'uid=test-user-cont,cn=users,ou=DEMOSCHOOL,dc=ucs,dc=test,dc=myschool,dc=univention,dc=de' does not correspond to a Python class in the UCS school lib.
2025-04-24 17:49:43 WARNING [226][231386985b] base.get_lib_obj:89  No ImportUser with name=None dn='uid=test-user-cont,cn=users,ou=DEMOSCHOOL,dc=ucs,dc=test,dc=myschool,dc=univention,dc=de' and school=None found.
2025-04-24 17:49:43 INFO  [226][231386985b] h11_impl.send:473  172.17.42.1:44368 - "GET /ucsschool/kelvin/v1/users/test-user-cont HTTP/1.1" 404
2025-04-24 17:49:43 WARNING [226][231386985b] main.timing:91  kelvin_app.ucsschool.kelvin.routers.user.get - 0.200 s - ['http_status:404', 'http_method:GET', 'time:wall']
2025-04-24 17:49:43 WARNING [226][231386985b] main.timing:91  kelvin_app.ucsschool.kelvin.routers.user.get - 0.055 s - ['http_status:404', 'http_method:GET', 'time:cpu']
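
One way to triage the log pattern quoted in the two comments above, added here as an example and not part of the bug report or of Univention's code: it groups Kelvin log lines per request and reports those where the "does not correspond to a Python class" warning ended in a 404. It assumes the second bracketed field is a per-request id; the function name, sample lines, DNs and addresses are constructed.

```python
import re

# Common prefix: timestamp, level, [pid][request id], then the message.
# The optional "module.func:lineno" field of newer logs stays inside the message.
LINE = re.compile(r"^(\S+ \S+)\s+(\w+)\s+\[(\d+)\]\[([0-9a-f]+)\]\s+(.*)$")
UNMAPPED = re.compile(r"UDM object '([^']+)' does not correspond to a Python class")
ACCESS = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

def find_unmapped_404s(lines):
    """Return one record per request that hit an unmapped UDM object and ended in 404."""
    requests = {}  # request id (assumed: second bracket) -> collected facts
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, _level, _pid, req_id, msg = m.groups()
        rec = requests.setdefault(req_id, {"request_id": req_id, "time": ts})
        if (u := UNMAPPED.search(msg)):
            rec["dn"] = u.group(1)
        elif (a := ACCESS.search(msg)):
            rec["method"], rec["path"] = a.group(1), a.group(2)
            rec["status"] = int(a.group(3))
    hits = []
    for rec in requests.values():
        # A 404 without the warning is an ordinary "user does not exist".
        if "dn" in rec and rec.get("status") == 404:
            # Flag accounts under cn=admins, the container named in the report.
            rec["admin_container"] = ",cn=admins,cn=users," in rec["dn"].lower()
            hits.append(rec)
    return hits

# Constructed sample lines in the two formats shown above (not real log data).
SAMPLE = """\
2025-01-01 10:00:00 WARNING [224][aaaa000001] UDM object 'uid=lic-admin,cn=admins,cn=users,ou=school1,dc=example,dc=org' does not correspond to a Python class in the UCS school lib.
2025-01-01 10:00:00 INFO  [224][aaaa000001] 192.0.2.10:45600 - "GET /ucsschool/kelvin/v1/users/lic-admin HTTP/1.1" 404
2025-01-01 10:00:05 INFO  [224][aaaa000002] h11_impl.send:473  192.0.2.10:45601 - "GET /ucsschool/kelvin/v1/users/nobody HTTP/1.1" 404
2025-01-01 10:00:09 WARNING [224][aaaa000003] base.from_udm_obj:1083  UDM object 'uid=plain-user,cn=users,ou=school1,dc=example,dc=org' does not correspond to a Python class in the UCS school lib.
2025-01-01 10:00:09 INFO  [224][aaaa000003] h11_impl.send:473  192.0.2.10:45602 - "GET /ucsschool/kelvin/v1/users/plain-user HTTP/1.1" 404
""".splitlines()

if __name__ == "__main__":
    for hit in find_unmapped_404s(SAMPLE):
        kind = "admin" if hit["admin_container"] else "other"
        print(hit["time"], hit["path"], hit["dn"], kind)
```
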
Comment 7 Daniela Grebe univentionstaff 2025-06-27 12:00:45 CEST
Changed this to bug from feature request for the following reasons:
* The ucsschoolAdministrator role already exists in UCS@school and is meant to be used like other roles.
* The Kelvin REST API is expected to provide full support for UCS@school roles, including creation, modification, and querying. The lack of support for ucsschoolAdministrator is an inconsistency within an existing system: a clear indication of a missing implementation in a critical component.
* Workarounds (e.g., adding unrelated object classes like ucsschoolTeacher) are needed to achieve functionality that should be natively supported.
Comment 9 Jürn Brodersen univentionstaff 2025-09-02 16:28:59 CEST
UCS@school Kelvin REST API 3.0.0 has been released.

https://docs.software-univention.de/ucsschool-kelvin-rest-api/changelog.html#v3-0-0-2025-09-02

If this error occurs again, please clone this bug.