Univention Bugzilla – Bug 54258
Kelvin API not working after removing a school server
Last modified: 2021-12-20 11:05:02 CET
After removing a school server the kelvin api is not working anymore. This traceback is shown, because the ou is still present but without an educational server. Unfortunately the educational server could not be added again. The ou needs to be removed and added with the server again. 2021-12-17 12:41:41 INFO 172.17.42.1:54254 - "GET /ucsschool/kelvin/v1/schools/?name=%2A HTTP/1.1" 401 2021-12-17 12:42:29 INFO 172.17.42.1:54264 - "GET /ucsschool/kelvin/v1/schools/%2A HTTP/1.1" 401 2021-12-17 12:42:49 INFO 172.17.42.1:54272 - "POST /ucsschool/kelvin/token HTTP/1.1" 200 2021-12-17 12:43:02 INFO 172.17.42.1:54276 - "GET /ucsschool/kelvin/v1/schools/?name=%2A HTTP/1.1" 500 2021-12-17 12:43:03 ERROR Exception in ASGI application Traceback (most recent call last): File "/usr/lib/python3.8/site-packages/uvicorn/protocols/http/h11_impl.py", line 373, in run_asgi result = await app(self.scope, self.receive, self.send) File "/usr/lib/python3.8/site-packages/uvicorn/middleware/proxy_headers.py", line 75, in __call__ return await self.app(scope, receive, send) File "/usr/lib/python3.8/site-packages/fastapi/applications.py", line 199, in __call__ await super().__call__(scope, receive, send) File "/usr/lib/python3.8/site-packages/starlette/applications.py", line 111, in __call__ await self.middleware_stack(scope, receive, send) File "/usr/lib/python3.8/site-packages/starlette/middleware/errors.py", line 181, in __call__ raise exc from None File "/usr/lib/python3.8/site-packages/starlette/middleware/errors.py", line 159, in __call__ await self.app(scope, receive, _send) File "/usr/lib/python3.8/site-packages/starlette/exceptions.py", line 82, in __call__ raise exc from None File "/usr/lib/python3.8/site-packages/starlette/exceptions.py", line 71, in __call__ await self.app(scope, receive, sender) File "/usr/lib/python3.8/site-packages/starlette/routing.py", line 566, in __call__ await route.handle(scope, receive, send) File "/usr/lib/python3.8/site-packages/starlette/routing.py", line 227, in handle await self.app(scope, receive, send) File "/usr/lib/python3.8/site-packages/starlette/routing.py", line 41, in app response = await func(request) File "/usr/lib/python3.8/site-packages/fastapi/routing.py", line 201, in app raw_response = await run_endpoint_function( File "/usr/lib/python3.8/site-packages/fastapi/routing.py", line 148, in run_endpoint_function return await dependant.call(**values) File "/kelvin/kelvin-api/ucsschool/kelvin/routers/school.py", line 233, in search return [await SchoolModel.from_lib_model(school, request, udm) for school in schools] File "/kelvin/kelvin-api/ucsschool/kelvin/routers/school.py", line 233, in <listcomp> return [await SchoolModel.from_lib_model(school, request, udm) for school in schools] File "/kelvin/kelvin-api/ucsschool/kelvin/routers/base.py", line 167, in from_lib_model kwargs = await cls._from_lib_model_kwargs(obj, request, udm) File "/kelvin/kelvin-api/ucsschool/kelvin/routers/school.py", line 91, in _from_lib_model_kwargs kwargs["class_share_file_server"] = await cls.computer_dn2name(udm, obj.class_share_file_server) File "/kelvin/kelvin-api/ucsschool/kelvin/routers/school.py", line 103, in computer_dn2name obj = await udm.obj_by_dn(dn) File "/usr/lib/python3.8/site-packages/udm_rest_client/udm.py", line 185, in obj_by_dn object_type = await self.session.get_object_type(dn) File "/usr/lib/python3.8/site-packages/udm_rest_client/base_http.py", line 330, in get_object_type body = await self.get_json(url, allow_redirects=True) File "/usr/lib/python3.8/site-packages/udm_rest_client/base_http.py", line 316, in get_json raise NoObject( udm_rest_client.exceptions.NoObject: UDM REST API returned status 404, reason 'Not Found' for URL 'https://dc01.schein.qa/univention/udm/object/cn=slave-03,cn=dc,cn=computers,dc=schein,dc=qa'. 2021-12-17 12:43:13 INFO 172.17.42.1:54300 - "GET /ucsschool/kelvin/v1/schools/%2A HTTP/1.1" 404 Easy to reproduce. Add an ou with a server and remove the server via udm or UMC computers. Then use swagger → schools → get /ucschool/kelvin/v1/school/search curl -X 'GET' \ 'https://dc01.schein.qa/ucsschool/kelvin/v1/schools/?name=%2A' \ -H 'accept: application/json' \ -H 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOnsidXNlcm5hbWUiOiJBZG1pbmlzdHJhdG9yIiwia2VsdmluX2FkbWluIjp0cnVlLCJzY2hvb2xzIjpbXSwicm9sZXMiOltdfSwiZXhwIjoxNjM5NzQ0OTY5fQ.4880GTAoVqLTDw3lCeYpIH8dNgLVzy-J1rO8Q0L2SPQ' The impact is, that no new data from the id-connector can be received
Addition: The customer tries to rejoin the school server, but is now not in the right position below the OU. Is there any other way than deleting the OU?
The school server *must not* be remove from the OU. If the customer uses the schools-UMC-modules and tries it, it will deny the action with the message: -------------------------------------------------------------------------------- Server for class shares: An empty value is not allowed. Server for Windows home directories: An empty value is not allowed. -------------------------------------------------------------------------------- It is also not possible to create an OU without an educational school server. Manually tinkering with UCS@school objects will result in inconsistent LDAP data and operational problems like the above.
> Addition: The customer tries to rejoin the school server, but is now not in the right position below the OU. > > Is there any other way than deleting the OU? Safest would be to delete it and recreate it. But you can try: 1. Create the computer object. If possible immediately in the correct place: cn=dc,cn=server,cn=computers,$OU,$LDAPBASE. If not, move it there afterwards. 3. Make sure the computer objects DN is exactly like the old one. 3. Make sure the computer object is intact (objectClass=ucsschoolServer, ucsschoolRole, etc... compare with other school server), fix manually. 4. Then the OU-object may have to be fixed. Take a look at other OU objects with "udm container/ou list": * ucsschoolClassShareFileServer=cn=$HOSTNAME,cn=dc,cn=server,cn=computers,ou=$OU,$LDAPBASE * ucsschoolHomeShareFileServer=cn=$HOSTNAME,cn=dc,cn=server,cn=computers,ou=$OU,$LDAPBASE It is possible, that the properties are still set like this, even when the computer was deleted. The DN should then be correct now. 4. Rejoin the server. No guarantees...
(In reply to Daniel Tröder from comment #2) > The school server *must not* be remove from the OU. > > If the customer uses the schools-UMC-modules and tries it, it will deny the > action with the message: > > ----------------------------------------------------------------------------- > --- > Server for class shares: An empty value is not allowed. Server for Windows > home directories: An empty value is not allowed. > ----------------------------------------------------------------------------- > --- > > It is also not possible to create an OU without an educational school server. > > Manually tinkering with UCS@school objects will result in inconsistent LDAP > data and operational problems like the above. You always have the possibility to remove a server in UMC computers. Maybe there could be a hint like, "this is a school server and *must not* be deleted".
(In reply to Christina Scheinig from comment #4) > You always have the possibility to remove a server in UMC computers. Maybe > there could be a hint like, "this is a school server and *must not* be > deleted". Hm... we cannot change other UMC modules like that... maybe with a UDM hook... but that could prevent a desired deletion of the OU... not easy, but I also think some kind of warning for the user would be good.