Currently we get a 400 Bad Request if we try to add a user to a second school in the provisioning API. User auf Broker: ```shell root@dc0:~# udm users/user list --filter uid=test-stud1 | sort accountActivationDate: None birthday: None city: None country: None departmentNumber: test-school1 description: None disabled: 0 displayName: Stud 1 DN: uid=test-stud1,cn=schueler,cn=users,ou=test-school1,dc=realm4,dc=intranet employeeNumber: None employeeType: None firstname: Stud gecos: Stud 1 gidNumber: 5113 groups: cn=Domain Users test-school1,cn=groups,ou=test-school1,dc=realm4,dc=intranet groups: cn=schueler-test-school1,cn=groups,ou=test-school1,dc=realm4,dc=intranet homedrive: None homeShare: None homeSharePath: None idBrokerPseudonym0001: None [...] initials: None jpegPhoto: None lastbind: None lastname: 1 locked: 0 lockedTime: 0 mailForwardCopyToSelf: 0 mailHomeServer: None mailPrimaryAddress: None organisation: None overridePWHistory: None overridePWLength: None password: {crypt}$6$mK/rKP3NFNUk9YZM$LtCJYzByksPXfQ.1.UJvLs.3KX8tOvFcx4kws2LscwJkJrYtWjqCGfCTgtIc5sFOpY3kUiiLYTZyhez915/e1/ passwordexpiry: None physicalDeliveryOfficeName: None postcode: None preferredDeliveryMethod: None preferredLanguage: None primaryGroup: cn=Domain Users test-school1,cn=groups,ou=test-school1,dc=realm4,dc=intranet profilepath: %LOGONSERVER%\%USERNAME%\windows-profiles\default pwdChangeNextLogin: None sambahome: \\dc-3632233996\test-stud1 sambaLogonHours: None sambaRID: 5038 school: test-school1 scriptpath: None shell: /bin/bash street: None title: None ucsschoolPurgeTimestamp: None ucsschoolRecordUID: stud1 ucsschoolRole: student:school:test-school1 ucsschoolSourceUID: test uidNumber: 2019 uid=test-stud1 unixhome: /home/test-school1/schueler/test-stud1 unlock: None unlockTime: None userexpiry: None username: test-stud1 ``` PUT request ```shell curl -X 'PUT' \ 'http://10.200.6.140/ucsschool/apis/provisioning/v1/test/users/stud1' \ -H 'accept: application/json' \ -H 'Authorization: Bearer TOKEN' \ -H 'Content-Type: application/json' \ -d '{ "id": "stud1", "first_name": "Stud", "last_name": "1", "user_name": "stud1", "context": { "school1": { "classes": ["1a"], "roles": ["student"] }, "school2": { "classes": [ "1a" ], "roles": [ "student" ] } } }' ``` UCS@school APIs log ```shell 2022-02-23 11:12:54 DEBUG session.request:182 PUT 'https://dc0.realm4.intranet/ucsschool/kelvin/v1/users/test-stud1' (**{'json': {'name': 'test-stud1', 'ucsschool_roles': ['student:school:test-school1'], 'udm_properties': {'idBrokerPseudonym0001': None, 'idBrokerPseudonym0002': None, 'idBrokerPseudonym0003': None, 'idBrokerPseudonym0004': None, 'idBrokerPseudonym0005': None, 'idBrokerPseudonym0006': None, 'idBrokerPseudonym0007': None, 'idBrokerPseudonym0008': None, 'idBrokerPseudonym0009': None, 'idBrokerPseudonym0010': None, 'idBrokerPseudonym0011': None, 'idBrokerPseudonym0012': None, 'idBrokerPseudonym0013': None, 'idBrokerPseudonym0014': None, 'idBrokerPseudonym0015': None, 'idBrokerPseudonym0016': None, 'idBrokerPseudonym0017': None, 'idBrokerPseudonym0018': None, 'idBrokerPseudonym0019': None, 'idBrokerPseudonym0020': None, 'idBrokerPseudonym0021': None, 'idBrokerPseudonym0022': None, 'idBrokerPseudonym0023': None, 'idBrokerPseudonym0024': None, 'idBrokerPseudonym0025': None, 'idBrokerPseudonym0026': None, 'idBrokerPseudonym0027': None, 'idBrokerPseudonym0028': None, 'idBrokerPseudonym0029': None, 'idBrokerPseudonym0030': None}, 'school': 'https://dc0.realm4.intranet/ucsschool/kelvin/v1/schools/test-school1', 'firstname': 'Stud', 'lastname': '1', 'birthday': None, 'disabled': False, 'email': None, 'expiration_date': None, 'password': None, 'record_uid': 'stud1', 'roles': ['https://dc0.realm4.intranet/ucsschool/kelvin/v1/roles/student'], 'schools': ['https://dc0.realm4.intranet/ucsschool/kelvin/v1/schools/test-school1', 'https://dc0.realm4.intranet/ucsschool/kelvin/v1/schools/test-school2'], 'school_classes': {'test-school1': ['1a'], 'test-school2': ['1a']}, 'source_uid': 'test'}, 'timeout': 240, 'headers': {'accept': 'application/json', 'Authorization': 'Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOnsidXNlcm5hbWUiOiJ1Y3NzYy0wMjUyMTg1MiQiLCJrZWx2aW5fYWRtaW4iOnRydWUsInNjaG9vbHMiOltdLCJyb2xlcyI6WyJtZW1iZXJzZXJ2ZXI6c2Nob29sOi0iXX0sImV4cCI6MTY0NTYxNDU5NH0._nBTBGB8eyZNFxqF4e5cdD80jzxm3h_UZFspChWH5AI', 'Content-Type': 'application/json'}}) -> 400 'Bad Request' ({'school_classes': ["School 'test-school2' in 'school_classes' is missing in the users 'school(s)' attributes."]}) 2022-02-23 11:12:54 INFO h11_impl.send:429 172.17.42.1:54546 - "PUT /ucsschool/apis/provisioning/v1/test/users/stud1 HTTP/1.1" 400 ```
Fix in https://git.knut.univention.de/univention/ucsschool/-/commits/jkeiser/54481_kelvin_multiple_schools Changes: It is now possible to modify multiple schools via PUT and PATCH You could already create a user with multiple schools via POST (but not modify the schools) Not providing 'school' to a PUT request was not possible even when 'schools' was provided. You would always get "New 'school' None not in current or future 'schools'." This is now fixed When only providing 'school' to PUT, 'schools' would be set to [school] automatically. PATCH now has the same behaviour to prevent unintuitive edge cases with 3+ shools. (See comment in "partial_update") I had problems with the pre-commit hooks, so the black formatting has to still be done
Please review my comments in https://git.knut.univention.de/univention/ucsschool/-/commit/f82456a40de3170447113cb417488903e9f2d1dd
The fix was done in the Kelvin REST API - not the Provisioning API, as that was where the problem lay. This bug may also be the reason for bug #54411. That still has to be verified. A Test for Kelvin was fixed in ucs-test-ucsschool version 7.3.36 ("ucsschool" git repository): [5.0] 116038bc3 Bug #54547: fix Kelvin test It was the only test that failed in the last Jenkins run. I have started a new one: https://univention-dist-jenkins.k8s.knut.univention.de/job/UCSschool-5.0/job/kelvin%20API/7/ I have QAed positively Johannes commits for code review, manual and automatic tests: [jkeiser/54481_kelvin_multiple_schools] f82456a40 Bug #54481: allow modifying multiple schools [jkeiser/54481_kelvin_multiple_schools] 837dd21c7 Bug #54481: changelog My comments from comment#2 have been integrated in my commits: [jkeiser/54481_kelvin_multiple_schools] bb5a9a6c2 Bug #54481: fix build instructions [jkeiser/54481_kelvin_multiple_schools] 658b0b9da Bug #54481: small improvements The tests did also fail, because changes for bug #54575 had introduced an error such that the init scripts "stop" method did not work anymore. Thus "restart" didn't work and the tests that rely on changing the configuration failed. This was fixed in: [jkeiser/54481_kelvin_multiple_schools] a6349e80a Bug #54481: fix init script The Docker image has been built and pushed to the test appcenter, alongside the other appcenter files (settings, README, ...). Someone else take over the QA role for my commits.
The test seems very flaky -> of this doesn't change, please open a new bug as this is another issue. The code was merged + build again (from feature/kelvin) 1.5.4: digest: sha256:8fa625a024164e73a47459dea3b00d8c017445bab52634418fb2f5ce718bddb5 size: 3460
There is still one use case that is failing. New test that fails in https://git.knut.univention.de/univention/ucsschool/-/tree/jkeiser/bug54481
The fix for the remaining issue was done in the context of Bug 54690.
With the fixed Kelvin REST API in version 1.5.4 adding and removing additional OUs works now.
The Kelvin REST API version 1.5.4 has been released. https://appcenter.software-univention.de/univention-repository/4.4/maintained/component/ucsschool-kelvin-rest-api_20220322152801/README_UPDATE_DE If this error occurs again, please clone this bug.
*** Bug 54513 has been marked as a duplicate of this bug. ***