July 12, 2017 at 11:06 am #18048
I have found a bug in openam ui.
1. Click: Realm -> Authorization -> Policies -> New policy
2. Enter a policy name with slash like “my/path” and description with the same text.
3. Enter url as any url pattern
4. Click [Save].
…And see nothing! I expected to see the created policy settings but see nothing. Yes, I see the page with menus etc. but instead of the settings form I see an empty grey canvas.
I cannot edit or delete this policy using the web UI. I can click the [X] button in the policy list and confirm deletion in the pop-up window but without any result.
July 12, 2017 at 11:32 am #18049
The same behaviour is present in 13.5. The workaround, don’t use a slash in a policy set, is obvious, but somewhat after the fact!
Andy
July 12, 2017 at 12:29 pm #18058
Can I remove these buggy policies another way? Using any CLI tool or an HTTP request?
July 12, 2017 at 2:32 pm #18059
There’s a bug (OPENAM-5151) that is showing as unresolved that looks similar, but refers to ‘\’ rather than ‘/’. The symptoms are the same, though.
You should be able to remove the policy set using the ssoadm cli tool, something like:
./ssoadm delete-appls \
--realm my realm \
--adminid amadmin \
--password-file /path/to/password.txt \
However, I’m getting
com.sun.identity.cli.CLIException: com.sun.identity.entitlement.EntitlementException: Permission denied
from this, for no reason I can determine. I’m getting the same on ‘normal’ policies too, so this may be an issue just for my system. Worth trying the ssoadm command yourself, let us know…
Andy
July 12, 2017 at 3:02 pm #18062
The same error:
[email protected]:~/build/sso-adm/openam/bin# ./ssoadm delete-appls --realm / --adminid amadmin --password-file /tmp/adm.txt --names "/odoutgoing/"
com.sun.identity.entitlement.EntitlementException: Permission denied.
July 12, 2017 at 3:24 pm #18066
I’ve not tried deleting policy sets with ssoadm before, maybe this is expected – but the ‘amadmin’ user should be able to do pretty much everything, I would have thought.
How brave are you feeling? And/or, how disposable is the server? You could delve into the internal configuration store using Apache Directory Studio and edit the policy set ID by hand to remove the slash. It should be referenced somewhere like this:
dn: ou=my/path,ou=registeredApplications,ou=default,ou=OrganizationConfig,ou=1.0,ou=sunEntitlementService,ou=services,ou=services,dc=amconfig,dc=example,dc=com
July 12, 2017 at 3:24 pm #18067
That didn’t format very well…
dn: ou=my/path,ou=registeredApplications,ou=default,ou=OrganizationConfig,ou=1.0,ou=sunEntitlementService,ou=services,ou=services,dc=amconfig,dc=example,dc=com
July 12, 2017 at 3:54 pm #18068
I surrender and roll back data from backup.
July 12, 2017 at 4:13 pm #18070
Good plan! I do wonder why the ssoadm delete of the policy set didn’t work for either of us though…