Bug: openam v13.0 / (slash) in the policy name.

This topic has 8 replies, 2 voices, and was last updated 4 years, 11 months ago by Andy Cory.

  • #18048
     skiller
    Participant

    Hi!
    I have found a bug in the OpenAM UI.
    1. Click: Realm -> Authorization -> Policies -> New policy
    2. Enter a policy name with a slash, like “my/path”, and a description with the same text.
    3. Enter any URL pattern as the URL.
    4. Click [Save].
    …And see nothing! I expected to see the created policy settings but see nothing. Yes, I see the page with menus etc. but instead of the settings form I see an empty grey canvas.

    I cannot edit or delete this policy using web ui. I can click [X] button in the policy list and confirm deletion in the pop-up window but without any result.

    #18049
     Andy Cory
    Participant

    The same behaviour is present in 13.5. The workaround, don’t use a slash in a policy set, is obvious, but somewhat after the fact!

    Andy

    #18058
     skiller
    Participant

    Can I remove these buggy policies another way? Using any CLI tool or an HTTP request?

    #18059
     Andy Cory
    Participant

    There’s a bug (OPENAM-5151) that is showing as unresolved that looks similar, but refers to ‘\’ rather than ‘/’. The symptoms are the same, though.

    You should be able to remove the policy set using the ssoadm cli tool, something like:

    ./ssoadm delete-appls \
    --realm "my realm" \
    --adminid amadmin \
    --password-file /path/to/password.txt \
    --names "my/path"

    However, I’m getting com.sun.identity.cli.CLIException: com.sun.identity.entitlement.EntitlementException: Permission denied from this, for no reason I can determine. I’m getting the same on ‘normal’ policies too, so this may be an issue just for my system. Worth trying the ssoadm command yourself, let us know…

    Andy

    #18062
     skiller
    Participant

    The same error:

    [email protected]:~/build/sso-adm/openam/bin# ./ssoadm delete-appls --realm / --adminid amadmin --password-file /tmp/adm.txt --names "/odoutgoing/"

    com.sun.identity.entitlement.EntitlementException: Permission denied.

    #18066
     Andy Cory
    Participant

    I’ve not tried deleting policy sets with ssoadm before, maybe this is expected – but the ‘amadmin’ user should be able to do pretty much everything, I would have thought.

    How brave are you feeling? And/or, how disposable is the server? You could delve into the internal configuration store using Apache Directory Studio and edit the policy set ID by hand to remove the slash. It should be referenced somewhere like this:

    dn: ou=my/path,ou=registeredApplications,ou=default,ou=OrganizationConfig,ou=1.0,ou=sunEntitlementService,ou=services,ou=services,dc=amconfig,dc=example,dc=com

    #18067
     Andy Cory
    Participant

    That didn’t format very well…

    dn: ou=my/path,ou=registeredApplications,ou=default,ou=OrganizationConfig,ou=1.0,ou=sunEntitlementService,ou=services,ou=services,dc=amconfig,dc=example,dc=com
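
An audit sketch for the DN layout quoted above, added here as an example and not part of the thread or of OpenAM: it scans an LDIF export of the configuration store for entries directly under ou=registeredApplications whose name contains `/` or `\`. The function names and the sample export are constructed for illustration, and DN hex escapes are decoded as ASCII only.

```python
import base64
import re

# Container and suffix taken from the DN quoted in the thread.
BASE = ("ou=registeredApplications,ou=default,ou=OrganizationConfig,ou=1.0,"
        "ou=sunEntitlementService,ou=services,ou=services,dc=amconfig,dc=example,dc=com")
RISKY = set("/\\")  # '/' from this thread, '\' from OPENAM-5151

def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return [rdn.strip() for rdn in re.findall(r"(?:\\.|[^,\\])+", dn)]

def unescape(value):
    """Undo DN escaping: \\XX hex pairs (ASCII only here) and \\<char>."""
    return re.sub(r"\\([0-9a-fA-F]{2}|.)",
                  lambda m: chr(int(m[1], 16)) if len(m[1]) == 2 else m[1], value)

def risky_policy_sets(ldif_text):
    """Return names of direct children of registeredApplications containing / or \\."""
    hits = []
    for line in re.sub(r"\n ", "", ldif_text).splitlines():  # unfold continuation lines
        if line.startswith("dn:: "):                          # base64-encoded DN
            dn = base64.b64decode(line[5:]).decode("utf-8")
        elif line.startswith("dn: "):
            dn = line[4:]
        else:
            continue
        rdns = split_dn(dn)
        if len(rdns) < 2 or rdns[1].lower() != "ou=registeredapplications":
            continue                                          # not a direct child
        name = unescape(rdns[0].partition("=")[2])
        if RISKY & set(name):
            hits.append(name)
    return hits

# Constructed sample export: plain, folded, escaped-backslash, base64 and nested DNs.
SAMPLE = "\n".join([
    "dn: ou=my/path," + BASE,
    "dn: ou=intranet-apps,ou=registeredApplications,",
    " ou=default,dc=example,dc=com",
    "dn: ou=win\\\\share," + BASE,
    "dn:: " + base64.b64encode(("ou=/odoutgoing/," + BASE).encode()).decode(),
    "dn: ou=somePolicy,ou=my/path," + BASE,   # child of a flagged entry, not reported itself
])

print(risky_policy_sets(SAMPLE))
```
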

    #18068
     skiller
    Participant

    I surrender and roll back data from backup.

    #18070
     Andy Cory
    Participant

    Good plan! I do wonder why the ssoadm delete of the policy set didn’t work for either of us though…


©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
