Knowledge Partner
Knowledge Partner
642 views

RRSD throwing Java Null Pointer Exception on Role Revoke

I dropped in to hunting a problem where a user should have been removed from a downstream system, but was not. The setup is pretty straightforward, with a Null driver doing role grant / role revoke based on an HR attribute change. employeeStatus => Terminate, and it revokes the role. That seems to be working, I can see it doing so in the driver trace, in the UserApp log file, and in RRSD.

There is a Role with three Resources. When I looked at it first, the Role had been removed from the user, as had one of the resources, but the other two were still present. So, with the resource still there, the user doesn't get removed from the downstream system. That part makes sense.

We repeatedly activated / terminated the user (employeeStatus => Active. employeeStatus => Terminate) while testing. What we found was that the Role grant works fine. The Role revoke removes one of the three Resources, then dies with a NullPointerException.

There’s nothing obviously good in the driver trace, just the <status> and eventual ending of:


[05/24/18 11:34:42.132]:Role and Resource Service Driver ST:
DirXML Log Event -------------------
Driver: \TREE\org\services\IDM\IDV\Role and Resource Service Driver
Channel: Subscriber
Status: Error
Message: Unable to remove assigned role from identity
Role: o=org\OU=services\OU=IDM\CN=IDV\CN=UserApp\CN=AppConfig\CN=RoleConfig\CN=RoleDefs\CN=Level30\CN=ROLENAME
Identity: o=org\OU=users\CN=username
Reason: java.lang.NullPointerException
[05/24/18 11:34:42.144]:Role and Resource Service Driver ST:Processing operation <status> for .
[05/24/18 11:34:42.144]:Role and Resource Service Driver ST:
DirXML Log Event -------------------
Driver: \TREE\org\services\IDM\IDV\Role and Resource Service Driver
Channel: Subscriber
Status: Success
Message: Transitioned request status from 30 to 80
DN: o=org\OU=services\OU=IDM\CN=IDV\CN=UserApp\CN=AppConfig\CN=RoleConfig\CN=Requests\CN=20180524113724-322b6ddf23624121
[05/24/18 11:34:42.145]:Role and Resource Service Driver ST:End transaction.


Any good ideas on finding what it’s tripping over? RRSD is kinda opaque, doesn’t put much information out anywhere to work with. I’m already at trace level 10, I don’t think this one supports anything above 5, or at least it doesn’t seem to. Despite the message, it does remove the Role assignment from the User, it just leaves the Resources still assigned, so that it looks like the Role revoke didn’t work.

We removed all of the nrf* and DirXML-Entitlements* attributes from the user, re-activated them, saw the Role and Resource assigns work correctly, then terminated them yet again, and saw the Resource removes work fine, and the Role revoke went without error. That seems to indicate to me that the Role, Resource, and role-to-resource linkage objects are all ok, since we didn't change them. So maybe it's something specific to the affected user object that RRSD is tripping over.

I don't see anything in Bugzilla that looks like this. RRSD reports version="4.0.0.6304" in trace, system is IDM4.6. I see a couple of RRSD patches have been released, but the list of fixes don't sound anything like this one.

On the bright side (?), it looks like I have about 750 more users to test any theories or ideas with.
Labels (1)
0 Likes
2 Replies
Highlighted
Visitor.

Re: RRSD throwing Java Null Pointer Exception on Role Revoke

Just ran into this issue myself (or at least the same symptoms)
After a role revoke, some of the resources was still assigned and the rrsd trace reported a null pointer exception.
If I reassigned the role again and revoked, I would get the same error and remaining resource assigments consistently.

The culprit turned out to be a specific nrfResource attribute value on the user(s) that were missing <ent-ref> and <ent-dn>.
Manually adding that to the attribute value or deleting the attribute altogether fixed it.

I can now assign/revoke that role on those users without any errors or lingering nrfResources 🙂
0 Likes
Highlighted
Knowledge Partner
Knowledge Partner

Re: RRSD throwing Java Null Pointer Exception on Role Revoke

christerj;2492266 wrote:
Just ran into this issue myself (or at least the same symptoms)
After a role revoke, some of the resources was still assigned and the rrsd trace reported a null pointer exception.
If I reassigned the role again and revoked, I would get the same error and remaining resource assigments consistently.

The culprit turned out to be a specific nrfResource attribute value on the user(s) that were missing <ent-ref> and <ent-dn>.
Manually adding that to the attribute value or deleting the attribute altogether fixed it.

I can now assign/revoke that role on those users without any errors or lingering nrfResources 🙂


Hey, cool, thanks for following up on this. I'm no longer working with the client where I ran in to this, but if I run in to it again I'll know what to look for.

IMHO, that's a bug in the RRSD driver. It should gracefully handle this (best case) or at least pump out an error message to indicate what's wrong (ok case). Having it just randomly fail with a Java NPE with no reason given isn't helpful.
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.