Uploaded image for project: 'Crowd Data Center'
  1. Crowd Data Center
  2. CWD-3143

CrowdService API returns shadowed users depending on the shape of the query parameters

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Medium Medium
    • 2.6.2
    • 2.5.3, 2.4.8, 2.6.1
    • Backend / Domain Model
    • None

      We need to ensure that search calls to the CrowdService never return shadowed users. This change will require us to write several unit tests to verify the intended behaviour.

            [CWD-3143] CrowdService API returns shadowed users depending on the shape of the query parameters

            Eric Dalgliesh added a comment -

            Awesome, thanks for backporting this, Joe!

            Eric Dalgliesh added a comment - Awesome, thanks for backporting this, Joe!

            Oswaldo Hernandez (Inactive) added a comment -

            Good progress on this fix today, attended the comments raised in the code review and added a couple of performance optimisations that were suggested from it. Also added the HostApplicationControl toggle so that products can control whether to apply this fix or not.

            The interface has been defined in the embedded crowd SPI. Waiting for final feedback on code review before merging to crowd master.

            Oswaldo Hernandez (Inactive) added a comment - Good progress on this fix today, attended the comments raised in the code review and added a couple of performance optimisations that were suggested from it. Also added the HostApplicationControl toggle so that products can control whether to apply this fix or not. The interface has been defined in the embedded crowd SPI. Waiting for final feedback on code review before merging to crowd master.

            Mark Lassau (Inactive) added a comment -

            My understanding is that this fixing the bug where "find users in group X" can include shadowed users.
            This has always been a known problem in Crowd and one that they were unwilling to fix because of the massive performance impact of fixing it.

            JIRA can get away with this, because we cache all users in memory, but for other apps this would mean very chatty behaviour with the DB or even with the remote LDAP server in Crowd's case.

            I spoke with dberrueta about this, and we agree that this should work in the old way by default but allow applications to opt in to the fix.
            He suggests the best place to do this would be as an Application setting (application attribute).
            Perhaps another possibility would be to introduce a new SPI that lets the Host Application declare customised behaviour.
            (This is something I have done on an unrelated change that has not actually been committed yet. My interface is called HostApplicationControl)

            Mark Lassau (Inactive) added a comment - My understanding is that this fixing the bug where "find users in group X" can include shadowed users. This has always been a known problem in Crowd and one that they were unwilling to fix because of the massive performance impact of fixing it. JIRA can get away with this, because we cache all users in memory, but for other apps this would mean very chatty behaviour with the DB or even with the remote LDAP server in Crowd's case. I spoke with dberrueta about this, and we agree that this should work in the old way by default but allow applications to opt in to the fix. He suggests the best place to do this would be as an Application setting (application attribute). Perhaps another possibility would be to introduce a new SPI that lets the Host Application declare customised behaviour. (This is something I have done on an unrelated change that has not actually been committed yet. My interface is called HostApplicationControl)

            Eric Dalgliesh added a comment -

            Nice work ohernandez@atlassian.com

            Eric Dalgliesh added a comment - Nice work ohernandez@atlassian.com

            Oswaldo Hernandez (Inactive) added a comment -

            Good progress on this fix today, I have managed to code a failing unit test for exactly this scenario which I have pushed to the issue branch and has been reviewed by dberrueta. I have a potential fix for the issue in my box, that I have already discussed with dberrueta.

            Tomorrow, I will build a 2.6-SNAPSHOT and test JIRA Master against it to confirm that it fixes the symptoms described in JRA-30079. If all of that goes well I will push the fix to the issue branch and create the crucible review pre-merge to crowd master.

            Oswaldo Hernandez (Inactive) added a comment - Good progress on this fix today, I have managed to code a failing unit test for exactly this scenario which I have pushed to the issue branch and has been reviewed by dberrueta . I have a potential fix for the issue in my box, that I have already discussed with dberrueta . Tomorrow, I will build a 2.6-SNAPSHOT and test JIRA Master against it to confirm that it fixes the symptoms described in JRA-30079 . If all of that goes well I will push the fix to the issue branch and create the crucible review pre-merge to crowd master.

            Oswaldo Hernandez (Inactive) added a comment -

            Intended behaviour described at https://confluence.atlassian.com/display/JIRA/Managing+Multiple+Directories

            Oswaldo Hernandez (Inactive) added a comment - Intended behaviour described at https://confluence.atlassian.com/display/JIRA/Managing+Multiple+Directories

            Oswaldo Hernandez (Inactive) added a comment -

            CC dberrueta

            Oswaldo Hernandez (Inactive) added a comment - CC dberrueta

              ohernandez@atlassian.com Oswaldo Hernandez (Inactive)
              ohernandez@atlassian.com Oswaldo Hernandez (Inactive)
              Affected customers:
              0 This affects my team
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: