Zope PluggableAuthService

Portal Role Manager crashes with uninformative error message when duplicate users or groups exist

Reported by Patrick Coleman on 2009-03-26
Affects: Zope PAS
Importance: Undecided
Assigned to: Tres Seaver

Bug Description

Portal Role Manager (/Portal/acl_users/portal_role_manager) crashes with an AssertionError when multiple users or groups exist with the same name. For example, if an LDAP group exists called 'Administrators' and there is an internal Zope group called 'Administrators', the role manager will crash with the following exception:

Traceback (innermost last):
  Module ZPublisher.Publish, line 119, in publish
  Module ZPublisher.mapply, line 88, in mapply
  Module ZPublisher.Publish, line 42, in call_object
  Module Shared.DC.Scripts.Bindings, line 313, in __call__
  Module Shared.DC.Scripts.Bindings, line 350, in _bindAndExec
  Module Products.PageTemplates.PageTemplateFile, line 129, in _exec
  Module Products.Gloworm, line 28, in pt_render
  Module zope.pagetemplate.pagetemplate, line 117, in pt_render
  Module zope.tal.talinterpreter, line 271, in __call__
  Module zope.tal.talinterpreter, line 346, in interpret
  Module zope.tal.talinterpreter, line 536, in do_optTag_tal
  Module zope.tal.talinterpreter, line 521, in do_optTag
  Module zope.tal.talinterpreter, line 516, in no_tag
  Module zope.tal.talinterpreter, line 346, in interpret
  Module zope.tal.talinterpreter, line 855, in do_condition
  Module zope.tal.talinterpreter, line 346, in interpret
  Module zope.tal.talinterpreter, line 824, in do_loop_tal
  Module zope.tal.talinterpreter, line 346, in interpret
  Module zope.tal.talinterpreter, line 623, in do_insertText_tal
  Module Products.PageTemplates.Expressions, line 228, in evaluateText
  Module zope.tales.tales, line 696, in evaluate
   - URL: manage_roles
   - Line 53, Column 4
   - Expression: <PythonExpr ','.join( [x[1] for x in here.listAssignedPrincipals(info['id'])] )>
   - Names:
      {'container': <GroupAwareRoleManager at /intranet/acl_users/portal_role_manager>,
       'context': <GroupAwareRoleManager at /intranet/acl_users/portal_role_manager>,
       'default': <object object at 0xb7d33528>,
       'here': <GroupAwareRoleManager at /intranet/acl_users/portal_role_manager>,
       'loop': {'info': <Products.PageTemplates.Expressions.PathIterator object at 0xcee15ec>},
       'nothing': None,
       'options': {'args': ()},
       'repeat': <Products.PageTemplates.Expressions.SafeMapping object at 0xb92ee6c>,
       'request': <HTTPRequest, URL=http://ganymede-new:8080/intranet/acl_users/portal_role_manager/manage_roles>,
       'root': <Application at >,
       'template': <PageTemplateFile at /intranet/acl_users/portal_role_manager/manage_roles>,
       'user': <PropertiedUser 'siteadmin'>}
  Module Products.PageTemplates.ZRPythonExpr, line 49, in __call__
   - __traceback_info__: ','.join( [x[1] for x in here.listAssignedPrincipals(info['id'])] )
  Module PythonExpr, line 1, in <expression>
  Module Products.PluggableAuthService.plugins.ZODBRoleManager, line 282, in listAssignedPrincipals
AssertionError

The following error is also logged to the event log:

2009-03-26T11:52:51 ERROR PluggableAuthService searchPrincipals() returned more than one result for id=Administrators

I propose the attached patch to make this error message more informative, and reduce the time required to diagnose and resolve this problem. After applying the patch, if duplicate users or groups exist and someone accesses portal role manager, the following exception is thrown:

...
    * Module PythonExpr, line 1, in <expression>
    * Module Products.PluggableAuthService.plugins.ZODBRoleManager, line 284, in listAssignedPrincipals

MultiplePrincipalError: Multiple principals exist with the name 'Administrators'. Remove one of the duplicate groups or users.

The following message is logged to the event log:

2009-03-26T12:13:14 ERROR PluggableAuthService Multiple principals exist with the name 'Administrators'. Remove one of the duplicate groups or users.

Patrick Coleman (blinken) wrote :

Should also mention: the attached patch is against PluggableAuthService-1.6-py2.4.

The patch itself looks fine. Could you also add a test for
'listAssignedPrincipals' which asserts that the exception is raised in
the case of a duplicated principal?

Tres.
--
===================================================================
Tres Seaver +1 540-429-0999 <email address hidden>
Palladion Software "Excellence by Design" http://palladion.com

Patrick Coleman (blinken) wrote :

New patch attached. I'm not sure if putting the exception in ZODBRoleManager.py is the appropriate place - should it go somewhere more central?

As an aside, the ideal solution to this bug would be to make ZODBRoleManager deal with duplicate principals more gracefully - is this realistic or does too much of the code assume there is only one principal for a given id?

Cheers,

Patrick

Patrick Coleman wrote:

> New patch attached. I'm not sure if putting the exception in
> ZODBRoleManager.py is the appropriate place - should it go somewhere
> more central?

No, I don't think so. The role manager is responsible for mapping a
principal ID to a set of roles, which requires having no ambiguity.

> As an aside, the ideal solution to this bug would be to make
> ZODBRoleManager deal with duplicate principals more gracefully - is this
> realistic or does too much of the code assume there is only one
> principal for a given id?

Unique principal IDs (note that this is *not* the same as login names)
are absolutely central to the design of PAS: if you have a legitimate
need to have more than one plugin which might clash on role names, then
you need to give them (or all but one of them) prefixes.

Tres.
--
===================================================================
Tres Seaver +1 540-429-0999 <email address hidden>
Palladion Software "Excellence by Design" http://palladion.com

On Mon, Mar 30, 2009 at 9:20 PM, Tres Seaver <email address hidden> wrote:
> Unique principal IDs (note that this is *not* the same as login names)
> are absolutely central to the design of PAS:  if you have a legitimate
> need to have more than one plugin which might clash on role names, then
> you need to give them (or all but one of them) prefixes.

Right. That makes a lot more sense and is presumably what we should be
doing in our setup :)

-Patrick

Tres Seaver (tseaver) wrote :

Fix committed to the trunk for the 1.7.1 release.

Changed in zope-pas:
assignee: nobody → Tres Seaver (tseaver)
status: New → Fix Committed
Tres Seaver (tseaver) wrote :
Changed in zope-pas:
status: Fix Committed → Fix Released
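
The uniqueness requirement discussed in this thread, as an added example that is not part of the original report or of PluggableAuthService's code: a simplified Python model that audits for principal ids claimed by more than one plugin, names the ambiguous id instead of failing a bare assert, and shows a prefix removing the clash. The plugin names, the `prefixes` mapping and every function name here are assumptions made for illustration.

```python
# Added illustration: a simplified stand-in for PAS, not its real API.

class MultiplePrincipalError(Exception):
    """More than one source plugin answers for the same principal id."""

# Constructed sample data: plugin name -> principal ids it enumerates.
PLUGINS = {
    "ldap_groups": ["Administrators", "Staff"],
    "zodb_groups": ["Administrators", "Reviewers"],
}

def search_principals(plugins, principal_id, prefixes=None):
    """Return (plugin, id) pairs whose prefixed id equals principal_id."""
    prefixes = prefixes or {}
    return [(name, prefixes.get(name, "") + pid)
            for name, ids in sorted(plugins.items())
            for pid in ids
            if prefixes.get(name, "") + pid == principal_id]

def list_assigned_principals(plugins, assignments, role, prefixes=None):
    """Resolve each id assigned to role; refuse ambiguous ids by name."""
    resolved = []
    for principal_id in assignments.get(role, ()):
        hits = search_principals(plugins, principal_id, prefixes)
        if len(hits) > 1:
            sources = ", ".join(name for name, _ in hits)
            raise MultiplePrincipalError(
                "Multiple principals exist with the name %r (sources: %s)"
                % (principal_id, sources))
        if hits:  # ids that no plugin enumerates any more are skipped
            resolved.append(hits[0])
    return resolved

def find_clashes(plugins, prefixes=None):
    """Audit helper: ids enumerated by more than one plugin."""
    prefixes = prefixes or {}
    seen = {}
    for name, ids in plugins.items():
        for pid in ids:
            seen.setdefault(prefixes.get(name, "") + pid, []).append(name)
    return {pid: sorted(src) for pid, src in seen.items() if len(src) > 1}
```

Running `find_clashes` before granting roles surfaces the ambiguity at configuration time rather than when an administrator opens the role management page.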