0
Fixed

Potential race condition in Identity Broker processing.

Shane Day (Chief Technology Officer) 8 years ago • updated by anonymous 3 years ago 8

There is a race condition in Identity Broker that can be exhibited by the following:

  • Begin a full import against a connected source.
  • While full import is occurring, export a new item from the Identity Management platform.
  • The full import finishes.
  • The change detection takes place and completes.

For some connectors, any export of a new item before the full import finishes will mean that item is not reported in the full import list. This will result in the item being deleted.

For all connectors, if the export of a new item occurs during the change detection phase, it may result in the item being deleted as the item is in the entity repository but not in the list of reported items from the connected source.

For most level 1 compliant connected sources, this will self correct over time, but there may be a window in which the item is in limbo. For level 0 compliant connectors, this will invariably end up with the item being lost, even though it may exist in the connected source.

Affected Versions:
Fixed by Version:

Although FINANCE-47 will be completed before this, there will still be a window of opportunity for the RACE condition. Any solution at the Identity Broker level must remove this window of opportunity completed.

Start by discussing options with Shane. Possibilities include:

  1. Putting a mutex on the adapter and not starting the export until the connector operation has been completed
  2. Queue the export until the connector operation has been completed
  3. Stopping the full import to complete the export.

Option 1 is preferred, but it may not be suitable to block an export for potentially hours while an import completes.

Once a suitable resolution has been determined, please add this to the regression test document at INTIDB:Regression Test Document

Matthew, the window for this to occur is quite small and I'm not sure how it would be tested for in a regression test.

Any suggestions?

Would this not be suitable?

  • Begin a full import against a connected source.
  • While full import is occurring, export a new item from the Identity Management platform.
  • The full import finishes.
  • The change detection takes place and completes.

I imagine if the import takes longer than 30 seconds you would have enough of a window to do this.

I can't see where it is stipulated that the connected source must contain a certain number of entities. Is this something that must be considered?

This condition has been unit tested. It's your call whether it should be included in the regression test plan.

Thanks.

Ran into this unit test yesterday - it should suitably cover this issue without the need for additional testing. Issue closed.