  1. OpenAM
  2. OPENAM-7466

Get CTS total tokens using SNMP monitoring fails


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 12.0.2
    • Fix Version/s: None
    • Component/s: monitoring

      Description

      Getting total number of OAuth2 tokens using SNMP (https://backstage.forgerock.com/#!/docs/openam/12.0.0/reference#cts-token-totals), while generating load to create new tokens (i.e. oauth2/access_token).
      It first succeeds, but we quickly get:

      # snmpget -t 1 -c public -v 2c :8085 enterprises.36733.1.2.3.5.1.1.3
      Error in packet
      Reason: (genError) A general failure occured
      Failed object: SNMPv2-SMI::enterprises.36733.1.2.3.5.1.1.3
      

      From session debug log:

      amCoreTokenService:11/17/2015 02:43:29:003 PM CET: Thread[CTSWorkerPool-16,5,main]
      ERROR: CTS Async: Task Processor Error: processing task
      org.forgerock.openam.cts.exceptions.QueryFailedException:
      CTS: Failed to complete query:
            DN: dc=com
          Conn: PooledConnection(AuthenticatedConnection(HeartBeatConnection(LDAPConnection(/172.16.204.139:17626,brie.internal.forgerock.com/172.16.204.139:1390))))
        Filter: (&(objectClass=frCoreToken)(&(coreTokenType=OAUTH)))
      	at org.forgerock.openam.cts.impl.query.LDAPSearchHandler.performSearch(LDAPSearchHandler.java:69)
      	at org.forgerock.openam.cts.impl.query.QueryBuilder.executeRawResults(QueryBuilder.java:250)
      	at org.forgerock.openam.cts.impl.query.QueryBuilder.executeAttributeQuery(QueryBuilder.java:217)
      	at org.forgerock.openam.cts.impl.task.PartialQueryTask.execute(PartialQueryTask.java:74)
      	at org.forgerock.openam.cts.impl.queue.TaskProcessor.run(TaskProcessor.java:106)
      	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: org.forgerock.opendj.ldap.AuthorizationException: Insufficient Access Rights: You do not have sufficient privileges to perform an unindexed search
      	at org.forgerock.opendj.ldap.ErrorResultException.newErrorResult(ErrorResultException.java:203)
      	at com.forgerock.opendj.ldap.AbstractLDAPFutureResultImpl.setResultOrError(AbstractLDAPFutureResultImpl.java:138)
      	at com.forgerock.opendj.ldap.LDAPClientFilter$1.searchResult(LDAPClientFilter.java:346)
      	at com.forgerock.opendj.ldap.LDAPClientFilter$1.searchResult(LDAPClientFilter.java:79)
      	at com.forgerock.opendj.ldap.LDAPReader.decodeSearchResult(LDAPReader.java:1339)
      	at com.forgerock.opendj.ldap.LDAPReader.decodeProtocolOp(LDAPReader.java:1137)
      	at com.forgerock.opendj.ldap.LDAPReader.decode(LDAPReader.java:166)
      	at com.forgerock.opendj.ldap.LDAPClientFilter.handleRead(LDAPClientFilter.java:499)
      	at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
      	at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:291)
      	at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:209)
      	at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:137)
      	at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:115)
      	at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
      	at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:550)
      	at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
      	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117)
      	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56)
      	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137)
      	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:565)
      	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:545)
      	... 1 more
      

      Indeed, the CTS is configured (following doc recommendation) to bind as a non-rootdn user, which has no unindexed-search privilege.

      As soon as there are more than 4000 tokens (default entry-limit), values frCoreToken and OAUTH are no longer indexed.

      Granting the unindexed-search privilege cannot be a solution here, since these kinds of searches could have a huge impact when CTS contain millions of tokens.
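
      The threshold behaviour described above, as an added example that is not part of the original report and is not OpenDJ or OpenAM code: a simplified model of an equality index with a per-key entry limit and of the privilege check on unindexed searches. The class and function names (EqualityIndex, count_tokens, simulate) are hypothetical; the filter terms and the limit of 4000 come from the report.

```python
# Simplified model (added example, not OpenDJ or OpenAM code) of an equality
# index with a per-key entry limit and the access check on unindexed searches.
from collections import defaultdict

ENTRY_LIMIT = 4000            # default entry limit quoted in the issue
INSUFFICIENT_ACCESS = 50      # LDAP result code insufficientAccessRights

class EqualityIndex:
    """Maps attribute value -> set of entry IDs, until a key passes the limit."""
    def __init__(self, limit=ENTRY_LIMIT):
        self.limit = limit
        self.keys = defaultdict(set)
        self.over_limit = set()   # keys whose ID list is no longer maintained

    def add(self, value, entry_id):
        if value in self.over_limit:
            return
        self.keys[value].add(entry_id)
        if len(self.keys[value]) > self.limit:
            del self.keys[value]          # ID list dropped for this key
            self.over_limit.add(value)

    def candidates(self, value):
        """Return a set of entry IDs, or None when the key is not indexed."""
        if value in self.over_limit:
            return None
        return self.keys.get(value, set())

def count_tokens(indexes, and_filter, has_unindexed_search):
    """Evaluate an AND of equality terms, like the CTS filter in the log."""
    sets = [indexes[attr].candidates(val) for attr, val in and_filter]
    usable = [s for s in sets if s is not None]
    if not usable:                        # no term narrows the search: unindexed
        if not has_unindexed_search:
            return INSUFFICIENT_ACCESS, None
        return 0, "full scan"             # allowed, but cost grows with token count
    return 0, len(set.intersection(*usable))

def simulate(token_count, has_unindexed_search=False):
    indexes = {"objectClass": EqualityIndex(), "coreTokenType": EqualityIndex()}
    for entry_id in range(token_count):   # constructed tokens, all of type OAUTH
        indexes["objectClass"].add("frCoreToken", entry_id)
        indexes["coreTokenType"].add("OAUTH", entry_id)
    cts_filter = [("objectClass", "frCoreToken"), ("coreTokenType", "OAUTH")]
    return count_tokens(indexes, cts_filter, has_unindexed_search)
```

      With 4000 tokens the count is served from the index; the 4001st token pushes both filter terms over the limit, after which the unprivileged bind is refused and a privileged one falls back to scanning every entry.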

              People

              • Assignee:
                Unassigned
                Reporter:
                sberthol Sebastien Bertholet [X] (Inactive)
              • Votes:
                1
                Watchers:
                5