Conflict When OIA Membership Rule And Import Threads Are Running At The Same Time (Doc ID 1677042.1)

Last updated on NOVEMBER 09, 2016

Applies to:

Oracle Identity Analytics - Version 11.1.1.5.1 to 11.1.1.5.7 [Release 11gR2]
Information in this document applies to any platform.

Symptoms

When executing "Import Users, Accounts, User Role Memberships and Entitlements"  job at OIA, the following error occurs:

10:03:22,358 DEBUG [DBIAMSolution] Adding the following Users [21669] to group 11008_Group
10:03:22,427 ERROR [DBRoleGrantsImporterHelperImpl] Error Importing RoleGrants Records from Staging Tables
org.springframework.jdbc.UncategorizedSQLException: SqlMapClient operation; uncategorized SQLException for SQL []; SQL state [null]; error code [0]; Error: executeQueryForObject returned too many results.; nested exception is java.sql.SQLException: Error: executeQueryForObject returned too many results.
at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:83)
at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:80)
at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:80)
at org.springframework.orm.ibatis.SqlMapClientTemplate.execute(SqlMapClientTemplate.java:212)
at org.springframework.orm.ibatis.SqlMapClientTemplate.queryForObject(SqlMapClientTemplate.java:271)
at com.vaau.rbacx.dao.ibatis.SqlMapGlobalUserRoleDao.getGlobalUserRoleAssociation(SqlMapGlobalUserRoleDao.java:128)
at sun.reflect.GeneratedMethodAccessor6732.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:198)
at $Proxy64.getGlobalUserRoleAssociation(Unknown Source)
at sun.reflect.GeneratedMethodAccessor6732.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:198)
at $Proxy65.getGlobalUserRoleAssociation(Unknown Source)
at sun.reflect.GeneratedMethodAccessor6732.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:198)
at $Proxy66.getGlobalUserRoleAssociation(Unknown Source)
at com.vaau.rbacx.idw.manager.RoleManagerImpl.getGlobalUserRoleAssociation(RoleManagerImpl.java:3668)
at sun.reflect.GeneratedMethodAccessor6733.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:198)
at $Proxy91.getGlobalUserRoleAssociation(Unknown Source)
at com.vaau.rbacx.core.support.RbacxDataImporterImpl.importRoleUserMembership(RbacxDataImporterImpl.java:4306)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy127.importRoleUserMembership(Unknown Source)
at com.vaau.rbacx.iam.db.helpers.worker.rolegrants.DBRoleGrantsImporterHelperImpl.importRoleGrants(DBRoleGrantsImporterHelperImpl.java:86)
at com.vaau.rbacx.iam.db.helpers.worker.rolegrants.ConcurrentRoleGrantsImporter.run(ConcurrentRoleGrantsImporter.java:47)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.sql.SQLException: Error: executeQueryForObject returned too many results.
at com.ibatis.sqlmap.engine.mapping.statement.MappedStatement.executeQueryForObject(MappedStatement.java:124)
at com.ibatis.sqlmap.engine.impl.SqlMapExecutorDelegate.queryForObject(SqlMapExecutorDelegate.java:529)
at com.ibatis.sqlmap.engine.impl.SqlMapExecutorDelegate.queryForObject(SqlMapExecutorDelegate.java:504)
at com.ibatis.sqlmap.engine.impl.SqlMapSessionImpl.queryForObject(SqlMapSessionImpl.java:106)
at org.springframework.orm.ibatis.SqlMapClientTemplate$1.doInSqlMapClient(SqlMapClientTemplate.java:273)
at org.springframework.orm.ibatis.SqlMapClientTemplate.execute(SqlMapClientTemplate.java:209)
... 44 more
10:03:22,427 ERROR [ConcurrentRoleGrantsImporter] Problem importing RoleGrants
10:03:22,466 DEBUG [ConcurrentMultithreadedIamDbRoleGrantsImporter] RoleGrants Import thread is done, removing from pool.

 

To replicate the issue:

1) Configure OIM/OIA preferred integration method.

2) Load 5000-7000 users in OIM. (We use Trusted Resource Recon and Target Resource Recon to LDAP to bring in users).

3) Create 4 groups in OIM.

4) Run all import jos in order as documented.

5) Use oimbulkload to grant all 4 groups to each user.

6) Run import role job from OIA.

7) Configure 4 Role Membership Rules in OIA for all users to be added to each of the 4 Roles.

8) Run "Import Users, Accounts, User Role Memberships and Entitlements" from OIA.  Go to step 9 immediately after starting this import.

9) On OIA, Run each of the 4 Role Membership Rules about 1 minute apart.  
    Have at least 2 running at the same time.  When one finishes spinning, start another one. 

10) Keep doing the step above until the following query against the OIA DB returns some records.

select globaluserkey,rolekey,status_id,count(*) from
oia111501.globaluser_roles where status_id = 1 group by
globaluserkey,rolekey,status_id having count (*) > 1;

11) Depending on the info returned in the above query, log into OIM and remove one of the Groups from the user.

For example, for the following:
GLOBALUSERKEY    ROLEKEY  STATUS_ID   COUNT(*)
------------- ---------- ---------- ----------
          524         12          1          2

You would use these two queries.

select rolename from roles where rolekey = '12';
Role2

select username from globalusers where globaluserkey = '524';
USER0632

..to remove Role2 Group from USER0632 in OIM.

12) Log back into OIA and run INCREMENTAL "Import Users, Accounts, User Role Memberships and Entitlements" import.

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms