This repository has been archived by the owner on Feb 13, 2024. It is now read-only.

[BUG] Not all users are added to CF Org members #356

Closed
2 tasks done
AnatolManikalo opened this issue Dec 7, 2022 · 10 comments · Fixed by #357

@AnatolManikalo

Is there an existing issue for this?

  • I have searched the existing issues

Are you using the latest docker image for BTPSA?

  • I'm using the latest docker image for BTPSA.

Which area is mainly impacted

Cloud Foundry setups

Current Behavior

Some users are not added as CF Org managers: of 12 users who were supposed to be added, only 8 got the actual assignment.

Expected Behavior

All users should be added

Steps To Reproduce

I ran the script multiple times and the result is always the same: the same 8 users of 12 total are added, 4 are missing; however, logs show that commands are run for all users.

Logs and configuration files available?

cfRoleAssignment

Anything else?

No response

@AnatolManikalo AnatolManikalo added the bug Something isn't working label Dec 7, 2022
@lechnerc77
Member

@AnatolManikalo as you ran the script several times one follow-up question: are always the same 4 users missing or is there a difference concerning the 8 users that were assigned?

@AnatolManikalo
Author

@lechnerc77 yes, exactly the same users are added every time. Here's the result of the latest run, and the same users are added (same missing :)

image

@lechnerc77 lechnerc77 moved this to In Progress in btpsa planning Dec 7, 2022
@lechnerc77 lechnerc77 linked a pull request Dec 7, 2022 that will close this issue
@lechnerc77 lechnerc77 self-assigned this Dec 7, 2022
@lechnerc77
Member

I just reworked the error messages forwarded in the logs. This rework is available in the dev branch. Can you execute your setup with the following new dev container:

docker pull ghcr.io/sap-samples/btp-setup-automator-dev:dev

and post the logs here. Thanks

@AnatolManikalo
Author

Hi @lechnerc77

There are 2 types of error:


[2022-12-07 16:28:40] INFO       :  - user >[email protected]<
[2022-12-07 16:28:40] RUN COMMAND: cf set-org-role '[email protected]' 'sapit-automator-test' 'OrgManager'
[2022-12-07 16:28:41] ERROR      : Assigning role OrgManager to user [email protected] in org sapit-automator-test as [email protected]
[2022-12-07 16:28:41] ERROR      : Ambiguous user. User with username '[email protected]' exists in the following origins: platformcoeproxytest-platform, sap.ids. Specify an origin to disambiguate.

and

[2022-12-07 16:28:45] INFO       :  - user >[email protected]<
[2022-12-07 16:28:45] RUN COMMAND: cf set-org-role '[email protected]' 'sapit-automator-test' 'OrgManager'
[2022-12-07 16:28:46] ERROR      : Assigning role OrgManager to user [email protected] in org sapit-automator-test as [email protected]
[2022-12-07 16:28:46] ERROR      : No user exists with the username '[email protected]'.

For the first: is there a way to ask automator to use sap.ids by default?
For the second: should there be something similar to --create-user-if-missing parameter in BTP?

@lechnerc77
Member

lechnerc77 commented Dec 7, 2022

@AnatolManikalo : The first scenario can be mitigated by using the parameter "idp" in the assignrolecollections that you can specify per rolecollection. This will be propagated to the CF CLI via the --origin parameter.

There is no --create-user-if-missing parameter for the CF CLI. Supporting the user creation would be an enhancement of the current implementation for CF roles

@lechnerc77 lechnerc77 added this to the btpsa-v1.2.1 milestone Dec 7, 2022
@hschaefer123

hschaefer123 commented Dec 7, 2022

Hi @lechnerc77 ,

we have the same issue with latest image.

Using DEV image we also get an error output

[2022-12-07 17:16:25] ERROR      : Assigning role SpaceManager to user [email protected] in org udina-newcustx-test / space services as [email protected]
[2022-12-07 17:16:25] ERROR      : Ambiguous user. User with username '[email protected]' exists in the following origins: STZH-DEV, httpssts.windows.netc-YYXXYYZZ, sap.ids. Specify an origin to disambiguate.

The error is strange, because STZH-DEV is a trust in another Global Account!

Having a look into

Extend command "cf set-org-role"/"cf unset-org-role" with "--origin" if there are multiple origins

I think, by default all the calls should use
--origin sap.default
to avoid this and maybe making the origin param optional.

See
https://docs.cloudfoundry.org/cf-cli/getting-started.html#-manage-roles-for-users-with-identical-usernames-in-multiple-origins

The user exists in multiple origins. Specify an origin for the requested user from: ‘uaa’, ‘other’

Update
we just used your comment

{
    "name": "OrgManager",
    "type": "cloudfoundry",
    "level": "org",
    "idp": "sap.ids",
    "assignedUserGroupsFromParameterFile": [
        "admins"
    ]
}

and for our issue, this is working fine.

Maybe the idp setting should be set by default to "sap.ids"?!?
What do you mean?

Regards
Holger

@lechnerc77
Member

@hschaefer123 @AnatolManikalo here the wrap-up:

The handling of errors when executing cf set-org-role had a bug and as a consequence errors were not reported back (as shown in the screenshots above). It seemed like the assignment was executed successfully, but it was not.
PR #357 fixed this behavior; errors are now propagated and displayed correctly. However, as they are now shown, you might need to adjust your configuration files in case an "Ambiguous user" is detected that has several (IdP) origins. You can do that as of release 1.2.0 as described in the announcement of release 1.2.0, i.e., Detail on "Support of custom IdPs in role assignment (incl. CF roles)".

Why don't we default to sap.idp? This would mean that existing working configurations might need to be adapted and we want to avoid this breaking change for existing users.

The fix to get the correct error log is available in the dev branch and will be available in main with the next release. This issue will be closed once the new release is available

@lechnerc77
Member

@AnatolManikalo if you want to request the "create user if not existent" functionality for CF orgs, feel free to open an issue for an enhancement for that

@lechnerc77 lechnerc77 added the available in dev fix/enhancement is available in dev label Dec 8, 2022
@lechnerc77 lechnerc77 moved this from In Progress to Done in btpsa planning Dec 8, 2022
@AnatolManikalo
Author

Hi @lechnerc77 here it is: #360

@lechnerc77
Member

Fix is available in main and in Docker image with release 1.2.1
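
Added example, not part of the thread and not btp-setup-automator's own code: a small Python audit that walks a log in the format quoted above, pairs each `cf set-org-role` / `cf set-space-role` command with the errors that follow it, and reports which assignments silently failed and which origins an ambiguous user exists in. The function names, the sample addresses and the `demo-org` / `custom-idp` values are constructed for illustration; the error wording and the `--origin` parameter are the ones shown in the comments above.

```python
import re

# Patterns follow the cf CLI error text quoted in the thread.
AMBIGUOUS = re.compile(r"Ambiguous user\. User with username '([^']*)' exists in the "
                       r"following origins: (.+?)\. Specify an origin")
MISSING = re.compile(r"No user exists with the username '([^']*)'")
RUN = re.compile(r"RUN COMMAND: (cf set-(?:org|space)-role .+)$")


def build_set_org_role(user, org, role, idp=None):
    """Hypothetical helper: argv for `cf set-org-role`, adding --origin only if an idp is set."""
    cmd = ["cf", "set-org-role", user, org, role]
    if idp:
        cmd += ["--origin", idp]
    return cmd


def failed_assignments(log_lines):
    """Pair each RUN COMMAND line with the ERROR lines that follow it."""
    failures, current = [], None
    for line in log_lines:
        run = RUN.search(line)
        if run:
            current = run.group(1)
            continue
        if current is None or "ERROR" not in line:
            continue
        amb, mis = AMBIGUOUS.search(line), MISSING.search(line)
        if amb:
            failures.append({"command": current, "reason": "ambiguous",
                             "user": amb.group(1), "origins": amb.group(2).split(", ")})
        elif mis:
            failures.append({"command": current, "reason": "missing",
                             "user": mis.group(1), "origins": []})
    return failures

# Constructed sample in the log format shown in the thread (all names are placeholders).
SAMPLE_LOG = """\
[2022-12-07 16:28:40] RUN COMMAND: cf set-org-role 'alice@example.com' 'demo-org' 'OrgManager'
[2022-12-07 16:28:41] ERROR      : Assigning role OrgManager to user alice@example.com in org demo-org as admin@example.com
[2022-12-07 16:28:41] ERROR      : Ambiguous user. User with username 'alice@example.com' exists in the following origins: custom-idp, sap.ids. Specify an origin to disambiguate.
[2022-12-07 16:28:45] RUN COMMAND: cf set-org-role 'bob@example.com' 'demo-org' 'OrgManager'
[2022-12-07 16:28:46] ERROR      : No user exists with the username 'bob@example.com'.
[2022-12-07 16:28:50] RUN COMMAND: cf set-org-role 'carol@example.com' 'demo-org' 'OrgManager'
""".splitlines()

if __name__ == "__main__":
    for failure in failed_assignments(SAMPLE_LOG):
        print(failure["reason"], failure["user"], failure["origins"])
```

Comparing the users reported here against the intended member list shows which privileged role assignments never took effect, which is the gap the original silent failure hid.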
