Question by na2379 · Aug 06, 2015 at 08:49 PM · 173 Views openldapopdk private cloud topology

Unable to remove custom userrole

When I try to delete a userrole, I keep getting the error "Unable to delete userrole:abcdMyRole as users exist for role"

Tried to delete using a management API call using curl and got the same error.

UI shows no users exist under that role.


3 Answers

Best Answer

Answer by na2379 · Aug 10, 2015 at 10:54 PM

I am able to delete the role after I removed the roleOccupant:

dn: cn=abcdMyRole,ou=userroles,o=prod,ou=organizations,dc=apigee,dc=com
changetype: modify
delete: roleOccupant
roleOccupant: uid=4adffba3-fd01-4e68-a353-e143f3de1ec3,ou=users,ou=global,dc=apigee,dc=com

Answer by na2379 · Aug 07, 2015 at 04:52 PM

Tried those two steps already. Here is the output.

$ mycurl -X GET http://localhost:8080/v1/o/prod/userroles/abcdMyRole/users
[ ]200

$ mycurl -X DELETE http://localhost:8080/v1/o/prod/userroles/abcdMyRole
{
"code" : "usersandroles.UserRoleDeleteFailedAsUsersExistForRole",
"message" : "Unable to delete userrole:abcdMyRole as users exist for role",
"contexts" : [ ]
}400

I am able to successfully create a new custom role and delete it. Furthermore, I was querying LDAP data using ldapsearch and could see a roleOccupant for the role abcdMyRole as follows, though the UI shows no user exists for that role.

dn: cn=abcdMyRole,ou=userroles,o=prod,ou=organizations,dc=apigee,dc=com
objectClass: organizationalRole
cn: abcdMyRole
roleOccupant: uid=4adffba3-fd01-4e68-a353-e143f3de1ec3,ou=users,ou=global,dc=apigee,dc=com

uid=4adffba3-fd01-4e68-a353-e143f3de1ec3 does not correspond to any valid user in the system and does not exist anywhere else. This entry could be holding up the role delete. Looking for the right way to clean up that data.

Another interesting find from ldapsearch is that there are still lots of traces of old custom roles which got deleted long back. So it looks like the DELETE operation from the UI is not doing a complete cleanup in the LDAP DB. This needs to be looked at and fixed.

Answer by Girish Gajria · Aug 20, 2018 at 01:14 PM

Understand that this is an old issue. But I am encountering this issue as well. It does not seem to be consistent.

I am using the Apigee private cloud (v 4.18.05). I remove all users associated to the role globally. Then, I try to remove the role itself. This only seems to work sometimes (not always). Once I remove the LDAP entries manually, then I can remove the role. Looks like the user removal is not triggering the deletion of the LDAP entries (??).

This is being done via a Node.js offline script with around 10 to 15 users, using the below management APIs:

DELETE https://api.enterprise.apigee.com/v1/organizations/{org}/userroles/{role_name} 
DELETE https://api.enterprise.apigee.com/v1/users/{user_email}

Below is the LDAP and the management API response:

dn: cn=***,ou=userroles,o=***,ou=organizations,dc=apigee,dc=com
objectClass: organizationalRole
cn: ***
roleOccupant: uid=53491c9d-62f0-4e57-ae5f-3dd7e583e475,ou=users,ou=global,dc=apigee,dc=com
roleOccupant: uid=832b3bf8-cece-4988-abb4-f1afc3934973,ou=users,ou=global,dc=apigee,dc=com
roleOccupant: uid=9f41fee4-4607-4aa4-9888-b337c55e5aba,ou=users,ou=global,dc=apigee,dc=com
roleOccupant: uid=012b64e7-9c81-437f-866e-245db87f98ae,ou=users,ou=global,dc=apigee,dc=com
roleOccupant: uid=0bf10537-feec-4f60-820f-3bc9752dc71e,ou=users,ou=global,dc=apigee,dc=com

{
"code" : "usersandroles.UserRoleDeleteFailedAsUsersExistForRole",
"message" : "Unable to delete userrole:*** as users exist for role",
"contexts" : [ ]
}

Thanks,

Girish
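
An added example, not part of any post in this thread and not Apigee tooling: it reads ldapsearch output, finds roleOccupant values that point at no existing entry, and writes the ldapmodify input shown in the accepted answer. It assumes the export covers both the user subtree and the role subtree; the sample LDIF and the 1111... uid are constructed.

```python
import re

# Constructed ldapsearch (LDIF) output, modelled on the entries quoted in the thread.
# The export must include the user subtree too, or every occupant looks orphaned.
SAMPLE_LDIF = """\
dn: uid=11111111-1111-1111-1111-111111111111,ou=users,ou=global,dc=apigee,dc=com
uid: 11111111-1111-1111-1111-111111111111

dn: cn=abcdMyRole,ou=userroles,o=prod,ou=organizations,dc=apigee,dc=com
objectClass: organizationalRole
cn: abcdMyRole
roleOccupant: uid=11111111-1111-1111-1111-111111111111,ou=users,ou=global,dc=apigee,dc=com
roleOccupant: uid=4adffba3-fd01-4e68-a353-e143f3de1ec3,ou=users,
 ou=global,dc=apigee,dc=com
"""

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})]; base64 ('::') values are not decoded."""
    text = re.sub(r"\r?\n ", "", text)  # unfold LDIF continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            name, value = line.split(": ", 1)
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name.lower(), []).append(value.strip())
        if dn:  # skips ldapsearch trailer blocks such as "result: 0 Success"
            entries.append((dn, attrs))
    return entries

def norm(dn):
    """Case-insensitive DN comparison key, ignoring spaces around commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def orphan_cleanup_ldif(text):
    """Build ldapmodify input deleting roleOccupant values that match no entry DN."""
    entries = parse_ldif(text)
    known = {norm(dn) for dn, _ in entries}
    out = []
    for dn, attrs in entries:
        stale = [v for v in attrs.get("roleoccupant", []) if norm(v) not in known]
        if stale:
            out.append("\n".join([f"dn: {dn}", "changetype: modify", "delete: roleOccupant"]
                                 + [f"roleOccupant: {v}" for v in stale]) + "\n")
    return "\n".join(out)

if __name__ == "__main__":
    print(orphan_cleanup_ldif(SAMPLE_LDIF))
```

Review the generated LDIF before applying it, since a stale roleOccupant is also a record of a role grant that was never revoked in the directory.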
