cli icon indicating copy to clipboard operation
cli copied to clipboard

Published 20 hours ago verified publisher icon cloudfoundry

'cf delete-user' with CF7 fails if user does not exist in ccdb

Open johha opened this issue 5 years ago • 6 comments

Please fill out the issue checklist below and provide ALL the requested information.

  • [x] I reviewed open and closed github issues that may be related to my problem.
  • [x] I tried updating to the latest version of the CF CLI to see if it fixed my problem.
  • [x] I attempted to run the command with CF_TRACE=1 to help debug the issue.
  • [x] I am reporting a bug that others will be able to reproduce.

Describe the bug and the command you saw an issue with cf delete-user [some-user] with CF CLI v7 fails if the user does not exist in ccdb although it still exists in UAA. Verbose output:

...
DELETE /v3/users/a60990ed-1a06-48c4-8730-72f760c4aa39 HTTP/1.1
Host: api.cf.stagingac.hanavlab.ondemand.com
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
User-Agent: cf/7.1.0+4c3168f9a.2020-09-09 (go1.13.8; amd64 linux)

RESPONSE: [2020-10-20T09:05:28Z]
HTTP/1.1 404 Not Found
Content-Length: 125
Content-Type: application/json; charset=utf-8
Date: Tue, 20 Oct 2020 09:05:28 GMT
Referrer-Policy: strict-origin-when-cross-origin
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Ratelimit-Limit: 40000
X-Ratelimit-Remaining: 39987
X-Ratelimit-Reset: 1603187210
X-Runtime: 0.007655
X-Vcap-Request-Id: 613b2e70-95b6-4ce7-5c63-7cca9cbd7652::d82e215d-a9d0-4f48-8730-f6925b652f9d
X-Xss-Protection: 1; mode=block
{
  "errors": [
    {
      "code": 10010,
      "detail": "User not found",
      "title": "CF-ResourceNotFound"
    }
  ]
}


User '' does not exist.
FAILED

With CF CLI v6 (verbose output):

REQUEST: [2020-10-20T09:05:47Z]
DELETE /v2/users/a60990ed-1a06-48c4-8730-72f760c4aa39?async=true HTTP/1.1
Host: api.cf.stagingac.hanavlab.ondemand.com
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
Content-Type: application/json
User-Agent: go-cli 6.53.0+8e2b70a4a.2020-10-01 / linux


RESPONSE: [2020-10-20T09:05:47Z]
HTTP/1.1 404 Not Found
Connection: close
Content-Length: 141
Content-Type: application/json;charset=utf-8
Date: Tue, 20 Oct 2020 09:05:47 GMT
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;
X-Content-Type-Options: nosniff
X-Ratelimit-Limit: 40000
X-Ratelimit-Remaining: 39986
X-Ratelimit-Reset: 1603187210
X-Vcap-Request-Id: c564b693-2383-4d37-5681-1d086327bd05::e19bf093-96b7-4e50-ae2d-d573e9576f70

{
  "description": "The user could not be found: a60990ed-1a06-48c4-8730-72f760c4aa39",
  "error_code": "CF-UserNotFound",
  "code": 20003
}


REQUEST: [2020-10-20T09:05:47Z]
DELETE /Users/a60990ed-1a06-48c4-8730-72f760c4aa39 HTTP/1.1
Host: uaa.cf.stagingac.hanavlab.ondemand.com
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
Content-Type: application/json
User-Agent: go-cli 6.53.0+8e2b70a4a.2020-10-01 / linux


RESPONSE: [2020-10-20T09:05:48Z]
HTTP/1.1 200 OK
Connection: close
Content-Length: 1866
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json
Date: Tue, 20 Oct 2020 09:05:47 GMT
Etag: "0"
Expires: 0
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Vcap-Request-Id: 2bf66007-03c2-453b-4438-15af5efa29ca
X-Xss-Protection: 1; mode=block

{"id":"a60990ed-1a06-48c4-8730-72f760c4aa39","meta":{"version":0,"created":"2020-10-20T09:03:27.081Z","lastModified":"2020-10-20T09:03:27.081Z"},"userName":"ngp_test","name":{"familyName":"ngp_test","givenName":"ngp_test"},"emails":[{"value":"ngp_test","primary":false}],"groups":[{"value":"e26e47ee-a56f-4b71-be57-9c7385a5547b","display":"profile","type":"DIRECT"},{"value":"030b7987-7564-4374-a9b9-eac468f2e237","display":"cloud_controller.read","type":"DIRECT"},{"value":"d3ce4123-9f78-48ac-aaeb-17c2333d3ac9","display":"cloud_controller.write","type":"DIRECT"},{"value":"06c13670-e825-45de-b368-8d7f60c19d01","display":"notification_preferences.read","type":"DIRECT"},{"value":"3e86ec22-5268-4402-b891-6a910d286da6","display":"scim.me","type":"DIRECT"},{"value":"73307286-3efb-429a-809a-fe3752ba1e00","display":"oauth.approvals","type":"DIRECT"},{"value":"8c362e8f-3d23-4e0a-b028-124fdf1b9300","display":"user_attributes","type":"DIRECT"},{"value":"e8f9d735-11e4-40c5-aea5-e78326dd5e45","display":"roles","type":"DIRECT"},{"value":"d50e52c8-9c5d-4f51-93da-e03e793a11a5","display":"notification_preferences.write","type":"DIRECT"},{"value":"4a016250-2bd0-496d-84fb-d71d0315dfda","display":"openid","type":"DIRECT"},{"value":"6c89bc11-db16-4ab3-9ffe-cd3d3f7bbaab","display":"cloud_controller_service_permissions.read","type":"DIRECT"},{"value":"7e08f4a9-7b23-42c9-9fa1-c645cba61d95","display":"uaa.offline_token","type":"DIRECT"},{"value":"bc73f096-d8c2-4f3e-a2de-4e5132c6af93","display":"uaa.user","type":"DIRECT"},{"value":"63a29c4c-01ca-4171-98d2-f42a4085cab9","display":"approvals.me","type":"DIRECT"},{"value":"b70a8fa1-8447-4fcb-a0ee-f879875c1545","display":"password.write","type":"DIRECT"}],"approvals":[],"active":true,"verified":true,"origin":"uaa","zoneId":"uaa","passwordLastModified":"[PRIVATE DATA HIDDEN]","schemas":["urn:scim:schemas:core:1.0"]}
OK

What happened User could not be deleted from UAA

Expected behavior It should not matter if user is in ccdb or not, cf delete-user should always work

Exact Steps To Reproduce Steps to reproduce the behavior; include the exact CLI commands and verbose output: With CF CLI v7:

  1. cf create-user test_user test_pwd -> user exists in uaa and ccdb
  2. cf curl v3/users/[guid of test_user] -x DELETE -> user deleted in ccdb
  3. cf delete-user test_user -> Fails with "User '' does not exist."

Provide more context

  • Mac OS X 10.11 iTerm
  • cf/7.1.0+4c3168f9a.2020-09-09
  • CAPI 1.98.0

johha avatar Oct 20 '20 09:10 johha

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/175350863

The labels on this github issue will be updated when the story is started.

cf-gitbot avatar Oct 20 '20 09:10 cf-gitbot

This also happens if a user was created with uaac but not (yet) used with CF CLI (e.g. with cf auth). Can be reproduced with:

$ uaac user add test_user --emails [email protected] --origin uaa -p 123
user account successfully added

$ cf delete-user test_user -f
User '' does not exist.
FAILED

johha avatar Oct 21 '20 10:10 johha

Thanks for reporting this issue @johha. The CLI works through the CAPI api (doesn't interact directly with UAA) but , we'll investigate and report our findings once we're finished.

heyjcollins avatar Oct 26 '20 16:10 heyjcollins

@heyjcollins any updates?

juergen-walter avatar Mar 19 '21 11:03 juergen-walter

I think this is still biting us with cf-cli 8.6.0 (against capi 1.148.0)

risicle avatar Jun 15 '23 09:06 risicle

Specifically it appears to happen if a uaac-created user has never authenticated via cf and then targeted a space with e.g. cf target

risicle avatar Jun 15 '23 10:06 risicle