Investigating UUN and Prometheus Issues
Brief notes on investigating issues where users are not appearing in the Prometheus feed.
The first place to look is the "Person" desktop in TheonUI, which presents all person records without
any constraining filter. Look up by name, preferably, to find all matching staff, student and visitor instances
that may contribute to an account being created. Another useful desktop is "Register": its first panel
returns, for any given session, the currency and category status for any person.
Another place to look is the feeds, either on Hypatia or raw. For example, the IDM feed from central auth:
ldapsearch -Q -LLL -H ldaps://authorise.is.ed.ac.uk:636 -b dc=authorise,dc=ed,dc=ac,dc=uk uid=UUN
or use the filter "sn=LASTNAME" instead. The returned data can show the type and currency of the account (e.g. deleted or expiring).
The above can be run on the Hypatia db server, as that has the functional account set up; see the /usr/lib/theon/conduits/incoming/idm_fetch
shell script for details.
Check the live Prometheus feed in Hypatia:
infdb=# select u.*, r.role from prometheus_user_3g u, prometheus_role_3g r where u.person = r.person and u.username = 'UUN';
or with "surname=LASTNAME". If the person does not appear in the above, Hypatia does not (rightly or wrongly) think they are entitled to an account.
The "person" value returned by the above query is a UUID, which identifies the exact record in Hypatia from which the account
entitlement has been derived.
It is important to remember that in Hypatia a person can hold more than one primary name record. They will hold one for their representation
as a student, one as a member of staff and one as a visitor. Multiple instances of any of these do not result in multiple instances of the primary
name record - only the currently applicable instance is represented by the primary name record. The username can appear in any of these primary
name records, but it is unique across them and will move automatically between them. So, for example, if Joe Bloggs has a staff record with UUN jbloggs,
then leaves and gets a visitor record with UUN v1jbloggs and is reconciled, the username on the visitor record is updated to jbloggs, which removes
it from the staff record to avoid conflict. A Prometheus account entitlement is only generated when there is a username associated with a primary
name record that is current (there can be more than one).
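The username rule described above, as an added toy model that is not part of the original notes and not Hypatia code. The class, field and function names are assumptions made for illustration, and the data is constructed from the Joe Bloggs case in the text.

```python
from dataclasses import dataclass
from typing import Optional

# Toy model only: names below are assumptions, not Hypatia's schema.
@dataclass
class PrimaryName:
    kind: str                       # "student", "staff" or "visitor"
    current: bool                   # is the applicable instance current?
    username: Optional[str] = None  # UUN, if one is attached to this record

def reconcile(records, kind, username):
    """Attach username to the record of `kind`, removing it from any other
    record so it stays unique across the person's primary name records."""
    for rec in records:
        if rec.username == username and rec.kind != kind:
            rec.username = None
    target = next(r for r in records if r.kind == kind)
    target.username = username
    return records

def entitlements(records):
    """Usernames that would generate an account entitlement: only those
    held on a primary name record that is current."""
    return [r.username for r in records if r.current and r.username]

def explain_missing(records):
    """Why a person would be absent from the feed under this model."""
    if entitlements(records):
        return "entitled"
    if any(r.username for r in records):
        return "username only on a non-current record"
    return "no username on any primary name record"

def joe_bloggs():
    # Constructed data: staff record has ended, visitor record is current.
    recs = [PrimaryName("staff", current=False, username="jbloggs"),
            PrimaryName("visitor", current=True, username="v1jbloggs")]
    before = entitlements(recs)            # entitlement before reconciliation
    reconcile(recs, "visitor", "jbloggs")  # jbloggs moves to the visitor record
    return before, entitlements(recs), recs[0].username

if __name__ == "__main__":
    print(joe_bloggs())
    print(explain_missing([PrimaryName("staff", False, "jbloggs")]))
```

The two "missing" outcomes correspond to what to check on the "Person" desktop: whether any primary name record carries the username, and whether that record is the current one.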
--
TimColles - 27 Nov 2018