Investigating UUN and Prometheus Issues

Brief notes on investigating issues where users are not appearing in the Prometheus feed.

The first place to look is the "Person" desktop in TheonUI, which presents all person records without any constraining filter. Look up by name, preferably, to find all matching staff, student and visitor instances that may contribute to an account being created. Another useful desktop is "Register": its first panel returns, for any given session, the currency and category status of any person.

Another place to look is the feeds, either on Hypatia or raw. For example, the IDM feed from central auth:

ldapsearch -Q -LLL -H ldaps://authorise.is.ed.ac.uk:636 -b dc=authorise,dc=ed,dc=ac,dc=uk uid=UUN

or use "sn=LASTNAME" as the filter instead. The returned data shows the account's type and currency (e.g. deleted or expiring). The command can be run on the Hypatia db server, as that has the functional account set up; see the /usr/lib/theon/conduits/incoming/idm_fetch shell script for details.

Check the live Prometheus feed in Hypatia:

infdb=# select u.*, r.role from prometheus_user_3g u, prometheus_role_3g r where u.person = r.person and u.username = 'UUN';

or use "surname=LASTNAME" instead. If the person does not appear in the result, Hypatia does not (rightly or wrongly) think they are entitled to an account. The "person" value returned by the query is a UUID which identifies the exact record in Hypatia from which the account entitlement has been derived.

It is important to remember that in Hypatia a person can hold more than one primary name record. They will hold one for their representation as a student, one as a member of staff and one as a visitor. Multiple instances of any of these do not result in multiple instances of the primary name record: only the currently applicable instance is represented by the primary name record. The username can appear in any of these primary name records, but it is unique across them and will move automatically between them. For example, if Joe Bloggs has a staff record with UUN jbloggs, then leaves, gets a visitor record with UUN v1jbloggs and is reconciled, the username on the visitor record is updated to jbloggs, which removes it from the staff record to avoid conflict. A Prometheus account entitlement is only generated when there is a username associated with a primary name record that is current (there can be more than one).
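The username rules above can be reasoned about with a small model. This is an added example, not code from Hypatia or from the original page; the class names, fields and the why_missing helper are hypothetical, and the data is constructed from the Joe Bloggs case in the text.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Simplified, assumed model of primary name records; not the Hypatia schema.
@dataclass
class PrimaryName:
    kind: str  # "staff", "student" or "visitor"
    current: bool = False
    username: Optional[str] = None

@dataclass
class Person:
    records: Dict[str, PrimaryName] = field(default_factory=dict)

    def set_record(self, kind: str, current: bool) -> None:
        """One primary name record per kind; only its currency changes."""
        self.records.setdefault(kind, PrimaryName(kind)).current = current

    def assign_username(self, kind: str, username: str) -> None:
        """A username is unique across the records, so assigning moves it."""
        for rec in self.records.values():
            if rec.username == username:
                rec.username = None
        self.records[kind].username = username

    def entitlements(self) -> List[str]:
        """Usernames on current records: only these generate an entitlement."""
        return sorted(r.username for r in self.records.values()
                      if r.current and r.username)

    def why_missing(self, uun: str) -> Optional[str]:
        """Reason `uun` yields no entitlement, or None if it does."""
        holders = [r for r in self.records.values() if r.username == uun]
        if not holders:
            return "no primary name record holds this username"
        if not any(r.current for r in holders):
            return f"held only by the non-current {holders[0].kind} record"
        return None

def joe_bloggs() -> Person:
    """Constructed state: staff member has left, visitor not yet reconciled."""
    p = Person()
    p.set_record("staff", True)
    p.assign_username("staff", "jbloggs")
    p.set_record("staff", False)               # leaves the staff role
    p.set_record("visitor", True)
    p.assign_username("visitor", "v1jbloggs")  # new visitor UUN
    return p

if __name__ == "__main__":
    joe = joe_bloggs()
    print(joe.entitlements(), joe.why_missing("jbloggs"))
```

Calling assign_username("visitor", "jbloggs") on the returned person models the reconciliation step: the username leaves the staff record and the entitlement switches from v1jbloggs to jbloggs.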

-- TimColles - 27 Nov 2018

Topic revision: r1 - 27 Nov 2018 - 15:15:31 - TimColles