Wednesday, July 17, 2013

OBIEE 11.1.1.7 in-place upgrade errors

Just a quick note on some security-related things to watch out or during/after an in-place upgrade to OBIEE 11.1.1.7. These were experienced on a 11.1.1.5.3 to 1.1.1.7.0 upgrade on 64bit Linux:

1.) Application Policies:

All custom-created application policies were dropped during the upgrade, leaving only the vanilla ones. Affected file: system-jazn-data.xml.

2.) Application Roles (this one is a bit queerer):

Affected file: system-jazn-data.xml.

Unmodified vanilla roles come through the upgrade unharmed and retain all their vanilla members (users, groups and app roles alike).
Custom roles equally come through the upgrade unharmed and retain all their vanilla as well as custom members of all kinds.

The problem is with vanilla application roles which have received new/additional members when compared to a plain install:
The role itself still exists, but it loses all vanilla members and only retains custom members.

Example application role "BIAdministrator":

Pre-upgrade members: vanilla group "BIAdministrators" (WLS-native LDAP group); group "CustomAdministrators" (custom LDAP derived group); user "cberg" (custom LDAP derived user) and several others.

Post-upgrade members: group "CustomAdministrators" (custom LDAP derived group); user "cberg" (custom LDAP derived user) - the WLS-native LDAP group has been dropped.

This wasn't immediately visible due to the new way the members of an application role are displayed (call me old-fashioned, but I prefered the old style - the new doesn't allocate enough screen real-estate) doesn't really show it at quick glance and I was wondering why I got weird "Logon Failed" errors when wanting to check the RPD online while all the logs proudly proclaimed "No no, you're definitely authenticated nicely". WLS and EM logons oviously work since the app role concept doens't kick in.

Hope this helps other people from wasting time.

@Borkur seems to have another nice one related to security hanging around. I'll make sure to ask him to post his one into the comments.

Cheers!

2 comments:

  1. Hi Christian

    Indeed, I have seen an issue where in-place upgrading from 11.1.1.6.x to 11.1.1.7.0, with two external LDAP authenticators as well as the DefaultAuthenticator. When trying to add users to Application Roles the GUI fails on populating the list of users. It's a known bug (ID:16808088) that does not (at least not last time I looked; not fixed in 11.1.1.7.1) have a resolution.

    The suggested work around is to set virtualize=false, restart WLS, add the users, set =true and restart WLS. Not great!
    The solution I used was to script the process of adding users to the roles. This works just fine, since it won't need to get the list of all known users (the part that fails). You then only have to refresh the metadata (Reload Files and Metadata), no restarting the whole stack!

    ReplyDelete
  2. Hey Christian, Thanks for the quick note. This surely helps.

    ReplyDelete