Affects Version/s: EJBCA 6.1.1, EJBCA 6.1.3
Fix Version/s: EJBCA 6.2.0
Component/s: CA GUI
Environment:RHEL 6.4 x86_64
JBoss EAP 6.2.0
MariaDB Galera 5.5.29/5.5.32/5.5.36 (both single and 3-node cluster)
Ubuntu 12.04 x64 3.2.0-59-virtual
JBoss AS 7.1.1.Final
Issue discovered during:Integration
When trying to disable more than one access rule for an administrator role on EJBCA instance that is using MariaDB Galera cluster for its database, an exception is thrown in the AdminGUI (org.mariadb.jdbc.internal.common.QueryException).
1. Create a new administrator role "TestRole".
2. Open the access rules for the "TestRole" role, switch to advanced mode, and set any two rules to "ACCEPT".
3. Save the changes.
4. Open the access rules for the "TestRole" role again, switch to advanced mode, and set the same two rules from step 2 to "UNUSED".
5. Save the changes.
1. The two access rules from steps 2 and 4 are now marked as "UNUSED" (i.e. they have been removed from the role).
2. No errors have been reported.
1. Only one of the access rules from steps 2 and 4 is now marked as "UNUSED" (i.e. the rule has been removed from the role).
2. An exception is thrown (see attached stack trace).
This same problem can be reproduced even on a non-clustered set-up, provided that the MariaDB Galera server package is used instead of the regular MariaDB server package.
Steps 1, 2, and 3 are not crucial for reproduction. Trying to remove two rules from an existing administrator role will result in same error.
I have observed that the MariaDB error log (from /var/lib/mysql/HOSTNAME.err) will additionally contain the following line after the exception is thrown in EJBCA:
WSREP: referenced FK check fail: 35