|Applies To||RSA Access Manager Authorization Server 6.0.2|
Sun Solaris 2.8
|Issue||AXM-For specific groups, the users are not able to login.|
Summary of Problem: For specific groups, the users are not able to login. The following error was observed at the aserver.
sequence_number=34346,remote_client=AuthServer-BM,2009-01-30 13:49:18:636 GMT,messageID=2003,user=bunbt01,webserver=www.omgeo.net,URI=/cleartrust/*,Resource=/cleartrust/ct_home.html,client_ip_address=172.27.18.148,client_port=53355,browser_ip_address=220.127.116.11,result_code=10,result_action=Authorization Success,result_reason=Group Entitlement
sequence_number=34347,remote_client=AuthServer-BM,2009-01-30 13:49:18:637 GMT,messageID=-2,internal_error,description='Unable to send data to receiver.',details='java.io.IOException: Unable to send data to receiver.
Large number of groups ~ 32 thousand
select count(*) from groups
select count(*) from group_subgroup
select count(*) from user_group
select count(*) from explicit_entitlement
There are ~12 groups that are members(sub groups) of thousands of groups. It is one of these subgroupds that is experiencing the problem.
The query causing the problem, searched 134 gig of data on a machine with 20 meg of database
SELECT G.ID AS ID, G.ADMIN_GROUP_ID, G.NAME, G.DESCRIPTION, G.PUBLIC_STATE, G.CREATION_DATE, GP.PROPERTY_DEF_ID, GP.BOOLEAN_VALUE, GP.DATE_VALUE, GP.FLOAT_VALUE, GP.INT_VALUE, GP.STRING_VALUE FROM GROUPS G, GROUP_PROPERTY GP, GROUP_SUBGROUP GS WHERE
1223696 is an internal support group who is a subgroup of 2700 thousand groups
|Cause||A bad GROUP SUBGROUP relation was causing the problem. A 3rd level was added erroneously which was causing full-table scans and queries timing out.|
|Resolution||With this many groups, keep nesting levels at two levels deep.|
|Legacy Article ID||a44443|