Add admin role error during the initial startup when a read only LDAP is used with the create_admin_account configuration as false #20379

Open
deshankoswatte opened this issue May 15, 2024 · 0 comments
deshankoswatte commented May 15, 2024

Describe the issue:

When a read-only LDAP user store is configured as the primary user store in the deployment.toml file with create_admin_account set to false, the WSO2 IS startup fails with the following error during the initial startup (note that the user and the role are already available in the user store).

[2024-05-14 19:29:37,383] [] DEBUG {org.wso2.carbon.user.core.common.DefaultRealm} - Cannot create org.wso2.carbon.user.core.ldap.UniqueIDReadOnlyLDAPUserStoreManager java.lang.reflect.InvocationTargetException
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
	at org.wso2.carbon.user.core.common.DefaultRealm.createObjectWithOptions(DefaultRealm.java:356)
	at org.wso2.carbon.user.core.common.DefaultRealm.initializeObjects(DefaultRealm.java:231)
	at org.wso2.carbon.user.core.common.DefaultRealm.init(DefaultRealm.java:136)
	at org.wso2.carbon.user.core.common.DefaultRealmService.initializeRealm(DefaultRealmService.java:276)
	at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:102)
	at org.wso2.carbon.user.core.common.DefaultRealmService.<init>(DefaultRealmService.java:115)
	at org.wso2.carbon.user.core.internal.Activator.startDeploy(Activator.java:80)
	at org.wso2.carbon.user.core.internal.BundleCheckActivator.start(BundleCheckActivator.java:61)
	at org.eclipse.osgi.internal.framework.BundleContextImpl$3.run(BundleContextImpl.java:842)
	at org.eclipse.osgi.internal.framework.BundleContextImpl$3.run(BundleContextImpl.java:1)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at org.eclipse.osgi.internal.framework.BundleContextImpl.startActivator(BundleContextImpl.java:834)
	at org.eclipse.osgi.internal.framework.BundleContextImpl.start(BundleContextImpl.java:791)
	at org.eclipse.osgi.internal.framework.EquinoxBundle.startWorker0(EquinoxBundle.java:1013)
	at org.eclipse.osgi.internal.framework.EquinoxBundle$EquinoxModule.startWorker(EquinoxBundle.java:365)
	at org.eclipse.osgi.container.Module.doStart(Module.java:598)
	at org.eclipse.osgi.container.Module.start(Module.java:462)
	at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel$1.run(ModuleContainer.java:1820)
	at org.eclipse.osgi.internal.framework.EquinoxContainerAdaptor$2$1.execute(EquinoxContainerAdaptor.java:150)
	at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.incStartLevel(ModuleContainer.java:1813)
	at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.incStartLevel(ModuleContainer.java:1770)
	at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.doContainerStartLevel(ModuleContainer.java:1735)
	at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.dispatchEvent(ModuleContainer.java:1661)
	at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.dispatchEvent(ModuleContainer.java:1)
	at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:234)
	at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread.run(EventManager.java:345)
Caused by: org.wso2.carbon.user.core.UserStoreException: Admin role can not be created in primary user store. Add-Admin has been set to false. Please pick a Role name which is exist in the primary user store as Admin Role
	at org.wso2.carbon.user.core.common.AbstractUserStoreManager.addInitialAdminData(AbstractUserStoreManager.java:9978)
	at org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.<init>(ReadOnlyLDAPUserStoreManager.java:265)
	at org.wso2.carbon.user.core.ldap.UniqueIDReadOnlyLDAPUserStoreManager.<init>(UniqueIDReadOnlyLDAPUserStoreManager.java:182)
	... 30 more

During this scenario, WSO2 IS will validate whether the user exists in the user store [1] and whether the defined admin role exists in the UM_HYBRID_ROLE table [2] [3]. The UM_HYBRID_ROLE table is empty by default during the first startup, causing WSO2 IS to fail to find the role, resulting in the error [4] above being thrown by WSO2 IS.

In cases where you have disabled group role separation and set the read_group parameter of the user store configuration to true, the role search will be performed in the user store itself [5], resolving the error. However, disabling group role separation should be done after assessing the use cases relevant to the customer’s business requirements.

This can be resolved by setting create_admin_account to true since it will create the configured role in the UM_HYBRID_ROLE [6]. Afterward, it will extract the group from the user store [7], update the group list of the hybrid role [8], and finally update the hybrid role list of the user [9].

However, when the user store is read-only, we should ideally perform the task mentioned in the above paragraph by default.

[1] - https://github.com/wso2/carbon-kernel/blob/v4.10.9/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L9821-L9837

[2] - https://github.com/wso2/carbon-kernel/blob/v4.10.9/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L9810-L9819

[3] - https://github.com/wso2/carbon-kernel/blob/v4.10.9/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/hybrid/HybridRoleManager.java#L312-L347

[4] - https://github.com/wso2/carbon-kernel/blob/v4.10.9/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L9973-L9982

[5] - https://github.com/wso2/carbon-kernel/blob/v4.10.9/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L9801-L9808

[6] - https://github.com/wso2/carbon-kernel/blob/v4.10.9/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L9924-L9928

[7] - https://github.com/wso2/carbon-kernel/blob/v4.10.9/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L9934-L9937

[8] - https://github.com/wso2/carbon-kernel/blob/v4.10.9/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L9953-L9955

[9] - https://github.com/wso2/carbon-kernel/blob/v4.10.9/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L9987-L9992

How to reproduce:

  • Set up an LDAP with a user and a group (the group should be assigned to the user).
  • Start the new WSO2 Identity Server with the same LDAP set as a read-only LDAP primary user store, configured in the deployment.toml file as follows:

    ```toml
    [super_admin]
    username = "<LDAP-created-user's-username>"
    password = "<LDAP-created-user's-password>"
    admin_role = "<LDAP-created-user's-role>"
    create_admin_account = false

    [user_store]
    type = "read_only_ldap_unique_id"
    ```

  • The above-mentioned error will be reproduced.

Expected behavior:

If the group-role separation is enabled, regardless of whether create_admin_account is enabled, we must create the admin role in the system and establish the necessary user associations. This is because roles are managed separately in the system database after the group-role separation.

Environment information

  • Product Version: IS 7.0.0
  • OS: Ubuntu 22.04.2 LTS
  • Database: H2
  • Userstore: JDBC
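The startup decision described in the issue (steps [1] to [9] and the expected behaviour) modelled as an added Python example; this is not carbon-kernel code. The class names, the assumption at [7] that the LDAP group carries the same name as admin_role, and the failure path inside the read_group branch are assumptions made for the model.

```python
from dataclasses import dataclass, field

class AdminBootstrapError(Exception):
    pass  # stands in for the UserStoreException the issue quotes at [4]

@dataclass
class StartupConfig:                 # the [super_admin] / user-store settings the issue names
    admin_user: str
    admin_role: str
    create_admin_account: bool
    group_role_separation: bool = True
    read_group: bool = False

@dataclass
class RealmState:
    ldap_groups: dict                                   # constructed read-only LDAP: user -> set of groups
    hybrid_roles: dict = field(default_factory=dict)    # UM_HYBRID_ROLE: role -> set of mapped groups
    user_hybrid_roles: dict = field(default_factory=dict)  # user -> set of hybrid roles

def add_initial_admin_data(cfg, state, proposed=False):
    """Model of the startup check; proposed=True applies the issue's expected behaviour."""
    if cfg.admin_user not in state.ldap_groups:                       # [1] admin user must exist
        raise AdminBootstrapError("admin user not found in primary user store")
    groups = state.ldap_groups[cfg.admin_user]
    if not cfg.group_role_separation and cfg.read_group:             # [5] role searched in the user store
        if cfg.admin_role in groups:
            return "role resolved from user store"
        raise AdminBootstrapError("admin role not found in user store")   # assumed outcome (not on the page)
    if cfg.admin_role in state.hybrid_roles:                          # [2][3] UM_HYBRID_ROLE lookup
        return "hybrid role already present"
    if not cfg.create_admin_account and not (proposed and cfg.group_role_separation):
        raise AdminBootstrapError("Admin role can not be created in primary user store. Add-Admin has been set to false.")  # [4]
    state.hybrid_roles[cfg.admin_role] = set()                         # [6] create the hybrid role
    if cfg.admin_role in groups:                                      # [7] assumed: LDAP group name == admin_role
        state.hybrid_roles[cfg.admin_role].add(cfg.admin_role)         # [8] map the group to the hybrid role
    state.user_hybrid_roles.setdefault(cfg.admin_user, set()).add(cfg.admin_role)  # [9] user <-> role
    return "hybrid role created and user associated"

def startup_outcome(cfg, state, proposed=False):
    try:
        return add_initial_admin_data(cfg, state, proposed)
    except AdminBootstrapError as e:
        return f"ERROR: {e}"

def reproduction(proposed=False):
    """The issue's reproduction: read-only LDAP, group assigned to the user, create_admin_account = false."""
    cfg = StartupConfig("ldap-admin", "ldap-admins", create_admin_account=False)
    state = RealmState(ldap_groups={"ldap-admin": {"ldap-admins"}})     # constructed sample data
    return startup_outcome(cfg, state, proposed), state
```

Running reproduction() returns the quoted startup error, while reproduction(proposed=True) creates the hybrid role and associates the user with it, which is the behaviour the issue asks for when group-role separation is enabled.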
