cyberark / conjur-service-broker

Implementation of the Open Service Broker API for Conjur

Server broker returns 500 on bind if the org / space policy doesn't exist

izgeri opened this issue

Summary

On provision for v1+ the service broker automatically creates org / space Conjur policy branches.

If:

  • Somehow the org / space policy branches get deleted, or
  • A service instance is provisioned in an org/space with an earlier version of the service broker, the service broker is updated to v1+, and an org / space has an existing Conjur service instance that has not run through the special "Enable Org/Space Permissions in Existing Spaces" instructions for upgrading pre-v1.0 service brokers to v1+ service brokers here

Then when an app is deployed to that pre-existing org/space using the v1+ service broker, the bind request will get a 500 error and will fail.

Steps to Reproduce

See above.

Expected Results

The service broker should return a 40x response that is more clear about the failure reason.

Actual Results (including error logs, if applicable)

The service broker logs would show an error like

   2020-06-25T11:38:52.74-0400 [APP/PROC/WEB/0] OUT I, [2020-06-25T15:38:52.743409 #125]  INFO -- : [b8939f93-7255-4807-aa59-2d8ead28b6ce] Completed 500 Internal Server Error in 171ms
   2020-06-25T11:38:52.74-0400 [APP/PROC/WEB/0] OUT F, [2020-06-25T15:38:52.743988 #125] FATAL -- : [b8939f93-7255-4807-aa59-2d8ead28b6ce]
   2020-06-25T11:38:52.74-0400 [APP/PROC/WEB/0] OUT F, [2020-06-25T15:38:52.744050 #125] FATAL -- : [b8939f93-7255-4807-aa59-2d8ead28b6ce] OrgSpacePolicy::OrgPolicyNotFound (OrgSpacePolicy::OrgPolicyNotFound):

Reproducible

  • Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

Applies to v1+ of the service broker

Environment setup

PAS 2+

Additional Information

n/a
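
One way the behaviour requested under "Expected Results" could look, as an added example that is not the service broker's own code: the missing-policy exception is mapped to a 4xx response with an `error` / `description` body in the shape the Open Service Broker API uses for errors, while unmapped failures stay a 500. The `SpacePolicyNotFound` class, the `ensure_policy!` and `bind_response` helpers, the policy id format and the choice of 400 are assumptions made for this sketch.

```ruby
require 'json'

# Stand-ins for the broker's exception classes. Only the name
# OrgSpacePolicy::OrgPolicyNotFound appears in the log above;
# SpacePolicyNotFound is a hypothetical sibling for the space branch.
module OrgSpacePolicy
  class OrgPolicyNotFound < StandardError; end
  class SpacePolicyNotFound < StandardError; end
end

# Assumed mapping: exception class => [HTTP status, error code, description].
# 400 is a choice made for this sketch; the issue only asks for "40x".
CLIENT_ERRORS = {
  OrgSpacePolicy::OrgPolicyNotFound =>
    [400, 'OrgPolicyNotFound',
     'Conjur policy branch for this org does not exist; create it before binding.'],
  OrgSpacePolicy::SpacePolicyNotFound =>
    [400, 'SpacePolicyNotFound',
     'Conjur policy branch for this space does not exist; create it before binding.']
}.freeze

# Hypothetical policy lookup: policies is a constructed list of branch ids.
def ensure_policy!(policies, org_id, space_id)
  raise OrgSpacePolicy::OrgPolicyNotFound unless policies.include?(org_id)
  raise OrgSpacePolicy::SpacePolicyNotFound unless policies.include?("#{org_id}/#{space_id}")
end

# Returns [status, json_body] for a bind request.
def bind_response(policies, org_id, space_id)
  ensure_policy!(policies, org_id, space_id)
  [201, JSON.generate('credentials' => {})] # placeholder credentials
rescue *CLIENT_ERRORS.keys => e
  status, code, description = CLIENT_ERRORS.fetch(e.class)
  [status, JSON.generate('error' => code, 'description' => description)]
rescue StandardError
  # Anything unmapped is still a server fault; keep internals out of the body.
  [500, JSON.generate('description' => 'Internal error while binding.')]
end

if __FILE__ == $PROGRAM_NAME
  constructed = ['org-1', 'org-1/space-1'] # constructed sample policy ids
  p bind_response(constructed, 'org-1', 'space-1') # bound
  p bind_response(constructed, 'org-2', 'space-9') # org branch missing
  p bind_response(constructed, 'org-1', 'space-9') # space branch missing
end
```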