Conflict Resolution in Access Federation

JFrog Platform Administration Documentation


Starting from Artifactory 7.77.3, Access Federation implements an advanced conflict resolution methodology.

Previously, when the source JPD published a full entity to the target server, the target server replaced its own entity with the new entity from the source JPD without managing any conflicts. If a user was added to group A in node A and to group B in node B at the same time, the result might not be as expected, because the groups might be overridden upon sync between the nodes. Now, only the delta of changes is exchanged between the JPDs, without overriding the data.

Set the property federation.inbound.allow-partial-entity-sync to true in the Access YAML Configuration file to enable conflict resolution. The default is false.

federation:
   .
   .
   inbound:
    .
    .
    allow-partial-entity-sync: true

Access Federation stores any changes made to an entity in a JPD in the federation buffer. When synchronization between JPDs occurs, if the same entity has been updated in different JPDs, the timestamp of the entity is checked against the entry in the database. If the entity has been modified, the changes that have occurred in the entity between the JPDs are merged and inserted into the database. The updated entity is then synchronized to the JPDs.

Conflict resolution kicks in in the following cases:

  • Group change

  • Password change

  • Permission change

Conflict resolution is not applied in cases of deleted entities. You may encounter a race condition when you delete a permission in one JPD and update the same permission in another JPD at the same time.

Conflict Resolution Example

Consider an Access Federation setup with two JPDs - JPD A and JPD B. The same user is updated at both JPD A and JPD B.

  1. The user is added to group A in JPD A and a sync event is added to the federation buffer of JPD A, waiting to be published.

  2. The same user is added to group B in JPD B and a sync event is added to the federation buffer of JPD B for the user, before JPD A has synced its changes.

  3. JPD B publishes changes to JPD A.

  4. JPD A receives the published changes from JPD B. JPD A updates received entities by matching the modified timestamp before and after the published changes.

  5. If there is a modification, the entity is fetched again from the database, conflicts are merged, and the entity is updated in the database.

  6. After JPD A publishes the changes, the previous steps are repeated on JPD B.
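
The two-JPD scenario above can be replayed in a small Python model, added here as an illustration and not JFrog's implementation: the JPD class, the event fields, the user name alice and the integer timestamps are all assumptions. It contrasts the earlier full-entity replacement, where the membership in group A is silently dropped, with the delta merge, where both memberships survive.

```python
# Illustrative model only; not JFrog Access code. All names are hypothetical.
class JPD:
    def __init__(self, name, partial_sync):
        self.name = name
        self.partial_sync = partial_sync  # models allow-partial-entity-sync
        self.db = {}       # user -> {"groups": set, "modified": int}
        self.buffer = []   # federation buffer: sync events waiting to be published

    def _entity(self, user):
        return self.db.setdefault(user, {"groups": set(), "modified": 0})

    def add_to_group(self, user, group, ts):
        entity = self._entity(user)
        # Record the delta and the timestamp the change was based on.
        self.buffer.append({"user": user, "added": {group},
                            "base": entity["modified"], "ts": ts})
        entity["groups"].add(group)
        entity["modified"] = ts

    def publish_to(self, target):
        for event in self.buffer:
            full = set(self._entity(event["user"])["groups"])  # state at publish time
            target.receive(event, full)
        self.buffer.clear()

    def receive(self, event, full):
        entity = self._entity(event["user"])
        changed_locally = entity["modified"] != event["base"]
        if self.partial_sync and changed_locally:
            entity["groups"] |= event["added"]   # merge the delta, keep local changes
        else:
            entity["groups"] = full              # replace with the sender's entity
        entity["modified"] = max(entity["modified"], event["ts"])


def run_scenario(partial_sync):
    """Replay steps 1-6 above; return the user's groups on (JPD A, JPD B)."""
    a, b = JPD("A", partial_sync), JPD("B", partial_sync)
    a.add_to_group("alice", "group-a", ts=1)   # step 1
    b.add_to_group("alice", "group-b", ts=2)   # step 2, before A has synced
    b.publish_to(a)                            # steps 3-5
    a.publish_to(b)                            # step 6
    return a.db["alice"]["groups"], b.db["alice"]["groups"]


if __name__ == "__main__":
    print("full-entity replace:", run_scenario(False))
    print("partial entity sync:", run_scenario(True))
```

The model covers group additions only; like the conflict resolution described above, it does not handle deleted entities.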