When storing a Grant relationship between a User and a Role from different Partitions, PicketLink wrongly assumes the Relationship lies within one Partition.
The affected method is
DefaultPartitionManager.getStoreForRelationshipOperation
The problem is actually in
RelationshipMetadata.queryRelationshipIdentityProperties
where
query.addCriteria(new TypedPropertyCriteria(IdentityType.class))
is called while the Grant looks like
    @InheritsPrivileges("role")
    @StereotypeProperty(RELATIONSHIP_GRANT_ASSIGNEE)
    public IdentityType getAssignee() {
        return assignee;
    }

    @StereotypeProperty(RELATIONSHIP_GRANT_ROLE)
    public Role getRole() {
        return role;
    }
Therefore I suggest changing it to
query.addCriteria(new TypedPropertyCriteria(IdentityType.class, TypedPropertyCriteria.MatchOption.SUB_TYPE));
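The mismatch described in the report, reproduced with plain reflection as an added example (not part of the original report and not PicketLink code). `IdentityType`, `Role` and `Grant` are hypothetical stand-ins, and it is an assumption that the one-argument criteria matches only properties declared exactly as the given type while `SUB_TYPE` also accepts subtypes.

```java
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;

public class GrantPropertyMatchDemo {
    // Hypothetical stand-ins for the model types named in the report.
    interface IdentityType {}
    interface Role extends IdentityType {}

    static class Grant {
        private IdentityType assignee;
        private Role role;
        public IdentityType getAssignee() { return assignee; }
        public Role getRole() { return role; }
    }

    // Collects getter names whose return type satisfies the chosen match rule.
    static List<String> identityGetters(Class<?> bean, Class<?> wanted, boolean allowSubTypes) {
        List<String> names = new ArrayList<>();
        for (Method m : bean.getDeclaredMethods()) {
            if (m.isSynthetic() || m.getParameterCount() != 0) {
                continue; // only plain getters are relationship properties
            }
            Class<?> declared = m.getReturnType();
            boolean matches = allowSubTypes
                    ? wanted.isAssignableFrom(declared) // IdentityType or any subtype
                    : wanted.equals(declared);          // IdentityType only
            if (matches) {
                names.add(m.getName());
            }
        }
        names.sort(null); // reflection order is unspecified, so sort for stable output
        return names;
    }

    public static void main(String[] args) {
        // Exact match skips getRole(), so the Role's partition is never looked at.
        System.out.println("exact match:    "
                + identityGetters(Grant.class, IdentityType.class, false));
        // Sub-type match returns both ends of the Grant.
        System.out.println("sub-type match: "
                + identityGetters(Grant.class, IdentityType.class, true));
    }
}
```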