How can i delete unused attributes?

Hey guys,

how can i delete unused attributes with Ziti Admin Console?

Oh, I bet that you can't... That's a good question. So you add an attribute to an object, then rename it or decide you don't want it but it shows up in your list of attributes forever....

@rgalletto there's no way to remove an attribute from "the global list", is there?

Looks like the only way to do it is to find the attribute from "all the things" and remove it. So somwhere there's an identity using the attribute. Find it and remove it from 'that thing'. Do that over and over and it'll eventually be "removed".

The API right now only shows you the list of defined/declared/used attributes.

I understand that but it is not in use. A delete button would be nice?

image2174×220 16.9 KB

That might be a bug then. Which view is that under?

i was clicking to the "Attribute Explorer" on the left side menu.

but the most problem is, i can select it on the identities.

image1152×682 34.9 KB

I was changing the id-core-router to id-public-router.

Thanks! That's definitely some kind of strange bug and sadly, I can't reproduce it.

Can you reproduce it consistently? If you click that attribute does it show anything?

no, it shows nothing when i'm clicking on identity "id-core-router".

image554×712 18.6 KB

The name in the first line is also now showing?

Very interesting. Can you use the ziti CLI and jq like this specifically looking for that id-core-router attribute:

ziti edge list identities "limit none" -j | jq '.data[] | [.name, .roleAttributes]'
[
  "ziti-edge-router-2",
  null
]
[
  "public",
  null
]
[
  "clint.dovholuk@",
  [
    "brozac.dialers",
    "docker.whale.dialers",
    "puter.dialers"
  ]
]
[
  "a",
  null
]
[
  "ryan.galletto@netfoundry.io",
  [
    "brozac.dialers",
    "docker.whale.dialers",
    "puter.dialers"
  ]
]
[
  "curt.tudor@netfoundry.io",
  [
    "brozac.dialers",
    "docker.whale.dialers",
    "puter.dialers"
  ]
]
[
  "Default Admin",
  null
]
[
  "ip-172-31-11-231-edge-router",
  [
    "brozac.binders",
    "docker.whale.binders"
  ]
]

i tried that but no output with "id-core-router".

Just to confirm what's been stated, ZAC doesn't support the ability to "Delete" an attribute from the system. In the attribute explorer "View" is the only available option, which should show what entities currently reference the selected attribute. A "delete from system" feature would definitely be a nice feature though, but it would need to be enabled via the API as well.

understand... are you caching the attributes somewhere? because they are not assigned to any identities..

ZAC should not be caching the attributes. If they still show as an option, I expect that's what's being returned from the API. I would try a refresh of the console though just to be sure.

Hi @fre4ki ,
Can you try a couple of CLI calls?

I tested this locally, to see if there was something sticking around:

plorenz@carrot:~/work/nf/ziti/zititest$ ziti edge create identity test
New identity test created with id: qVp6Wc46Y
plorenz@carrot:~/work/nf/ziti/zititest$ ziti edge update identity test -a id-core-router

plorenz@carrot:~/work/nf/ziti/zititest$ ziti edge list identity-role-attributes 'id contains "router"'
╭────────────────╮
│ ROLE ATTRIBUTE │
├────────────────┤
│ edge-router    │
│ id-core-router │
╰────────────────╯
results: 1-2 of 2

plorenz@carrot:~/work/nf/ziti/zititest$ ziti edge update identity test -a id-public-router

plorenz@carrot:~/work/nf/ziti/zititest$ ziti edge list identity-role-attributes 'id contains "router"'
╭──────────────────╮
│ ROLE ATTRIBUTE   │
├──────────────────┤
│ edge-router      │
│ id-public-router │
╰──────────────────╯
results: 1-2 of 2

plorenz@carrot:~/work/nf/ziti/zititest$ ziti edge list identities 'anyOf(roleAttributes) contains "router"'
╭────────────┬───────────────┬─────────┬────────────────────────────────────────┬─────────────╮
│ ID         │ NAME          │ TYPE    │ ATTRIBUTES                             │ AUTH-POLICY │
├────────────┼───────────────┼─────────┼────────────────────────────────────────┼─────────────┤
│ dtwfQcHrnj │ router-west   │ Router  │ edge-router,ert-host,host,tunneler     │ Default     │
│ qVp6Wc46Y  │ test          │ Default │ id-public-router                       │ Default     │
│ xc.8ycUrG  │ router-east-1 │ Router  │ client,edge-router,terminator,tunneler │ Default     │
╰────────────┴───────────────┴─────────┴────────────────────────────────────────┴─────────────╯
results: 1-3 of 3

Can you try specifically

ziti edge list identity-role-attributes
ziti edge list identities 'anyOf(roleAttributes) = "id-core-router"'

Thank you,
Paul

Hi Paul,

here it is.

image1058×814 39.3 KB

The "xx.." are placeholder

Thanks for posting that. Can you run one more thing for me, please?

ziti fabric db start-check-integrity

ziti fabric db check-integrity-status

It should be quick, but if you've got a large DB, it may take a little bit run, so you may need to re-run the check-integrity-status a few times.

When I ran it locally, I found a bug related to nillable unique constraints, which is now fixed (db intergrity checker doesn't take nullable flag into account when checking unique indices · Issue #73 · openziti/storage · GitHub), so you may see some spurious errors that look like:

Issue: unique index identities.externalId missing value  for id zh0EeI3E6. Fixed: false

The integrity check is read-only, unless you run it with the --fix-errors flag, so it should be safe to run. I'm curious if it finds the id-core-router attribute as an orphan in the index.

I also tried to duplicate the issue locally, both via CLI and using the admin console, with no results. Do you remember the steps you took? If it's a bug, it would be very helpful if we steps to replicate.

Thank you,
Paul

Hey Paul,

i have checked that - and, of course i have many lines like this:
Issue: unique index identities.externalId missing value for id 8Q8G7q1K3l. Fixed: false

than i was try the command:
ziti fabric db start-check-integrity --fix-errors

after a restart of the controller the issue is gone:

ziti fabric db check-integrity-status
In Progress: false
Fixing Errors: false
Too Many Errors: false (if true, additional errors can be found in controller log)
Started At: <nil>
Finished At: <nil>
Operation Error: <nil>
no data integrity errors found
root@ctn:~#

but the attribute is still there.

Sorry, i don't know the way how it was created in the past. :-/

Ok, last couple of suggestions:

Check to see if there are any hidden spaces:

ziti edge list identity-role-attributes 'id contains "core"' -j | jq .data.[0]

Use the attribute directly in the query, in case there's an odd character

ziti edge list identities "anyOf(roleAttributes)=\"$(ziti edge list identity-role-attributes 'id contains "core"' -j | jq -r .data.[0])\""

Otherwise, if you want to DM me a copy of your DB file, I can take a look and see if I find anything.

When I have time I'm going to also try adding an extra value to the index to make sure the checker correctly flags and fixes it.

Cheers,
Paul

root@ctn:~# ziti edge list identity-role-attributes 'id contains "core"' -j | jq .data.[0]
"id-core-router"

root@ctn:~# ziti edge list identities "anyOf(roleAttributes)="$(ziti edge list identity-role-attributes 'id contains "core"' -j | jq -r .data.[0])""
╭────┬──────┬──────┬────────────┬─────────────╮
│ ID │ NAME │ TYPE │ ATTRIBUTES │ AUTH-POLICY │
├────┼──────┼──────┼────────────┼─────────────┤
╰────┴──────┴──────┴────────────┴─────────────╯
results: none
root@ctn:~#