NEXUS-10256 (Dev - Nexus Repo)

extremely poor performance in user role/privilege resolution for LDAP users


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 3.0.0
    • Fix Version/s: 3.0.1
    • Component/s: LDAP, Security
    • Story Points: 3
    • Sprint: Sprint 70

      Description

      When an LDAP-mapped user uses Nexus we are repeatedly looping through all of their LDAP groups. This is done for every single privilege check. The comparison done is very inefficient, and an exception is thrown for each group not found mapped to a Nexus role.

      Here's an example: there were 970 of these just for this one group in 11 seconds. All I did was click around the UI a bit while logged in as an LDAP user mapped to nx-admin. This is repeated for every group my test user is a member of.

      2016-05-20 08:48:24,365-0500 TRACE [qtp1603293723-358] rseddon org.sonatype.nexus.security.internal.RolePermissionResolverImpl - Ignoring missing role: nested
      org.sonatype.nexus.security.role.NoSuchRoleException: Role not found: nested
      at org.sonatype.nexus.security.internal.SecurityConfigurationManagerImpl.readRole(SecurityConfigurationManagerImpl.java:197) [na:na]
      at org.sonatype.nexus.security.internal.RolePermissionResolverImpl.resolvePermissionsInRole(RolePermissionResolverImpl.java:116) [na:na]
      at org.apache.shiro.realm.AuthorizingRealm.resolveRolePermissions(AuthorizingRealm.java:447) [org.apache.shiro.core:1.2.4]
      at org.apache.shiro.realm.AuthorizingRealm.getPermissions(AuthorizingRealm.java:415) [org.apache.shiro.core:1.2.4]
      at org.apache.shiro.realm.AuthorizingRealm.isPermitted(AuthorizingRealm.java:468) [org.apache.shiro.core:1.2.4]
      at org.apache.shiro.realm.AuthorizingRealm.isPermitted(AuthorizingRealm.java:499) [org.apache.shiro.core:1.2.4]
      at org.apache.shiro.realm.AuthorizingRealm.isPermitted(AuthorizingRealm.java:489) [org.apache.shiro.core:1.2.4]
      at org.sonatype.nexus.security.authz.ExceptionCatchingModularRealmAuthorizer.isPermitted(ExceptionCatchingModularRealmAuthorizer.java:256) [org.sonatype.nexus.security:3.0.0.03]
      at org.apache.shiro.mgt.AuthorizingSecurityManager.isPermitted(AuthorizingSecurityManager.java:125) [org.apache.shiro.core:1.2.4]
      at org.apache.shiro.subject.support.DelegatingSubject.isPermitted(DelegatingSubject.java:175) [org.apache.shiro.core:1.2.4]
      at org.sonatype.nexus.rapture.internal.security.SecurityComponent.calculatePermissions(SecurityComponent.java:207) [org.sonatype.nexus.rapture:3.0.0.03]
      at org.sonatype.nexus.rapture.internal.security.SecurityComponent.getPermissions(SecurityComponent.java:170) [org.sonatype.nexus.rapture:3.0.0.03]
      at org.sonatype.nexus.rapture.internal.security.SecurityComponent.getState(SecurityComponent.java:179) [org.sonatype.nexus.rapture:3.0.0.03]
      at org.sonatype.nexus.rapture.internal.state.StateComponent.getState(StateComponent.java:81) [org.sonatype.nexus.rapture:3.0.0.03]
      at org.sonatype.nexus.rapture.internal.state.StateComponent$$EnhancerByGuice$$c680be9.CGLIB$getState$0(<generated>) [4.0:na]
      at org.sonatype.nexus.rapture.internal.state.StateComponent$$EnhancerByGuice$$c680be9$$FastClassByGuice$$f5589e80.invoke(<generated>) [4.0:na]
      at com.google.inject.internal.cglib.proxy.$MethodProxy.invokeSuper(MethodProxy.java:228) [com.google.inject:4.0.0]
      at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:75) [com.google.inject:4.0.0]
      at com.palominolabs.metrics.guice.TimedInterceptor.invoke(TimedInterceptor.java:47) [com.palominolabs.metrics.guice:3.0.2]
      at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:75) [com.google.inject:4.0.0]
      at com.google.inject.internal.InterceptorStackCallback.intercept(InterceptorStackCallback.java:55) [com.google.inject:4.0.0]
      at org.sonatype.nexus.rapture.internal.state.StateComponent$$EnhancerByGuice$$c680be9.getState(<generated>) [4.0:na]
      at sun.reflect.GeneratedMethodAccessor107.invoke(Unknown Source) [na:na]
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [na:1.8.0_60]
      at java.lang.reflect.Method.invoke(Method.java:497) [na:1.8.0_60]
      

      Acceptance Criteria:

      • Examine how to reduce the exception count as a bare minimum
      • Some minimal tuning to identify what the deeper issue is
      • Solve low hanging fruit, gain information on larger issues
        • Get together to produce follow up issues/stories based on deeper understanding

      NOTE:

      • We will need to test this against a large LDAP instance to verify the fixes if we make any
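      The following is an added illustration of the two resolution strategies the description contrasts; it is not Nexus or Shiro code and does not claim to be the 3.0.1 fix. It models a subject whose LDAP groups are offered as candidate role ids, of which only one is mapped. The "before" path calls a lookup that throws NoSuchRoleException for every unmapped group and re-resolves on every isPermitted call, so the exception count grows as (unmapped groups x checks) and each throw pays for fillInStackTrace through a deep Guice/reflection stack like the one in the trace above. The "after" path treats a missing role as an ordinary null result and memoises the resolved permission set per subject, so the role store is consulted once per subject rather than once per check. The role store contents, the group list, the subject id "rseddon", the simplified wildcard matcher and the counters are all constructed for the example.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class RoleResolutionExample {

    /** Thrown by the "before" lookup for every LDAP group without a role mapping (modelled, not Nexus's class). */
    static final class NoSuchRoleException extends RuntimeException {
        NoSuchRoleException(String roleId) { super("Role not found: " + roleId); }
    }

    /** Constructed role store: role id -> permissions granted by that role. */
    static final Map<String, Set<String>> ROLES = Map.of(
        "nx-admin", Set.of("nexus:*"),
        "nx-anonymous", Set.of("nexus:repository-view:*:*:read"));

    /** Constructed LDAP group list for one user; only "nx-admin" is mapped to a role. */
    static final List<String> LDAP_GROUPS = List.of("nx-admin", "nested", "developers", "vpn-users");

    // ---- "before": throw on each unmapped group and re-resolve on every check ----

    static int exceptionsThrown = 0;

    static Set<String> readRoleOrThrow(String roleId) {
        Set<String> perms = ROLES.get(roleId);
        if (perms == null) {
            exceptionsThrown++;                 // constructing the exception fills in a stack trace
            throw new NoSuchRoleException(roleId);
        }
        return perms;
    }

    static Set<String> resolveThrowing(Collection<String> roleIds) {
        Set<String> result = new HashSet<>();
        for (String roleId : roleIds) {
            try {
                result.addAll(readRoleOrThrow(roleId));
            } catch (NoSuchRoleException e) {
                // "Ignoring missing role": swallowed, but the cost has already been paid
            }
        }
        return result;
    }

    static boolean isPermittedThrowing(Collection<String> roleIds, String permission) {
        return matches(resolveThrowing(roleIds), permission);
    }

    // ---- "after": non-throwing lookup, resolved once per subject ----

    static final Map<String, Set<String>> CACHE = new ConcurrentHashMap<>();
    static int resolutions = 0;

    static Set<String> resolveCached(String subjectId, Collection<String> roleIds) {
        return CACHE.computeIfAbsent(subjectId, ignored -> {
            resolutions++;
            Set<String> result = new HashSet<>();
            for (String roleId : roleIds) {
                Set<String> perms = ROLES.get(roleId);   // a missing role is a normal null, not an error
                if (perms != null) result.addAll(perms);
            }
            return Collections.unmodifiableSet(result);
        });
    }

    static boolean isPermittedCached(String subjectId, Collection<String> roleIds, String permission) {
        return matches(resolveCached(subjectId, roleIds), permission);
    }

    /** Simplified wildcard match: a granted "prefix:*" covers any permission starting with "prefix:". */
    static boolean matches(Set<String> granted, String wanted) {
        for (String g : granted) {
            if (g.equals(wanted)) return true;
            if (g.endsWith(":*") && wanted.startsWith(g.substring(0, g.length() - 1))) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        String[] checks = { "nexus:settings:read", "nexus:repository-view:maven2:central:read", "nexus:users:create" };

        for (String c : checks) isPermittedThrowing(LDAP_GROUPS, c);
        // 3 unmapped groups x 3 checks = 9 exceptions for three UI permission checks
        System.out.println("throwing: exceptions=" + exceptionsThrown);

        for (String c : checks) isPermittedCached("rseddon", LDAP_GROUPS, c);
        // role store consulted once for the subject, no exceptions
        System.out.println("cached:   resolutions=" + resolutions);
    }
}
```

      The caveat that comes with the cached form: a per-subject permission cache trades resolution cost for revocation lag, so it must be cleared when the subject logs out or when role or group mappings change, otherwise a removed group keeps granting access until the entry expires. Shiro's AuthorizingRealm already provides an authorization cache with exactly that lifecycle (enabled through setAuthorizationCachingEnabled, cleared through clearCachedAuthorizationInfo), which is the usual place to hang this rather than a hand-rolled map as above.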

             People

             Assignee: Joe Tom (jtom)
             Reporter: Rich Seddon (rseddon)
             Last Updated By: Peter Lynch