Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-15878

UI poll requests iterates over all privileges.

    Details

    • Story Points:
      5

      Description

      Every time the UI polls Nexus it iterates over all privileges:

      https://github.com/sonatype/nexus-internal/blob/release-3.8.0-02/components/nexus-rapture/src/main/java/org/sonatype/nexus/rapture/internal/security/SecurityComponent.java#L197

      This is similar to an issue we fixed in Nexus 2.x (NEXUS-5713).

      The processing of these privileges looks very expensive:

       

      "qtp1909464898-53236" #53236 prio=5 os_prio=0 tid=0x00007fc1fd002800 nid=0x7e9b runnable [0x00007fbdc0269000]
      java.lang.Thread.State: RUNNABLE
      at java.util.HashMap.hash(HashMap.java:338)
      at java.util.HashMap.put(HashMap.java:611)
      at java.util.HashSet.add(HashSet.java:219)
      at java.util.AbstractCollection.addAll(AbstractCollection.java:344)
      at org.apache.shiro.realm.AuthorizingRealm.getPermissions(AuthorizingRealm.java:417)
      at org.apache.shiro.realm.AuthorizingRealm.isPermitted(AuthorizingRealm.java:468)
      at org.apache.shiro.realm.AuthorizingRealm.isPermitted(AuthorizingRealm.java:499)
      at org.apache.shiro.realm.AuthorizingRealm.isPermitted(AuthorizingRealm.java:489)
      at org.sonatype.nexus.security.authz.ExceptionCatchingModularRealmAuthorizer.isPermitted(ExceptionCatchingModularRealmAuthorizer.java:256)
      at org.apache.shiro.mgt.AuthorizingSecurityManager.isPermitted(AuthorizingSecurityManager.java:125)
      at org.apache.shiro.subject.support.DelegatingSubject.isPermitted(DelegatingSubject.java:175)
      at org.sonatype.nexus.rapture.internal.security.SecurityComponent.calculatePermissions(SecurityComponent.java:215)
      at org.sonatype.nexus.rapture.internal.security.SecurityComponent.getPermissions(SecurityComponent.java:178)
      at org.sonatype.nexus.rapture.internal.security.SecurityComponent$$EnhancerByGuice$$53f0c4b1.CGLIB$getPermissions$3(<generated>)
      at org.sonatype.nexus.rapture.internal.security.SecurityComponent$$EnhancerByGuice$$53f0c4b1$$FastClassByGuice$$e138cccd.invoke(<generated>)
      at com.google.inject.internal.cglib.proxy.$MethodProxy.invokeSuper(MethodProxy.java:228)
      at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:76)
      at com.palominolabs.metrics.guice.ExceptionMeteredInterceptor.invoke(ExceptionMeteredInterceptor.java:49)
      at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:77)
      at com.palominolabs.metrics.guice.TimedInterceptor.invoke(TimedInterceptor.java:47)
      at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:77)
      at com.google.inject.internal.InterceptorStackCallback.intercept(InterceptorStackCallback.java:55)
      at org.sonatype.nexus.rapture.internal.security.SecurityComponent$$EnhancerByGuice$$53f0c4b1.getPermissions(<generated>)
      at org.sonatype.nexus.rapture.internal.security.SecurityComponent.getState(SecurityComponent.java:187)
      at org.sonatype.nexus.rapture.internal.state.StateComponent.getState(StateComponent.java:83)
      at org.sonatype.nexus.rapture.internal.state.StateComponent$$EnhancerByGuice$$c680be9.CGLIB$getState$0(<generated>)
      at org.sonatype.nexus.rapture.internal.state.StateComponent$$EnhancerByGuice$$c680be9$$FastClassByGuice$$f5589e80.invoke(<generated>)
      at com.google.inject.internal.cglib.proxy.$MethodProxy.invokeSuper(MethodProxy.java:228)
      at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:76)
      at com.palominolabs.metrics.guice.ExceptionMeteredInterceptor.invoke(ExceptionMeteredInterceptor.java:49)
      at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:77)
      at com.palominolabs.metrics.guice.TimedInterceptor.invoke(TimedInterceptor.java:47)
      at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:77)
      at com.google.inject.internal.InterceptorStackCallback.intercept(InterceptorStackCallback.java:55)
      at org.sonatype.nexus.rapture.internal.state.StateComponent$$EnhancerByGuice$$c680be9.getState(<generated>)
      at sun.reflect.GeneratedMethodAccessor226.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)
      at com.softwarementors.extjs.djn.router.dispatcher.DispatcherBase.invokeJavaMethod(DispatcherBase.java:142)
      at com.softwarementors.extjs.djn.router.dispatcher.DispatcherBase.invokeMethod(DispatcherBase.java:133)
      at org.sonatype.nexus.extdirect.internal.ExtDirectServlet$3.invokeMethod(ExtDirectServlet.java:227)
      at com.softwarementors.extjs.djn.router.dispatcher.DispatcherBase.dispatch(DispatcherBase.java:63)
      at com.softwarementors.extjs.djn.router.processor.poll.PollRequestProcessor.process(PollRequestProcessor.java:145)
      at org.sonatype.nexus.extdirect.internal.ExtDirectServlet$4.processPollRequest(ExtDirectServlet.java:330)
      at com.softwarementors.extjs.djn.servlet.DirectJNgineServlet.processRequest(DirectJNgineServlet.java:621)
      at com.softwarementors.extjs.djn.servlet.DirectJNgineServlet.doPost(DirectJNgineServlet.java:580)
      at org.sonatype.nexus.extdirect.internal.ExtDirectServlet.doPost(ExtDirectServlet.java:133)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
      

      Mitigation

      Reducing the frequency the UI makes poll requests will in turn reduce the total processing of these requests by UI users. By default, poll requests are sent every 5 seconds.

      Go to "system/capabilities" in the administration UI, and click on the "UI: Settings" capability. In the settings tab, change the "authenticated user status interval" to something like 120 seconds. Make sure the standard request timeout value is higher than 120 seconds or whatever you sent the value to.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              mpiggott Matthew Piggott
              Reporter:
              rseddon Rich Seddon
              Last Updated By:
              Hajime Osako Hajime Osako
              Team:
              NXRM - Tron
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Date of First Response:

                  tigCommentSecurity.panel-title