Dev - Nexus Repo / NEXUS-18564

Delete orphaned API keys task run before any other HTTP activity can stop some LDAP operations

      Description

      If an 'Admin - Delete orphaned API keys' task is run at startup before any users access the UI, LDAP users will not be able to log on if NuGet API keys are used.  Also, the LDAP server connection will not appear in Security > LDAP.

      Here are the steps to reproduce:

      1. Create an LDAP connection, enable the NuGet API-Key realm, and configure an LDAP user to have a NuGet API key.
      2. Create a scheduled task of type 'Admin - Delete orphaned API keys'.  Configure the job to run frequently (e.g. every 2 mins, cron exp = 0 0/2 * 1/1 * ? *).
      3. Stop Nexus 3, and close all browser windows to prevent stray UI requests.
      4. Start Nexus and ensure the orphan API key task runs.
      5. Attempt to log on with an LDAP user.
      6. Log on with a native admin and check Security > LDAP.

      For #5, LDAP users cannot log on.  For #6, there will not be any LDAP connections present in Security > LDAP.

      The nexus.log will show a message similar to:

      2018-11-26 11:24:37,604-0800 INFO  [quartz-6-thread-2]  *SYSTEM org.sonatype.nexus.internal.security.apikey.PurgeApiKeysTask - Task log: /path/to/nexus-3.13.0-01/sonatype-work/nexus3/log/tasks/security.purge-api-keys-20181126112437587.log
      2018-11-26 11:24:37,609-0800 INFO  [quartz-6-thread-1]  *SYSTEM org.sonatype.nexus.repository.search.SearchFacetImpl - Rebuilding index of repository test
      2018-11-26 11:24:37,631-0800 INFO  [quartz-6-thread-2]  *SYSTEM com.hazelcast.cache.impl.CacheService - [192.168.41.1]:5701 [nexus] [3.8.9] Added cache config: CacheConfig{name='enterprise-ldap', managerPrefix='/hz/', inMemoryFormat=BINARY, backupCount=1, hotRestart=HotRestartConfig{enabled=false, fsync=false}}
      2018-11-26 11:24:37,658-0800 WARN  [quartz-6-thread-2]  *SYSTEM org.sonatype.nexus.ldap.persist.internal.DefaultLdapConfigurationManager - Cannot retrieve LDAP configuration
      java.lang.IllegalArgumentException: Class 'ldap' not found in current database
              at com.orientechnologies.orient.core.db.document.ODatabaseDocumentTx.browseClass(ODatabaseDocumentTx.java:2589)
              at com.orientechnologies.orient.core.db.document.ODatabaseDocumentTx.browseClass(ODatabaseDocumentTx.java:2581)
              at org.sonatype.nexus.orient.entity.EntityAdapter.browseDocuments(EntityAdapter.java:244)
              at org.sonatype.nexus.orient.entity.action.BrowseEntitiesAction.execute(BrowseEntitiesAction.java:40)
              at org.sonatype.nexus.orient.entity.IterableEntityAdapter.browse(IterableEntityAdapter.java:96)
              at org.sonatype.nexus.ldap.persist.internal.orient.OrientDBLdapConfigurationSource.lambda$0(OrientDBLdapConfigurationSource.java:73)
              at org.sonatype.nexus.orient.transaction.OrientOperations.lambda$1(OrientOperations.java:56)
              at org.sonatype.nexus.transaction.OperationPoint.proceed(OperationPoint.java:64)
              at org.sonatype.nexus.transaction.Operations.transactional(Operations.java:196)
              at org.sonatype.nexus.transaction.Operations.call(Operations.java:146)
              at org.sonatype.nexus.orient.transaction.OrientOperations.call(OrientOperations.java:56)
              at org.sonatype.nexus.ldap.persist.internal.orient.OrientDBLdapConfigurationSource.loadAll(OrientDBLdapConfigurationSource.java:73)
              at org.sonatype.nexus.common.stateguard.MethodInvocationAction.run(MethodInvocationAction.java:39)
              at org.sonatype.nexus.common.stateguard.StateGuard$GuardImpl.run(StateGuard.java:270)
              at org.sonatype.nexus.common.stateguard.GuardedInterceptor.invoke(GuardedInterceptor.java:53)
              at org.sonatype.nexus.ldap.persist.internal.DefaultLdapConfigurationManager.getConfiguration(DefaultLdapConfigurationManager.java:209)
              at org.sonatype.nexus.ldap.persist.internal.DefaultLdapConfigurationManager.listLdapServerConfigurations(DefaultLdapConfigurationManager.java:105)
              at org.sonatype.nexus.ldap.internal.realms.EnterpriseLdapManager.getLdapConnectors(EnterpriseLdapManager.java:310)
              at org.sonatype.nexus.ldap.internal.realms.EnterpriseLdapManager.getUser(EnterpriseLdapManager.java:219)
              at org.sonatype.nexus.ldap.internal.LdapUserManager.getUser(LdapUserManager.java:47)
              at org.sonatype.nexus.security.UserPrincipalsHelper.getUserStatus(UserPrincipalsHelper.java:59)
              at org.sonatype.nexus.internal.security.apikey.ApiKeyStoreImpl.lambda$5(ApiKeyStoreImpl.java:186)
              at org.sonatype.nexus.orient.transaction.OrientOperations.lambda$2(OrientOperations.java:63)
              at org.sonatype.nexus.transaction.OperationPoint.lambda$0(OperationPoint.java:53)
              at org.sonatype.nexus.transaction.OperationPoint.proceed(OperationPoint.java:64)
              at org.sonatype.nexus.transaction.TransactionalWrapper.proceedWithTransaction(TransactionalWrapper.java:56)
              at org.sonatype.nexus.transaction.Operations.transactional(Operations.java:200)
              at org.sonatype.nexus.transaction.Operations.run(Operations.java:155)
              at org.sonatype.nexus.orient.transaction.OrientOperations.run(OrientOperations.java:63)
              at org.sonatype.nexus.internal.security.apikey.ApiKeyStoreImpl.purgeApiKeys(ApiKeyStoreImpl.java:181)
              at org.sonatype.nexus.common.stateguard.MethodInvocationAction.run(MethodInvocationAction.java:39)
              at org.sonatype.nexus.common.stateguard.StateGuard$GuardImpl.run(StateGuard.java:270)
              at org.sonatype.nexus.common.stateguard.GuardedInterceptor.invoke(GuardedInterceptor.java:53)
              at org.sonatype.nexus.internal.security.apikey.PurgeApiKeysTask.execute(PurgeApiKeysTask.java:44)
              at org.sonatype.nexus.internal.security.apikey.PurgeApiKeysTask.execute(PurgeApiKeysTask.java:1)
              at org.sonatype.nexus.scheduling.TaskSupport.call(TaskSupport.java:93)
              at org.sonatype.nexus.quartz.internal.task.QuartzTaskJob.doExecute(QuartzTaskJob.java:145)
              at org.sonatype.nexus.quartz.internal.task.QuartzTaskJob.execute(QuartzTaskJob.java:108)
              at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
              at org.sonatype.nexus.thread.internal.MDCAwareRunnable.run(MDCAwareRunnable.java:40)
              at org.apache.shiro.subject.support.SubjectRunnable.doRun(SubjectRunnable.java:120)
              at org.apache.shiro.subject.support.SubjectRunnable.run(SubjectRunnable.java:108)
              at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
              at java.util.concurrent.FutureTask.run(FutureTask.java:266)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
              at java.lang.Thread.run(Thread.java:748)
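
A log check for the failure signature shown above, added here as an example (it is not Sonatype's code). It flags a DefaultLdapConfigurationManager WARN only when its stack trace contains both the missing 'ldap' class error and a PurgeApiKeysTask.execute frame; the function name and the shortened sample log are constructed for illustration.

```python
import re

# nexus.log record header as it appears in the report:
# timestamp, level, [thread], user, logger - message
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}[+-]\d{4})\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<thread>[^\]]+)\]\s+\S+\s+"
    r"(?P<logger>\S+) - (?P<msg>.*)$"
)
LDAP_MGR = "org.sonatype.nexus.ldap.persist.internal.DefaultLdapConfigurationManager"
WARN_MSG = "Cannot retrieve LDAP configuration"
MISSING_CLASS = "Class 'ldap' not found in current database"
PURGE_FRAME = "apikey.PurgeApiKeysTask.execute("

# Constructed sample: the report's log lines with the trace cut to two frames,
# plus one made-up unrelated WARN that must not match.
SAMPLE = """\
2018-11-26 11:24:37,604-0800 INFO  [quartz-6-thread-2]  *SYSTEM org.sonatype.nexus.internal.security.apikey.PurgeApiKeysTask - Task log: /path/to/task.log
2018-11-26 11:24:37,658-0800 WARN  [quartz-6-thread-2]  *SYSTEM org.sonatype.nexus.ldap.persist.internal.DefaultLdapConfigurationManager - Cannot retrieve LDAP configuration
java.lang.IllegalArgumentException: Class 'ldap' not found in current database
        at org.sonatype.nexus.ldap.persist.internal.DefaultLdapConfigurationManager.getConfiguration(DefaultLdapConfigurationManager.java:209)
        at org.sonatype.nexus.internal.security.apikey.PurgeApiKeysTask.execute(PurgeApiKeysTask.java:44)
2018-11-26 11:30:00,000-0800 WARN  [qtp-1]  admin org.sonatype.nexus.ldap.persist.internal.DefaultLdapConfigurationManager - Cannot retrieve LDAP configuration
java.net.ConnectException: Connection refused
""".splitlines()


def find_purge_ldap_failures(lines):
    """Return [(timestamp, thread)] for every LDAP-configuration WARN whose
    stack trace shows the missing 'ldap' class and the purge task as caller."""
    hits, current = [], None   # current = [ts, thread, saw_missing, saw_purge]

    def flush():
        if current and current[2] and current[3]:
            hits.append((current[0], current[1]))
    for raw in lines:
        line = raw.strip()
        m = HEADER.match(line)
        if m:                      # a new log record ends the previous trace
            flush()
            current = None
            if (m["level"] == "WARN" and m["logger"] == LDAP_MGR
                    and WARN_MSG in m["msg"]):
                current = [m["ts"], m["thread"], False, False]
        elif current:              # exception header or stack frame
            current[2] = current[2] or MISSING_CLASS in line
            current[3] = current[3] or PURGE_FRAME in line
    flush()
    return hits
```

To scan a real log, pass the open file object for nexus.log in place of SAMPLE.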

            People

            Assignee:
            jtom Joe Tom
            Reporter:
            jkruger John Kruger
            Last Updated By:
            Peter Lynch
            Team:
            NXRM - Cypher