NEXUS-18997 (project: Dev - Nexus Repo)

authenticated LDAP users may inherit roles from the same userid in a different LDAP server

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Parked
    • Affects Version/s: 3.15.1, 3.15.2
    • Fix Version/s: None
    • Component/s: LDAP
    • Notability: 3

      Description

      Summary

      An authenticated LDAP user from LDAP server B may inherit the roles of an identical userid from LDAP server A.

      Scenario

      Two ldap servers, configured in this order:
      ldapserver1
      ldapserver2

      cuser ldap user is present in both ldap servers

      cuser in ldapserver1 has password "password"
      cuser in ldapserver2 has password "admin123"

      repomaintainer static group is present in ldapserver1 and ldapserver2
      repoconsumer static group is present in ldapserver1 and ldapserver2

      cuser is NOT a member of repomaintainer ldap group in ldapserver1
      cuser is a member of repomaintainer ldap group in ldapserver2
      cuser is a member of repoconsumer ldap group in ldapserver1 and ldapserver2

      NXRM ONLY explicitly maps external role repomaintainer and assigns it privilege 'nx-all'
      NXRM does not explicitly map any reference to ldap group repoconsumer

      cuser signs into nexus with password "admin123"

      Authentication fails in ldapserver1 as expected

      2019-01-29 11:02:15,549-0400 DEBUG [qtp2094155505-66] *UNKNOWN org.sonatype.nexus.ldap.internal.realms.EnterpriseLdapManager - Failed to find user: cuser
      org.apache.shiro.authc.AuthenticationException: User 'cuser' cannot be authenticated.
      

      Authentication succeeds for ldapserver2 as expected

      2019-01-29 11:02:15,563-0400 DEBUG [qtp2094155505-66] *UNKNOWN org.sonatype.nexus.ldap.internal.realms.EnterpriseLdapManager - Adding Ldap User: cuser to cache, from server: dd2cc30f-71c4-4e3c-b54a-a01038edc396, item should be valid until: Tue Jan 29 11:04:15 AST 2019
      

      This caches the user in the LDAP cache inside NXRM.

      When the UI loads after authentication, the user does not have the permissions that would normally be granted by the nx-all privilege, which should be inherited through their membership of the repomaintainer LDAP group in ldapserver2.

      The roles for cuser are loaded from ldapserver1 (effectively none), instead of from ldapserver2, where they were authenticated.

      In the same thread, there is a large WARN about the unrelated role named repoconsumer, which exists in both ldap servers:

      2019-01-29 11:02:15,603-0400 WARN  [qtp2094155505-69] cuser org.sonatype.nexus.internal.selector.SelectorManagerImpl - Unable to find role for roleId=repoconsumer, continue searching for roles
      org.sonatype.nexus.security.role.NoSuchRoleException: Role not found: repoconsumer
       at org.sonatype.nexus.security.internal.SecurityConfigurationManagerImpl.readRole(SecurityConfigurationManagerImpl.java:198)
       at org.sonatype.nexus.security.internal.AuthorizationManagerImpl.getRole(AuthorizationManagerImpl.java:179)
       at org.sonatype.nexus.internal.selector.SelectorManagerImpl.getRoles(SelectorManagerImpl.java:244)
       at org.sonatype.nexus.internal.selector.SelectorManagerImpl.lambda$3(SelectorManagerImpl.java:236)
       at java.util.ArrayList.forEach(ArrayList.java:1257)
       at org.sonatype.nexus.internal.selector.SelectorManagerImpl.getRoles(SelectorManagerImpl.java:236)
       at org.sonatype.nexus.internal.selector.SelectorManagerImpl.browseActive(SelectorManagerImpl.java:194)
       at org.sonatype.nexus.internal.selector.SelectorManagerImpl$$EnhancerByGuice$$9f288a38.CGLIB$browseActive$7(<generated>)
       at org.sonatype.nexus.internal.selector.SelectorManagerImpl$$EnhancerByGuice$$9f288a38$$FastClassByGuice$$b84ceafd.invoke(<generated>)
       at com.google.inject.internal.cglib.proxy.$MethodProxy.invokeSuper(MethodProxy.java:228)
       at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:76)
       at org.sonatype.nexus.common.stateguard.MethodInvocationAction.run(MethodInvocationAction.java:39)
       at org.sonatype.nexus.common.stateguard.StateGuard$GuardImpl.run(StateGuard.java:272)
       at org.sonatype.nexus.common.stateguard.GuardedInterceptor.invoke(GuardedInterceptor.java:53)
       at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:77)
       at com.google.inject.internal.InterceptorStackCallback.intercept(InterceptorStackCallback.java:55)
       at org.sonatype.nexus.internal.selector.SelectorManagerImpl$$EnhancerByGuice$$9f288a38.browseActive(<generated>)
       at org.sonatype.nexus.repository.security.RepositoryPermissionChecker.subjectHasAnyContentSelectorAccessTo(RepositoryPermissionChecker.java:121)
       at org.sonatype.nexus.repository.security.RepositoryPermissionChecker.userCanBrowseRepositories(RepositoryPermissionChecker.java:109)
       at org.sonatype.nexus.repository.security.RepositoryPermissionChecker$userCanBrowseRepositories$0.call(Unknown Source)
       at org.sonatype.nexus.coreui.RepositoryComponent.getBrowseableFormats(RepositoryComponent.groovy:135)
       at org.sonatype.nexus.coreui.RepositoryComponent$$EnhancerByGuice$$665c34e1.CGLIB$getBrowseableFormats$25(<generated>)
       at org.sonatype.nexus.coreui.RepositoryComponent$$EnhancerByGuice$$665c34e1$$FastClassByGuice$$8c50a3db.invoke(<generated>)
       at com.google.inject.internal.cglib.proxy.$MethodProxy.invokeSuper(MethodProxy.java:228)
       at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:76)
       at com.palominolabs.metrics.guice.ExceptionMeteredInterceptor.invoke(ExceptionMeteredInterceptor.java:49)
       at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:77)
       at com.palominolabs.metrics.guice.TimedInterceptor.invoke(TimedInterceptor.java:47)
       at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:77)
       at com.google.inject.internal.InterceptorStackCallback.intercept(InterceptorStackCallback.java:55)
       at org.sonatype.nexus.coreui.RepositoryComponent$$EnhancerByGuice$$665c34e1.getBrowseableFormats(<generated>)
       at org.sonatype.nexus.coreui.RepositoryComponent.getState(RepositoryComponent.groovy:147)
       at org.sonatype.nexus.rapture.internal.state.StateComponent.getState(StateComponent.java:87)
       at org.sonatype.nexus.rapture.internal.state.StateComponent$$EnhancerByGuice$$c680be9.CGLIB$getState$0(<generated>)
       at org.sonatype.nexus.rapture.internal.state.StateComponent$$EnhancerByGuice$$c680be9$$FastClassByGuice$$f5589e80.invoke(<generated>)
       at com.google.inject.internal.cglib.proxy.$MethodProxy.invokeSuper(MethodProxy.java:228)
       at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:76)
       at com.palominolabs.metrics.guice.ExceptionMeteredInterceptor.invoke(ExceptionMeteredInterceptor.java:49)
       at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:77)
       at com.palominolabs.metrics.guice.TimedInterceptor.invoke(TimedInterceptor.java:47)
       at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:77)
       at com.google.inject.internal.InterceptorStackCallback.intercept(InterceptorStackCallback.java:55)
       at org.sonatype.nexus.rapture.internal.state.StateComponent$$EnhancerByGuice$$c680be9.getState(<generated>)
       at sun.reflect.GeneratedMethodAccessor107.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:498)
       at com.softwarementors.extjs.djn.router.dispatcher.DispatcherBase.invokeJavaMethod(DispatcherBase.java:142)
       at com.softwarementors.extjs.djn.router.dispatcher.DispatcherBase.invokeMethod(DispatcherBase.java:133)
       at org.sonatype.nexus.extdirect.internal.ExtDirectDispatcher.invokeMethod(ExtDirectDispatcher.java:82)
       at com.softwarementors.extjs.djn.router.dispatcher.DispatcherBase.dispatch(DispatcherBase.java:63)
       at com.softwarementors.extjs.djn.router.processor.poll.PollRequestProcessor.process(PollRequestProcessor.java:145)
       at org.sonatype.nexus.extdirect.internal.ExtDirectServlet$3.processPollRequest(ExtDirectServlet.java:247)
       at com.softwarementors.extjs.djn.servlet.DirectJNgineServlet.processRequest(DirectJNgineServlet.java:636)
      

      The WARN continues for every UI POLL request while the cuser is signed in.

      Additional Problem Scope

      Sign in as cuser with password value of "password". Authentication works against ldapserver1 and cuser inherits the group membership privileges from ldapserver2. The UI loads with nx-all privileges. Possibly some customers may be relying on this cascading behaviour - but it still seems wrong, as the same user in another ldap server is NOT the same user in all cases.

      Expected

      Roles for a user should be loaded only from the ldap server where authentication worked for that user - the cuser account in ldapserver1 is not the same user account and should not put its roles into the ldapserver2 authenticated user.

      The verbose WARN message needs diagnosis. Why is NXRM throwing a very verbose WARN message about a role that is not even mapped and has nothing to do with the test case?
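The following is an added illustration, not Nexus Repository's own code, that models the scenario above in Python so the reported and expected behaviours can be compared side by side. The server names, userids, passwords and group memberships are the constructed values from the Scenario section; the role mapping is the one the issue describes (only repomaintainer is mapped, to nx-all). The issue does not say how NXRM chose the server for the group lookup, so the model makes that an explicit parameter (`lookup_server`) and feeds it the two observed outcomes (roles from ldapserver1 after authenticating on ldapserver2, and the reverse); the "Unable to find role" warning is modelled as the result of an unmapped group name being treated as a role id, which is an assumption, not a confirmed root cause.

```python
"""Model of the role-resolution defect described in NEXUS-18997 (added example).

Reported behaviour: the group lookup is keyed by userid only, so it can be
answered by a server other than the one that authenticated the user.
Expected behaviour: groups come only from the authenticating server.
"""
from dataclasses import dataclass


@dataclass
class LdapServer:
    """One configured LDAP server: a userid -> password table and static groups."""
    name: str
    users: dict          # userid -> password (constructed sample values)
    groups: dict         # group name -> set of member userids

    def authenticate(self, userid: str, password: str) -> bool:
        return self.users.get(userid) == password

    def groups_of(self, userid: str) -> set:
        return {g for g, members in self.groups.items() if userid in members}


# Constructed from the issue's Scenario section (sample values, not real credentials).
LDAPSERVER1 = LdapServer(
    "ldapserver1", {"cuser": "password"},
    {"repomaintainer": set(), "repoconsumer": {"cuser"}},
)
LDAPSERVER2 = LdapServer(
    "ldapserver2", {"cuser": "admin123"},
    {"repomaintainer": {"cuser"}, "repoconsumer": {"cuser"}},
)
SERVERS = [LDAPSERVER1, LDAPSERVER2]   # configured order, as in the issue

# Only repomaintainer is explicitly mapped; repoconsumer is not mapped at all.
ROLE_MAPPING = {"repomaintainer": {"nx-all"}}


def authenticate(servers, userid, password):
    """Try each server in configured order and return the first that accepts the
    credentials, mirroring 'fails in ldapserver1, succeeds in ldapserver2'."""
    for server in servers:
        if server.authenticate(userid, password):
            return server
    raise PermissionError(f"User '{userid}' cannot be authenticated.")


def privileges_for(groups, warnings):
    """Map external group names to privileges. An unmapped group yields no
    privileges and a warning like the one in the issue's log (assumed cause)."""
    privs = set()
    for group in sorted(groups):
        if group in ROLE_MAPPING:
            privs |= ROLE_MAPPING[group]
        else:
            warnings.append(f"Unable to find role for roleId={group}")
    return privs


def roles_unbound(userid, lookup_server):
    """Reported behaviour: lookup keyed by userid, answered by whichever server
    the realm happened to consult (made explicit here, since the issue does
    not say how that server was chosen)."""
    return lookup_server.groups_of(userid)


def roles_bound(userid, auth_server):
    """Expected behaviour: groups come only from the authenticating server."""
    return auth_server.groups_of(userid)


def sign_in(userid, password, lookup_server=None, servers=SERVERS):
    """Authenticate, then resolve privileges. lookup_server=None binds the lookup
    to the authenticating server (expected); a server models the reported
    decoupling. Returns (authenticating server name, privileges, warnings)."""
    auth_server = authenticate(servers, userid, password)
    if lookup_server is None:
        groups = roles_bound(userid, auth_server)
    else:
        groups = roles_unbound(userid, lookup_server)
    warnings = []
    privs = privileges_for(groups, warnings)
    return auth_server.name, privs, warnings


if __name__ == "__main__":
    # Observation 1: admin123 authenticates on ldapserver2, roles came from ldapserver1.
    print(sign_in("cuser", "admin123", lookup_server=LDAPSERVER1))
    # Observation 2: 'password' authenticates on ldapserver1, roles came from ldapserver2.
    print(sign_in("cuser", "password", lookup_server=LDAPSERVER2))
    # Expected: roles follow the authenticating server in both cases.
    print(sign_in("cuser", "admin123"))
    print(sign_in("cuser", "password"))
```

Running the block shows the two reported outcomes (no nx-all for the ldapserver2 account, nx-all for the ldapserver1 account) and then the expected ones, where nx-all is granted only to the account that is actually a repomaintainer member on its own server. The design point is that the authorization query must carry the identity of the authenticating server, since a userid on its own does not identify an account across directories.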

              People

              Assignee: Unassigned
              Reporter: Peter Lynch (plynch)
              Last Updated By: Damian Bradicich
              Votes: 2
              Watchers: 5