Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: None
Affects Version/s: 3.19.0
Component/s: Documentation, REST
Labels:
- doc-only
- performance

Notability:
4

Description

The REST API to list users /security/users is documented to return no more than 100 users at a time for anything other than the 'default' realm ( user-source ).

The criteria is set in code here.

However when the source=LDAP and there are more than one LDAP servers configured, then the actual limit is 100 users per LDAP server queried.

So the general contract currently implemented is

if user source not set

then return max 100 users for each realm (user-source) and for LDAP source, max 100 per defined LDAP server

else if source is LDAP

max 100 per defined LDAP server

else if source is Crowd

max 500 per search query to crowd server ( ~~NEXUS-6366~~ )

else if other source

max 100 users

Expected

Any limits we impose on the REST API should be documented and enforced correctly on realms we maintain.

The javadoc for UserSearchCriteria public API getLimit() should document how to impose the limit for custom realms/user sources third parties may implement. Currently there is none there.

Attachments

Issue Links

is related to

NEXUS-6366 Crowd: excessive requests to crowd server when listing crowd users

Closed

NEXUS-13071 Unfiltered LDAP user search will retrieve all users from an LDAP server, which can result in an OOM

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Peter Lynch

Last Updated By:: Michael Oliverio

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 10/04/19 07:00 PM

Updated:: 02/28/23 09:01 PM

Date of First Response:: 07/Oct/19 4:27 PM

REST /security/users resource is documented to return max 100 users but can return more