Dev - Nexus Repo / NEXUS-30807

Nexus Repository fails to create user-token record when using PostgresDB for some users

    Details

    • Story Points:
      2
    • Notability:
      2
    • InvestmentLayer:
      support-escalated
    • Aha Concept:
      non-concept

      Description

      When a user who authenticated through a realm other than the default one (for example the SAML realm) tries to view their user token in the Nexus UI, the UI shows an access error: "You must authenticate successfully to access your token". In the Nexus log we see this error:

      2022-01-04 16:45:07,830+1100 WARN  [qtp46267572-324]  test_saml org.sonatype.nexus.siesta.internal.UnexpectedExceptionMapper - (ID 0b04c5cd-f471-4727-b211-0d4af139207f) Unexpected exception: java.lang.IllegalStateException: Failed to create user-token record; giving up after 11 attempts
      java.lang.IllegalStateException: Failed to create user-token record; giving up after 11 attempts
      	at com.google.common.base.Preconditions.checkState(Preconditions.java:562)
      	at com.sonatype.nexus.usertoken.plugin.internal.UserTokenServiceImpl.create(UserTokenServiceImpl.java:341)
      	at com.sonatype.nexus.usertoken.plugin.internal.UserTokenServiceImpl.current(UserTokenServiceImpl.java:251)
      	at com.sonatype.nexus.usertoken.plugin.api.CurrentUserUserTokenApiResource.readUserToken(CurrentUserUserTokenApiResource.java:77)
      	at org.sonatype.nexus.validation.internal.ValidationInterceptor.invoke(ValidationInterceptor.java:53)
      	at org.apache.shiro.guice.aop.AopAllianceMethodInvocationAdapter.proceed(AopAllianceMethodInvocationAdapter.java:49)
      	at org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor.invoke(AuthorizingAnnotationMethodInterceptor.java:68)
      	at org.apache.shiro.guice.aop.AopAllianceMethodInterceptorAdapter.invoke(AopAllianceMethodInterceptorAdapter.java:36)
      	at org.apache.shiro.guice.aop.AopAllianceMethodInvocationAdapter.proceed(AopAllianceMethodInvocationAdapter.java:49)
      	at org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor.invoke(AuthorizingAnnotationMethodInterceptor.java:68)
      	at org.apache.shiro.guice.aop.AopAllianceMethodInterceptorAdapter.invoke(AopAllianceMethodInterceptorAdapter.java:36)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
          .
          .
      	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
      	at com.codahale.metrics.jetty9.InstrumentedHandler.handle(InstrumentedHandler.java:239)
      	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
      	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
      	at org.eclipse.jetty.server.Server.handle(Server.java:516)
      	at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
      	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
      	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
      	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
      	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
      	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
      	at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
      	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
      	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:386)
      	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
      	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
      	at java.lang.Thread.run(Thread.java:748)
      2022-01-04 16:45:07,830+1100 WARN  [qtp46267572-324]  test_saml org.sonatype.nexus.siesta.internal.UnexpectedExceptionMapper - (ID 0b04c5cd-f471-4727-b211-0d4af139207f) Response: [500] 'ERROR: (ID 0b04c5cd-f471-4727-b211-0d4af139207f) java.lang.IllegalStateException: Failed to create user-token record; giving up after 11 attempts'; mapped from: java.lang.IllegalStateException: Failed to create user-token record; giving up after 11 attempts
      

      In request.log the same request is logged with a 500 response:

      192.168.56.1 - test_saml [04/Jan/2022:16:45:07 +1100] "GET /service/rest/internal/current-user/user-token?authToken=WjVsRxxxxxxM5RjJPK3Qxd0wwb29RVTdpNlRtdEVIYmRJUlBTdmRLVnRIV3U2K2ZqVCtNODJxWDRHbGQwcUxrblB6Q0RPSDxxxxxxxxxx==&_dc=1641275106793 HTTP/1.1" 500 - 145 1076 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36" [qtp46267572-324]
      

      Steps to reproduce:
      1. Set up NXRM 3.36.0 with a PostgreSQL database.
      2. Set up SAML authentication.
      3. Create a user "test_saml" in the SAML IdP and also in the Nexus default (embedded) user realm, or alternatively in LDAP, so that the same username exists in two realms.
      4. Make sure the user has the privileges required to create user tokens.
      5. Log in to the Nexus UI as test_saml without SSO (that is, via the local realm) and create a user token.
      6. Log out as test_saml.
      7. Log in to the Nexus UI as test_saml via SAML SSO.
      8. Try to create a user token; the errors shown above are produced.

      Observation:
      The user_token table schema differs between OrientDB and PostgreSQL. In PostgreSQL the primary key of user_token is user_name; in OrientDB it is the token's namecode. Because the same username exists in two realms, the token record for the SAML login carries the same user_name as the record created via the local login, so with a user_name primary key the insert collides with the existing row and regenerating the token code on retry cannot help, which would explain why every one of the 11 attempts fails.
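      Constructed example (not Nexus code and not attached to this issue): a Python/SQLite simulation of the schema difference noted above. The first schema is keyed on user_name, as the report says the PostgreSQL table is; the second is keyed on name_code, as the report says the OrientDB table is. Column names other than user_name/name_code, the realm labels and the retry loop are assumptions chosen to mirror the "giving up after 11 attempts" behaviour visible in the log.

```python
"""Simulate the user-token primary-key collision described in the Observation.

Constructed example, not Nexus code. Two minimal user_token schemas are
exercised with SQLite so the example runs offline; only user_name and
name_code come from the report, the other columns are assumptions.
"""
import secrets
import sqlite3

MAX_ATTEMPTS = 11  # matches "giving up after 11 attempts" in the log

# Assumed shape of the PostgreSQL table: user_name is the primary key.
SCHEMA_KEYED_ON_USER_NAME = """
CREATE TABLE user_token (
    user_name TEXT PRIMARY KEY,
    realm     TEXT NOT NULL,
    name_code TEXT NOT NULL UNIQUE,
    pass_code TEXT NOT NULL
)"""

# Assumed shape of the OrientDB table: the token's name code is the key.
SCHEMA_KEYED_ON_NAME_CODE = """
CREATE TABLE user_token (
    name_code TEXT PRIMARY KEY,
    user_name TEXT NOT NULL,
    realm     TEXT NOT NULL,
    pass_code TEXT NOT NULL
)"""


def new_token():
    """Random name/pass code pair; lengths are illustrative."""
    return secrets.token_hex(6), secrets.token_hex(8)


def create_user_token(conn, user_name, realm):
    """Insert a token record, drawing a fresh random code on each conflict.

    Assumed retry strategy: a conflict on name_code is recoverable because
    the code changes every attempt, but a conflict on user_name is not, so
    the loop exhausts MAX_ATTEMPTS and gives up exactly like the log shows.
    """
    for _attempt in range(MAX_ATTEMPTS):
        name_code, pass_code = new_token()
        try:
            with conn:  # commit on success, roll back on error
                conn.execute(
                    "INSERT INTO user_token (user_name, realm, name_code, pass_code)"
                    " VALUES (?, ?, ?, ?)",
                    (user_name, realm, name_code, pass_code),
                )
            return name_code
        except sqlite3.IntegrityError:
            continue
    raise RuntimeError(
        f"Failed to create user-token record; giving up after {MAX_ATTEMPTS} attempts"
    )


def reproduce(schema):
    """Replay the report's scenario against one schema.

    Same username creates a token via the local realm, then via SAML.
    Returns (second_insert_succeeded, rows_in_table).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(schema)
    create_user_token(conn, "test_saml", "local")  # realm labels are assumptions
    try:
        create_user_token(conn, "test_saml", "saml")
        second_ok = True
    except RuntimeError:
        second_ok = False
    rows = conn.execute("SELECT COUNT(*) FROM user_token").fetchone()[0]
    return second_ok, rows


if __name__ == "__main__":
    print("user_name key:", reproduce(SCHEMA_KEYED_ON_USER_NAME))
    print("name_code key:", reproduce(SCHEMA_KEYED_ON_NAME_CODE))
```

      Under the user_name key the second (SAML) insert fails after all 11 retries, because regenerating the random code never touches the conflicting column; under the name_code key both records are stored. The second schema leaves two rows with the same user_name, so a lookup of the "current" token then has to distinguish them by realm, which is the follow-on question a fix for this issue has to answer.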

      Expected:
      The user should be able to generate a user token regardless of the realm they authenticated through.

              People

              Assignee:
              dsawa Dawid Sawa
              Reporter:
              jsensharma Jay Kumar SenSharma
              Last Updated By:
              Nicholas Blair
              Team:
              NXRM - Optimus
              Votes:
              0
              Watchers:
              7
