  1. Dev - Nexus Repo
  2. NEXUS-31286

nexus.datastore arguments do not overwrite values in nexus-store.properties file

    Details

    • Notability:
      3

      Description

      ISSUE:

      When deploying Nexus in container / cloud environments, we recommend that customers use -Dnexus.datastore.nexus arguments for external database details. New / changed values passed via these arguments are ignored by Nexus on startup, causing failure.

      CAUSE:
      Nexus persists the external DB values in $karaf-data/etc/fabric/nexus-store.properties file on first startup. 

      On subsequent startups, this file takes precedence and any updated values (password change / db username change etc) passed via arguments are ignored.

      This behavior defeats the purpose of using -Dnexus.datastore.nexus arguments. 

      REPRODUCE STEPS:

      (To make it simple, we can try the steps below on a non-container environment.)

      1. Provision a nexus instance with external DB and use nexus.vmoptions for passing -Dnexus.datastore.nexus arguments
      [nexus@centos79 bin]$ pwd
      /opt/nexus-psql/nexus-3.37.3-02/bin
      [nexus@centos79 bin]$ tail -5 nexus.vmoptions
      -Dnexus.datastore.enabled=true
      -Dnexus.datastore.nexus.jdbcUrl=jdbc:postgresql://centos79.avsrini.net:5432/nexusdb
      -Dnexus.datastore.nexus.username=nexus
      -Dnexus.datastore.nexus.password=nexus123
      

      2. Change the PostgreSQL user password on the database side and update the nexus.vmoptions file with the new password

      [nexus@centos79 bin]$ tail -5 nexus.vmoptions
      -Dnexus.datastore.enabled=true
      -Dnexus.datastore.nexus.jdbcUrl=jdbc:postgresql://centos79.avsrini.net:5432/nexusdb
      -Dnexus.datastore.nexus.username=nexus
      #-Dnexus.datastore.nexus.password=nexus123
      -Dnexus.datastore.nexus.password=nexus345
      

      3. Start Nexus; it fails with wrong credentials, as below

      2022-02-18 12:15:00,546+1100 ERROR [FelixStartLevel] *SYSTEM com.zaxxer.hikari.pool.HikariPool - nexus - Exception during pool initialization.
      org.postgresql.util.PSQLException: FATAL: password authentication failed for user "nexus"
          at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:613)
          at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:161)
          at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:213)
      

      4. Datastore properties file still has old value

      [root@centos79 fabric]# pwd
      /opt/nexus-psql/sonatype-work/nexus3/etc/fabric
      [root@centos79 fabric]# more nexus-store.properties
      #2022-02-18 12:14:59,225+1100
      #Fri Feb 18 12:14:59 AEDT 2022
      password=nexus123
      jdbcUrl=jdbc\:postgresql\://centos79.avsrini.net\:5432/nexusdb
      username=nexus
      

      EXPECTED RESULT:
      Values passed via -Dnexus.datastore.nexus.* arguments should take precedence and update the nexus-store.properties file.
      Not sure if we need a new JIRA, but can we encrypt the password written to the nexus-store.properties file, as it's plain text now and not secured?
      At minimum, the document should mention clearly that nexus-store.properties won't be removed by recreating container/pod even if the system properties -Dnexus.datastore.nexus.* are used.
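
An added example, not part of the original issue and not Sonatype's code: a shell check that lists which `nexus.datastore.nexus.*` keys differ between `nexus.vmoptions` and the persisted `nexus-store.properties` without echoing the values, and tests whether the plain-text file is accessible to group or others. The function names are hypothetical, and `write_sample` builds constructed files from the reproduce steps above.

```shell
#!/bin/sh
# Added example (not Sonatype code): list the nexus.datastore.nexus.* keys whose
# -D argument differs from the value persisted in nexus-store.properties.

# Last active (uncommented) -Dnexus.datastore.nexus.<key>= line in nexus.vmoptions.
# Taking the last line when a key repeats is an assumption of this example.
vmoption_value() {  # $1 = vmoptions file, $2 = key
    sed -n "s/^-Dnexus\.datastore\.nexus\.$2=//p" "$1" | tail -n 1
}

# Value of <key> in the properties file, with Java "\:" and "\=" escapes undone.
store_value() {  # $1 = properties file, $2 = key
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed -e 's/\\:/:/g' -e 's/\\=/=/g'
}

# Print only the NAMES of drifted keys; values (the password) are never echoed.
datastore_drift() {  # $1 = vmoptions file, $2 = properties file
    for key in jdbcUrl username password; do
        want=$(vmoption_value "$1" "$key")
        [ -n "$want" ] || continue   # no argument for this key: nothing to compare
        have=$(store_value "$2" "$key")
        [ "$want" = "$have" ] || printf '%s\n' "$key"
    done
}

# The file holds a plain-text password: succeed only if group/other have no access.
store_is_private() {  # $1 = properties file
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample mirroring the reproduce steps above; $1 = scratch directory.
write_sample() {
    cat > "$1/nexus.vmoptions" <<'EOF'
-Dnexus.datastore.enabled=true
-Dnexus.datastore.nexus.jdbcUrl=jdbc:postgresql://centos79.avsrini.net:5432/nexusdb
-Dnexus.datastore.nexus.username=nexus
#-Dnexus.datastore.nexus.password=nexus123
-Dnexus.datastore.nexus.password=nexus345
EOF
    cat > "$1/nexus-store.properties" <<'EOF'
password=nexus123
jdbcUrl=jdbc\:postgresql\://centos79.avsrini.net\:5432/nexusdb
username=nexus
EOF
}

# Usage: sh check.sh /path/to/nexus.vmoptions /path/to/nexus-store.properties
if [ "$#" -eq 2 ]; then datastore_drift "$1" "$2"; fi
```

Run against the sample, it reports `password` as the only drifted key, matching the failure in step 3.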

            People

            Assignee: Unassigned
            Reporter: sappusamy (Srinivasan Appusamy)
            Last Updated By: Peter Lynch
            Team: NXRM - Sentinels
            Votes: 2
            Watchers: 8
