org.sonatype.nexus.security.role.NoSuchRoleException: Role not found: nested

Sonatype JIRA | Rich Seddon | 6 months ago

    When an LDAP mapped user uses Nexus we are repeatedly looping through all of their LDAP groups. This is done for every single privilege check. The comparison done is very inefficient, and an exception is thrown for each group not found mapped to a nexus role.

    Here's an example; there were 970 of these just for this one group in 11 seconds. All I did was click around the UI a bit while logged in as an LDAP user mapped to nx-admin. This is repeated for every group my test user is a member of.

    {noformat}
    2016-05-20 08:48:24,365-0500 TRACE [qtp1603293723-358] rseddon org.sonatype.nexus.security.internal.RolePermissionResolverImpl - Ignoring missing role: nested
    org.sonatype.nexus.security.role.NoSuchRoleException: Role not found: nested
        at org.sonatype.nexus.security.internal.SecurityConfigurationManagerImpl.readRole(SecurityConfigurationManagerImpl.java:197) [na:na]
        at org.sonatype.nexus.security.internal.RolePermissionResolverImpl.resolvePermissionsInRole(RolePermissionResolverImpl.java:116) [na:na]
        at org.apache.shiro.realm.AuthorizingRealm.resolveRolePermissions(AuthorizingRealm.java:447) [org.apache.shiro.core:1.2.4]
        at org.apache.shiro.realm.AuthorizingRealm.getPermissions(AuthorizingRealm.java:415) [org.apache.shiro.core:1.2.4]
        at org.apache.shiro.realm.AuthorizingRealm.isPermitted(AuthorizingRealm.java:468) [org.apache.shiro.core:1.2.4]
        at org.apache.shiro.realm.AuthorizingRealm.isPermitted(AuthorizingRealm.java:499) [org.apache.shiro.core:1.2.4]
        at org.apache.shiro.realm.AuthorizingRealm.isPermitted(AuthorizingRealm.java:489) [org.apache.shiro.core:1.2.4]
        at org.sonatype.nexus.security.authz.ExceptionCatchingModularRealmAuthorizer.isPermitted(ExceptionCatchingModularRealmAuthorizer.java:256) [org.sonatype.nexus.security:3.0.0.03]
        at org.apache.shiro.mgt.AuthorizingSecurityManager.isPermitted(AuthorizingSecurityManager.java:125) [org.apache.shiro.core:1.2.4]
        at org.apache.shiro.subject.support.DelegatingSubject.isPermitted(DelegatingSubject.java:175) [org.apache.shiro.core:1.2.4]
        at org.sonatype.nexus.rapture.internal.security.SecurityComponent.calculatePermissions(SecurityComponent.java:207) [org.sonatype.nexus.rapture:3.0.0.03]
        at org.sonatype.nexus.rapture.internal.security.SecurityComponent.getPermissions(SecurityComponent.java:170) [org.sonatype.nexus.rapture:3.0.0.03]
        at org.sonatype.nexus.rapture.internal.security.SecurityComponent.getState(SecurityComponent.java:179) [org.sonatype.nexus.rapture:3.0.0.03]
        at org.sonatype.nexus.rapture.internal.state.StateComponent.getState(StateComponent.java:81) [org.sonatype.nexus.rapture:3.0.0.03]
        at org.sonatype.nexus.rapture.internal.state.StateComponent$$EnhancerByGuice$$c680be9.CGLIB$getState$0(<generated>) [4.0:na]
        at org.sonatype.nexus.rapture.internal.state.StateComponent$$EnhancerByGuice$$c680be9$$FastClassByGuice$$f5589e80.invoke(<generated>) [4.0:na]
        at com.google.inject.internal.cglib.proxy.$MethodProxy.invokeSuper(MethodProxy.java:228) [com.google.inject:4.0.0]
        at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:75) [com.google.inject:4.0.0]
        at com.palominolabs.metrics.guice.TimedInterceptor.invoke(TimedInterceptor.java:47) [com.palominolabs.metrics.guice:3.0.2]
        at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:75) [com.google.inject:4.0.0]
        at com.google.inject.internal.InterceptorStackCallback.intercept(InterceptorStackCallback.java:55) [com.google.inject:4.0.0]
        at org.sonatype.nexus.rapture.internal.state.StateComponent$$EnhancerByGuice$$c680be9.getState(<generated>) [4.0:na]
        at sun.reflect.GeneratedMethodAccessor107.invoke(Unknown Source) [na:na]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [na:1.8.0_60]
        at java.lang.reflect.Method.invoke(Method.java:497) [na:1.8.0_60]
    {noformat}

    Acceptance Criteria:
    * Examine how to reduce the exception count as a bare minimum
    * Some minimal tuning to identify what the deeper issue is
    * Solve low hanging fruit, gain information on larger issues
    ** Get together to produce follow up issues/stories based on deeper understanding

    NOTE:
    * We will need to test this against a large LDAP instance to verify the fixes if we make any
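To measure the pattern reported in the issue above, this added example (not part of the JIRA issue or of Nexus) tallies "Ignoring missing role" TRACE lines per user and role and flags pairs with a high lookup rate. The sample lines are constructed in the layout of the quoted log line; the helper names and the 5-per-second threshold are assumptions.

```python
import re
from datetime import datetime

# Layout of the TRACE line quoted in the issue:
# timestamp LEVEL [thread] user logger - Ignoring missing role: <role>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}[+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+\[(?P<thread>[^\]]+)\] (?P<user>\S+) "
    r"(?P<logger>\S+) - Ignoring missing role: (?P<role>.+)$"
)

def tally_missing_roles(lines):
    """Return {(user, role): {count, first, last}}; stack frames and other lines are skipped."""
    stats = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f%z")
        e = stats.setdefault((m["user"], m["role"]), {"count": 0, "first": ts, "last": ts})
        e["count"] += 1
        e["first"] = min(e["first"], ts)
        e["last"] = max(e["last"], ts)
    return stats

def noisy_pairs(stats, min_per_second=5.0):
    """(user, role, count, rate) for pairs resolved often enough to suggest per-check lookups."""
    out = []
    for (user, role), e in sorted(stats.items()):
        # Clamp the window to 1 s so a short burst does not divide by ~0.
        span = max((e["last"] - e["first"]).total_seconds(), 1.0)
        rate = e["count"] / span
        if rate >= min_per_second:  # threshold is an assumption, tune per site
            out.append((user, role, e["count"], round(rate, 1)))
    return out

def _line(ts, user, role):
    return (f"{ts} TRACE [qtp1603293723-358] {user} "
            "org.sonatype.nexus.security.internal.RolePermissionResolverImpl"
            f" - Ignoring missing role: {role}")

# Constructed sample: a 40-line burst for one user/role, plus two slow lookups.
SAMPLE = []
for i in range(40):
    SAMPLE.append(_line(f"2016-05-20 08:48:24,{i * 25:03d}-0500", "rseddon", "nested"))
    SAMPLE.append("org.sonatype.nexus.security.role.NoSuchRoleException: Role not found: nested")
SAMPLE.append(_line("2016-05-20 08:49:00,000-0500", "alice", "nested"))
SAMPLE.append(_line("2016-05-20 08:49:30,000-0500", "alice", "nested"))

if __name__ == "__main__":
    for row in noisy_pairs(tally_missing_roles(SAMPLE)):
        print(row)
```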


    Root Cause Analysis

    1. org.sonatype.nexus.security.role.NoSuchRoleException

      Role not found: nested

      at org.sonatype.nexus.security.internal.SecurityConfigurationManagerImpl.readRole()
    2. org.sonatype.nexus
      RolePermissionResolverImpl.resolvePermissionsInRole
      1. org.sonatype.nexus.security.internal.SecurityConfigurationManagerImpl.readRole(SecurityConfigurationManagerImpl.java:197)[na:na]
      2. org.sonatype.nexus.security.internal.RolePermissionResolverImpl.resolvePermissionsInRole(RolePermissionResolverImpl.java:116)[na:na]
      2 frames
    3. Shiro
      AuthorizingRealm.isPermitted
      1. org.apache.shiro.realm.AuthorizingRealm.resolveRolePermissions(AuthorizingRealm.java:447)[org.apache.shiro.core:1.2.4]
      2. org.apache.shiro.realm.AuthorizingRealm.getPermissions(AuthorizingRealm.java:415)[org.apache.shiro.core:1.2.4]
      3. org.apache.shiro.realm.AuthorizingRealm.isPermitted(AuthorizingRealm.java:468)[org.apache.shiro.core:1.2.4]
      4. org.apache.shiro.realm.AuthorizingRealm.isPermitted(AuthorizingRealm.java:499)[org.apache.shiro.core:1.2.4]
      5. org.apache.shiro.realm.AuthorizingRealm.isPermitted(AuthorizingRealm.java:489)[org.apache.shiro.core:1.2.4]
      5 frames
    4. org.sonatype.nexus
      ExceptionCatchingModularRealmAuthorizer.isPermitted
      1. org.sonatype.nexus.security.authz.ExceptionCatchingModularRealmAuthorizer.isPermitted(ExceptionCatchingModularRealmAuthorizer.java:256)[org.sonatype.nexus.security:3.0.0.03]
      1 frame
    5. Shiro
      DelegatingSubject.isPermitted
      1. org.apache.shiro.mgt.AuthorizingSecurityManager.isPermitted(AuthorizingSecurityManager.java:125)[org.apache.shiro.core:1.2.4]
      2. org.apache.shiro.subject.support.DelegatingSubject.isPermitted(DelegatingSubject.java:175)[org.apache.shiro.core:1.2.4]
      2 frames
    6. org.sonatype.nexus
      StateComponent$$EnhancerByGuice$$c680be9$$FastClassByGuice$$f5589e80.invoke
      1. org.sonatype.nexus.rapture.internal.security.SecurityComponent.calculatePermissions(SecurityComponent.java:207)[org.sonatype.nexus.rapture:3.0.0.03]
      2. org.sonatype.nexus.rapture.internal.security.SecurityComponent.getPermissions(SecurityComponent.java:170)[org.sonatype.nexus.rapture:3.0.0.03]
      3. org.sonatype.nexus.rapture.internal.security.SecurityComponent.getState(SecurityComponent.java:179)[org.sonatype.nexus.rapture:3.0.0.03]
      4. org.sonatype.nexus.rapture.internal.state.StateComponent.getState(StateComponent.java:81)[org.sonatype.nexus.rapture:3.0.0.03]
      5. org.sonatype.nexus.rapture.internal.state.StateComponent$$EnhancerByGuice$$c680be9.CGLIB$getState$0(<generated>)[4.0:na]
      6. org.sonatype.nexus.rapture.internal.state.StateComponent$$EnhancerByGuice$$c680be9$$FastClassByGuice$$f5589e80.invoke(<generated>)[4.0:na]
      6 frames
    7. Google Guice - Core Library
      InterceptorStackCallback$InterceptedMethodInvocation.proceed
      1. com.google.inject.internal.cglib.proxy.$MethodProxy.invokeSuper(MethodProxy.java:228)[com.google.inject:4.0.0]
      2. com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:75)[com.google.inject:4.0.0]
      2 frames
    8. com.palominolabs.metrics
      TimedInterceptor.invoke
      1. com.palominolabs.metrics.guice.TimedInterceptor.invoke(TimedInterceptor.java:47)[com.palominolabs.metrics.guice:3.0.2]
      1 frame
    9. Google Guice - Core Library
      InterceptorStackCallback.intercept
      1. com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:75)[com.google.inject:4.0.0]
      2. com.google.inject.internal.InterceptorStackCallback.intercept(InterceptorStackCallback.java:55)[com.google.inject:4.0.0]
      2 frames
    10. org.sonatype.nexus
      StateComponent$$EnhancerByGuice$$c680be9.getState
      1. org.sonatype.nexus.rapture.internal.state.StateComponent$$EnhancerByGuice$$c680be9.getState(<generated>)[4.0:na]
      1 frame
    11. Java RT
      Method.invoke
      1. sun.reflect.GeneratedMethodAccessor107.invoke(Unknown Source)[na:na]
      2. sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)[na:1.8.0_60]
      3. java.lang.reflect.Method.invoke(Method.java:497)[na:1.8.0_60]
      3 frames