This repository has been archived by the owner on May 27, 2024. It is now read-only.

Timing issue in automatic user creation #21

Open
mikkolehtisalo opened this issue Nov 22, 2016 · 1 comment


mikkolehtisalo commented Nov 22, 2016

Problem description

Automatic user creation may create several users with the same username.

Steps to reproduce the problem

  1. Enable automatic user creation
  2. Issue two valid SSO authentication requests at the same time (down to a couple of milliseconds, probably)
  3. Two users with the same username get created
  4. Authentication fails with Shiro exceptions saying "There was more than one matching user for username XXXXX. This should never happen."
  5. See two users in user management UI with the same username

Environment

  • Graylog Version: 2.1.x
  • Plugin Version: 1.0.2

I am afraid this issue is very hard to reproduce reliably, because the timing of the two requests has to be very exact. (Both requests probably must pass the user load test in the realm logic...)

@kroepke kroepke added this to the 2.2.0 milestone Nov 28, 2016
@joschi joschi removed this from the 2.2.0 milestone Jan 4, 2017

hc4 commented Aug 4, 2017

Got the same bug.
The problem is caused by the architecture of creating a new user:

user = userService.create(); // new user object, no name yet, so nothing can be checked for uniqueness here
user.setName(username);
// modify user
userService.save(user); // a second request that passed the same lookup saves a duplicate to the DB

The user's name field must be read-only, and the initial user name must be passed in the userService.create() arguments.
So the user creation code will be changed to:

user = userService.create(userName); //throws on duplicate/invalid username
// modify user
userService.save(user);
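To make the race reported in the issue and the fix proposed in this comment concrete, here is an added illustration in Python over an in-memory SQLite table; it is not code from the Graylog plugin or from either commenter. The function names (open_user_store, lookup, create_and_save, racy_auto_create, create_or_load), the table layout and the hand-interleaved request order are all constructed for the example. It goes one step beyond the comment: where create(userName) would throw on a duplicate, create_or_load instead loads the user that the other request already created, so the losing request still authenticates instead of failing.

```python
"""Check-then-act race in automatic user creation, and a unique index as the fix.

Constructed illustration (Python + SQLite), not code from the Graylog SSO plugin.
The two SSO requests are interleaved by hand so the race is deterministic.
"""
import sqlite3


def open_user_store(unique_username: bool) -> sqlite3.Connection:
    """In-memory user table; unique_username adds the constraint the fix relies on."""
    conn = sqlite3.connect(":memory:")
    constraint = "UNIQUE" if unique_username else ""
    conn.execute(
        f"CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL {constraint})"
    )
    return conn


def lookup(conn: sqlite3.Connection, username: str):
    """The realm's 'load user' check: returns the user id or None."""
    row = conn.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


def create_and_save(conn: sqlite3.Connection, username: str) -> None:
    """The pattern from the comment: create(), setName(), save() with no atomic uniqueness guarantee."""
    conn.execute("INSERT INTO users (username) VALUES (?)", (username,))
    conn.commit()


def racy_auto_create(conn: sqlite3.Connection, username: str):
    """Two SSO requests (A and B) for the same username, interleaved the way the
    issue describes: both pass the lookup before either has saved, then both save."""
    seen_by_a = lookup(conn, username)
    seen_by_b = lookup(conn, username)
    assert seen_by_a is None and seen_by_b is None  # both requests believe the user is new
    results = []
    for request in ("A", "B"):
        try:
            create_and_save(conn, username)
            results.append((request, "created"))
        except sqlite3.IntegrityError:
            # Only happens when the unique index exists: the second save is rejected.
            conn.rollback()
            results.append((request, "rejected-duplicate"))
    return results


def count_users(conn: sqlite3.Connection, username: str) -> int:
    return conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ?", (username,)
    ).fetchone()[0]


def create_or_load(conn: sqlite3.Connection, username: str):
    """Hardened create(userName): insert first and let the unique index arbitrate.
    If the insert is rejected, another request won the race, so load that user
    instead of failing the login with a duplicate-user error."""
    try:
        cur = conn.execute("INSERT INTO users (username) VALUES (?)", (username,))
        conn.commit()
        return cur.lastrowid, "created"
    except sqlite3.IntegrityError:
        conn.rollback()
        return lookup(conn, username), "loaded-existing"


if __name__ == "__main__":
    # Without the constraint the race produces two 'alice' rows, the state the issue describes.
    store = open_user_store(unique_username=False)
    print(racy_auto_create(store, "alice"), "rows:", count_users(store, "alice"))
    # With the constraint the second save is rejected, and create_or_load recovers from it.
    store = open_user_store(unique_username=True)
    print(racy_auto_create(store, "alice"), "rows:", count_users(store, "alice"))
    print(create_or_load(store, "bob"), create_or_load(store, "bob"))
```

The lookup in the realm cannot close the window on its own; only an atomic operation in the store (here the UNIQUE index, in a document database an equivalent unique index on the username field) can. Treating the duplicate-key error as "someone else created this user, load it" keeps both concurrent logins working.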
