TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

[Bug] profile name is empty, cannot be deleted, prevents user creation and update #2436

Open blues-dev opened 1 year ago

blues-dev commented 1 year ago

Request Type

Bug

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Red Hat Enterprise Linux release 8.6 (Ootpa) |
| OS version (client) | Windows 10 |
| Virtualized Env. | True |
| Dedicated RAM | 64 GB |
| vCPU | 16 |
| TheHive version / git hash | 4.1.24-1 |
| Package Type | RPM |
| Database | Cassandra |
| Index type | Lucene |
| Attachments storage | Local |
| Browser type & version | not applicable |

Problem Description

Our TheHive knows over 25 users already. We are productive. We tried to create a new user in TheHive. In the lower left corner the following error message is shown:

[Screenshot: 2022-12-05]

A search in /var/log/thehive/application.log shows:

2022-12-05 10:04:41,087 [ERROR] from org.thp.scalligraph.traversal.TraversalOps in application-akka.actor.default-dispatcher-24 [|] vertex 8280 doesn't comply with its schema, field name is missing:
v[8280]
2022-12-05 10:04:41,087 [ERROR] from org.thp.scalligraph.traversal.TraversalOps in application-akka.actor.default-dispatcher-24 [|] vertex 8280 doesn't comply with its schema, field _createdAt is missing:
v[8280]
2022-12-05 10:04:41,088 [ERROR] from org.thp.scalligraph.traversal.TraversalOps in application-akka.actor.default-dispatcher-24 [|] vertex 8280 doesn't comply with its schema, field _createdBy is missing:
v[8280]
2022-12-05 10:05:35,677 [ERROR] from org.thp.scalligraph.traversal.TraversalOps in application-akka.actor.default-dispatcher-57 [00027161|4952fd39] vertex 8280 doesn't comply with its schema, field name is missing:
v[8280]
2022-12-05 10:05:35,677 [ERROR] from org.thp.scalligraph.traversal.TraversalOps in application-akka.actor.default-dispatcher-57 [00027161|4952fd39] vertex 8280 doesn't comply with its schema, field _createdAt is missing:
v[8280]
2022-12-05 10:05:35,677 [ERROR] from org.thp.scalligraph.traversal.TraversalOps in application-akka.actor.default-dispatcher-57 [00027161|4952fd39] vertex 8280 doesn't comply with its schema, field _createdBy is missing:
v[8280]
2022-12-05 10:05:35,680 [ERROR] from org.thp.scalligraph.utils.Retry in application-akka.actor.default-dispatcher-57 [00027161|4952fd39] uncaught error, not retrying
org.thp.scalligraph.InternalError: Fail to create edge between Role:~270418168 and Profile:~8280, Profile:~8280 not found
2022-12-05 10:05:35,680 [ERROR] from org.thp.scalligraph.models.Database in application-akka.actor.default-dispatcher-57 [00027161|4952fd39] Exception raised, rollback (Fail to create edge between Role:~270418168 and Profile:~8280, Profile:~8280 not found)

Verify existing profiles by API call:

curl -u admin@thehive.local:password -H 'Content-type: application/json' http://127.0.0.1:9000/api/v1/query -d '{"query":[{"_name":"listProfile"}]}'

Found standard profiles: read-only, analyst, admin, org-admin and one without name, createdBy and createdAt. I have no idea where this is coming from.

[
    {
        "_id": "~8192",
        "id": "~8192",
        "createdBy": "system@thehive.local",
        "createdAt": 1638954078040,
        "_type": "profile",
        "name": "read-only",
        "permissions": [],
        "editable": true,
        "isAdmin": false
    },
    {
        "_id": "~8280",
        "id": "~8280",
        "createdBy": "",
        "createdAt": 0,
        "_type": "profile",
        "name": "",
        "permissions": [],
        "editable": true,
        "isAdmin": false
    },
    {
        "_id": "~12304",
        "id": "~12304",
        "createdBy": "system@thehive.local",
        "createdAt": 1638954078038,
        "_type": "profile",
        "name": "analyst",
        "permissions": [ "accessTheHiveFS", "manageAction", "manageAlert", "manageAnalyse", "manageCase",
        "manageObservable", "managePage", "manageProcedure", "manageShare", "manageTask" ],
        "editable": true,
        "isAdmin": false
    },

...

Next we tried to delete the "no name profile" via the UI, without success. /var/log/thehive/application.log shows:

2022-12-05 10:11:49,964 [INFO] from org.thp.scalligraph.controllers.Entrypoint in application-akka.actor.default-dispatcher-24 [00027378|] 172.16.1.5 DELETE /api/profile/~8280
2022-12-05 10:11:49,970 [ERROR] from org.thp.scalligraph.utils.Retry in application-akka.actor.default-dispatcher-24 [00027378|65bfdfba] uncaught error, not retrying
org.thp.scalligraph.NotFoundError: Profile ~8280 not found
2022-12-05 10:11:49,970 [ERROR] from org.thp.scalligraph.models.Database in application-akka.actor.default-dispatcher-24 [00027378|65bfdfba] Exception raised, rollback (Profile ~8280 not found)
2022-12-05 10:11:49,970 [WARN] from org.thp.scalligraph.ErrorHandler in application-akka.actor.default-dispatcher-24 [00027378|65bfdfba] DELETE /api/profile/~8280 returned 404
2022-12-05 10:11:49,970 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-23 [00027378|] 172.16.1.5 DELETE /api/profile/~8280 took 6ms and returned 404 60 bytes
2022-12-05 10:12:08,075 [ERROR] from org.thp.scalligraph.traversal.TraversalOps in application-akka.actor.default-dispatcher-25 [|47e058d0] vertex 8280 doesn't comply with its schema, field name is missing:
v[8280]
2022-12-05 10:12:08,075 [ERROR] from org.thp.scalligraph.traversal.TraversalOps in application-akka.actor.default-dispatcher-25 [|47e058d0] vertex 8280 doesn't comply with its schema, field _createdAt is missing:
v[8280]
2022-12-05 10:12:08,076 [ERROR] from org.thp.scalligraph.traversal.TraversalOps in application-akka.actor.default-dispatcher-25 [|47e058d0] vertex 8280 doesn't comply with its schema, field _createdBy is missing:
v[8280]
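
A triage sketch for the situation in the post above, added here as an example and not code from TheHive or from the reporter: it groups the "doesn't comply with its schema" log lines by vertex and cross-checks them against a listProfile response. The function names and sample data are constructed, and mapping API id ~8280 to log vertex 8280 is an assumption read off the quoted output.

```python
import json
import re
from collections import defaultdict

MISSING = re.compile(r"vertex (\d+) doesn't comply with its schema, field (\w+) is missing")

def schema_violations(log_text):
    """Map vertex id -> sorted, de-duplicated fields the log reports as missing."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = MISSING.search(line)
        if m:
            found[m.group(1)].add(m.group(2))
    return {vid: sorted(fields) for vid, fields in found.items()}

def suspect_profiles(profiles, violations):
    """Profiles with empty mandatory fields in the API output or flagged in the log."""
    suspects = []
    for p in profiles:
        # Assumption from the quoted output: API id "~8280" is log "vertex 8280".
        vid = p["_id"].lstrip("~")
        empty = [k for k in ("name", "createdBy", "createdAt") if not p.get(k)]
        if empty or vid in violations:
            suspects.append({"id": p["_id"], "empty_in_api": empty,
                             "missing_in_log": violations.get(vid, [])})
    return suspects

# Constructed sample input, abridged from the log and listProfile output in the issue.
SAMPLE_LOG = """\
2022-12-05 10:04:41,087 [ERROR] from org.thp.scalligraph.traversal.TraversalOps in application-akka.actor.default-dispatcher-24 [|] vertex 8280 doesn't comply with its schema, field name is missing:
v[8280]
2022-12-05 10:04:41,087 [ERROR] from org.thp.scalligraph.traversal.TraversalOps in application-akka.actor.default-dispatcher-24 [|] vertex 8280 doesn't comply with its schema, field _createdAt is missing:
v[8280]
2022-12-05 10:04:41,088 [ERROR] from org.thp.scalligraph.traversal.TraversalOps in application-akka.actor.default-dispatcher-24 [|] vertex 8280 doesn't comply with its schema, field _createdBy is missing:
v[8280]
2022-12-05 10:05:35,677 [ERROR] from org.thp.scalligraph.traversal.TraversalOps in application-akka.actor.default-dispatcher-57 [00027161|4952fd39] vertex 8280 doesn't comply with its schema, field name is missing:
v[8280]
2022-12-05 10:11:49,970 [WARN] from org.thp.scalligraph.ErrorHandler in application-akka.actor.default-dispatcher-24 [00027378|65bfdfba] DELETE /api/profile/~8280 returned 404
"""
SAMPLE_PROFILES = json.loads("""[
  {"_id": "~8192", "createdBy": "system@thehive.local", "createdAt": 1638954078040, "name": "read-only"},
  {"_id": "~8280", "createdBy": "", "createdAt": 0, "name": ""},
  {"_id": "~12304", "createdBy": "system@thehive.local", "createdAt": 1638954078038, "name": "analyst"}
]""")

if __name__ == "__main__":
    violations = schema_violations(SAMPLE_LOG)
    for suspect in suspect_profiles(SAMPLE_PROFILES, violations):
        print(json.dumps(suspect))
```
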

blues-dev commented 1 year ago

User administration malfunction

Each writing user administration action (create a user, lock a user, modify a user) checks all associated data areas before proceeding.

In our database there exists a profile record without a name, without a createdBy name and without a createdBy timestamp. The existence of this record prevents the requested user action and forces an error, as shown above.

We tried via WebUI and via curl API call to remove this no name profile record. Without success, because this record has no name!

Now we are looking for an alternative way to remove this disturbing record. Does anyone have an idea how? Perhaps it is possible with cqlsh in Cassandra directly, or so ...

Keroseno101 commented 1 year ago

How do you add new users to your TheHive system? LDAP? Local?

I would never recommend deleting the data through cqlsh; if you delete the wrong data, forget about your complete database.

Did that happen after a system reboot? Maybe you had a reboot 2 weeks ago and now, trying to create a new user, you found the problem.

Check the logs of Cassandra and Lucene after your last reboot. If you find something, paste the error logs here.

If you don't find new errors, go to /etc/thehive/logback.xml and down there you can change the ROOT LOG from INFO to DEBUG and check again what happens when you try to create a user.

ghost commented 1 year ago

[image]

I'm getting just this profile here. Any idea, guys?