TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

[Bug] Users / Organisations gone corrupted after Cassandra crash #2461

Open TheMatrix97 opened 1 year ago

TheMatrix97 commented 1 year ago

Request Type

Bug

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Debian, Ubuntu, CentOS, RedHat, ... |
| OS version (client) | XP, Seven, 10, Ubuntu, ... |
| Virtualized Env. | True / False |
| Dedicated RAM | XX GB |
| vCPU | 4 / 8 / 16 / 32 |
| TheHive version / git hash | 4.x, hash of the commit |
| Package Type | RPM, DEB, Docker, Binary, From source |
| Database | Cassandra / BerkeleyDB |
| Index type | Lucene / Elasticsearch |
| Attachments storage | Local, NFS, S3, HDFS |
| Browser type & version | If applicable |

Problem Description

Right now I have organisation "A". This organisation existed once upon a time, and "user1" was the org-admin of this organisation. Eventually, Cassandra became full, so TheHive crashed; we were able to increase the volume size and recover the application. However, users were apparently lost...

If I run the query to list the users of a given organisation, I only get "user2", which was the one created after the Cassandra crash:

curl -H "Authorization: Bearer APIKEY" -H "Content-Type: application/json" -X POST http://localhost:9000/api/v0/query

Body:

{
  "query": [
    {
      "_name": "getOrganisation",
      "idOrName": "A"
    },
    {
      "_name": "users"
    },
    {
      "_name": "sort",
      "_fields": [
        {
          "login": "asc"
        }
      ]
    },
    {
      "_name": "page",
      "from": 0,
      "to": 15,
      "organisation": "A"
    }
  ]
}

It returns user2 only:

[
    {
        "_id": "~333099454",
        "id": "user2",
        "createdBy": "admin@thehive.local",
        "updatedBy": "admin@thehive.local",
        "createdAt": 1679485199426,
        "updatedAt": 1679485211963,
        "_type": "user",
        "login": "user2",
        "name": "user2",
        "roles": [
            "admin",
            "write",
            "read",
            "alert"
        ],
        "organisation": "A",
        "hasKey": true,
        "status": "Ok"
    }
]

But now, if I try to create "user1" again...

$ curl -X POST http://localhost:9000/api/v1/user

Body:

{
  "login" : "user1",
  "name" : "user1",
  "organisation": "A",
  "profile": "org-admin",
  "email": "user1",
  "password": "supersecret"
}

It returns 201 with the information of user1 (from before the Cassandra crash), but it indicates that it is assigned to organization "no - org":

{
    "_id": "~24632",
    "_createdBy": "admin@thehive.local",
    "_updatedBy": "admin@thehive.local",
    "_createdAt": 1678881396871, # BEFORE CASSANDRA CRASH
    "_updatedAt": 1679484293863,
    "login": "user1",
    "name": "user1",
    "hasKey": true,
    "hasPassword": true,
    "hasMFA": false,
    "locked": false,
    "profile": "org-admin",
    "permissions": [
        "manageShare",
        "manageAnalyse",
        "manageTask",
        "manageCaseTemplate",
        "manageCase",
        "manageUser",
        "manageProcedure",
        "managePage",
        "manageObservable",
        "manageTag",
        "manageConfig",
        "manageAlert",
        "accessTheHiveFS",
        "manageAction"
    ],
    "organisation": "no org",
    "organisations": [],
    "extraData": {}
}

So, although it returns a 201 status code, the user "user1" is missing from organisation A. Notice that user1 can log in to the system, as it's registered to other organisations. Also, user1 appears to be associated with organisation A, although the API throws a 404 error when I try to query information about organisation A as user1:

$ curl -I -X "GET" http://localhost/api/organisation/a
404

I'm well aware this is unrelated to indexes and Elasticsearch. I have already rebuilt the indexes several times (https://github.com/TheHive-Project/TheHive/issues/2372)

Any idea about what could have gone wrong?

Steps to Reproduce

  1. step 1
  2. step 2
  3. step 3...

Possible Solutions

(keep this section if you have suggestions on how to solve the problem. Otherwise delete it)

Complementary information

(add anything that can help identifying the problem such as log excerpts, screenshots, configuration dumps etc.)
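
An added example, not part of the original issue or of TheHive's code: a consistency check an operator could run over exported user records after a database recovery, flagging accounts that match the symptoms reported above (no organisation link but still able to authenticate, absent from the organisation listing, or returned by a create call with an older `_createdAt`). The sample records are constructed from the responses quoted in the post; the function names and the shape of a non-empty `organisations` entry are assumptions.

```python
# Constructed samples shaped like the /api/v0/query and /api/v1/user
# responses quoted in the post; not real exports.
V0_ORG_A_USERS = [{"login": "user2", "organisation": "A", "hasKey": True}]
V1_USERS = [
    {"login": "user1", "_createdAt": 1678881396871, "hasKey": True,
     "hasPassword": True, "locked": False, "profile": "org-admin",
     "organisation": "no org", "organisations": []},
    {"login": "user2", "_createdAt": 1679485199426, "hasKey": True,
     "hasPassword": True, "locked": False, "profile": "org-admin",
     "organisation": "A",
     "organisations": [{"organisation": "A"}]},  # entry shape is assumed
]


def orphaned_accounts(v1_users):
    """Logins with no organisation link that can still authenticate."""
    flagged = []
    for user in v1_users:
        unlinked = (not user.get("organisations")
                    or user.get("organisation") == "no org")
        usable = (not user.get("locked")
                  and (user.get("hasKey") or user.get("hasPassword")))
        if unlinked and usable:
            flagged.append(user["login"])
    return sorted(flagged)


def missing_from_org(expected_logins, v0_listing):
    """Logins expected in an organisation that its user listing omits."""
    listed = {user["login"] for user in v0_listing}
    return sorted(set(expected_logins) - listed)


def reused_on_create(record, request_ms, slack_ms=60_000):
    """True when a record returned by a create call predates the request,
    i.e. an existing entry came back instead of a new one."""
    return record["_createdAt"] < request_ms - slack_ms


if __name__ == "__main__":
    print("orphaned:", orphaned_accounts(V1_USERS))
    print("missing from A:",
          missing_from_org(["user1", "user2"], V0_ORG_A_USERS))
    # The request time is taken from the quoted _updatedAt value.
    print("create reused old record:",
          reused_on_create(V1_USERS[0], 1679484293863))
```

Accounts flagged by `orphaned_accounts` still hold an API key or password, so they are worth reviewing or locking until their organisation links are confirmed.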