sonatype / nexus-public

Sonatype Nexus Repository Open-source codebase mirror
https://www.sonatype.com/products/repository-oss-download
Eclipse Public License 1.0

All user ids point to the same #379

Open delanym opened 5 months ago

delanym commented 5 months ago

I have local users and LDAP users configured. When I view the list of local users I can see their "User ID" correctly displayed in the first column. When I open a user, no matter which one, the ID is listed as "proxies". If I add a role to any user, it gets added to the proxies user.

I am unable to edit roles for any LDAP users. When I save, I get a notification "User not found: proxies".

What is special about the proxies user? Well, I deleted the anonymous user and set the proxies user as the anonymous user.


Nexus OSS 3.61.0-02 running on Windows

The previous version was nexus-3.37.3-02 and I suspect that the issue did not exist at that time (I did the migration in November 2023)

delanym commented 5 months ago

I see now that by editing my "endorser" user, all of their details have been set for the "proxies" user.

This is a major security issue! If I allow anonymous access to the server with the proxies user, that user will have whatever roles (and other details) were last saved for another user. So if I update the admin user, it will apply to the proxies user and expose the whole system.

nblair commented 5 months ago

Hi @delanym thanks for opening an issue. It's hard to understand the complete picture how you've configured all of the listed users, what roles and privileges they have, and how it intersects with the anonymous settings.

How to configure Anonymous Access is documented at https://help.sonatype.com/en/anonymous-access.html. If you have anonymous access enabled, with empty values for username and realm, any requests for content in repositories will be bound to a built in user "nx-anonymous", with privileges listed on that document. The screenshot you show above allows administrators to bind anonymous access to a different account (and realm) within the system, and requests for content will have the privileges of the specified user. Authentication and authorization decisions for accessing your content should always be made carefully and intentionally.
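The two comments above describe the risk (roles saved for one account landing on the account that anonymous access is bound to) and the mechanism (anonymous requests run with the privileges of either the built-in nx-anonymous user or the configured user/realm). The following audit script is an added example, not code from this thread or from Sonatype; it assumes the documented REST endpoints `GET /service/rest/v1/security/anonymous` and `GET /service/rest/v1/security/users` return JSON with the field names used below (`enabled`, `userId`, `realmName`, `roles`), and the sample payloads are constructed to mirror the symptom reported here. It flags two conditions a defender would want to know about: duplicate `userId` values in the user list, and an anonymous binding that resolves to an account holding a privileged role.

```python
"""Audit a Nexus Repository instance's anonymous-access binding and user table.

Added example (not from the issue thread or Sonatype's code base). Assumptions:
- GET /service/rest/v1/security/anonymous returns {"enabled", "userId", "realmName"}
- GET /service/rest/v1/security/users returns a list of {"userId", "roles", ...}
The SAMPLE_* payloads below are constructed for illustration.
"""
from __future__ import annotations

import base64
import json
import urllib.request
from collections import Counter
from typing import Any

# Roles that should never be held by the account anonymous requests are bound to.
# nx-admin is the built-in administrator role; extend for your own admin roles.
PRIVILEGED_ROLES = {"nx-admin"}


def find_duplicate_user_ids(users: list[dict[str, Any]]) -> list[str]:
    """Return userIds that occur more than once.

    A healthy instance has unique userIds; a repeated value is the
    "all users point to the same id" symptom described in this issue.
    """
    counts = Counter(u["userId"] for u in users)
    return sorted(uid for uid, n in counts.items() if n > 1)


def anonymous_binding_findings(anonymous: dict[str, Any],
                               users: list[dict[str, Any]]) -> list[str]:
    """Describe what an unauthenticated request would be granted."""
    findings: list[str] = []
    if not anonymous.get("enabled"):
        return findings  # anonymous access disabled: nothing is exposed this way
    # An empty userId means the built-in nx-anonymous account is used.
    bound_id = anonymous.get("userId") or "nx-anonymous"
    matches = [u for u in users if u["userId"] == bound_id]
    if len(matches) > 1:
        findings.append(
            f"anonymous userId {bound_id!r} matches {len(matches)} accounts; "
            "the binding is ambiguous")
    for u in matches:
        bad = PRIVILEGED_ROLES & set(u.get("roles", []))
        if bad:
            findings.append(
                f"anonymous access is bound to {bound_id!r}, "
                f"which holds privileged roles {sorted(bad)}")
    return findings


def audit(anonymous: dict[str, Any], users: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Combine both checks into one report dictionary."""
    return {
        "duplicate_user_ids": find_duplicate_user_ids(users),
        "anonymous_findings": anonymous_binding_findings(anonymous, users),
    }


def fetch_live(base_url: str, username: str, password: str) -> dict[str, list[str]]:
    """Run the audit against a real instance (admin credentials required)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def get(path: str) -> Any:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)

    return audit(get("/service/rest/v1/security/anonymous"),
                 get("/service/rest/v1/security/users"))


# Constructed sample data mirroring the thread: two records now share the
# userId "proxies", and one of them carries the roles last saved for admin.
SAMPLE_USERS = [
    {"userId": "admin", "source": "default", "roles": ["nx-admin"]},
    {"userId": "proxies", "source": "default", "roles": ["proxy-reader"]},
    {"userId": "proxies", "source": "default", "roles": ["nx-admin"]},
]
SAMPLE_ANONYMOUS = {"enabled": True, "userId": "proxies",
                    "realmName": "NexusAuthorizingRealm"}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ANONYMOUS, SAMPLE_USERS), indent=2))
```

Running the script on the constructed sample reports `proxies` as a duplicated userId and two findings for the anonymous binding (ambiguous match, and a matched record holding nx-admin). Against a live instance, call `fetch_live("https://nexus.example.invalid", "admin", password)` with an administrator account; an empty report with anonymous access enabled means the bound account is unique and holds none of the roles in `PRIVILEGED_ROLES`.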

delanym commented 5 months ago

The nx-anonymous role is a default role and cannot be modified. That is why I made a proxies user with its own role/permission mapping. Nothing complicated. But back to the issue: There is corruption of the local user data, or a bug in the interface.

How is it possible that the user ids of all local users are "proxies"?


Why does this differ from ids listed in the user table?


nblair commented 5 months ago

It's not clear what could be at the root cause from the detail you've provided here so far to understand all of the configuration options and surrounding environment. This isn't something we can readily replicate; being able to dive in further would necessitate an engagement with Sonatype Support, which is available for Pro customers. I've applied the help-wanted label to solicit eyes from the rest of the community to see if others may be able to assist.

delanym commented 5 months ago

I can't believe what I'm reading. What configuration option could cause local user ids to point to the same? This is a bug, a hack, or a one in a million chance of bit rot. Either way, it's a bug, so please label it so. This is a major elevation of privilege issue and you're telling me, just because I'm not a paying customer, Sonatype is not going to own and run with it? Having had a brief look at the code and its history I don't expect the "community" to do anything.

That anonymous access feature always bugged me - and now my nightmare has come true. I will never trust Nexus to manage authentication again.

Having said that, I can't just swap it out. And right now I can't configure LDAP users, so I'm going to get into that embedded OrientDB somehow and try to rebuild the user ids for local users. My guess is the code that handled the migration from nexus-3.37.3-02 corrupted the data.

I'd also bet that Nexus never expected someone to remove the anonymous user and replace it with another.

delanym commented 5 months ago

I upgraded to the latest 3.67.1-01 on Linux and the problem has resolved. This suggests the issue was with the interface or some middleware, not the db.

nblair commented 5 months ago

Hi @delanym glad to hear you've found a resolution. It's difficult to understand the details of the root cause without having direct access to the underlying database, the configuration you have setup with LDAP/users/roles/privileges, and other aspects of your environment. I scanned the issues delivered between 3.61 and 3.67 and I don't see anything specific or similar to this issue.

vlastimil-dolejs commented 4 months ago

I have the same problem. All users have the same ID in user management after upgrade from 3.37.3-02 to 3.68.1-02. I can't edit the user roles.

delanym commented 4 months ago

@vlastimil-dolejs can I ask if you ever modified the anonymous user account or settings related to it?

github-actions[bot] commented 2 months ago

This issue is stale because it has been open for 60 days with no activity.

vlastimil-dolejs commented 2 months ago

@delanym I don't know. Sorry for the late reply.

delanym commented 1 month ago

This is now happening on 3.69.0-02 running in a Linux container. I cannot edit any user permissions because they all have the same user id! At least, according to the UI.

Can someone in Sonatype with insider knowledge please suggest how I can go about troubleshooting this issue?

Dumping OrientDB in favour of H2 is almost certainly part of the confusion here. The current version of OrientDB is 2.2.37 (Sep 14, 2018!)