Artifactory Binary Repository / RTFACT-18741

Outdated Crowd REST client version in Artifactory causes delayed logins when HTTPS is used


    Details

    • Type: Bug
    • Status: Done
    • Priority: 3 - High
    • Resolution: Done
    • Affects Version/s: 6.8.3
    • Fix Version/s: 6.11.0
    • Component/s: Crowd
    • Labels:
      None
    • Severity:
      High

      Description

      Summary:

      Artifactory uses an outdated Atlassian Crowd/Jira REST client version. The package limits Crowd communication to two concurrent connections when connecting to an HTTPS-backed Crowd server. This causes delayed logins due to a capped Crowd HTTP client connection pool.

      The issue will intensify when there are many concurrent requests using Crowd authentication as well as when it takes more time to return the requested payload from Crowd.

      Crowd JIRA ref: https://jira.atlassian.com/browse/CWD-4337

      Without this limitation, the client would have obeyed the system property crowd.property.http.max.connections=numberOfConnections (set in etc/artifactory.system.properties).

      Workarounds, or means to lessen the effects:

      • Set the Crowd server URL to use plain HTTP.
      • Consider using Access Token or API key based authentication. This should lower the number of Crowd-bound authentication requests.

      Steps to Reproduce:

      1. Set up Crowd and configure SSL termination (HTTPS), e.g. using Nginx:

      server {

          listen 80;
          listen 443 ssl;

          ssl_certificate        /etc/ssl/artifactorydev.jfrog.com.crt;
          ssl_certificate_key    /etc/ssl/artifactorydev.jfrog.com.key;

          server_name artifactorydev.jfrog.com;
          if ($http_x_forwarded_proto = '') {
              set $http_x_forwarded_proto  $scheme;
          }
          ## Application specific logs
          access_log /var/log/nginx/localhost-access.log;
          error_log /var/log/nginx/localhost-error.log;
          location /crowd/ {
              proxy_pass          http://crowdserver:8095/crowd/;
              proxy_set_header    X-Forwarded-Proto $http_x_forwarded_proto;
              proxy_set_header    Host              $http_host;
              proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
              proxy_set_header    X-Real-IP         $remote_addr;
              port_in_redirect    off;
          }

      }

      2. Configure the Crowd integration and use the HTTPS Crowd URL. Verify the connection and successful user login.

      3. Issue multiple concurrent requests (you can use the script below). You will see 2 active requests (threads) serving the connections to Crowd.

      uiLoginCrowdLoop.sh script and command:

      ./uiLoginCrowdLoop.sh 250

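      #!/bin/bash
      # Fires the given number of background UI login requests at Artifactory,
      # as user0, user1, ... so that each one triggers a Crowd authentication.

      repeats=$1

      i=0

      while [ "$i" -lt "$repeats" ]; do

              # Each login runs in the background so the requests overlap
              curl -XPOST -i -Lvv "http://localhost:8080/artifactory/ui/auth/login" -d '{"user": "user'"$i"'", "password": "secret", "type": "login"}' -H 'Content-Type: application/json' &
              sleep 0.01
              i=$((i + 1))

      done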
      

      4. While the loop runs, try a UI login or authenticate via REST with Crowd credentials, and notice the delayed login.

      Requests comparison:

      Crowd HTTPS:
      
      time curl -u user508:secret -i -Lvv "http://localhost:8080/artifactory/api/docker/docker/v2/token"
      
      {"token":"AKCp5cbwXCcmgNPB5XGACb7mDECcJeTxLy5Vo8iQoDw8nwTx1B9YCwC2FkjE7hBVuC32zDoXA","expires_in":3600}
      
      0.01s user 0.01s system 0% cpu 24.848 total
      
      
      
      Crowd HTTP:
      
      time curl -u user501:secret -i -Lvv "http://localhost:8080/artifactory/api/docker/docker/v2/token"
      
      {"token":"AKCp5cbwXCcSoPHoa31zQdtZtx9yHbK786YVXJB1bXudNakMYLM9WrZnmAhmw2kDk7EdHfzsx","expires_in":3600}
      
      0.01s user 0.01s system 0% cpu 11.867 total
      
      
      
      ApiKey:
      
      time curl -u admin:AKCp5cbwXCcSsf3sJjSaaWohctKijTPpxuQGoK5ae74zLPy5qX2zPQ6t8TbEKsx3QTjkn21P9 -i -Lvv "http://localhost:8080/artifactory/api/docker/docker/v2/token"
      
      {"token":"AKCp5cbwXBdyviH4DpcMDtusH6dHhTJCsPJh2A6iUREtNqTngbyromhLxeaMRHQr8Nj5U8iQ1","expires_in":3600}
      
      0.01s user 0.01s system 1% cpu 0.806 total
      

      Thread dumps attached. Note the 2 active connections with HTTPS and 20 with HTTP.

      • You can search for 'at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)' and see the Tomcat/user and Crowd bound running threads
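
The thread-dump search described above, as an added example that is not part of the original report or of Artifactory's code: it counts Crowd-bound threads that hold a connection against those queued behind them. The `com.atlassian.crowd` frame marker, the function names and the sample dump (including its `ExampleClient` class) are assumptions constructed for illustration.

```python
import re
from collections import Counter

SOCKET_READ = "at java.net.SocketInputStream.socketRead("  # frame quoted in the issue
CROWD_MARKER = "com.atlassian.crowd"  # assumption: package prefix of Crowd client frames

def classify_threads(dump, crowd_marker=CROWD_MARKER):
    """Count Crowd-bound threads that hold a connection vs. those queued behind them."""
    counts = Counter()
    for block in re.split(r"\n\s*\n", dump.strip()):
        lines = [l.strip() for l in block.splitlines()]
        if not lines or not lines[0].startswith('"'):
            continue  # not a thread entry (dump header, JNI summary, ...)
        frames = [l for l in lines[1:] if l.startswith("at ")]
        in_read = any(f.startswith(SOCKET_READ) for f in frames)
        crowd = any(crowd_marker in f for f in frames)
        if crowd and in_read:
            counts["crowd_active"] += 1       # reading a Crowd response
        elif crowd:
            counts["crowd_waiting"] += 1      # in Crowd code, no socket yet
        elif in_read:
            counts["other_socket_read"] += 1  # e.g. Tomcat reading a client request
    return dict(counts)

def pool_looks_capped(counts, limit=2):
    """True when callers queue while no more than `limit` connections are in use."""
    return counts.get("crowd_waiting", 0) > 0 and counts.get("crowd_active", 0) <= limit

def _thread(name, state, frames):
    # Builds one constructed jstack-style entry; class names below are hypothetical.
    head = f'"{name}" #1 daemon prio=5\n   java.lang.Thread.State: {state}\n'
    return head + "".join(f"\tat {f}\n" for f in frames)

READ = ["java.net.SocketInputStream.socketRead0(Native Method)",
        "java.net.SocketInputStream.socketRead(SocketInputStream.java:116)"]
CROWD = ["com.atlassian.crowd.ExampleClient.authenticate(ExampleClient.java:1)"]
POOL_WAIT = ["java.lang.Object.wait(Native Method)"]

# Constructed dump: 2 threads reading from Crowd, 3 queued, 1 unrelated socket read.
SAMPLE_DUMP = "\n".join(
    [_thread(f"exec-{i}", "RUNNABLE", READ + CROWD) for i in range(2)]
    + [_thread(f"exec-{i}", "WAITING", POOL_WAIT + CROWD) for i in range(2, 5)]
    + [_thread("exec-5", "RUNNABLE", READ)]
)

if __name__ == "__main__":
    result = classify_threads(SAMPLE_DUMP)
    print(result, "capped:", pool_looks_capped(result))
```

Run against a real dump, adjust `crowd_marker` to whatever package the Crowd client frames actually show in that dump.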


            People

            Assignee:
            andreik Andrei Komarov
            Reporter:
            andreik Andrei Komarov