Page MenuHomePhabricator
Create Task
Maniphest T355352

Users in archiva-deployer group can't upload artifacts anymore.
Closed, ResolvedPublic
Actions

Description

I used to be able to upload artifacts to archiva.wikimedia.org from my user (joal) either manually or through maven.
Now I can't do it anymore, neither through the UI (upload section is invisible) not through Maven (401 is answered when trying).
Interestingly, the jenkins user can still release jars.

Details

SubjectRepoBranchLines +/-
archiva: fix 400s when proxying requests with spaces in the URLoperations/puppetproduction+2 -2
Customize query in gerrit

Related Objects

Event Timeline

JAllemandou created this task.Jan 18 2024, 6:29 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 18 2024, 6:29 PM
JAllemandou updated the task description. (Show Details)Jan 18 2024, 6:29 PM
JAllemandou updated the task description. (Show Details)
JAllemandou mentioned this in T309097: [Maintenance] We should have a top level maven parent pom based on wikimedia-discovery-discovery-parent-pom,.
JAllemandou moved this task from Next Up to Radar (External Teams) on the Data-Engineering (Sprint 7) board.
dcausse awarded a token.Jan 18 2024, 6:42 PM
Gehel triaged this task as High priority.Jan 18 2024, 8:30 PM
Gehel edited projects, added Data-Platform-SRE (2024.01.01 - 2024.01.21); removed Data-Platform-SRE.
bking subscribed.Jan 19 2024, 2:32 PM
dr0ptp4kt subscribed.Jan 19 2024, 6:59 PM
brouberol subscribed.EditedJan 22 2024, 7:34 AM

I've ssh -ed onto archiva1002.wikimedia.org and had a look at the archiva logs.

I'm seeing many occurences of these logs in /var/log/archiva/wrapper.log:

INFO   | jvm 1    | 2024/01/22 03:06:38 | [INFO] Failed to parse Maven artifact /var/lib/archiva/repositories/releases/com/googlesource/gerrit/plugins/wikimedia/2.15.2/wikimedia-2.15.2.jar due to error in opening zip file
INFO   | jvm 1    | 2024/01/22 03:06:38 | [INFO] Failed to parse Maven artifact /var/lib/archiva/repositories/releases/com/googlesource/gerrit/plugins/quota/2.15.2/quota-2.15.2.jar due to error in opening zip file

and indeed, these files seem tiny in size:

brouberol@archiva1002:~$ ls -alh /var/lib/archiva/repositories/releases/com/googlesource/gerrit/plugins/wikimedia/2.16.16/wikimedia-2.16.16.jar
-rw-r--r-- 1 archiva archiva 217K Feb 21  2020 /var/lib/archiva/repositories/releases/com/googlesource/gerrit/plugins/wikimedia/2.16.16/wikimedia-2.16.16.jar
brouberol@archiva1002:~$ ls -alh /var/lib/archiva/repositories/releases/com/googlesource/gerrit/plugins/quota/2.15.2/quota-2.15.2.jar
-rw-r--r-- 1 archiva archiva 74 Jun  7  2018 /var/lib/archiva/repositories/releases/com/googlesource/gerrit/plugins/quota/2.15.2/quota-2.15.2.jar

Could they be corrupted?

I checked, and these are regular files, not symlinks

brouberol@archiva1002:~$ stat /var/lib/archiva/repositories/releases/com/googlesource/gerrit/plugins/wikimedia/2.15.2/wikimedia-2.15.2.jar
  File: /var/lib/archiva/repositories/releases/com/googlesource/gerrit/plugins/wikimedia/2.15.2/wikimedia-2.15.2.jar
  Size: 74        	Blocks: 8          IO Block: 4096   regular file
Device: fe11h/65041d	Inode: 5378818     Links: 1
Access: (0644/-rw-r--r--)  Uid: (  112/ archiva)   Gid: (  119/ archiva)
Access: 2022-07-24 20:59:48.860010437 +0000
Modify: 2018-06-07 22:46:53.933146869 +0000
Change: 2022-07-24 20:59:48.860010437 +0000
 Birth: -
brouberol@archiva1002:~$ stat /var/lib/archiva/repositories/releases/com/googlesource/gerrit/plugins/quota/2.15.2/quota-2.15.2.jar
  File: /var/lib/archiva/repositories/releases/com/googlesource/gerrit/plugins/quota/2.15.2/quota-2.15.2.jar
  Size: 74        	Blocks: 8          IO Block: 4096   regular file
Device: fe11h/65041d	Inode: 5378497     Links: 1
Access: (0644/-rw-r--r--)  Uid: (  112/ archiva)   Gid: (  119/ archiva)
Access: 2022-07-24 20:59:48.644009325 +0000
Modify: 2018-06-07 22:46:01.744872087 +0000
Change: 2022-07-24 20:59:48.644009325 +0000
 Birth: -

They do point to git-fat though:

brouberol@archiva1002:~$ cat /var/lib/archiva/repositories/releases/com/googlesource/gerrit/plugins/wikimedia/2.15.2/wikimedia-2.15.2.jar
#$# git-fat c97c489fe61891fca04ad715b4a55547a4d74cd3               219919

and git-fat does seem to be struggling:

brouberol@archiva1002:~$ sudo systemctl status archiva-gitfat-link.service
● archiva-gitfat-link.service - Archiva tool to create jar symlinks using their sha1 checksum as filename.
   Loaded: loaded (/lib/systemd/system/archiva-gitfat-link.service; static; vendor preset: enabled)
   Active: activating (start) since Mon 2024-01-22 07:35:01 UTC; 3min 27s ago
     Docs: https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
 Main PID: 12817 (archiva-gitfat-)
    Tasks: 4 (limit: 4700)
   Memory: 353.7M
   CGroup: /system.slice/archiva-gitfat-link.service
           ├─12817 /bin/sh /usr/local/bin/archiva-gitfat-link ../repositories .
           ├─16620 /bin/sh /usr/local/bin/archiva-gitfat-link ../repositories .
           ├─16621 /bin/sh /usr/local/bin/archiva-gitfat-link ../repositories .
           └─16622 awk {print $1}

Jan 22 07:35:01 archiva1002 systemd[1]: Starting Archiva tool to create jar symlinks using their sha1 checksum as filename....
brouberol@archiva1002:~$ sudo systemctl status archiva-gitfat-link.service
● archiva-gitfat-link.service - Archiva tool to create jar symlinks using their sha1 checksum as filename.
   Loaded: loaded (/lib/systemd/system/archiva-gitfat-link.service; static; vendor preset: enabled)
   Active: inactive (dead) since Mon 2024-01-22 07:38:43 UTC; 2s ago
     Docs: https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
  Process: 12817 ExecStart=/bin/bash -c cd /var/lib/archiva/git-fat && /usr/local/bin/archiva-gitfat-link ../repositories . (code=exited, status=0/SUCCESS)
 Main PID: 12817 (code=exited, status=0/SUCCESS)

Jan 22 07:35:01 archiva1002 systemd[1]: Starting Archiva tool to create jar symlinks using their sha1 checksum as filename....
Jan 22 07:38:43 archiva1002 systemd[1]: archiva-gitfat-link.service: Succeeded.
Jan 22 07:38:43 archiva1002 systemd[1]: Started Archiva tool to create jar symlinks using their sha1 checksum as filename..
brouberol added a comment.Jan 22 2024, 7:35 AM

I'm also seeing the following traceback in /var/log/archiva/wrapper.log

INFO   | jvm 1    | 2024/01/22 02:30:02 | 2024-01-22 02:30:02.519:WARN:oejs.ServletHandler:/repository/mirrored/io/undertow/undertow-core/maven-metadata.xml
INFO   | jvm 1    | 2024/01/22 02:30:02 | java.lang.IllegalArgumentException: Comparison method violates its general contract!
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at java.util.TimSort.mergeHi(TimSort.java:899)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at java.util.TimSort.mergeAt(TimSort.java:516)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at java.util.TimSort.mergeForceCollapse(TimSort.java:457)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at java.util.TimSort.sort(TimSort.java:254)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at java.util.Arrays.sort(Arrays.java:1512)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at java.util.ArrayList.sort(ArrayList.java:1464)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at java.util.Collections.sort(Collections.java:177)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.apache.archiva.repository.metadata.MetadataTools.updateMetadataVersions(MetadataTools.java:649)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.apache.archiva.repository.metadata.MetadataTools.updateMetadata(MetadataTools.java:471)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.apache.archiva.proxy.DefaultRepositoryProxyConnectors.fetchMetadataFromProxies(DefaultRepositoryProxyConnectors.java:515)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.apache.archiva.webdav.ArchivaDavResourceFactory.fetchContentFromProxies(ArchivaDavResourceFactory.java:792)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.apache.archiva.webdav.ArchivaDavResourceFactory.processRepository(ArchivaDavResourceFactory.java:627)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.apache.archiva.webdav.ArchivaDavResourceFactory.processRepositoryGroup(ArchivaDavResourceFactory.java:490)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.apache.archiva.webdav.ArchivaDavResourceFactory.createResource(ArchivaDavResourceFactory.java:262)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.apache.archiva.webdav.RepositoryServlet.service(RepositoryServlet.java:126)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:501)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:557)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:255)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:154)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.eclipse.jetty.server.Server.handle(Server.java:370)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:971)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1033)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:667)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
INFO   | jvm 1    | 2024/01/22 02:30:02 | 	at java.lang.Thread.run(Thread.java:750)
brouberol added a comment.Jan 22 2024, 7:39 AM

What I'm seeing points to an issue with git-fat, and I'll continue investigating after baby-duty.

brouberol added a comment.Jan 22 2024, 7:42 AM

Ah wait, no, git-fat is a oneshot service, so it's *supposed* to start regularly

brouberol@archiva1002:~$ sudo systemctl cat archiva-gitfat-link.service
# /lib/systemd/system/archiva-gitfat-link.service
[Unit]
Description=Archiva tool to create jar symlinks using their sha1 checksum as filename.
Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state

[Service]
Type=oneshot
User=archiva
SyslogIdentifier=archiva-gitfat-link
ExecStart=/bin/bash -c 'cd /var/lib/archiva/git-fat && /usr/local/bin/archiva-gitfat-link ../repositories .'
gerritbot added a comment.Jan 22 2024, 9:52 AM

Change 992089 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/puppet@production] archiva: fix 400s when proxying requests with spaces in the URL

https://gerrit.wikimedia.org/r/992089

gerritbot added a project: Patch-For-Review.Jan 22 2024, 9:52 AM
brouberol added a comment.Jan 22 2024, 10:00 AM

All my previous comments related to git-fat were invalid. When digging in the Archiva UI, we realized that XHR calls to https://archiva.wikimedia.org/restServices/redbackServices/roleManagementService/getRole/<any-role-name-with-spaces-in-them> failed. if the group didn't have any space in it, the call succeeded.

We believed that fixing this bug might fix the permission issue, as archiva is trying to assess what permission are associated with the LDAP user, and can't get the permission associated to the Archiva group, mapped to the LDAP user cn.

brouberol added a comment.EditedJan 22 2024, 10:12 AM

We checked with @BTullis that this patch didn't reopen the XSS vulnerability documented in T318962, which it did not.

brouberol added a subscriber: BTullis.Jan 22 2024, 10:12 AM
gerritbot added a comment.Jan 22 2024, 10:13 AM

Change 992089 merged by Brouberol:

[operations/puppet@production] archiva: fix 400s when proxying requests with spaces in the URL

https://gerrit.wikimedia.org/r/992089

Maintenance_bot removed a project: Patch-For-Review.Jan 22 2024, 10:30 AM
brouberol claimed this task.Jan 22 2024, 10:45 AM
Gehel edited projects, added Data-Platform-SRE (2024.01.22 - 2024.02.11); removed Data-Platform-SRE (2024.01.01 - 2024.01.21).Jan 22 2024, 1:47 PM
Gehel moved this task from Backlog to In Progress on the Data-Platform-SRE (2024.01.22 - 2024.02.11) board.
brouberol added a comment.Jan 22 2024, 2:06 PM

It turns out the issue was in LDAP/Archiva. The archiva-deployers had an extra cn attribute with value cn=releng. Somehow, both groups were shown in the Archiva list, and only the permission applied to the releng group were taken into account.

We cleaned up the extra LDAP cn, and permission issues have now gone away.

brouberol closed this task as Resolved.Jan 22 2024, 2:06 PM
Gehel moved this task from In Progress to Done on the Data-Platform-SRE (2024.01.22 - 2024.02.11) board.Jan 22 2024, 2:29 PM
BTullis added a comment.Jan 22 2024, 2:36 PM

In case it helps, there is a long Slack thread about this incident here: https://wikimedia.slack.com/archives/C055QGPTC69/p1705609783973829

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL