Status 400 Bad Request: failed to revoke entry... cannot be dropped because some objects depend on it (SQLSTATE 2BP01); - hashicorp-vault

I have configured my Spring Boot application to obtain the database credentials from the Vault database backend. This works fine when I run it against a Vault server in development mode. But now I am trying to get it to work when the Vault server is running in production mode.
I am getting the exception below in the Spring Boot application during context loading.
Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled.
2023-01-31 19:22:12.511 WARN 32872 --- [ Test worker] LeaseEventPublisher$LoggingErrorListener : [RequestedSecret [path='database/creds/myrole', mode=RENEW]] Lease [leaseId='database/creds/myrole/sDABdI1ZfDyYiuzZ3WUmZN9o', leaseDuration=PT5M, renewable=true] Status 400 Bad Request: failed to revoke entry: resp: (*logical.Response)(nil) err: ERROR: role "v-root-myrole-o1PzAyuwybhLzZpPx1k0-1675173125" cannot be dropped because some objects depend on it (SQLSTATE 2BP01); nested exception is org.springframework.web.client.HttpClientErrorException$BadRequest: 400 Bad Request
org.springframework.vault.VaultException: Status 400 Bad Request: failed to revoke entry: resp: (*logical.Response)(nil) err: ERROR: role "v-root-myrole-o1PzAyuwybhLzZpPx1k0-1675173125" cannot be dropped because some objects depend on it (SQLSTATE 2BP01); nested exception is org.springframework.web.client.HttpClientErrorException$BadRequest: 400 Bad Request
at org.springframework.vault.client.VaultResponses.buildException(VaultResponses.java:63) ~[spring-vault-core-2.2.0.RELEASE.jar:2.2.0.RELEASE]
at org.springframework.vault.core.VaultTemplate.doWithSession(VaultTemplate.java:391) ~[spring-vault-core-2.2.0.RELEASE.jar:2.2.0.RELEASE]
at org.springframework.vault.core.lease.SecretLeaseContainer.doRevokeLease(SecretLeaseContainer.java:785) [spring-vault-core-2.2.0.RELEASE.jar:2.2.0.RELEASE]
at org.springframework.vault.core.lease.SecretLeaseContainer.destroy(SecretLeaseContainer.java:503) [spring-vault-core-2.2.0.RELEASE.jar:2.2.0.RELEASE]
at org.springframework.beans.factory.support.DisposableBeanAdapter.destroy(DisposableBeanAdapter.java:258) [spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.destroyBean(DefaultSingletonBeanRegistry.java:571) [spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.destroySingleton(DefaultSingletonBeanRegistry.java:543) [spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.destroySingleton(DefaultListableBeanFactory.java:1072) [spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.destroySingletons(DefaultSingletonBeanRegistry.java:504) [spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.destroySingletons(DefaultListableBeanFactory.java:1065) [spring-beans-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.destroyBeans(AbstractApplicationContext.java:1060) [spring-context-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.doClose(AbstractApplicationContext.java:1029) [spring-context-5.2.0.RELEASE.jar:5.2.0.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.close(AbstractApplicationContext.java:978) [spring-context-5.2.0.RELEASE.jar:5.2.0.RELEASE]
...
I am also getting the error below in the Vault (Docker container) log.
2023-01-31T13:51:38.534Z [ERROR] expiration: failed to revoke lease: lease_id=database/creds/myrole/JhS1BcblrfdqHAWGnTSjTx8p error="failed to revoke entry: resp: (*logical.Response)(nil) err: ERROR: role \"v-root-myrole-PMfgb1jqWGBNlXIGKM2E-1675171846\" cannot be dropped because some objects depend on it (SQLSTATE 2BP01)"
2023-01-31T13:51:38.660Z [ERROR] expiration: failed to revoke lease: lease_id=database/creds/myrole/tX4nIeWS4tWS0bJGpMSB5uAA error="failed to revoke entry: resp: (*logical.Response)(nil) err: ERROR: role \"v-root-myrole-LpuSXIp0yzV6uqQpwllS-1675171653\" cannot be dropped because some objects depend on it (SQLSTATE 2BP01)"
2023-01-31T13:51:54.010Z [ERROR] expiration: failed to revoke lease: lease_id=database/creds/myrole/JhS1BcblrfdqHAWGnTSjTx8p error="failed to revoke entry: resp: (*logical.Response)(nil) err: ERROR: role \"v-root-myrole-PMfgb1jqWGBNlXIGKM2E-1675171846\" cannot be dropped because some objects depend on it (SQLSTATE 2BP01)"
2023-01-31T13:52:04.127Z [ERROR] expiration: failed to revoke lease: lease_id=database/creds/myrole/tX4nIeWS4tWS0bJGpMSB5uAA error="failed to revoke entry: resp: (*logical.Response)(nil) err: ERROR: role \"v-root-myrole-LpuSXIp0yzV6uqQpwllS-1675171653\" cannot be dropped because some objects depend on it (SQLSTATE 2BP01)"
2023-01-31T13:52:12.474Z [ERROR] secrets.system.system_e586bc2f: lease revocation failed: lease_id=database/creds/myrole/sDABdI1ZfDyYiuzZ3WUmZN9o error="failed to revoke entry: resp: (*logical.Response)(nil) err: ERROR: role \"v-root-myrole-o1PzAyuwybhLzZpPx1k0-1675173125\" cannot be dropped because some objects depend on it (SQLSTATE 2BP01)"
I also tried adding the policy below to the default policy, but it didn't resolve the issue.
path "sys/leases/revoke/*" {
capabilities = ["update"]
}
Since the exception message mentions it, I tried adding read and update capabilities for "database/creds/myrole" to the default policy, and all of a sudden Vault started throwing the error below as well. But it was fixed after I removed that policy config and re-set the password of the user in the database.
expiration: failed to revoke lease: lease_id=database/creds/myrole/tX4nIeWS4tWS0bJGpMSB5uAA error="failed to revoke entry: resp: (*logical.Response)(nil) err: error verifying connection: failed to connect to `host=host.docker.internal user=spring_user database=ax`: failed SASL auth (FATAL: password authentication failed for user \"spring_user\" (SQLSTATE 28P01))"
I would appreciate it if someone could help me resolve this issue; I have been trying to find a solution, but now I am confused.

The reason for the SQL error was that all the roles created by Vault during the entire period were still present in the database. As the error says, Vault is unable to drop a role while other objects are tied to it.
The 400 Bad Request error did not occur when I restarted the service after revoking privileges and dropping all the roles created by Vault.
Then adding the script below as the revocation statement of my database backend role helped to remove the previously created role automatically when the lease expired.
DROP OWNED BY "{{name}}"; REVOKE ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA ax_management FROM "{{name}}"; DROP ROLE "{{name}}";
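The revocation statement above works because it drops everything the dynamic role owns before dropping the role itself. The script below is an added example (not code from the question or from Vault): it parses the failed-revocation lines from the Vault server log to list the orphaned PostgreSQL roles, and emits cleanup SQL that first reassigns ownership to a long-lived role so that DROP OWNED BY cannot delete tables the application created; the owner role app_owner, the name-template assumption and the sample log are assumptions, the log being constructed from the lines in the question.

```python
"""Triage Vault revocation failures of the kind seen in the question:
'role "v-..." cannot be dropped because some objects depend on it'
(SQLSTATE 2BP01). Added example; not from the question or from Vault.
Assumes Vault's default dynamic-user name template, whose last dash-separated
field is the unix creation time; 'app_owner' is a hypothetical long-lived role."""
import re

# Vault's expiration manager logs one line per failed attempt and keeps
# retrying, so the same lease and role show up repeatedly.
REVOKE_FAIL = re.compile(
    r'lease_id=(?P<lease>\S+) .*?role \\"(?P<role>[^\\"]+)\\" cannot be dropped'
    r'.*?\(SQLSTATE (?P<state>\w+)\)'
)

def parse_failed_revocations(log_text: str) -> list[dict]:
    """One record per distinct orphaned PostgreSQL role found in the log."""
    seen, records = set(), []
    for m in REVOKE_FAIL.finditer(log_text):
        if m["role"] in seen:
            continue
        seen.add(m["role"])
        records.append({
            "lease_id": m["lease"], "role": m["role"], "sqlstate": m["state"],
            "created_unix": int(m["role"].rsplit("-", 1)[-1]),  # name suffix
        })
    return records

def quote_ident(name: str) -> str:
    """Double-quote a PostgreSQL identifier, doubling embedded quotes."""
    return '"' + name.replace('"', '""') + '"'

def cleanup_sql(role: str, new_owner: str) -> list[str]:
    """Statements, in order, that let DROP ROLE succeed for an orphaned role.
    Ownership goes to a long-lived role first, because DROP OWNED BY alone
    deletes every table the dynamic user created. The same ordering, with
    {{name}} for the role, is a safer revocation_statements value."""
    r, o = quote_ident(role), quote_ident(new_owner)
    return [f"REASSIGN OWNED BY {r} TO {o};",
            f"DROP OWNED BY {r};",  # now only revokes leftover privileges
            f"DROP ROLE {r};"]

# Constructed sample, modelled on the Vault container log in the question.
SAMPLE_LOG = r"""
2023-01-31T13:51:38.534Z [ERROR] expiration: failed to revoke lease: lease_id=database/creds/myrole/JhS1BcblrfdqHAWGnTSjTx8p error="failed to revoke entry: resp: (*logical.Response)(nil) err: ERROR: role \"v-root-myrole-PMfgb1jqWGBNlXIGKM2E-1675171846\" cannot be dropped because some objects depend on it (SQLSTATE 2BP01)"
2023-01-31T13:51:54.010Z [ERROR] expiration: failed to revoke lease: lease_id=database/creds/myrole/JhS1BcblrfdqHAWGnTSjTx8p error="failed to revoke entry: resp: (*logical.Response)(nil) err: ERROR: role \"v-root-myrole-PMfgb1jqWGBNlXIGKM2E-1675171846\" cannot be dropped because some objects depend on it (SQLSTATE 2BP01)"
2023-01-31T13:52:12.474Z [ERROR] secrets.system.system_e586bc2f: lease revocation failed: lease_id=database/creds/myrole/sDABdI1ZfDyYiuzZ3WUmZN9o error="failed to revoke entry: resp: (*logical.Response)(nil) err: ERROR: role \"v-root-myrole-o1PzAyuwybhLzZpPx1k0-1675173125\" cannot be dropped because some objects depend on it (SQLSTATE 2BP01)"
"""

if __name__ == "__main__":
    for rec in parse_failed_revocations(SAMPLE_LOG):
        print(f"-- lease {rec['lease_id']} (role created {rec['created_unix']})")
        print("\n".join(cleanup_sql(rec["role"], "app_owner")))
```

Run the generated statements as a superuser (or the owner of the dependent objects) in the same database the Vault connection targets; a role that owns objects in another database still cannot be dropped until that database is cleaned up too.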

Related

I have created a new user and mapped it to an old role that has all the update permissions, but I'm still getting an access denied error in MarkLogic

I have created a new user and mapped it to an old role that has all the update permissions, but I'm still getting an access denied error in MarkLogic. I'm trying to update the document through the XCC connector.
XCC version : 7.0.1
Marklogic Version : 10.0.2
Error:
Caused by: com.app.connector.AppException: com.marklogic.xcc.exceptions.XQueryException: ERR_ACCESSDENIED (perm:error): Access denied for user XCC_BASIC to $author/basic/create-tag elementID: 0
[Session: user=admin-user, cb=App [ContentSource: user=admin-user, cb=App [provider: address=mldev.com.web/xx.xx.xx.xx:8017, pool=1/64]]]
[Client: XCC/7.0-1, Server: XDBC/10.0-2.1]
in /lib/permission.xqy, on line 1845
expr: ,
in assert-access("$au/basic/create-tag", "0")
in /lib/permission.xqy, on line 1849
expr: ,
in perm:assert-access("$au/basic/create-tag")
in /lib/data.xqy, on line 7689
expr: ,
in data:create-tag(xs:anyURI("/test.xml"), "Admin_09_Convert", "Autocreated by Admin before run Converter query")
on line 4

Change user role in Keycloak after update in existing DB

I implemented the User Storage SPI to use Keycloak with an existing user DB, but I ran into this problem: when I update roles in my DB, the roles in Keycloak are not updated, and all my attempts to fix this lead to errors. For example, I tried disabling the cache for User Federation, and got this error after disabling the cache:
21:37:46,556 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-3) Uncaught server error: java.lang.NullPointerException
at org.keycloak.keycloak-server-spi-private#9.0.2//org.keycloak.models.utils.KeycloakModelUtils.resolveAttribute(KeycloakModelUtils.java:415)
at org.keycloak.keycloak-services#9.0.2//org.keycloak.protocol.oidc.mappers.UserAttributeMapper.setClaim(UserAttributeMapper.java:101)
at org.keycloak.keycloak-services#9.0.2//org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.setClaim(AbstractOIDCProtocolMapper.java:119)
at org.keycloak.keycloak-services#9.0.2//org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformAccessToken(AbstractOIDCProtocolMapper.java:81)
at org.keycloak.keycloak-services#9.0.2//org.keycloak.protocol.oidc.TokenManager.transformAccessToken(TokenManager.java:556)
at org.keycloak.keycloak-services#9.0.2//org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:415)
I found a workaround for this problem - override the getAttribute method from the UserModel interface: workaround - and then got this error:
21:42:05,659 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-3) Unique index or primary key violation: "PRIMARY_KEY_41 ON PUBLIC.FED_USER_ROLE_MAPPING(ROLE_ID, USER_ID) VALUES ('3cc65575-ba9b-4248-8601-bf4a9413cb17', 'f:cbd0e1b7-c6ed-4bd2-a4eb-b47fd8201ca8:1', 1)"; SQL statement:
insert into FED_USER_ROLE_MAPPING (REALM_ID, STORAGE_PROVIDER_ID, ROLE_ID, USER_ID) values (?, ?, ?, ?) [23505-193]
21:42:05,661 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-3) Uncaught server error: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: could not execute statement
at org.hibernate#5.3.13.Final//org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:154)
at org.hibernate#5.3.13.Final//org.hibernate.query.internal.AbstractProducedQuery.list(AbstractProducedQuery.java:1515)
If I enable the cache, then on the first request for the token I get the same error as above, and on all subsequent ones I just get the token, but the roles do not match the ones in my DB. What can I do about it? Thanks.

ORA-01017: invalid username/password; logon denied on Pluggable database

I created a local user under a pluggable database. I granted the privileges required to open and use it. I checked the username and the password. Still, it keeps saying invalid username/password.
Steps that I took:
1. alter session set container = xxxxpdb
2. alter pluggable database xxxpdb open
3. SQL> alter user #### identified by #### container = current;
User altered. ----- I did this to make sure that I have the correct password
4. connect ###/####XXXXpdb;
ERROR:
ORA-01017: invalid username/password; logon denied
5. Then tried to connect to it this way
$ sqlplus ###/####xxxxpdb
ERROR:
ORA-01017: invalid username/password; logon denied
I am new to container database. I would appreciate any detailed explanation! Thank you.
Based on the error message, it looks like the user doesn't exist in the PDB.
For an existing user you would get a privilege-related error instead. For example:
SQL> conn <existing_uname_without_required_privileges>/<upass>#<pdb_name>
ERROR:
ORA-01045: user <uname> lacks CREATE SESSION privilege; logon denied
Warning: You are no longer connected to ORACLE.
SQL>
For a non-existing user, the error you have observed will be returned:
SQL> conn <non_existing_user>/<upass>#<pdb_name>
ERROR:
ORA-01017: invalid username/password; logon denied
SQL>
This OraDoc page provides the information about local users in a CDB.

Unable to shutdown mongodb server - unexpected error: "shutdownServer failed: unauthorized" at src/mongo/shell/assert.js:7

I am trying to shut down one of the mongodb instances in a 3-node replica set. The config file has auth set to 1. I have an admin account that has the userAdminAnyDatabase role, and I logged in to the admin database with that account. However, when I run db.shutdownServer() I get the following error:
db.shutdownServer()
assert failed : unexpected error: "shutdownServer failed: unauthorized"
Error: Printing Stack Trace
at printStackTrace (src/mongo/shell/utils.js:37:15)
at doassert (src/mongo/shell/assert.js:6:5)
at assert (src/mongo/shell/assert.js:14:5)
at DB.shutdownServer (src/mongo/shell/db.js:346:9)
at (shell):1:4
Mon Jun 23 12:52:51.839 assert failed : unexpected error: "shutdownServer failed: unauthorized" at src/mongo/shell/assert.js:7
I created another user that has both dbAdminAnyDatabase and userAdminAnyDatabase roles and that also gets the same error.
Can someone help me with this error?
If running MongoDB 2.4, a user with the clusterAdmin role is needed to run db.shutdownServer(). A full list of user roles for MongoDB 2.4 is available here: http://docs.mongodb.org/v2.4/reference/user-privileges/
If on MongoDB 2.6, you would use the hostManager role instead. See the following page for 2.6 roles: http://docs.mongodb.org/manual/reference/built-in-roles/

iReport Designer: permission denied for relation

I haven't faced this error before. I have a database db that contains a table tb_name. I create a connection in iReport Designer with the credentials of the db owner. Then I create a new report, but the query select * from tb_name; throws the following error:
SQL problems: ERROR: permission denied for relation tb_name
Query error
Message:
net.sf.jasperreports.engine.JRException: SQL problems: ERROR: permission denied for relation tb_name Level:
SEVERE Stack Trace: SQL problems: ERROR: permission denied for relation tb_name
com.jaspersoft.ireport.designer.data.fieldsproviders.SQLFieldsProvider.getFields(SQLFieldsProvider.java:435)
com.jaspersoft.ireport.designer.connection.JDBCConnection.readFields(JDBCConnection.java:470)
com.jaspersoft.ireport.designer.wizards.ConnectionSelectionWizardPanel.validate(ConnectionSelectionWizardPanel.java:146)
org.openide.WizardDescriptor$7.run(WizardDescriptor.java:1357)
org.openide.util.RequestProcessor$Task.run(RequestProcessor.java:572)
org.openide.util.RequestProcessor$Processor.run(RequestProcessor.java:997)
When I test the connection, everything is fine. What could be the reason for this error? Thanks in advance.
Please check if the user has rights to execute statements. Some database changes might have caused the user to lose query permission.