TheHive
[Bug] Users / Organisations gone corrupted after Cassandra crash
Request Type
Bug
Work Environment
Question | Answer |
---|---|
OS version (server) | Debian, Ubuntu, CentOS, RedHat, ... |
OS version (client) | XP, Seven, 10, Ubuntu, ... |
Virtualized Env. | True / False |
Dedicated RAM | XX GB |
vCPU | 4 / 8 / 16 / 32 |
TheHive version / git hash | 4.x, hash of the commit |
Package Type | RPM, DEB, Docker, Binary, From source |
Database | Cassandra / BerkeleyDB |
Index type | Lucene / Elasticsearch |
Attachments storage | Local, NFS, S3, HDFS |
Browser type & version | If applicable |
Problem Description
Right now I have organisation "A". This organisation existed once upon a time, and "user1" was the org-admin of this organisation. Eventually, Cassandra went full, so TheHive crashed; we were able to increase the volume size and recover the application. Although, users were apparently lost...
If I run the query to list users of a given organisation, I'm only obtaining "user2", which was the one created after the Cassandra crash:
```bash
curl -H "Authorization: Bearer APIKEY" -H "Content-Type: application/json" -X POST http://localhost:9000/api/v0/query
```
Body:
```json
{
  "query": [
    {
      "_name": "getOrganisation",
      "idOrName": "A"
    },
    {
      "_name": "users"
    },
    {
      "_name": "sort",
      "_fields": [
        {
          "login": "asc"
        }
      ]
    },
    {
      "_name": "page",
      "from": 0,
      "to": 15,
      "organisation": "A"
    }
  ]
}
```
It returns user2 only:
```json
[
  {
    "_id": "~333099454",
    "id": "user2",
    "createdBy": "[email protected]",
    "updatedBy": "[email protected]",
    "createdAt": 1679485199426,
    "updatedAt": 1679485211963,
    "_type": "user",
    "login": "user2",
    "name": "user2",
    "roles": [
      "admin",
      "write",
      "read",
      "alert"
    ],
    "organisation": "A",
    "hasKey": true,
    "status": "Ok"
  }
]
```
But now, if I try to create the "user1" again....
```bash
$ curl -X POST http://localhost:9000/api/v1/user
```
Body:
```json
{
  "login": "user1",
  "name": "user1",
  "organisation": "A",
  "profile": "org-admin",
  "email": "user1",
  "password": "supersecret"
}
```
It returns 201 with the information of user1 (before the Cassandra crash), but it indicates it is assigned to organization "no - org":
```
{
  "_id": "~24632",
  "_createdBy": "[email protected]",
  "_updatedBy": "[email protected]",
  "_createdAt": 1678881396871, # BEFORE CASSANDRA CRASH
  "_updatedAt": 1679484293863,
  "login": "user1",
  "name": "user1",
  "hasKey": true,
  "hasPassword": true,
  "hasMFA": false,
  "locked": false,
  "profile": "org-admin",
  "permissions": [
    "manageShare",
    "manageAnalyse",
    "manageTask",
    "manageCaseTemplate",
    "manageCase",
    "manageUser",
    "manageProcedure",
    "managePage",
    "manageObservable",
    "manageTag",
    "manageConfig",
    "manageAlert",
    "accessTheHiveFS",
    "manageAction"
  ],
  "organisation": "no org",
  "organisations": [],
  "extraData": {}
}
```
So, although it returns a 201 status code, the user "user1" is missing from organisation A. Notice that user1 can log in to the system, as it's registered to other organisations. Also, user1 appears to be associated with organisation A, although the API throws a 404 error when I try to query information about organisation A as user1:
```bash
$ curl -I -X "GET" http://localhost/api/organisation/a
404
```
I'm pretty aware this is unrelated to indexes and Elasticsearch. I already rebuilt the indexes several times (https://github.com/TheHive-Project/TheHive/issues/2372).
Any idea about what could have gone wrong?
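Added example, not part of the original report and not TheHive code: a small offline check that compares an organisation's user listing with the individual user records to flag accounts whose organisation link looks lost, as with user1 above. The field names are taken from the responses in the report; the `expected_logins` inventory and the sample data are constructed assumptions.

```python
# Added example, not TheHive code. Field names come from the responses in the report.

def build_users_query(org, page_size=15):
    """Body of the /api/v0/query call from the report: list users of one organisation."""
    return {"query": [
        {"_name": "getOrganisation", "idOrName": org},
        {"_name": "users"},
        {"_name": "sort", "_fields": [{"login": "asc"}]},
        {"_name": "page", "from": 0, "to": page_size, "organisation": org},
    ]}

def find_lost_memberships(org, expected_logins, org_listing, user_records):
    """Map each expected member missing from the org listing to a reason.

    expected_logins: hypothetical pre-crash inventory of members (assumption).
    org_listing:     parsed response of the v0 query above.
    user_records:    login -> parsed user object as returned by /api/v1/user.
    """
    listed = {u["login"] for u in org_listing if u.get("organisation") == org}
    findings = {}
    for login in sorted(set(expected_logins) - listed):
        record = user_records.get(login)
        if record is None:
            findings[login] = "no user record"
        elif not record.get("organisations"):
            # Same state as user1 in the report: the account and its
            # permissions exist, but no organisation is attached.
            findings[login] = "record exists, organisation links empty"
        else:
            findings[login] = "record exists, not listed in " + org
    return findings

# Constructed sample data, trimmed to the fields used above.
SAMPLE_LISTING = [{"login": "user2", "organisation": "A", "status": "Ok"}]
SAMPLE_RECORDS = {
    "user1": {"login": "user1", "profile": "org-admin",
              "organisation": "no org", "organisations": []},
}

if __name__ == "__main__":
    print(find_lost_memberships("A", ["user1", "user2", "user3"],
                                SAMPLE_LISTING, SAMPLE_RECORDS))
```
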