Question on dissapearing superuser password account on AWS instance

0

Our superuser account seems to periodically just not respond to it's normal password.  I can go into postgres and set it to empty, then create a new one, it works fine for some unknown amount of time and then it's reset again.

Any clue at all at what might be happening? I thought maybe it's resetting the password back to the initial default password, which is the EC2 instance ID, but that doesn't work either.

 

Thanks for any ideas how to debug this. 

brian.fleming's picture
Joined: Feb 4 2015 - 2:32pm
Last seen: 2 years 6 months ago
We're not importing anything. This is a new server has not seen much activity. I noticed there is a script on the AWS instance /etc/init.d/jrs_init_password This sets the password to the instance ID. But I thought I tried the instance id password as one of my guesses at what the password might have been reset to. We created a new superuser account just in case this one keeps giving us trouble. I moved that /etc script out of /etc/init.d. Seems like our password hasn't changed since.
brian.fleming - 4 years 7 months ago

Happened again. This is in the logs.   Annoying that there is no date timestamp, but can someone confirm my suspicion that this is being reset from within the UI?

 

LOG:  execute <unnamed>: update JIUser set username=$1, tenantId=$2, fullname=$3, emailAddress=$4, password=$5, externallyDefined=$6, enabled=$7, previousPasswordChangeTime=$8 where id=$9
DETAIL:  parameters: $1 = 'superuser', $2 = '3', $3 = 'superuser', $4 = '', $5 = '<new password???!>', $6 = 'f', $7 = 't', $8 = '2015-05-20 18:08:33.834', $9 = '11'
brian.fleming - 4 years 7 months ago

I just determined that the superuser password is being reset after I login as the superuser account SOMETIMES.  The password is being reset to the same value every time (by looking in the postgres db) What is this about?? 

 

LOG:  execute S_2: COMMIT
LOG:  execute S_1: BEGIN
LOG:  execute <unnamed>: select roles0_.userId as userId1_, roles0_.roleId as roleId1_, reporole1_.id as id9_0_, reporole1_.rolename as rolename9_0_, reporole1_.tenantId as tenantId9_0_, reporole1_.externallyDefined as external4_9_0_ from JIUserRole roles0_ left outer join JIRole reporole1_ on roles0_.roleId=reporole1_.id where roles0_.userId=$1
DETAIL:  parameters: $1 = '11'
LOG:  execute <unnamed>: select repoprofil0_.id as id12_, repoprofil0_.attrName as attrName12_, repoprofil0_.attrValue as attrValue12_, repoprofil0_.principalobjectclass as principa4_12_, repoprofil0_.principalobjectid as principa5_12_ from JIProfileAttribute repoprofil0_ where (repoprofil0_.principalobjectid in ($1)) and repoprofil0_.principalobjectclass=$2 order by repoprofil0_.id asc
DETAIL:  parameters: $1 = '11', $2 = 'com.jaspersoft.jasperserver.api.metadata.user.domain.impl.hibernate.RepoUser'
LOG:  execute S_2: COMMIT
LOG:  execute S_1: BEGIN
LOG:  execute <unnamed>: select roles0_.userId as userId1_, roles0_.roleId as roleId1_, reporole1_.id as id9_0_, reporole1_.rolename as rolename9_0_, reporole1_.tenantId as tenantId9_0_, reporole1_.externallyDefined as external4_9_0_ from JIUserRole roles0_ left outer join JIRole reporole1_ on roles0_.roleId=reporole1_.id where roles0_.userId=$1
DETAIL:  parameters: $1 = '11'
LOG:  execute <unnamed>: select this_.id as id9_0_, this_.rolename as rolename9_0_, this_.tenantId as tenantId9_0_, this_.externallyDefined as external4_9_0_ from JIRole this_ where (this_.tenantId=$1 and this_.rolename=$2)
DETAIL:  parameters: $1 = '3', $2 = 'ROLE_SUPERUSER'
LOG:  execute <unnamed>: select this_.id as id9_0_, this_.rolename as rolename9_0_, this_.tenantId as tenantId9_0_, this_.externallyDefined as external4_9_0_ from JIRole this_ where (this_.tenantId=$1 and this_.rolename=$2)
DETAIL:  parameters: $1 = '3', $2 = 'ROLE_ADMINISTRATOR'
LOG:  execute <unnamed>: update JIUser set username=$1, tenantId=$2, fullname=$3, emailAddress=$4, password=$5, externallyDefined=$6, enabled=$7, previousPasswordChangeTime=$8 where id=$9
DETAIL:  parameters: $1 = 'superuser', $2 = '3', $3 = 'superuser', $4 = '', $5 = '<same password>', $6 = 'f', $7 = 't', $8 = '2015-05-20 22:15:19.567', $9 = '11'
LOG:  execute <unnamed>: delete from JIUserRole where userId=$1
DETAIL:  parameters: $1 = '11'
LOG:  execute <unnamed>: insert into JIUserRole (userId, roleId) values ($1, $2)
DETAIL:  parameters: $1 = '11', $2 = '5'
LOG:  execute <unnamed>: insert into JIUserRole (userId, roleId) values ($1, $2)
DETAIL:  parameters: $1 = '11', $2 = '9'
brian.fleming - 4 years 7 months ago
show 2 more...

I'll look into it and try to replicate, which version of Jasper are you using in AWS?
The only thing I can think of is some sort of hibernate caching issue that is flushing some old cache data, but I don't get where it would get the new password from. Do you anything at the Jasperserver log at the same time? Any SSO mechanism setup?


 

marianol - 4 years 7 months ago

It would be interesting to know what is featured in the password used to reset. Is that a previous password, random characters or some well defined word related to the superuser?

That might give an indication as to where it's coming from.

kkumlien - 4 years 6 months ago

2 Answers:

0

Strange one! allowUserPasswordChange is off by default (though not 100% sure on Amazon!). Are you perhaps importing a repository export (either by the UI or js-import.sh) that is overriding the password? 

ernestoo's picture
9094
Joined: Nov 29 2010 - 11:59am
Last seen: 2 years 2 months ago
0

Have you tried to set the logging for com.jaspersoft.jasperserver.api.metadata.user.domain.* to DEBUG level? Or maybe a more specific class in that package or in another within the same hierarchy?

There are probably other classes that will be useful to expose, but I'm not sure.

kkumlien's picture
2986
Joined: Jan 22 2015 - 4:36am
Last seen: 2 days 17 hours ago
Feedback
randomness