Is it possible that Nuget APIKeys are changed after Nexus 3 upgrade


Mariska

Mar 7, 2018, 7:09:39 AM
to Nexus Users
I just found out that the NuGet APIKeys in Nexus3 for the build users have changed. I'm not sure what may have caused this.
As we mainly pull from Nexus 3 and only sometimes push packages, I don't know when exactly it happened. In any case, some time between now and 3 weeks ago the API Keys have changed as I was able to push packages 3 weeks ago with the old keys. I've upgraded to v3.8.0 in between, but maybe some other activities may have set this off.

So, my question: what may cause all NuGet API Keys to be reset?

Thanks,
Mariska.

Peter Lynch

Mar 7, 2018, 7:56:57 AM
to Mariska, Nexus Users
A run of the Delete Orphaned API Keys can cause this if the keys are orphaned. Or if the user account is inside an external LDAP/Crowd server, and the connection information inside Nexus has changed. There is also a found bug if the NuGet API keys were generated while signed in with a RUT Auth token: https://issues.sonatype.org/browse/NEXUS-15422

Resetting API keys should not happen on a standard upgrade to a new version. What version of Nexus did you upgrade from to 3.8.0?


--
You received this message because you are subscribed to the Google Groups "Nexus Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nexus-users+unsubscribe@glists.sonatype.com.
To post to this group, send email to nexus...@glists.sonatype.com.
To view this discussion on the web visit https://groups.google.com/a/glists.sonatype.com/d/msgid/nexus-users/ec6aa420-0d83-49ac-9d22-5d9a1ebd2014%40glists.sonatype.com.
For more options, visit https://groups.google.com/a/glists.sonatype.com/d/optout.

Mariska

Mar 7, 2018, 9:18:01 AM
to Nexus Users, talla...@gmail.com
I found out the keys were changed because after upgrading the server (to 3.8.0-02), I ran some automated groovy scripts, which updates the local users if there are changes. Although nothing changed, updating the user with the same values, will reset the Nuget APIKey. Changing the user password also resets the Nuget API Key. 

Is this by design? 

Thanks,
Mariska



Peter Lynch

Mar 7, 2018, 9:47:47 AM
to Mariska, Nexus Users
I don't think changing the API key if the regular password changes should happen. API keys should be tied to identity of the same user account, not the password value of that account. I've reproduced that changing the password resets the NuGet API key and filed https://issues.sonatype.org/browse/NEXUS-16476.
 
The UI only enables the save button if the UI detects the content of the user profile account settings change. Even then, if I change the name of the user in the UI and save it, the nuget API key does not change. Please post the groovy code you are using to update the user account while saving the exact same information for the same account. This may be bypassing some code the UI change is attempting to enforce.
 


Mariska

Mar 7, 2018, 10:59:05 AM
to Nexus Users, talla...@gmail.com
import groovy.json.JsonSlurper
import org.sonatype.nexus.security.user.UserNotFoundException

parsed_args = new JsonSlurper().parseText(args)
// log only the username: parsed_args also carries the password
log.info('Users {} update', parsed_args.username)
try {
    log.info('Users {} try update', parsed_args.username)
    // update an existing user
    user = security.securitySystem.getUser(parsed_args.username)
    user.setFirstName(parsed_args.first_name)
    user.setLastName(parsed_args.last_name)
    user.setEmailAddress(parsed_args.email)
    security.securitySystem.updateUser(user)
    security.setUserRoles(parsed_args.username, parsed_args.roles)
    security.securitySystem.changePassword(parsed_args.username, parsed_args.password)
} catch(UserNotFoundException ignored) {
    // create the new user
    log.info('Users {} try add', parsed_args.username)
    security.addUser(parsed_args.username, parsed_args.first_name, parsed_args.last_name, parsed_args.email,
            true, parsed_args.password, parsed_args.roles)
}

Example of the json:
{
       "username": "builduser",
       "first_name": "My",
       "last_name": "Builduser",
       "email": "m...@email.eu",
       "password": "Mypasswd",
       "roles": [ "NXRM3-CC-OC-USERS" ]
}

Note that the role is an LDAP role which I granted the required privileges.

Peter Lynch

Mar 7, 2018, 11:29:23 AM
to Mariska, Nexus Users
This looks like the same problem as https://issues.sonatype.org/browse/NEXUS-16476

If you comment out the line that calls security.securitySystem.changePassword(parsed_args.username, parsed_args.password) then Nexus will not reset the Nuget API key.


The SecurityApi impl does not expose an updateUser method - at this time one would have to lookup 

Brian Fox

Mar 7, 2018, 11:37:59 AM
to Peter Lynch, Mariska, Nexus Users
This is by design. If you change your password, the intended implication is that any logins are expired and API keys fall into that criteria. The one exception is if the password is changed in an external system such as ldap since we don't have visibility or an event when that changes.

Mariska

Mar 7, 2018, 11:39:07 AM
to Nexus Users, talla...@gmail.com
I'll comment it out for now until this is solved. Thanks for verifying.
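
Added example, not part of any post in this thread and not Sonatype's code: a variant of the provisioning script above that leaves the password alone unless the JSON input carries a hypothetical `rotate_password: true` field, so a routine sync does not invalidate the NuGet API key. The property reads on the user object (`firstName`, `lastName`, `emailAddress`) are assumed to mirror the setters used in the original script.

```groovy
import groovy.json.JsonSlurper
import org.sonatype.nexus.security.user.UserNotFoundException

// Runs inside the Nexus 3 script API, which provides `args`, `log` and `security`.
// `rotate_password` is a hypothetical input field added for this example.
def p = new JsonSlurper().parseText(args)

try {
    def user = security.securitySystem.getUser(p.username)

    // Write the profile only when a field actually differs
    // (assumption: getters exist for the fields set in the original script).
    boolean profileChanged = user.firstName != p.first_name ||
                             user.lastName != p.last_name ||
                             user.emailAddress != p.email
    if (profileChanged) {
        user.setFirstName(p.first_name)
        user.setLastName(p.last_name)
        user.setEmailAddress(p.email)
        security.securitySystem.updateUser(user)
        log.info('User {}: profile updated', p.username)
    }
    security.setUserRoles(p.username, p.roles)

    // Per this thread, changePassword() resets the NuGet API key,
    // so call it only when a rotation is explicitly requested.
    if (p.rotate_password == true) {
        security.securitySystem.changePassword(p.username, p.password)
        log.info('User {}: password changed, NuGet API key must be re-issued to build jobs',
                p.username)
    } else {
        log.info('User {}: password and NuGet API key left untouched', p.username)
    }
} catch (UserNotFoundException ignored) {
    // New account: a password is required at creation time.
    security.addUser(p.username, p.first_name, p.last_name, p.email,
            true, p.password, p.roles)
    log.info('User {}: created', p.username)
}
```

The log calls pass only the username, so the password in the JSON input never reaches the Nexus log.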

Mariska

Mar 7, 2018, 11:49:55 AM
to Nexus Users, ply...@sonatype.com, talla...@gmail.com
Not by design according to https://issues.sonatype.org/browse/NEXUS-16476


Brian Fox

Mar 7, 2018, 11:59:05 AM
to Mariska, Nexus Users, Peter Lynch
That ticket was created as a result of this thread, so it's not a reliable statement of intent. When we designed user tokens (which came after the nuget key iirc) it was intentional that the token also reset when the password was reset. I view the change of nuget key behavior in nx3 as correcting that historical discrepancy in key behavior in 2x that was there for historical reasons. 
