Brent N Atkinson created CONTINUUM-2761:
-------------------------------------------
Summary: Users with limited group visibility cause expensive queries when running build reports
Key: CONTINUUM-2761
URL: https://issues.apache.org/jira/browse/CONTINUUM-2761
Project: Continuum
Issue Type: Bug
Reporter: Brent N Atkinson
Assignee: Brent N Atkinson
Fix For: 1.5.0

As a user with limited group visibility, when running a report for ALL groups
the entire result set is queried. The results are subsequently loaded into
memory and are filtered based on their permissions. This allows the user to
initiate much more expensive queries that can have a significantly negative
effect on service health.

An example:

The guest user is granted permission to see only the Default Group, which is
empty, on a server with an extremely large number of build results in other
groups. An anonymous user visits the server and runs an open build report (ALL
groups, ALL statuses).

What you would expect: The anonymous user finds exactly what is visible to them
by browsing the project group: there are no results. Because there are no
results, the query is answered quickly.

What actually happens: the entire build result table is scanned, resulting in an
extremely long query (due to the large number of build results). Also, prior to
the work on CONTINUUM-2746, which uses range queries to load results in
batches, this would crash the system with an {{OutOfMemoryError}}.

The essence of the issue is that users can cause an effect that is
disproportional to their privilege. Ideally, users should only be able to
affect the system by accessing resources they actually have permission to see
(scanning only rows they have access to).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
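
The difference between filtering after the query and filtering inside it, as an added example that is not part of the original issue and is not Continuum's code. It models the report with an in-memory SQLite database; the table `build_result`, its columns, and the function names are assumptions made for illustration, and the rows are constructed sample data.

```python
import sqlite3

def make_db(rows_per_group):
    """Constructed sample data: {project_group_id: number_of_build_results}."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE build_result (id INTEGER PRIMARY KEY,"
               " project_group_id INTEGER NOT NULL, state TEXT NOT NULL)")
    db.execute("CREATE INDEX idx_group ON build_result (project_group_id, id)")
    for gid, n in rows_per_group.items():
        db.executemany("INSERT INTO build_result (project_group_id, state)"
                       " VALUES (?, 'OK')", [(gid,)] * n)
    return db

def report_filter_in_memory(db, allowed_groups, batch=500):
    """Behaviour the issue describes: range-query ALL rows, filter afterwards."""
    visible, fetched, last_id = [], 0, 0
    while True:
        rows = db.execute("SELECT id, project_group_id FROM build_result"
                          " WHERE id > ? ORDER BY id LIMIT ?",
                          (last_id, batch)).fetchall()
        if not rows:
            return visible, fetched  # fetched grows with the whole table
        fetched += len(rows)
        last_id = rows[-1][0]
        visible += [r for r in rows if r[1] in allowed_groups]

def report_filter_in_query(db, allowed_groups, batch=500):
    """Authorization pushed into the WHERE clause, still loaded in batches."""
    if not allowed_groups:
        return [], 0  # nothing visible: do not touch the table at all
    groups = sorted(allowed_groups)
    marks = ",".join("?" * len(groups))  # placeholders only, values are bound
    sql = ("SELECT id, project_group_id FROM build_result"
           f" WHERE project_group_id IN ({marks}) AND id > ?"
           " ORDER BY id LIMIT ?")
    visible, last_id = [], 0
    while True:
        rows = db.execute(sql, (*groups, last_id, batch)).fetchall()
        if not rows:
            return visible, len(visible)  # fetched == rows the user may see
        visible += rows
        last_id = rows[-1][0]

if __name__ == "__main__":
    # Group 1 plays the empty Default Group the guest user is allowed to see.
    db = make_db({1: 0, 2: 20000, 3: 15})
    for name, fn in (("in memory", report_filter_in_memory),
                     ("in query", report_filter_in_query)):
        rows, fetched = fn(db, {1})
        print(f"{name}: {len(rows)} visible rows, {fetched} rows fetched")
```

Both functions return the same visible rows; only the second keeps the number of rows fetched proportional to what the caller is permitted to see.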