Project

General

Profile

Bug #10570

Regex search on node properties is broken: returns all nodes with a property when no using invalid value

Added by François ARMAND 7 months ago. Updated 7 months ago.

Status:
Released
Priority:
N/A
Category:
Web - Nodes & inventories
Target version:
Target version (plugin):
Severity:
Major - prevents use of part of Rudder | no simple workaround
User visibility:
Getting started - demo | first install | level 1 Techniques
Effort required:
Small
Priority:
0

Description

The search on node properties, for the regex part, is completly broken and always returns all nodes: :

[2017-04-07 11:18:14] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [0] Start search for { returnType:'NodeReturnType' with 'And' criteria [serializedNodeProperty.name.value regex datacenter:Europe] }
[2017-04-07 11:18:14] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [0] |-- LDAPObjectType(ou=Nodes,cn=rudder-configuration,One,LDAPObjectTypeFilter((objectClass=*)),None,DNJoin,Set((And,RegexFilter(serializedNodeProperty,.*.*))))
[2017-04-07 11:18:14] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [0] |--- SearchRequest(baseDN='ou=Nodes,cn=rudder-configuration', scope=ONE, deref=NEVER, sizeLimit=0, timeLimit=0, filter='(&(objectClass=*)(objectClass=*))', attrs={1.1, serializedNodeProperty})
[2017-04-07 11:18:14] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [0] |---- 5 result(s)
[2017-04-07 11:18:14] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [0] |---- post-process with filters: [(And,RegexFilter(serializedNodeProperty,.*.*))]
[2017-04-07 11:18:14] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [0] |---- results (post-process): 5
[2017-04-07 11:18:14] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [0] |-- 5 sub-results (merged)
[2017-04-07 11:18:14] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [0] |- (final query) LDAPObjectType(ou=Nodes,ou=Accepted Inventories,ou=Inventories,cn=rudder-configuration,One,LDAPObjectTypeFilter((objectClass=*)),Some((|(nodeId=0c846655-cb06-486f-ace4-eaeb11372097)(nodeId=root)(nodeId=8b168194-c0b4-41ab-b2b5-9571a8906d59)(nodeId=fc846655-cb06-486f-ace4-eaeb11372097)(nodeId=717b63d1-01fe-4d4f-a7e5-cfb7c0d47b4f))),DNJoin,Set())
[2017-04-07 11:18:14] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [0] |--- SearchRequest(baseDN='ou=Nodes,ou=Accepted Inventories,ou=Inventories,cn=rudder-configuration', scope=ONE, deref=NEVER, sizeLimit=0, timeLimit=0, filter='(&(objectClass=*)(|(nodeId=0c846655-cb06-486f-ace4-eaeb11372097)(nodeId=root)(nodeId=8b168194-c0b4-41ab-b2b5-9571a8906d59)(nodeId=fc846655-cb06-486f
-ace4-eaeb11372097)(nodeId=717b63d1-01fe-4d4f-a7e5-cfb7c0d47b4f)))', attrs={...snip...})
[2017-04-07 11:18:14] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [0] |---- 5 result(s)
[2017-04-07 11:18:14] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [0] `-> 5 results

On 4.0, the results works as expected (even if the post-process seems false, to):

[2017-04-07 11:25:38] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [940835812988] Start search for { returnType:'NodeReturnType' with 'And' criteria [serializedNodeProperty.name.value regex .*foo.*] }
[2017-04-07 11:25:38] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [940835812988] |-- LDAPObjectType(ou=Nodes,cn=rudder-configuration,One,LDAPObjectTypeFilter((objectClass=*)),None,DNJoin,Set((And,RegexFilter(serializedNodeProperty,.*.*))))
[2017-04-07 11:25:38] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [940835812988] |--- SearchRequest(baseDN='ou=Nodes,cn=rudder-configuration', scope=ONE, deref=NEVER, sizeLimit=0, timeLimit=0, filter='(&(objectClass=*)(objectClass=*))', attrs={1.1, serializedNodeProperty})
[2017-04-07 11:25:38] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [940835812988] |---- 11 result(s)
[2017-04-07 11:25:38] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [940835812988] |---- post-process with filters: [(And,RegexFilter(serializedNodeProperty,.*.*))]
[2017-04-07 11:25:38] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [940835812988] |---- results (post-process): 0
[2017-04-07 11:25:38] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [940835812988] |-- 0 sub-results (merged)
[2017-04-07 11:25:38] DEBUG com.normation.rudder.services.queries.InternalLDAPQueryProcessor - [940835812988] `-> early stop query (empty sub-query)

Related issues

Related to Rudder - Bug #10599: Impossible to search or build groups based on JSON values in node properties Pending technical review

Associated revisions

Revision 1b4b8ea8
Added by Vincent MEMBRÉ 7 months ago

Fixes #10570: Regex search on node properties is broken: returns all nodes with a property when no using invalid value

History

#1 Updated by François ARMAND 7 months ago

  • Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
  • User visibility set to Getting started - demo | first install | level 1 Techniques
  • Effort required set to Small

I'm setting criticity to "critical", because it means that people using that feature and migrating to 4.1 may encounter data loss (dyn group can be broken).

#2 Updated by Vincent MEMBRÉ 7 months ago

  • Status changed from New to In progress
  • Assignee set to Vincent MEMBRÉ

#3 Updated by François ARMAND 7 months ago

  • Severity changed from Critical - prevents main use of Rudder | no workaround | data loss | security to Major - prevents use of part of Rudder | no simple workaround

Ok, so in fact, it is not a regression. We just have more luck in the environment, and so it won't break existing things (it's just that the problem is not raised when nodes don't have properties). I'm decreasing the severity to major, because it "just" make some part of Rudder not usable.

#4 Updated by Vincent MEMBRÉ 7 months ago

More explanation.

A value in a 'name=value' field (here Node properties, but it's the same for environment variable) needs an = to make a difference between name and value.

If you enter a value without "=" in a regex query, it fails to split the value and it should fail. But we ignore the error and replace by ".*.*"

Which matches any property and so every Node with a property is a valid result... Which is clearly not what we want

Which should make an error when the data is not valid

#5 Updated by Vincent MEMBRÉ 7 months ago

  • Target version changed from 4.1.1 to 3.1.19

#6 Updated by Vincent MEMBRÉ 7 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Vincent MEMBRÉ to François ARMAND
  • Pull Request set to https://github.com/Normation/rudder/pull/1626

#7 Updated by Vincent MEMBRÉ 7 months ago

  • Subject changed from Regex search on node properties is broken: returns all node to Regex search on node properties is broken: returns all nodes with a property when no using invalid value

#8 Updated by Vincent MEMBRÉ 7 months ago

  • Status changed from Pending technical review to Pending release

#9 Updated by Vincent MEMBRÉ 7 months ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 3.1.19, 4.0.4 and 4.1.1 which were released today.

#10 Updated by François ARMAND 7 months ago

  • Related to Bug #10599: Impossible to search or build groups based on JSON values in node properties added

Also available in: Atom PDF