[GH-ISSUE #2851] reverseProxyAuth: If user has more groups than configured then login fails #976

Open
opened 2026-03-07 20:57:35 +03:00 by kerem · 0 comments

Originally created by @brunnels on GitHub (Aug 17, 2024).
Original GitHub issue: https://github.com/dbeaver/cloudbeaver/issues/2851

I had this working well when my user was only a member of 2 groups and I configured the groups in initial-data.conf:

```
{
    teams: [
        {
            subjectId: "Administrators",
            teamName: "Administrators",
            description: "Administrative access. Has all permissions.",
            permissions: [ "admin" ]
        },
        {
            subjectId: "Domain Users",
            teamName: "Domain Users",
            description: "All users, including anonymous.",
            permissions: [ ]
        }
    ]
}
```

When I added an additional group to the user in my upstream auth, causing the reverse proxy auth header to contain more groups, I was no longer able to log in and was presented with this in the logs:

```
17-08-2024 15:16:17.672 [qtp1835713430-44] DEBUG i.c.service.auth.RPSessionHandler - Attempting to authenticate user 'cbtestuser' with teams [Domain Users, Administrators, Qsync] through reverse proxy
17-08-2024 15:16:17.695 [qtp1835713430-44] ERROR i.c.service.core.impl.WebServiceCore - Error calling session handler 'RPSessionHandler'
io.cloudbeaver.DBWebException: Error:
Error saving user teams in database
.....
Caused by: org.jkiss.dbeaver.model.exec.DBCException: Error saving user teams in database
        at io.cloudbeaver.service.security.CBEmbeddedSecurityController.setUserTeams(CBEmbeddedSecurityController.java:222)
        at io.cloudbeaver.service.security.CBEmbeddedSecurityController.findOrCreateExternalUserByCredentials(CBEmbeddedSecurityController.java:2454)
        at io.cloudbeaver.service.security.CBEmbeddedSecurityController.finishAuthentication(CBEmbeddedSecurityController.java:2160)
        at io.cloudbeaver.service.security.CBEmbeddedSecurityController.authenticate(CBEmbeddedSecurityController.java:1565)
        at io.cloudbeaver.service.auth.RPSessionHandler.reverseProxyAuthentication(RPSessionHandler.java:130)
        ... 61 common frames omitted
Caused by: org.postgresql.util.PSQLException: ERROR: insert or update on table "cb_user_team" violates foreign key constraint "cb_user_team_team_id_fkey"
  Detail: Key (team_id)=(Qsync) is not present in table "cb_team".
```

Here's my auth config as well:

```
authConfigurations: [
  {
    id: "reverseProxy",
    provider: "reverseProxy",
    displayName: "Reverse Proxy",
    disabled: false,
    iconURL: "",
    description: "Authelia Reverse Proxy with ingress-nginx",
    parameters: {
      full-name-header: "Remote-Name",
      user-header: "Remote-User",
      team-header: "Remote-Groups",
      team-delimiter: ",",
      logout-url: "https://auth.${SECRET_DOMAIN}/logout?rd\u003dhttps://cloudbeaver.${SECRET_DOMAIN}"
    }
  }
]
```

I can resolve the issue by adding the qsync group to my config, but I don't believe I should need to do this because cloudbeaver should be able to deal with a user being a member of a group it doesn't know about.

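The behaviour the reporter is asking for is to reconcile the group list in the proxy header against the teams that actually exist before anything is written to `cb_user_team`. The following is an added example, not CloudBeaver's code: it models the failing request from the log above (user `cbtestuser`, header `Remote-Groups: Domain Users,Administrators,Qsync`, teams `Administrators` and `Domain Users` configured) and shows a lenient resolver that drops unknown teams next to a strict one that rejects the login up front. Only the header names, delimiter and team IDs come from the post; the function names, the strict/lenient switch and the sample request headers are assumptions made for the example.

```python
"""Resolve reverse-proxy group headers against configured CloudBeaver teams.

Added example, not CloudBeaver's code. It models the failure in the issue:
the header names a team ("Qsync") that is not in initial-data.conf, and the
team assignment then fails on the cb_user_team foreign key.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Mapping, Optional

# Team subjectIds from the post's initial-data.conf, constructed here as a set.
CONFIGURED_TEAMS = {"Administrators", "Domain Users"}

# Header names and delimiter from the post's reverseProxy parameters.
USER_HEADER = "Remote-User"
TEAM_HEADER = "Remote-Groups"
TEAM_DELIMITER = ","


class UnknownTeamError(ValueError):
    """Strict mode: the proxy asserted membership in a team that is not configured."""


@dataclass
class TeamResolution:
    known: List[str] = field(default_factory=list)
    unknown: List[str] = field(default_factory=list)


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive; look the header up accordingly."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def parse_team_header(raw: Optional[str], delimiter: str = TEAM_DELIMITER) -> List[str]:
    """Split the group header on the delimiter, trim whitespace around each
    entry, drop empty entries and repeats, and keep the proxy's order."""
    if not raw:
        return []
    seen = set()
    teams: List[str] = []
    for part in raw.split(delimiter):
        name = part.strip()
        if name and name not in seen:
            seen.add(name)
            teams.append(name)
    return teams


def resolve_teams(header_teams: Iterable[str], configured: Iterable[str],
                  strict: bool = False) -> TeamResolution:
    """Partition header teams into configured (known) and unconfigured (unknown).

    Matching is exact, as the database key comparison is: "Qsync" and "qsync"
    are different teams. In strict mode an unknown team rejects the login
    before any write instead of failing on the cb_user_team insert.
    """
    configured_set = set(configured)
    result = TeamResolution()
    for team in header_teams:
        (result.known if team in configured_set else result.unknown).append(team)
    if strict and result.unknown:
        raise UnknownTeamError(
            "team(s) not present in configuration: " + ", ".join(result.unknown))
    return result


def authenticate_from_headers(headers: Mapping[str, str],
                              configured: Iterable[str] = CONFIGURED_TEAMS,
                              strict: bool = False) -> Dict[str, object]:
    """Build the team set to persist for the proxied user.

    Returns the user, the teams that would be written to cb_user_team, and the
    teams that were dropped (lenient mode) so the drop can be logged.
    """
    user = get_header(headers, USER_HEADER)
    if not user:
        raise ValueError("missing %s header" % USER_HEADER)
    resolution = resolve_teams(parse_team_header(get_header(headers, TEAM_HEADER)),
                               configured, strict=strict)
    return {"user": user, "teams": resolution.known, "dropped": resolution.unknown}


if __name__ == "__main__":
    # Constructed request headers matching the post's DEBUG log line.
    proxied = {"Remote-User": "cbtestuser",
               "Remote-Name": "CB Test User",
               "Remote-Groups": "Domain Users,Administrators,Qsync"}
    print(authenticate_from_headers(proxied))            # lenient: Qsync dropped
    try:
        authenticate_from_headers(proxied, strict=True)  # strict: rejected up front
    except UnknownTeamError as exc:
        print("rejected:", exc)
```

Which mode to run is a policy choice rather than a bug fix. Dropping unknown teams means upstream group changes never block a login, which is safe here only because a team CloudBeaver has never heard of carries no CloudBeaver permissions; the dropped names should still be logged so configuration drift is visible. Rejecting on unknown teams keeps the current fail-closed behaviour but turns the opaque foreign-key error into a clear one. In either mode the header values are trusted as-is, so the deployment must ensure only the proxy can reach CloudBeaver and that client-supplied `Remote-*` headers are overwritten at the proxy.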
Reference
starred/cloudbeaver#976