Timing issue in automatic user creation

[mikkolehtisalo]

Problem description

Automatic user creation may create several users with the same username.

Steps to reproduce the problem

1. Enable automatic user creation
2. Issue two valid SSO authentication requests at the same time (down to couple milliseconds probably)
3. Two users with the same username get created
4. Authentication fails with Shiro exceptions saying "There was more than one matching user for username XXXXX. This should never happen.";
5. See two users in user management UI with the same username

Environment

• Graylog Version: 2.1.x
• Plugin Version: 1.0.2

I am afraid this issue is very hard to reproduce reliably, because the timing of the couple requests has to be very exact. (Both requests probably must pass the user load test at the realm logic...)

[hc4]

Got same bug.
The problem caused be architecture of creating new user:

user = userService.create();
user.setName(username);
// modify user
userService.save(user); // duplicate stored to DB

user's name field must be readonly and initial user name must be passed in userService.create() arguments.
So user creation code will be changed to:

user = userService.create(userName); //throws on duplicate/invalid username
// modify user
userService.save(user);