ARTIFACTORY: SAML users with a large set of groups will observe issues in the Artifactory UI/Projects View


Author: Janardhana JL
Article number: 000005924
Source type: Salesforce
First published: 2023-11-30T18:26:55Z
Last modified: 2023-11-30
Version: 7

When a SAML user is a member of more than 80 groups, you may see an "oops something went wrong" error message in the Projects view of the UI, and the UI may also freeze with 500 and 400 errors.
 


In the Artifactory frontend logs, the following error appears:

2022-08-26T18:16:17.443Z [jffe ] [ERROR] [0b9124fe6a0707d0] [                              ] [main                ] - Error: Received RST_STREAM with code 0
   at Object.callErrorFromStatus (/opt/jfrog/artifactory/app/frontend/bin/server/dist/node_modules/@grpc/grpc-js/src/call.ts:81:24)
   at Object.onReceiveStatus (/opt/jfrog/artifactory/app/frontend/bin/server/dist/node_modules/@grpc/grpc-js/src/client.ts:593:32)
   at Object.onReceiveStatus (/opt/jfrog/artifactory/app/frontend/bin/server/dist/node_modules/@grpc/grpc-js/src/client-interceptors.ts:424:48)
   at /opt/jfrog/artifactory/app/frontend/bin/server/dist/node_modules/@grpc/grpc-js/src/call-stream.ts:330:24


"Error: Received RST_STREAM with code 0" indicates that the server unexpectedly closed the stream before the client considered it to be complete. The cause is that the gRPC maximum metadata size is 8KB by default. When a user logs in using SAML, all of the user's groups are attached to the access token. With a large number of groups attached to the token, the metadata size grows beyond 8KB and the gRPC call fails.

In Tomcat catalina.log we see “Request header is too large” error messages.

INFO [http-nio-8081-exec-3] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Request header is too large


To overcome this behavior, increase maxInboundMetadataSize under Access, and also increase maxHttpHeaderSize on both the Access and the Artifactory Tomcat servers. The default value is 8KB.
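
Both log signatures can be checked together before system.yaml is edited. The following Python sketch is an added example, not JFrog code: the function name triage, the result keys and the sample log lines are constructed for illustration. It also marks the Tomcat count as a lower bound, because Tomcat logs later parse errors only at DEBUG level.

```python
import re

# ANSI colour codes (ESC [ ... m) that wrap the level in the frontend log.
ANSI = re.compile(r"\x1b\[[0-9;]*m")
TRACE_ID = re.compile(r"\[([0-9a-f]{16})\]")

GRPC_SIG = "Received RST_STREAM with code 0"   # frontend log signature
HEADER_SIG = "Request header is too large"     # catalina.log signature
SUPPRESSED = "further occurrences of HTTP request parsing errors"

def triage(frontend_lines, catalina_lines):
    """Count both signatures and name the system.yaml key the article tunes."""
    grpc_hits, traces = 0, set()
    for raw in frontend_lines:
        line = ANSI.sub("", raw)  # without this, "[ERROR]" never matches
        if "[ERROR]" in line and GRPC_SIG in line:
            grpc_hits += 1
            match = TRACE_ID.search(line)
            if match:
                traces.add(match.group(1))
    header_hits = sum(HEADER_SIG in line for line in catalina_lines)
    # Tomcat logs only the first parse error at INFO and the rest at DEBUG,
    # so once that note appears the catalina.log count is a lower bound.
    suppressed = any(SUPPRESSED in line for line in catalina_lines)
    return {
        "grpc_metadata": {"hits": grpc_hits, "trace_ids": sorted(traces),
                          "tune": "access.grpc.maxInboundMetadataSize"},
        "http_header": {"hits": header_hits,
                        "lower_bound": suppressed and header_hits > 0,
                        "tune": "artifactory/access tomcat.connector.extraConfig maxHttpHeaderSize"},
    }

# Constructed sample input modelled on the excerpts in the article.
LEVEL = "\x1b[31m\x1b[1mERROR\x1b[22m\x1b[39m"
FRONTEND_SAMPLE = [
    f"2022-08-26T18:16:17.443Z [jffe ] [{LEVEL}] [0b9124fe6a0707d0] [main] - Error: {GRPC_SIG}",
    "   at Object.callErrorFromStatus (@grpc/grpc-js/src/call.ts:81:24)",
    f"2022-08-26T18:16:19.101Z [jffe ] [{LEVEL}] [1c2d3e4f5a6b7c8d] [main] - Error: {GRPC_SIG}",
]
CATALINA_SAMPLE = [
    "INFO [http-nio-8081-exec-3] org.apache.coyote.http11.Http11Processor.service "
    "Error parsing HTTP request header",
    "Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.",
    "java.lang.IllegalArgumentException: Request header is too large",
]

if __name__ == "__main__":
    for name, result in triage(FRONTEND_SAMPLE, CATALINA_SAMPLE).items():
        print(name, result)
```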

Make the changes shown in the example snippet below in the system.yaml file, then restart the Artifactory server for the changes to take effect.

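artifactory:
  tomcat:
    connector:
      # Raise the maximum HTTP request header size on the Artifactory Tomcat (default 8KB)
      extraConfig: "maxHttpHeaderSize='9999999'"
access:
  http:
    port: 8040
  tomcat:
    connector:
      # Raise the maximum HTTP request header size on the Access Tomcat (default 8KB)
      extraConfig: "maxHttpHeaderSize='9999999'"
  grpc:
    # Raise the gRPC maximum inbound metadata size (default 8KB)
    maxInboundMetadataSize: 2147483647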