Unlimited .data fields

Hello,

This is not a direct bug, but maybe a safety net for other users to not do the same mistake as we did.

We had a prod environment going down due to fusionauth OOM errors which were cause by a bug on one of our services. There is everything fine with the FusionAuth in general, but the problem was that we filled up the users.data field for each user with too much data due to an error (should only have been a list of some bytes). Therefore, after some months we started to have some occasional OOM errors of FusionAuth, as the 0.5GB RAM were not sufficient anymore to load even a single user (which had a users.data text field of 400MB).

After cleaning that, everything is back to normal.

My proposition might be, to put a (maybe configurable) size limit on the *.data fields to prevent such hard to catch runtime errors.

Feel free to ask back for more info, I just wanted to put this here in case you might wanna consider it

Yeah, that was it... I guess it was already late

Thanks, that was exactly what I was looking for. I just didn't stumble across this part of the docs.

To your question, I guess it is already at the right place. I would maybe just mention it in the create events and link this part of the docs as otherwise (at least in my case where most of the webhooks already work), I did not go back to the general webhook setup docs.

This is something I have already tried ad did not work. At least not with my setup. I have changed my setup and use now two databases instead of two schemas.

Hello,

This is not a direct bug, but maybe a safety net for other users to not do the same mistake as we did.

We had a prod environment going down due to fusionauth OOM errors which were cause by a bug on one of our services. There is everything fine with the FusionAuth in general, but the problem was that we filled up the users.data field for each user with too much data due to an error (should only have been a list of some bytes). Therefore, after some months we started to have some occasional OOM errors of FusionAuth, as the 0.5GB RAM were not sufficient anymore to load even a single user (which had a users.data text field of 400MB).

After cleaning that, everything is back to normal.

My proposition might be, to put a (maybe configurable) size limit on the *.data fields to prevent such hard to catch runtime errors.

Feel free to ask back for more info, I just wanted to put this here in case you might wanna consider it

Sure!

The PUT method is used to replace an existing object completely with the provided information. This means I need to provide the complete informations of the object even when I only want to update one single value. (If I don't, all values which already exist but I do not provide get wiped!)

The PATCH method will merge the provided information into the existing object, meaning I can only give the missing information without having to provide the rest of the values, too.

This is already implemented on the API level of fusionauth, but just not available in the client libraries. This would be very handy, as with the PUT request, I am forced to GET the object first to then be able to change information and send a second PUT request to update it. BUT, when I have the object-id already, I can directly PATCH a single data field and cut the transaction count in half.

You can have a look at the different ways described here.

I hope this is clearer now, otherwise come back to me

PS: I would like to have this on every endpoint which already provides PATCH methods documented in the api docs here. (The functionality is already there, just not accessible by the client libs.)

Hello,

I am using the typescript client library and I was wondering whether the PATCH method is also available somewhere in there, which is documented in the REST API though.

The PUT request, as usually used by update<Resource>() overwrites the complete object and requires to retrieve the object beforehand. The PATCH would allow to just overwrite some values and is very handy. (Currently I use it for example to setup my default tenant while kickstarting)

I have seen in the library that there is a function .withMethod("PUT") here which gets called from any update<Resource>() method and was therefore wondering why no .withMethod("PATCH") for lets say updatePartial<Resource>()? The client libs are autom. generated if I understood this correctly, so it should not be such a big problem, or did I miss something crucial?

Thx for clarification!

Cyrill

Hello,

I can see on this page that a Key Manager only can be created with admin or kickstart.

When I have a look at the kickstart docs, I cannot find how to do that. There are all other api key features explained, but not the keyManager setting.

From the first page I can see in the return data of the api keys, which field must be set to do it, but this is only guessing and might be good to be clarified.

This is something I have already tried ad did not work. At least not with my setup. I have changed my setup and use now two databases instead of two schemas.

Hi, I have been using the local docker setup for fusionauth with a local postgres db until now. Now I wanted to switch to a hosted DB solution, where I do not want to give the root passwords to the fusionauth app, but instead set up the DB schema manually. This worked so far without any problems, but I was wondering whether I could install the DB schema as a non-default schema instead of using the public schema which is provided by the DB at launch?

I was able to set it up and create a user, but the connection url jdbc:postgresql://db:5432/fusionauth and the config files do not provide the possibility to select a specific schema on the DB and default automatically to public.

Such as

CREATE SCHEMA my_fusionauth_schema
    AUTHORIZATION postgres;

ALTER DEFAULT PRIVILEGES IN SCHEMA my_fusionauth_schema
GRANT INSERT, SELECT, UPDATE, DELETE ON TABLES TO fusionauth;

Thank you for your answer ansd clarifications.

Cyrill

Thanks, that was exactly what I was looking for. I just didn't stumble across this part of the docs.

To your question, I guess it is already at the right place. I would maybe just mention it in the create events and link this part of the docs as otherwise (at least in my case where most of the webhooks already work), I did not go back to the general webhook setup docs.

Yeah, that was it... I guess it was already late

Hello, I came a across a strange behaviour, as I was playing with the user.created event. I listen to this with a webhook when a new user is created and then I create a user entry on my side, too. But as I have a default application, I wanted to automatically create a registration for this user. This is not needed when it is a self-signup, but only when the user is created in the fusion auth app.

I understand now that when the webhook fails, the user does not get created, and that is why the user cannot actually exist yet in the database of fusionauth. But the docs are missleading as they state that the event user.created is fired upon a user creation, which indicates the user already exists.
Event: User Created

Did I understand correct or is there something I have missed?

I have installed fusionauth+postgres with docker on an ubuntu server. Everything works fine, but as soon as I want to enable productive mode, FusionAuth does not start anymore. I am using an nginx proxy, but the communication between fusionauth and the database happens inside the docker network.

I have following logs:

root@dev1:~/launch# ./sh/local-iam-maintenance 
Creating volume "launch_fa_config" with default driver
Creating volume "launch_web-root" with local driver
Creating fusionauthdb ... done
Creating fusionauth   ... done
Creating webserver    ... done
Attaching to fusionauthdb, fusionauth, webserver
fusionauth      | NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
fusionauthdb    | 
fusionauthdb    | PostgreSQL Database directory appears to contain a database; Skipping initialization
fusionauthdb    | 
fusionauthdb    | 2021-01-19 12:17:34.854 UTC [1] LOG:  listening on IPv4 address "0.0.0.0", port 5432
fusionauthdb    | 2021-01-19 12:17:34.854 UTC [1] LOG:  listening on IPv6 address "::", port 5432
fusionauthdb    | 2021-01-19 12:17:34.858 UTC [1] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
fusionauthdb    | 2021-01-19 12:17:34.881 UTC [20] LOG:  database system was shut down at 2021-01-19 12:16:47 UTC
fusionauthdb    | 2021-01-19 12:17:34.892 UTC [1] LOG:  database system is ready to accept connections
webserver       | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
webserver       | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
webserver       | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
webserver       | 10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
webserver       | 10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
webserver       | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
webserver       | /docker-entrypoint.sh: Configuration complete; ready for start up
fusionauth      | 19-Jan-2021 12:17:36.900 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path: [/usr/java/packages/lib:/usr/lib64:/lib64:/lib:/usr/lib]
fusionauth      | 19-Jan-2021 12:17:37.280 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-9011"]
fusionauth      | 19-Jan-2021 12:17:37.305 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
fusionauth      | 19-Jan-2021 12:17:37.359 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-9013"]
fusionauth      | 19-Jan-2021 12:17:37.750 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
fusionauth      | 19-Jan-2021 12:17:37.754 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-127.0.0.1-9019"]
fusionauth      | 19-Jan-2021 12:17:37.758 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
fusionauth      | 19-Jan-2021 12:17:37.761 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 1373 ms
fusionauth      | 19-Jan-2021 12:17:37.771 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
fusionauth      | 19-Jan-2021 12:17:37.773 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.5.57
fusionauth      | Jan 19, 2021 12:17:39 PM org.apache.jasper.servlet.TldScanner scanJars
fusionauth      | INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
fusionauth      | 2021-01-19 12:17:40.331 PM INFO  io.fusionauth.api.configuration.DefaultFusionAuthConfiguration - Loading FusionAuth configuration file [/usr/local/fusionauth/config/fusionauth.properties]
fusionauth      | 2021-01-19 12:17:40.336 PM INFO  io.fusionauth.api.configuration.DefaultFusionAuthConfiguration - Set property [fusionauth-app.url] set to [http://fusionauth:9011] using configured value.
fusionauth      | 2021-01-19 12:17:40.343 PM ERROR org.primeframework.mvc.guice.GuiceBootstrap - 
fusionauth      | 
fusionauth      | ===================================================================================================
fusionauth      | 
fusionauth      |   Unable to start the server. Here's why: 
fusionauth      | 
fusionauth      | 
fusionauth      | [Error injecting constructor, java.lang.UnsupportedOperationException] 
fusionauth      |        -> [class java.lang.UnsupportedOperationException] null
fusionauth      | 
fusionauth      | ===================================================================================================
fusionauth      | 
fusionauth      | 
fusionauth      | 2021-01-19 12:17:40.352 PM ERROR org.primeframework.mvc.guice.GuiceBootstrap - Unable to start the server. Exception: 
fusionauth      | 
fusionauth      | com.google.inject.CreationException: Unable to create injector, see the following errors:
fusionauth      | 
fusionauth      | 1) Error injecting constructor, java.lang.UnsupportedOperationException
fusionauth      |   at io.fusionauth.api.configuration.DefaultFusionAuthConfiguration.<init>(DefaultFusionAuthConfiguration.java:58)
fusionauth      |   at io.fusionauth.api.configuration.DefaultFusionAuthConfiguration.class(DefaultFusionAuthConfiguration.java:23)
fusionauth      |   while locating io.fusionauth.api.configuration.DefaultFusionAuthConfiguration
fusionauth      |   at io.fusionauth.app.maintenance.guice.FusionAuthInitialMaintenanceModeModule.configure(FusionAuthInitialMaintenanceModeModule.java:19)
fusionauth      |   while locating io.fusionauth.api.configuration.FusionAuthConfiguration
fusionauth      | 
fusionauth      | 1 error
fusionauth      |        at com.google.inject.internal.Errors.throwCreationExceptionIfErrorsExist(Errors.java:554)
fusionauth      |        at com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:188)
fusionauth      |        at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:111)
fusionauth      |        at com.google.inject.Guice.createInjector(Guice.java:87)
fusionauth      |        at com.google.inject.Guice.createInjector(Guice.java:69)
fusionauth      |        at com.google.inject.Guice.createInjector(Guice.java:59)
fusionauth      |        at org.primeframework.mvc.guice.GuiceBootstrap.initialize(GuiceBootstrap.java:58)
fusionauth      |        at com.inversoft.maintenance.servlet.MaintenanceModePrimeServletContextListener.contextInitialized(MaintenanceModePrimeServletContextListener.java:39)
fusionauth      |        at io.fusionauth.app.primeframework.FusionAuthAppPrimeServletContextListener.contextInitialized(FusionAuthAppPrimeServletContextListener.java:26)
fusionauth      |        at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4689)
fusionauth      |        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5155)
fusionauth      |        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
fusionauth      |        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1412)
fusionauth      |        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1402)
fusionauth      |        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
fusionauth      |        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
fusionauth      |        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
fusionauth      |        at java.base/java.lang.Thread.run(Thread.java:832)
fusionauth      | Caused by: java.lang.UnsupportedOperationException: null
fusionauth      |        at io.fusionauth.api.domain.RuntimeMode.fromConfiguration(RuntimeMode.java:21)
fusionauth      |        at io.fusionauth.api.configuration.DefaultFusionAuthConfiguration.initialize(DefaultFusionAuthConfiguration.java:181)
fusionauth      |        at com.inversoft.configuration.BasePropertiesFileInversoftConfiguration.initializeAndLogWarningsAndErrors(BasePropertiesFileInversoftConfiguration.java:514)
fusionauth      |        at com.inversoft.configuration.BasePropertiesFileInversoftConfiguration.<init>(BasePropertiesFileInversoftConfiguration.java:88)
fusionauth      |        at io.fusionauth.api.configuration.DefaultFusionAuthConfiguration.<init>(DefaultFusionAuthConfiguration.java:58)
fusionauth      |        at io.fusionauth.api.configuration.DefaultFusionAuthConfiguration$$FastClassByGuice$$b82219af.newInstance(<generated>)
fusionauth      |        at com.google.inject.internal.DefaultConstructionProxyFactory$FastClassProxy.newInstance(DefaultConstructionProxyFactory.java:89)
fusionauth      |        at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114)
fusionauth      |        at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91)
fusionauth      |        at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:306)
fusionauth      |        at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
fusionauth      |        at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:168)
fusionauth      |        at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:39)
fusionauth      |        at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:62)
fusionauth      |        at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
fusionauth      |        at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:168)
fusionauth      |        at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:39)
fusionauth      |        at com.google.inject.internal.InternalInjectorCreator.loadEagerSingletons(InternalInjectorCreator.java:213)
fusionauth      |        at com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:184)
fusionauth      |        ... 16 common frames omitted
fusionauth      | Jan 19, 2021 12:17:40 PM org.apache.catalina.core.StandardContext listenerStart
fusionauth      | SEVERE: Exception sending context initialized event to listener instance of class [io.fusionauth.app.primeframework.FusionAuthAppPrimeServletContextListener]
fusionauth      | org.primeframework.mvc.PrimeException
fusionauth      |        at org.primeframework.mvc.guice.GuiceBootstrap.initialize(GuiceBootstrap.java:77)
fusionauth      |        at com.inversoft.maintenance.servlet.MaintenanceModePrimeServletContextListener.contextInitialized(MaintenanceModePrimeServletContextListener.java:39)
fusionauth      |        at io.fusionauth.app.primeframework.FusionAuthAppPrimeServletContextListener.contextInitialized(FusionAuthAppPrimeServletContextListener.java:26)
fusionauth      |        at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4689)
fusionauth      |        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5155)
fusionauth      |        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
fusionauth      |        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1412)
fusionauth      |        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1402)
fusionauth      |        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
fusionauth      |        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
fusionauth      |        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
fusionauth      |        at java.base/java.lang.Thread.run(Thread.java:832)
fusionauth      | 
fusionauth      | 19-Jan-2021 12:17:40.355 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.startInternal One or more listeners failed to start. Full details will be found in the appropriate container log file
fusionauth      | 19-Jan-2021 12:17:40.376 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.startInternal Context [] startup failed due to previous errors
fusionauth      | Jan 19, 2021 12:17:40 PM org.apache.catalina.core.StandardContext listenerStop
fusionauth      | SEVERE: Exception sending context destroyed event to listener instance of class [io.fusionauth.app.primeframework.FusionAuthAppPrimeServletContextListener]
fusionauth      | java.lang.NullPointerException
fusionauth      |        at org.primeframework.mvc.guice.GuiceBootstrap.shutdown(GuiceBootstrap.java:88)
fusionauth      |        at org.primeframework.mvc.servlet.PrimeServletContextListener.contextDestroyed(PrimeServletContextListener.java:47)
fusionauth      |        at org.apache.catalina.core.StandardContext.listenerStop(StandardContext.java:4735)
fusionauth      |        at org.apache.catalina.core.StandardContext.stopInternal(StandardContext.java:5399)
fusionauth      |        at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:257)
fusionauth      |        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:187)
fusionauth      |        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1412)
fusionauth      |        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1402)
fusionauth      |        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
fusionauth      |        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
fusionauth      |        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
fusionauth      |        at java.base/java.lang.Thread.run(Thread.java:832)
fusionauth      | 
fusionauth      | 19-Jan-2021 12:17:40.434 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-9011"]
fusionauth      | 19-Jan-2021 12:17:40.447 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-jsse-nio-9013"]
fusionauth      | 19-Jan-2021 12:17:40.451 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-127.0.0.1-9019"]
fusionauth      | 19-Jan-2021 12:17:40.454 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 2692 ms

and using following docker-compose file:

version: '3.7'

services:
  fusionauthdb:
    container_name: fusionauthdb
    image: postgres:11.9-alpine
    environment:
      PGDATA: /var/lib/postgresql/data/pgdata
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: postgres
    networks:
      - app-network
    restart: unless-stopped
    volumes:
      - /var/lib/postgresql:/var/lib/postgresql/data

  fusionauth:
    container_name: fusionauth
    image: fusionauth/fusionauth-app:1.22.2
    depends_on:
      - fusionauthdb
    environment:
      DATABASE_URL: jdbc:postgresql://fusionauthdb:5432/fusionauth
      DATABASE_ROOT_USERNAME: postgres
      DATABASE_ROOT_PASSWORD: postgres
      DATABASE_USERNAME: fusionauth
      DATABASE_PASSWORD: hkaLBM3RVnyYeYeqE3WI1w2e4Avpy0Wd5O3s3
      FUSIONAUTH_APP_MEMORY: '512M'
      FUSIONAUTH_APP_RUNTIME_MODE: development
      FUSIONAUTH_APP_URL: http://fusionauth:9011
      SEARCH_TYPE: database

    networks:
     - app-network
    restart: unless-stopped
    ports:
      - 9011:9011
    volumes:
      - fa_config:/usr/local/fusionauth/config


volumes:
  fa_config:

networks:
  app-network:
    driver: bridge

I do not really understand the error message and what is going wrong.

Thank you for your help!

Cyrill