TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

Thehive 5 authentication failure in cluster [Bug] #2445

Open muhyuddin opened 1 year ago

muhyuddin commented 1 year ago

Request Type

Bug

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | CentOS |
| OS version (client) | XP, Seven, 10, Ubuntu, ... |
| Virtualized Env. | True |
| Dedicated RAM | 8 GB |
| vCPU | 4 |
| TheHive version / git hash | strangebee TheHive5 |
| Package Type | Docker |
| Database | Cassandra |
| Index type | Elasticsearch |
| Attachments storage | S3 |
| Browser type & version | If applicable |

Problem Description

Using Docker to deploy the TheHive stack with Cassandra, Elasticsearch and MinIO. I can successfully log in to TheHive with the default creds admin/secret on the master node. When another TheHive instance is connected to the master seed in the cluster, it starts showing an Authentication Failure message for the default creds.

Below are the logs on auth failure.

Complementary information

root-thehive-1        | [info] o.t.t.c.c.s.CortexDataImportActor [|] Analyzer templates already present (found 215), skipping
root-thehive-1        | [warn] o.t.s.m.Database [a84dc17c3f2af381|53c0620acb105433] Index refers to the non-existent vertex ~24816. Removing the document from index.
root-thehive-1        | [warn] o.t.s.u.Retry [a84dc17c3f2af381|8c78e8b23fa34143] An error occurs (org.thp.scalligraph.models.DatabaseException: org.thp.scalligraph.MissingLabelError: Missing label on vertex ~24816 (expected: User)), retrying (1/6)
root-thehive-1        | [warn] o.t.t.s.TOTPAuthSrv [a84dc17c3f2af381|8c78e8b23fa34143] session fails: org.thp.scalligraph.NotSupportedError: Operation not supported
root-thehive-1        | [warn] o.t.t.s.TOTPAuthSrv [a84dc17c3f2af381|8c78e8b23fa34143] basic fails: org.thp.scalligraph.NotSupportedError: Operation not supported
root-thehive-1        | [warn] o.t.t.s.TOTPAuthSrv [a84dc17c3f2af381|8c78e8b23fa34143] local fails: org.thp.scalligraph.AuthenticationError: Authentication failure
root-thehive-1        | [warn] o.t.t.s.TOTPAuthSrv [a84dc17c3f2af381|8c78e8b23fa34143] key fails: org.thp.scalligraph.NotSupportedError: Operation not supported
root-thehive-1        | [error] o.t.s.auth [a84dc17c3f2af381|6128dfcfaba4a738] Failed password for admin
root-thehive-1        | [info] o.t.s.AccessLogFilter [a84dc17c3f2af381|36583d3c18f57c94] 192.168.0.143 POST /api/v1/login took 2306ms and returned 401 65 bytes
root-thehive-1        | [info] o.t.s.AccessLogFilter [248e23a83a3586e7|52e68723eb5e3318] 192.168.0.143 GET /api/v1/user/current took 1ms and returned 401 65 bytes
root-thehive-1        | [info] o.t.s.AccessLogFilter [7642db5b9b676ed0|e19c752d800fad15] 192.168.0.143 GET /static/fonts/Montserrat/Montserrat-SemiBold.ttf took 13ms and returned 304 0 bytes

docker-compose.yml

version: "3"
services:
  thehive:
    hostname: thehive-1
    image: strangebee/thehive:5.0.21-1
    depends_on:
      - cassandra
      - elasticsearch
      - minio
    mem_limit: 1500m
    ports:
      - "9000:9000"
      - "2551:2551"

    environment:
      - JVM_OPTS="-Xms1024M -Xmx1024M"

    command:
      - --config-file
      - "/etc/thehive/application.conf"
    network_mode: host
    volumes:
      - ./application.conf:/etc/thehive/application.conf

  cassandra:
    hostname: cassandra-1
    image: 'cassandra:4'
    ports:
      - "9042:9042"
      - "7000:7000"
    command:
      - "-Dcassandra.config=/etc/cassandra/cassandra.yml"

    volumes:
      - cassandradata:/var/lib/cassandra
      - ./cassandra.yml:/etc/cassandra/cassandra.yml
      - ./cassandra-topology.properties:/etc/cassandra/cassandra-topology.properties
    network_mode: host

  minio:
    hostname: minio-1
    image: quay.io/minio/minio
    command: ["minio", "server", "/data", "--console-address", ":9001", "--address", ":9002"]
    environment:
      - MINIO_ROOT_USER=minioadmin
      - MINIO_ROOT_PASSWORD=minioadmin
    ports:
      - "9001:9001"
    volumes:
      - "miniodata:/data"
    networks:
      - thehive

volumes:
  miniodata:
  cassandradata:
  elasticsearchdata:

networks:
  thehive:

application.conf

play.http.secret.key="redacted"
## TheHive cluster
akka {
  cluster.enable = on
  actor {
    provider = cluster
  }
  remote.artery {
    canonical {
      hostname = "192.168.0.137"
      port = 2551
    }
  }

  # seed node list contains at least one active node
  cluster.seed-nodes = [
                      "akka://application@192.168.0.137:2551",
                      "akka://application@192.168.0.199:2551",
                     ]
}

## Cassandra database configuration
db.janusgraph {
  storage {
    ## Cassandra configuration
    # More information at https://docs.janusgraph.org/basics/configuration-reference/#storagecql
    backend: cql
    hostname: ["192.168.0.137", "192.168.0.199"]
    # Cassandra authentication (if configured)
    //username: "thehive"
    //password: "PASSWORD"
    cql {
      cluster-name: thp
      keyspace: thehive
    }
  }
  ## Index configuration
  index.search {
        backend : elasticsearch
        hostname : ["elasticsearch-1"]
        index-name : thehive
  }
}
auth {
  providers: [
    {name: session}
    {name: basic, realm: thehive}
    {name: local}
    {name: key}
  ]
}

## MinIO configuration
storage {
  provider: s3
  s3 {
    bucket = "thehive"
    readTimeout = 1 minute
    writeTimeout = 1 minute
    chunkSize = 1 MB
    endpoint = "http://minio-1:9002"
    accessKey = "minioadmin"
    secretKey = "minioadmin"
    region = "us-east-1"
  }
}

alpakka.s3.path-style-access = force
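
Added example (not part of the original report and not TheHive project code): in the log above, the `Failed password for admin` line shares its first bracketed ID with the `DatabaseException` / `MissingLabelError` warnings. The Python below groups lines by that ID, which it assumes to be a per-request identifier, and separates failed logins that coincide with a backend error from plain credential failures; one log line is constructed for contrast and labelled as such.

```python
import re
from collections import defaultdict

# Lines copied verbatim from the log in the report above.
REPORT_LOG = """\
root-thehive-1        | [warn] o.t.s.m.Database [a84dc17c3f2af381|53c0620acb105433] Index refers to the non-existent vertex ~24816. Removing the document from index.
root-thehive-1        | [warn] o.t.s.u.Retry [a84dc17c3f2af381|8c78e8b23fa34143] An error occurs (org.thp.scalligraph.models.DatabaseException: org.thp.scalligraph.MissingLabelError: Missing label on vertex ~24816 (expected: User)), retrying (1/6)
root-thehive-1        | [warn] o.t.t.s.TOTPAuthSrv [a84dc17c3f2af381|8c78e8b23fa34143] local fails: org.thp.scalligraph.AuthenticationError: Authentication failure
root-thehive-1        | [error] o.t.s.auth [a84dc17c3f2af381|6128dfcfaba4a738] Failed password for admin
root-thehive-1        | [info] o.t.s.AccessLogFilter [a84dc17c3f2af381|36583d3c18f57c94] 192.168.0.143 POST /api/v1/login took 2306ms and returned 401 65 bytes
"""
# Constructed line (not from the report): a failed login with no backend error.
CONSTRUCTED_LOG = """\
root-thehive-1        | [error] o.t.s.auth [00000000000000aa|00000000000000bb] Failed password for analyst
"""

# Assumption: the first field inside [..|..] identifies the HTTP request.
LINE_RE = re.compile(r"\|\s*\[(?P<level>\w+)\]\s+(?P<logger>\S+)\s+"
                     r"\[(?P<req>[0-9a-f]*)\|[0-9a-f]*\]\s+(?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+)")
BACKEND_MARKERS = ("DatabaseException", "MissingLabelError", "non-existent vertex")

def triage_login_failures(log_text):
    """Group lines by request id and classify each failed login."""
    by_req = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["req"]:          # skip lines logged outside a request: [|]
            by_req[m["req"]].append(m["msg"])
    findings = []
    for req, msgs in by_req.items():
        users = sorted({f["user"] for f in map(FAILED_RE.search, msgs) if f})
        if not users:
            continue                # no failed login in this request
        evidence = [s for s in msgs if any(k in s for k in BACKEND_MARKERS)]
        findings.append({
            "request": req,
            "users": users,
            "verdict": "backend-error" if evidence else "credential-failure",
            "evidence": evidence,
        })
    return findings

if __name__ == "__main__":
    for f in triage_login_failures(REPORT_LOG + CONSTRUCTED_LOG):
        print(f["request"], f["users"], f["verdict"], len(f["evidence"]))
```

A `backend-error` verdict only says that a database error was logged in the same request as the failed login; it does not by itself establish the cause.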