elastic / elasticsearch

Free and Open Source, Distributed, RESTful Search Engine
https://www.elastic.co/products/elasticsearch

Include node information in failed security exceptions #29780

Open elasticmachine opened 7 years ago

elasticmachine commented 7 years ago

Original comment by @ppf2:

Maps to: LINK REDACTED

Our current Shield/Xpack security responses for failed authentication/authorization do not include any node information. Customer would like us to include information on the node that failed authentication/authorization in the response of the request so they can easily tell where to go look for potential configuration issues (certainly more useful for file realm).

{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"unable to authenticate user [logstashUser] for REST request [/_bulk]\",\"header\":{\"WWW-Authenticate\":\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"}}],\"type\":\"security_exception\",\"reason\":\"unable to authenticate user [logstashUser] for REST request [/_bulk]\",\"header\":{\"WWW-Authenticate\":\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"}},\"status\":401}

elasticmachine commented 7 years ago

Original comment by @jaymode:

Shouldn't this be a general thing? Like all exceptions that get emitted should have node information attached as part of the response?

elasticmachine commented 7 years ago

Original comment by @ppf2:

Yeah, that will be helpful to have something generic (the file-based use case is just one that will be particularly useful, for it opens the door to users having file-based users/roles that can potentially be out of sync). Thx!