Open philippkahr opened 2 years ago
Pinging @elastic/es-security (Team:Security)
Thanks for reporting. Yes, we need to improve error messages around failures due to run-as. This issue #72904 is along the same line, in that the error message of a run-as failure does not tell you the actual problem.
What I suspect we ought to do is add a "failed with error message" to realm lookup like we have with realm authentication.
Realms that cannot support lookup (particularly if that is due to specific config) can then add a message of "realm [x] cannot perform lookup of users because ..."
Then, when the AuthcService fails to look up a user it can print out the set of messages (just like when authc fails).
Elasticsearch version (bin/elasticsearch --version): 7.15.0
Plugins installed: [none]
JVM version (java -version): bundled
OS version (uname -a if on a Unix-like system): CentOS 7
Description of the problem including expected versus actual behavior:
The error displayed (under Step 3) is not helpful. The Active Directory Realm config states that
The error message should reflect that statement.
Steps to reproduce:
_security/_authenticate API. using a curl similar to
curl -H "es-security-runas-user: active-directory-username" -u elastic .../_security/_authenticate