opensearch-project / security

🔐 Secure your cluster with TLS, numerous authentication backends, data masking, audit logging as well as role-based access control on indices, documents, and fields
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0

[BUG] Annoying warning message "No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'" still not fixed #4054

Open ComBin opened 4 months ago

ComBin commented 4 months ago

What is the bug? With a basic+saml security configuration, every user login generates a lot of WARN messages in the logs:

[2024-02-16T11:24:43,253][WARN ][o.o.s.h.HTTPBasicAuthenticator] [elk-h01.test.logs.infra.rbc.ru] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2024-02-16T11:24:43,261][WARN ][o.o.s.h.HTTPBasicAuthenticator] [elk-h01.test.logs.infra.rbc.ru] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2024-02-16T11:24:43,368][WARN ][o.o.s.h.HTTPBasicAuthenticator] [elk-h01.test.logs.infra.rbc.ru] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2024-02-16T11:24:43,374][WARN ][o.o.s.h.HTTPBasicAuthenticator] [elk-h01.test.logs.infra.rbc.ru] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'

This complicates debugging, takes up extra disk space, etc.

How can one reproduce the bug? Steps to reproduce the behavior:

  1. Take some ADFS server
  2. Create a security config like this:
    ---
    _meta:
      type: config
      config_version: 2
    config:
      dynamic:
        kibana:
          server_username: opensearch_dashboards
          index: ".kibana"
        authc:
          basic_internal_auth_domain:
            description: Authenticate via HTTP Basic against internal users database
            http_enabled: true
            transport_enabled: true
            order: 1
            http_authenticator:
              type: basic
              challenge: false
            authentication_backend:
              type: intern
          saml_auth_domain:
            http_enabled: true
            transport_enabled: false
            order: 2
            http_authenticator:
              type: saml
              challenge: true
              config:
                idp:
                  metadata_url: <metadata_url>
                  entity_id: <entity_id>
                sp:
                  entity_id: <entity_id>
                kibana_url: <kibana_url>
                roles_key: roles
                exchange_key: <some_key>
            authentication_backend:
              type: noop
  3. Log in as an ADFS user
  4. See the log file on the OpenSearch node

What is the expected behavior? This log message should only be seen at TRACE/DEBUG level.

What is your host/environment?

Do you have any screenshots? No

Do you have any additional context? This problem was marked as resolved in https://github.com/opensearch-project/security/issues/3273, but:

  1. The fix changed the message "No 'Authorization' header, send 401 and 'WWW-Authenticate Basic'", but the problematic message is "No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'"
  2. It was fixed in the class BackendRegistry, but the problematic message is produced by the o.o.s.h.HTTPBasicAuthenticator class.

Also I found the problematic message here: https://github.com/opensearch-project/security/blob/b7b49b9de147126a7c7a3ed0f2f1a33d02eaee9f/src/main/java/org/opensearch/security/support/HTTPHelper.java#L45

DarshitChanpura commented 4 months ago

[Triage] Thanks for filing this issue @ComBin . It has a clear exit criteria. Marking it as triaged.

Jakob3xD commented 1 week ago

Really annoying log message. "Workaround" is to set the log level to error.


PUT /_cluster/settings
{
  "persistent" : {
    "logger": {
      "org.opensearch.security.http": "ERROR"
    }
  }
}
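The workaround above raises the whole `org.opensearch.security.http` package to ERROR, which also hides any other WARN from that package. As an added example (not code from the issue or from the OpenSearch project), the script below parses log lines in the format shown in the report, separates the one known noise message from everything else at WARN or above, and measures how many bytes the noise accounts for. The sample log is constructed: the four HTTPBasicAuthenticator lines are copied from the issue, while the lines from `o.o.s.h.ExampleOtherAuthenticator` are invented to stand in for unrelated warnings from the same package that a blanket ERROR level would silence.

```python
import re

# Log line format as it appears in the issue:
# [timestamp][LEVEL ][logger] [node] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[A-Z]+)\s*\]\[(?P<logger>[^\]]+)\] "
    r"\[(?P<node>[^\]]+)\] (?P<msg>.*)$"
)

# The exact noise message and logger quoted in the issue.
NOISE_LOGGER = "o.o.s.h.HTTPBasicAuthenticator"
NOISE_MSG = "No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'"

# Levels we would still want to keep an eye on after filtering.
ALERT_LEVELS = {"WARN", "ERROR", "FATAL"}

# Constructed sample: four real lines from the issue plus invented lines from a
# hypothetical "ExampleOtherAuthenticator" in the same package.
SAMPLE_LOG = """\
[2024-02-16T11:24:43,253][WARN ][o.o.s.h.HTTPBasicAuthenticator] [elk-h01.test.logs.infra.rbc.ru] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2024-02-16T11:24:43,261][WARN ][o.o.s.h.HTTPBasicAuthenticator] [elk-h01.test.logs.infra.rbc.ru] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2024-02-16T11:24:43,300][WARN ][o.o.s.h.ExampleOtherAuthenticator] [elk-h01.test.logs.infra.rbc.ru] constructed: some other warning from the same package
[2024-02-16T11:24:43,368][WARN ][o.o.s.h.HTTPBasicAuthenticator] [elk-h01.test.logs.infra.rbc.ru] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2024-02-16T11:24:43,374][WARN ][o.o.s.h.HTTPBasicAuthenticator] [elk-h01.test.logs.infra.rbc.ru] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2024-02-16T11:24:44,001][ERROR][o.o.s.h.ExampleOtherAuthenticator] [elk-h01.test.logs.infra.rbc.ru] constructed: an error that must not be hidden
[2024-02-16T11:24:44,002][DEBUG][o.o.s.h.HTTPBasicAuthenticator] [elk-h01.test.logs.infra.rbc.ru] constructed: debug detail
"""


def parse_line(line):
    """Return the line's fields as a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_noise(rec):
    """True for the specific HTTPBasicAuthenticator warning the issue is about."""
    return rec["logger"] == NOISE_LOGGER and rec["msg"] == NOISE_MSG


def summarize(text):
    """Split a log into the known noise, everything else at WARN+, and unparsed lines.

    noise_bytes counts the bytes (plus newline) the noise lines occupy, which is
    what the report's "takes up extra disk space" complaint is about.
    """
    result = {"noise_count": 0, "noise_bytes": 0, "kept": [], "unparsed": 0}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            result["unparsed"] += 1
            continue
        if is_noise(rec):
            result["noise_count"] += 1
            result["noise_bytes"] += len(line.encode("utf-8")) + 1
        elif rec["level"] in ALERT_LEVELS:
            # These are exactly the lines a blanket ERROR logger level would lose
            # (the WARN one) or keep (the ERROR one).
            result["kept"].append({"level": rec["level"], "logger": rec["logger"], "msg": rec["msg"]})
    return result


if __name__ == "__main__":
    r = summarize(SAMPLE_LOG)
    print(f"noise lines: {r['noise_count']} ({r['noise_bytes']} bytes)")
    for k in r["kept"]:
        print(f"kept {k['level']:5} {k['logger']}: {k['msg']}")
```

Run it against a real node log with `summarize(open(path).read())` to see how much of the WARN volume is this one message and which other warnings from the package a logger level of ERROR would suppress; that tells you whether the cluster-settings workaround is acceptable for your cluster or whether a message-specific filter is the safer choice.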