Enhance logging when configured realms are not available in current license #45728

Closed
jkakavas opened this issue Aug 20, 2019 · 3 comments
Labels
>enhancement :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team

Comments

@jkakavas
Member

We generally handle this case well and print relevant logs in AuthenticationService#consumeUser:

logger.warn("Authentication failed using realms [{}]." +
                            " Realms [{}] were skipped because they are not permitted on the current license",

There are, however, cases when the AuthenticationToken extraction fails and we end up with a null token for the configured realms, in which case we don't enter consumeUser and never log this information.

An example of this is when only the PKI realm is configured on a license that doesn't allow it (i.e. Basic), where we won't print anything in the logs, making it harder for users to troubleshoot the authentication error they get.

I believe that the case with PKI is unique, as SAML and OIDC have relevant logging on the REST layer, but we should verify that adequate information is logged in all cases.

@jkakavas jkakavas added >enhancement :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) labels Aug 20, 2019
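
A simplified model of the gap described in the issue above, as an added example that is not Elasticsearch code and not written by any participant in this thread. The `Realm` record, the `authenticate` method, the `warnOnNullToken` flag, the header name standing in for a client certificate, and the wording of the null-token warning are all assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.function.Function;

public class SkippedRealmLogging {
    // Hypothetical stand-in for a realm: extracts a token from request headers, or returns null.
    record Realm(String name, boolean licensed, Function<Map<String, String>, String> extractToken) {}

    static final List<String> log = new ArrayList<>();

    static String authenticate(List<Realm> realms, Map<String, String> headers, boolean warnOnNullToken) {
        List<Realm> active = realms.stream().filter(Realm::licensed).toList();
        List<String> skipped = realms.stream().filter(r -> !r.licensed()).map(Realm::name).toList();
        String token = null;
        for (Realm r : active) { // only realms the license permits get to extract a token
            token = r.extractToken().apply(headers);
            if (token != null) break;
        }
        if (token == null) {
            // consumeUser is never reached from here, so its license warning is never logged.
            if (warnOnNullToken && !skipped.isEmpty()) {
                log.add("WARN No authentication token could be extracted. Realms " + skipped
                        + " were skipped because they are not permitted on the current license");
            }
            return null; // the request proceeds as unauthenticated
        }
        return consumeUser(active, skipped, token);
    }

    static String consumeUser(List<Realm> active, List<String> skipped, String token) {
        // Constructed toy check: the only valid credential is "elastic:correct".
        if (token.equals("elastic:correct")) return "elastic";
        log.add("WARN Authentication failed using realms " + active.stream().map(Realm::name).toList()
                + ". Realms " + skipped + " were skipped because they are not permitted on the current license");
        return null;
    }

    public static void main(String[] args) {
        // Constructed setup: a single PKI realm on a license that does not permit it.
        Realm pki = new Realm("pki1", false, h -> h.get("X-Client-Cert-DN"));
        Map<String, String> request = Map.of("X-Client-Cert-DN", "CN=alice");
        authenticate(List.of(pki), request, false);
        System.out.println("without null-token warning: " + log);
        authenticate(List.of(pki), request, true);
        System.out.println("with null-token warning:    " + log);
    }
}
```

The first call models the behaviour reported here, where the only realm is filtered out before token extraction and the failure leaves no trace in the log; the second shows the kind of warning that would let an operator connect the authentication error to the license.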
@elasticmachine
Collaborator

Pinging @elastic/es-security

@rjernst rjernst added the Team:Security Meta label for security team label May 4, 2020
@sebgl

sebgl commented Nov 4, 2020

(discuss topic where this came up recently: https://discuss.elastic.co/t/using-pki-based-auth-for-a-cluster-created-with-elastic-cloud-on-k8s/254245 - it took me a while to figure out the license problem)

@ywangd
Member

ywangd commented Nov 4, 2020

Wasn't aware of this issue when I raised #61090. They are in fact the same issue and are now resolved by #61402

@ywangd ywangd closed this as completed Nov 4, 2020