This repository has been archived by the owner on Jan 8, 2019. It is now read-only.

401 error after upgrade from preview 8 #489

Closed
jaxxstorm opened this issue Jan 14, 2014 · 21 comments

@jaxxstorm

When trying to search for logs after an upgrade from preview 8, I get a 401 error in the logs:

[error] m.UserService - Unauthorized to load user admin
lib.APIException: API call failed GET http://@10.115.16.204:12900/users/admin returned 401 Unauthorized body:
at lib.ApiClientImpl$ApiRequestBuilder.execute(ApiClientImpl.java:355) ~[graylog2-web-interface.graylog2-web-interface-0.20.0-rc.1.jar:0.20.0-rc.1]
at models.UserService.authenticateSessionUser(UserService.java:155) ~[graylog2-web-interface.graylog2-web-interface-0.20.0-rc.1.jar:0.20.0-rc.1]
at lib.security.RedirectAuthenticator.getUsername(RedirectAuthenticator.java:43) ~[graylog2-web-interface.graylog2-web-interface-0.20.0-rc.1.jar:0.20.0-rc.1]
at controllers.SessionsController.index(SessionsController.java:58) ~[graylog2-web-interface.graylog2-web-interface-0.20.0-rc.1.jar:0.20.0-rc.1]
at Routes$$anonfun$routes$1$$anonfun$applyOrElse$1$$anonfun$apply$1.apply(routes_routing.scala:585) ~[graylog2-web-interface.graylog2-web-interface-0.20.0-rc.1.jar:na]
at Routes$$anonfun$routes$1$$anonfun$applyOrElse$1$$anonfun$apply$1.apply(routes_routing.scala:585) ~[graylog2-web-interface.graylog2-web-interface-0.20.0-rc.1.jar:na]

@lennartkoopmann
Contributor

Is this still an issue? Looks like you are doing an unauthorized call. RC.1 introduced the call authentication so you have to pass a Graylog2 user and password with the correct permission. (Admin users have all permissions)

@jaxxstorm
Author

This is using the default admin user:password upon install (pulled directly from /etc/graylog2-server.conf)

@lennartkoopmann
Contributor

`API call failed GET http://@10.115.16.204:12900/users/admin returned 401`

Seems like it is not arriving. It should be saying http://admin:password@10.115 ....

@kroepke
Contributor

kroepke commented Jan 16, 2014

The log entry strips authentication info, if anything it should include the user name but not the password.

@jaxxstorm how does this happen exactly? preview.8 mongodb and then just upgrading the graylog2 binaries?

@jaxxstorm
Author

That's exactly it, upgrading binaries from preview 8

On 16 Jan 2014, at 05:25, Kay Roepke notifications@github.com wrote:

> The log entry strips authentication info, if anything it should include the user name but not the password.
>
> @jaxxstorm how does this happen exactly? preview.8 mongodb and then just upgrading the graylog2 binaries?

@kroepke
Contributor

kroepke commented Jan 17, 2014

I cannot reproduce this :(

Does this happen still for you @jaxxstorm ?

@jaxxstorm
Author

Haven't seen it for a while, let's close it and if it pops up again I'll reopen.

@alex88

alex88 commented Dec 15, 2014

I'm getting the same error after upgrading to web 0.92.1-2 (server is 0.92.1-2 too), application secrets are shared between server and web and the exception is:

2014-12-15T11:51:11.551+01:00 - [ERROR] - from org.graylog2.restclient.models.UserService in play-akka.actor.default-dispatcher-2
Unauthorized to load user admin
org.graylog2.restclient.lib.APIException: API call failed GET http://@127.0.0.1:12900/users/admin returned 401 Unauthorized body:
        at org.graylog2.restclient.lib.ApiClientImpl$ApiRequestBuilder.execute(ApiClientImpl.java:436) ~[org.graylog2.graylog2-rest-client-0.92.1.jar:na]
        at org.graylog2.restclient.models.UserService.retrieveUserWithSessionId(UserService.java:169) ~[org.graylog2.graylog2-rest-client-0.92.1.jar:na]
        at lib.security.RedirectAuthenticator.authenticateSessionUser(RedirectAuthenticator.java:122) [graylog2-web-interface.graylog2-web-interface-0.92.1.jar:0.92.1]
        at lib.security.RedirectAuthenticator.getUsername(RedirectAuthenticator.java:54) [graylog2-web-interface.graylog2-web-interface-0.92.1.jar:0.92.1]
        at controllers.SessionsController.index(SessionsController.java:62) [graylog2-web-interface.graylog2-web-interface-0.92.1.jar:0.92.1]
        at Routes$$anonfun$routes$1$$anonfun$applyOrElse$1$$anonfun$apply$347.apply(routes_routing.scala:1270) [graylog2-web-interface.graylog2-web-interface-0.92.1.jar:na]
        at Routes$$anonfun$routes$1$$anonfun$applyOrElse$1$$anonfun$apply$347.apply(routes_routing.scala:1270) [graylog2-web-interface.graylog2-web-interface-0.92.1.jar:na]
        at play.core.Router$HandlerInvokerFactory$$anon$4.resultCall(Router.scala:264) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at play.core.Router$HandlerInvokerFactory$JavaActionInvokerFactory$$anon$15$$anon$1.invocation(Router.scala:255) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at play.core.j.JavaAction$$anon$1.call(JavaAction.scala:55) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at play.GlobalSettings$1.call(GlobalSettings.java:67) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at play.core.j.JavaAction$$anonfun$11.apply(JavaAction.scala:82) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at play.core.j.JavaAction$$anonfun$11.apply(JavaAction.scala:82) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at scala.concurrent.impl.Future$PromiseCompletingRunnable.liftedTree1$1(Future.scala:24) [org.scala-lang.scala-library-2.10.4.jar:na]
        at scala.concurrent.impl.Future$PromiseCompletingRunnable.run(Future.scala:24) [org.scala-lang.scala-library-2.10.4.jar:na]
        at play.core.j.HttpExecutionContext$$anon$2.run(HttpExecutionContext.scala:40) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at play.api.libs.iteratee.Execution$trampoline$.execute(Execution.scala:46) [com.typesafe.play.play-iteratees_2.10-2.3.6.jar:2.3.6]
        at play.core.j.HttpExecutionContext.execute(HttpExecutionContext.scala:32) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at scala.concurrent.impl.Future$.apply(Future.scala:31) [org.scala-lang.scala-library-2.10.4.jar:na]
        at scala.concurrent.Future$.apply(Future.scala:485) [org.scala-lang.scala-library-2.10.4.jar:na]
        at play.core.j.JavaAction$class.apply(JavaAction.scala:82) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at play.core.Router$HandlerInvokerFactory$JavaActionInvokerFactory$$anon$15$$anon$1.apply(Router.scala:252) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at play.api.mvc.Action$$anonfun$apply$1$$anonfun$apply$4$$anonfun$apply$5.apply(Action.scala:130) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at play.api.mvc.Action$$anonfun$apply$1$$anonfun$apply$4$$anonfun$apply$5.apply(Action.scala:130) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at play.utils.Threads$.withContextClassLoader(Threads.scala:21) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at play.api.mvc.Action$$anonfun$apply$1$$anonfun$apply$4.apply(Action.scala:129) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at play.api.mvc.Action$$anonfun$apply$1$$anonfun$apply$4.apply(Action.scala:128) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at scala.Option.map(Option.scala:145) [org.scala-lang.scala-library-2.10.4.jar:na]
        at play.api.mvc.Action$$anonfun$apply$1.apply(Action.scala:128) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at play.api.mvc.Action$$anonfun$apply$1.apply(Action.scala:121) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at play.api.libs.iteratee.Iteratee$$anonfun$mapM$1.apply(Iteratee.scala:483) [com.typesafe.play.play-iteratees_2.10-2.3.6.jar:2.3.6]
        at play.api.libs.iteratee.Iteratee$$anonfun$mapM$1.apply(Iteratee.scala:483) [com.typesafe.play.play-iteratees_2.10-2.3.6.jar:2.3.6]
        at play.api.libs.iteratee.Iteratee$$anonfun$flatMapM$1.apply(Iteratee.scala:519) [com.typesafe.play.play-iteratees_2.10-2.3.6.jar:2.3.6]
        at play.api.libs.iteratee.Iteratee$$anonfun$flatMapM$1.apply(Iteratee.scala:519) [com.typesafe.play.play-iteratees_2.10-2.3.6.jar:2.3.6]
        at play.api.libs.iteratee.Iteratee$$anonfun$flatMap$1$$anonfun$apply$14.apply(Iteratee.scala:496) [com.typesafe.play.play-iteratees_2.10-2.3.6.jar:2.3.6]
        at play.api.libs.iteratee.Iteratee$$anonfun$flatMap$1$$anonfun$apply$14.apply(Iteratee.scala:496) [com.typesafe.play.play-iteratees_2.10-2.3.6.jar:2.3.6]
        at scala.concurrent.impl.Future$PromiseCompletingRunnable.liftedTree1$1(Future.scala:24) [org.scala-lang.scala-library-2.10.4.jar:na]
        at scala.concurrent.impl.Future$PromiseCompletingRunnable.run(Future.scala:24) [org.scala-lang.scala-library-2.10.4.jar:na]
        at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:41) [com.typesafe.akka.akka-actor_2.10-2.3.4.jar:na]
        at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(AbstractDispatcher.scala:393) [com.typesafe.akka.akka-actor_2.10-2.3.4.jar:na]
        at scala.concurrent.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260) [org.scala-lang.scala-library-2.10.4.jar:na]
        at scala.concurrent.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339) [org.scala-lang.scala-library-2.10.4.jar:na]
        at scala.concurrent.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979) [org.scala-lang.scala-library-2.10.4.jar:na]
        at scala.concurrent.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107) [org.scala-lang.scala-library-2.10.4.jar:na]

@joschi
Contributor

joschi commented Dec 15, 2014

I cannot reproduce this with graylog2-server 0.92.1 and graylog2-web-interface 0.92.1.

@alex88 Please post your graylog2.conf and graylog2-web-interface.conf files (replace credentials with another string, but be aware of trailing white spaces and stuff like that!) and check your graylog2-server logs for errors around the time the login failed on the web interface.

@alex88

alex88 commented Dec 16, 2014

This is the server config:

is_master = true
node_id_file = /etc/graylog2/server/node-id
password_secret = somesecret
root_username = admin
root_password_sha2 = passwordsha
plugin_dir = /usr/share/graylog2-server/plugin
rest_listen_uri = http://127.0.0.1:12900/
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog2
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_cluster_name = graylog2
elasticsearch_cluster_discovery_timeout = 15000
elasticsearch_analyzer = standard
output_batch_size = 25
output_flush_interval = 1
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 1024
dead_letters_enabled = false
lb_recognition_period_seconds = 3
mongodb_useauth = false
mongodb_host = 127.0.0.1
mongodb_database = graylog2
mongodb_port = 27017
mongodb_max_connections = 100
mongodb_threads_allowed_to_block_multiplier = 5
message_cache_spool_dir = /var/lib/graylog2-server/message-cache-spool

and this is the web config:

graylog2-server.uris="http://127.0.0.1:12900/"
application.secret="somesecret"
field_list_limit=100
application.global=lib.Global

and this is the log while trying to login from the web interface:

2014-12-16T09:36:37.667+01:00 WARN  [SessionsResource] Unable to log in user admin
org.apache.shiro.authc.AuthenticationException: No account information found for authentication token [org.apache.shiro.authc.UsernamePasswordToken - admin, rememberMe=false] by this Authenticator instance.  Please check that it is configured correctly.
        at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:202)
        at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
        at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
        at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
        at org.graylog2.rest.resources.system.SessionsResource.newSession(SessionsResource.java:89)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:151)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:171)
        at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:195)
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:104)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:384)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:342)
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:101)
        at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:271)
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271)
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:315)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:297)
        at org.glassfish.jersey.internal.Errors.process(Errors.java:267)
        at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:297)
        at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:254)
        at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1030)
        at org.graylog2.jersey.container.netty.NettyContainer.messageReceived(NettyContainer.java:356)
        at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
        at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
        at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
        at org.jboss.netty.handler.execution.ChannelUpstreamEventRunnable.doRun(ChannelUpstreamEventRunnable.java:43)
        at org.jboss.netty.handler.execution.ChannelEventRunnable.run(ChannelEventRunnable.java:67)
        at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176)
        at org.jboss.netty.handler.execution.MemoryAwareThreadPoolExecutor$MemoryAwareRunnable.run(MemoryAwareThreadPoolExecutor.java:622)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)

server process is running with this command line:

/usr/bin/java -jar -Dlog4j.configuration=file:///etc/graylog2/server/log4j.xml /usr/share/graylog2-server/graylog2-server.jar -f /etc/graylog2.conf

@dennusb

dennusb commented Dec 16, 2014

I have the exact same problem... 2 hosts installed freshly (0.91.3) but hosts not seeing each other (in web interface on the nodes page) and this error:

2014-12-16T14:51:45.998+01:00 - [ERROR] - from org.graylog2.restclient.models.UserService in play-akka.actor.default-dispatcher-9
Unauthorized to load user admin
org.graylog2.restclient.lib.APIException: API call failed GET http://@92.42.236.48:12900/users/admin returned 401 Unauthorized body:
at org.graylog2.restclient.lib.ApiClientImpl$ApiRequestBuilder.execute(ApiClientImpl.java:404) ~[org.graylog2.graylog2-rest-client-0.91.3.jar:na]
at org.graylog2.restclient.models.UserService.retrieveUserWithSessionId(UserService.java:132) ~[org.graylog2.graylog2-rest-client-0.91.3.jar:na]
at lib.security.RedirectAuthenticator.authenticateSessionUser(RedirectAuthenticator.java:122) [graylog2-web-interface.graylog2-web-interface-0.91.3.jar:0.91.3]
at lib.security.RedirectAuthenticator.getUsername(RedirectAuthenticator.java:54) [graylog2-web-interface.graylog2-web-interface-0.91.3.jar:0.91.3]
at play.mvc.Security$AuthenticatedAction.call(Security.java:34) [com.typesafe.play.play_2.10-2.2.2.jar:2.2.2]
at play.core.j.JavaAction$$anon$3.apply(JavaAction.scala:91) [com.typesafe.play.play_2.10-2.2.2.jar:2.2.2]
at play.core.j.JavaAction$$anon$3.apply(JavaAction.scala:90) [com.typesafe.play.play_2.10-2.2.2.jar:2.2.2]
at play.core.j.FPromiseHelper$$anonfun$flatMap$1.apply(FPromiseHelper.scala:82) [com.typesafe.play.play_2.10-2.2.2.jar:2.2.2]
at play.core.j.FPromiseHelper$$anonfun$flatMap$1.apply(FPromiseHelper.scala:82) [com.typesafe.play.play_2.10-2.2.2.jar:2.2.2]
at scala.concurrent.Future$$anonfun$flatMap$1.apply(Future.scala:251) [org.scala-lang.scala-library-2.10.3.jar:na]
at scala.concurrent.Future$$anonfun$flatMap$1.apply(Future.scala:249) [org.scala-lang.scala-library-2.10.3.jar:na]
at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:32) [org.scala-lang.scala-library-2.10.3.jar:na]
at play.core.j.HttpExecutionContext$$anon$2.run(HttpExecutionContext.scala:37) [com.typesafe.play.play_2.10-2.2.2.jar:2.2.2]
at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:42) [com.typesafe.akka.akka-actor_2.10-2.2.0.jar:2.2.0]
at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(AbstractDispatcher.scala:386) [com.typesafe.akka.akka-actor_2.10-2.2.0.jar:2.2.0]
at scala.concurrent.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260) [org.scala-lang.scala-library-2.10.3.jar:na]
at scala.concurrent.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339) [org.scala-lang.scala-library-2.10.3.jar:na]
at scala.concurrent.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979) [org.scala-lang.scala-library-2.10.3.jar:na]
at scala.concurrent.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107) [org.scala-lang.scala-library-2.10.3.jar:na]

@alex88

alex88 commented Dec 16, 2014

Seems both don't insert the username in the API call (http://@127.0.0.1:12900, http://@92.42.236.48:12900). Since only the password is filtered, the username should be present.

@joschi
Contributor

joschi commented Dec 16, 2014

@alex88 The complete authority part of the URI part is filtered out on purpose. It just looks a little strange with the leading '@' sign.
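
The log redaction discussed above, as an added example that is not part of the thread or of Graylog's code: a Python sketch that strips URI userinfo before a URL is logged, either dropping it together with the `@` separator or keeping the user name and masking the password. The function names and the sample password are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Matches http(s) URLs embedded in free-form log text.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def redact_url(url: str, keep_username: bool = False) -> str:
    """Return `url` with credentials removed from its authority component."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url  # no userinfo, nothing to redact
    # Split on the LAST '@': a password may itself contain an unencoded '@'.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    username, has_password, _ = userinfo.partition(":")
    if keep_username and username:
        masked = f"{username}:***" if has_password else username
        netloc = f"{masked}@{hostport}"
    else:
        netloc = hostport  # drop userinfo and the '@' separator together
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def scrub_line(line: str, keep_username: bool = False) -> str:
    """Redact every URL found in one log line."""
    return URL_RE.sub(lambda m: redact_url(m.group(0), keep_username), line)


# Constructed sample: the request URL as a client might hold it internally.
SAMPLE = ("API call failed GET http://admin:s3cret@10.115.16.204:12900/users/admin "
          "returned 401 Unauthorized")

if __name__ == "__main__":
    print(scrub_line(SAMPLE))
    print(scrub_line(SAMPLE, keep_username=True))
```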

@dennusb

dennusb commented Dec 16, 2014

Yes, but the unauthorized thingy is very strange. Secrets are exactly the same on both servers, but it is not working :(

@alex88

alex88 commented Dec 16, 2014

In my case the server API works fine using a command line client with the admin credentials

@dennusb

dennusb commented Dec 16, 2014

@alex88 What do you execute exactly on CLI? I can try it here then...

@alex88

alex88 commented Dec 16, 2014

@dennusb listing users using graylog api:

http -v -a admin:yourpassword http://localhost:12900/users

I use httpie since with curl I was getting 401

@dennusb

dennusb commented Dec 16, 2014

Getting 401 with CURL is weird already... :P

@alex88

alex88 commented Dec 16, 2014

meh, with httpie it should work, maybe I had to try with digest auth instead of basic :)

@joschi
Contributor

joschi commented Dec 16, 2014

graylog2-server is using HTTP/1.1 Basic Authentication.

@alex88

alex88 commented Dec 16, 2014

Anyway, just tried now and it works also via curl, so forget the curl issue
