Failing ES Promotion: Kerberos security Kerberos authentication finishing SPNEGO should properly set cookie and authenticate user

[mistic]

This failure is preventing the promotion of the current Elasticsearch nightly snapshot.

7.x/7.8: https://kibana-ci.elastic.co/job/elasticsearch+snapshots+verify/625/

For more information on the Elasticsearch snapshot promotion process: https://www.elastic.co/guide/en/kibana/master/development-es-snapshots.html

Failed Tests Reporter:
  - Test has not failed recently on tracked branches

[00:00:00]       │
[00:00:00]         └-: apis Kerberos
[00:00:00]           └-> "before all" hook
[00:00:00]           └-: security
[00:00:00]             └-> "before all" hook
[00:00:00]             └-: Kerberos authentication
[00:00:00]               └-> "before all" hook
[00:00:00]               └-> "before all" hook
[00:00:00]               └-> should reject API requests if client is not authenticated
[00:00:00]                 └-> "before each" hook: global before each
[00:00:00]                 │ info [o.e.x.s.a.AuthenticationService] [kibana-ci-immutable-ubuntu-18-tests-xl-1588534984773052792] Authentication of [<Kerberos Token>] was terminated by realm [kerb1] - failed to authenticate user, gss context negotiation failure
[00:00:00]                 │ proc [kibana]   log   [20:53:23.491] [info][authentication][plugins][security] Authentication attempt failed: Unauthorized
[00:00:00]                 └- ✓ pass  (110ms) "apis Kerberos security Kerberos authentication should reject API requests if client is not authenticated"
[00:00:00]               └-> does not prevent basic login
[00:00:00]                 └-> "before each" hook: global before each
[00:00:00]                 └- ✓ pass  (137ms) "apis Kerberos security Kerberos authentication does not prevent basic login"
[00:00:00]               └-: initiating SPNEGO
[00:00:00]                 └-> "before all" hook
[00:00:00]               └-: finishing SPNEGO
[00:00:00]                 └-> "before all" hook
[00:00:00]                 └-> should properly set cookie and authenticate user
[00:00:00]                   └-> "before each" hook: global before each
[00:00:00]                   │ info [o.e.x.s.s.SecurityIndexManager] [kibana-ci-immutable-ubuntu-18-tests-xl-1588534984773052792] security index does not exist. Creating [.security-tokens-7] with alias [.security-tokens]
[00:00:00]                   │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xl-1588534984773052792] applying create index request using v1 templates []
[00:00:00]                   │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xl-1588534984773052792] [.security-tokens-7] creating index, cause [api], templates [], shards [1]/[0], mappings [_doc]
[00:00:01]                   └- ✖ fail: "apis Kerberos security Kerberos authentication finishing SPNEGO should properly set cookie and authenticate user"
[00:00:01]                   │

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[azasypkin]

Hmm,

I see it has been disabled on master, does it fail on master or just 7.x, @mistic ?

Hopefully we're not masking ES breaking changes by just skipping the test. I'm going to look into it.

[azasypkin]

Just a heads up: ES changed _authenticate API a bit in elastic/elasticsearch#53453 and it started to return roles derived from the anonymous user. We'll update to our tests to be in sync with these changes.

[mistic]

@azasypkin I was having the failure both for master and 7.x 😃

[azasypkin]

Got it, thanks for confirming 👍