[CI] ReservedRealmIntegTests & NativeRealmIntegTests failures because of "incorrect password hashing algorithm" #31670

Closed
polyfractal opened this issue Jun 28, 2018 · 2 comments
Assignees
Labels
:Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) >test-failure Triaged test failures from CI

Comments

@polyfractal
Contributor

I suspect this is related to #31234

Build failure log:
https://elasticsearch-ci.elastic.co/job/elastic+elasticsearch+master+intake/2222/

They both reproduce for me locally, although the second one takes a few more iterations. I'm going to mute both tests.

./gradlew :x-pack:plugin:security:test -Dtests.seed=2A5C17AE002ED323 -Dtests.class=org.elasticsearch.xpack.security.authc.esnative.ReservedRealmIntegTests -Dtests.method="testChangingPassword" -Dtests.security.manager=true -Dtests.locale=und -Dtests.timezone=America/Boa_Vista
ERROR   14.6s | ReservedRealmIntegTests.testChangingPassword <<< FAILURES!
   > Throwable #1: java.lang.IllegalArgumentException: incorrect password hashing algorithm [PBKDF2] used while [BCRYPT] is configured.
   >    at __randomizedtesting.SeedInfo.seed([2A5C17AE002ED323:4C2A4F5B61B82A1E]:0)
   >    at org.elasticsearch.xpack.security.action.user.TransportChangePasswordAction.doExecute(TransportChangePasswordAction.java:49)
   >    at org.elasticsearch.xpack.security.action.user.TransportChangePasswordAction.doExecute(TransportChangePasswordAction.java:25)
   >    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:143)
   >    at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$apply$0(SecurityActionFilter.java:92)
   >    at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)
   >    at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$authorizeRequest$4(SecurityActionFilter.java:181)
   >    at org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.maybeRun(AuthorizationUtils.java:173)
   >    at org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.setRunAsRoles(AuthorizationUtils.java:167)
   >    at org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.authorize(AuthorizationUtils.java:155)
   >    at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.authorizeRequest(SecurityActionFilter.java:183)
   >    at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$applyInternal$3(SecurityActionFilter.java:161)
   >    at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)
   >    at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$authenticateAsync$2(AuthenticationService.java:172)
   >    at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$lookForExistingAuthentication$4(AuthenticationService.java:205)
   >    at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lookForExistingAuthentication(AuthenticationService.java:216)
   >    at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.authenticateAsync(AuthenticationService.java:170)
   >    at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.access$000(AuthenticationService.java:131)
   >    at org.elasticsearch.xpack.security.authc.AuthenticationService.authenticate(AuthenticationService.java:101)
   >    at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.applyInternal(SecurityActionFilter.java:160)
   >    at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.apply(SecurityActionFilter.java:113)
   >    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:141)
   >    at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:119)
   >    at org.elasticsearch.action.support.HandledTransportAction$TransportHandler.messageReceived(HandledTransportAction.java:70)
   >    at org.elasticsearch.action.support.HandledTransportAction$TransportHandler.messageReceived(HandledTransportAction.java:65)
   >    at org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor$ProfileSecuredRequestHandler$1.doRun(SecurityServerTransportInterceptor.java:259)
   >    at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)
   >    at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:135)
   >    at org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor$ProfileSecuredRequestHandler.lambda$messageReceived$0(SecurityServerTransportInterceptor.java:308)
   >    at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)
   >    at org.elasticsearch.xpack.security.transport.ServerTransportFilter$NodeProfile.lambda$inbound$2(ServerTransportFilter.java:148)
   >    at org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.maybeRun(AuthorizationUtils.java:173)
   >    at org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.setRunAsRoles(AuthorizationUtils.java:167)
   >    at org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.authorize(AuthorizationUtils.java:155)
   >    at org.elasticsearch.xpack.security.transport.ServerTransportFilter$NodeProfile.lambda$inbound$3(ServerTransportFilter.java:150)
   >    at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)
   >    at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$writeAuthToContext$23(AuthenticationService.java:432)
   >    at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.writeAuthToContext(AuthenticationService.java:441)
   >    at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.finishAuthentication(AuthenticationService.java:422)
   >    at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.consumeUser(AuthenticationService.java:363)
   >    at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$consumeToken$14(AuthenticationService.java:294)
   >    at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)
   >    at org.elasticsearch.xpack.core.common.IteratingActionListener.onResponse(IteratingActionListener.java:102)
   >    at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$consumeToken$11(AuthenticationService.java:267)
   >    at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)
   >    at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.handleResult(CachingUsernamePasswordRealm.java:148)
   >    at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.lambda$authenticateWithCache$2(CachingUsernamePasswordRealm.java:118)
   >    at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)
   >    at org.elasticsearch.common.util.concurrent.ListenableFuture.lambda$notifyListener$1(ListenableFuture.java:90)
   >    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:514)
   >    at java.util.concurrent.FutureTask.run(FutureTask.java:264)
   >    at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:135)
   >    at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:118)
   >    at org.elasticsearch.common.util.concurrent.ListenableFuture.notifyListener(ListenableFuture.java:85)
   >    at org.elasticsearch.common.util.concurrent.ListenableFuture.addListener(ListenableFuture.java:53)
   >    at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.authenticateWithCache(CachingUsernamePasswordRealm.java:113)
   >    at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.authenticate(CachingUsernamePasswordRealm.java:80)
   >    at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$consumeToken$13(AuthenticationService.java:262)
   >    at org.elasticsearch.xpack.core.common.IteratingActionListener.onResponse(IteratingActionListener.java:99)
   >    at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$consumeToken$11(AuthenticationService.java:279)
   >    at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)
   >    at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.handleResult(CachingUsernamePasswordRealm.java:163)
   >    at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.lambda$authenticateWithCache$2(CachingUsernamePasswordRealm.java:118)
   >    at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)
   >    at org.elasticsearch.common.util.concurrent.ListenableFuture.lambda$notifyListener$1(ListenableFuture.java:90)
   >    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:514)
   >    at java.util.concurrent.FutureTask.run(FutureTask.java:264)
   >    at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:135)
   >    at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:118)
   >    at org.elasticsearch.common.util.concurrent.ListenableFuture.notifyListener(ListenableFuture.java:85)
   >    at org.elasticsearch.common.util.concurrent.ListenableFuture.addListener(ListenableFuture.java:53)
   >    at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.authenticateWithCache(CachingUsernamePasswordRealm.java:113)
   >    at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.authenticate(CachingUsernamePasswordRealm.java:80)
   >    at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$consumeToken$13(AuthenticationService.java:262)
   >    at org.elasticsearch.xpack.core.common.IteratingActionListener.run(IteratingActionListener.java:81)
   >    at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.consumeToken(AuthenticationService.java:298)
   >    at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$extractToken$9(AuthenticationService.java:234)
   >    at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.extractToken(AuthenticationService.java:244)
   >    at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$authenticateAsync$0(AuthenticationService.java:178)
   >    at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)
   >    at org.elasticsearch.xpack.security.authc.TokenService.getAndValidateToken(TokenService.java:294)
   >    at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$authenticateAsync$2(AuthenticationService.java:174)
   >    at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$lookForExistingAuthentication$4(AuthenticationService.java:205)
   >    at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lookForExistingAuthentication(AuthenticationService.java:216)
   >    at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.authenticateAsync(AuthenticationService.java:170)
   >    at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.access$000(AuthenticationService.java:131)
   >    at org.elasticsearch.xpack.security.authc.AuthenticationService.authenticate(AuthenticationService.java:101)
   >    at org.elasticsearch.xpack.security.transport.ServerTransportFilter$NodeProfile.inbound(ServerTransportFilter.java:129)
   >    at org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor$ProfileSecuredRequestHandler.messageReceived(SecurityServerTransportInterceptor.java:315)
   >    at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:63)
   >    at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1667)
   >    at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)
   >    at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:135)
   >    at org.elasticsearch.transport.TcpTransport.handleRequest(TcpTransport.java:1625)
   >    at org.elasticsearch.transport.TcpTransport.messageReceived(TcpTransport.java:1489)
   >    at org.elasticsearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:62)
   >    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
   >    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
   >    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
   >    at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:310)
   >    at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:297)
   >    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:413)
   >    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
   >    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
   >    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
   >    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
   >    at io.netty.handler.logging.LoggingHandler.channelRead(LoggingHandler.java:241)
   >    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
   >    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
   >    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
   >    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359)
   >    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
   >    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
   >    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935)
   >    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134)
   >    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645)
   >    at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:545)
   >    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499)
   >    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459)
   >    at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858)
   >    at java.lang.Thread.run(Thread.java:844)

And the second one:

 ./gradlew :x-pack:plugin:security:test -Dtests.seed=2A5C17AE002ED323 -Dtests.class=org.elasticsearch.xpack.security.authc.esnative.NativeRealmIntegTests -Dtests.method="testCreateAndChangePassword" -Dtests.security.manager=true -Dtests.locale=sr-Latn -Dtests.timezone=HST
java.lang.IllegalArgumentException: incorrect password hashing algorithm [PBKDF2_1000] used while [BCRYPT] is configured.
	at __randomizedtesting.SeedInfo.seed([2A5C17AE002ED323:50D4F88F2FCC56BB]:0)
	at org.elasticsearch.xpack.security.action.user.TransportChangePasswordAction.doExecute(TransportChangePasswordAction.java:49)
	at org.elasticsearch.xpack.security.action.user.TransportChangePasswordAction.doExecute(TransportChangePasswordAction.java:25)
	at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:143)
	at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$apply$0(SecurityActionFilter.java:92)
	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)
	at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$authorizeRequest$4(SecurityActionFilter.java:181)
	at org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.maybeRun(AuthorizationUtils.java:173)
	at org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.setRunAsRoles(AuthorizationUtils.java:167)
	at org.elasticsearch.xpack.security.authz.AuthorizationUtils$AsyncAuthorizer.authorize(AuthorizationUtils.java:155)
	at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.authorizeRequest(SecurityActionFilter.java:183)
	at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$applyInternal$3(SecurityActionFilter.java:161)
	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)
	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$writeAuthToContext$23(AuthenticationService.java:432)
	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.writeAuthToContext(AuthenticationService.java:441)
	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.finishAuthentication(AuthenticationService.java:422)
	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.consumeUser(AuthenticationService.java:363)
	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$consumeToken$14(AuthenticationService.java:294)
	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)
	at org.elasticsearch.xpack.core.common.IteratingActionListener.onResponse(IteratingActionListener.java:102)
	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$consumeToken$11(AuthenticationService.java:267)
	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)
	at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.handleResult(CachingUsernamePasswordRealm.java:140)
	at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.lambda$authenticateWithCache$2(CachingUsernamePasswordRealm.java:118)
	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)
	at org.elasticsearch.common.util.concurrent.ListenableFuture.lambda$notifyListener$1(ListenableFuture.java:90)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:624)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
@polyfractal polyfractal added >test-failure Triaged test failures from CI :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) labels Jun 28, 2018
@elasticmachine
Collaborator

Pinging @elastic/es-security

@jkakavas
Member

This is me and #31234, will address this first thing my morning

jkakavas added a commit to jkakavas/elasticsearch that referenced this issue Jul 16, 2018
As part of the changes in elastic#31234, the password verification logic
determines the algorithm used for hashing the password from the
format of the stored password hash itself. Thus, it is generally
possible to validate a password even if its associated stored hash
was not created with the same algorithm as the one currently set
in the settings.
At the same time, we introduced a check for incoming client change
password requests to make sure that the request's password is hashed
with the same algorithm that is configured to be used in the node
settings.
In the spirit of randomizing the algorithms used, the
{@code SecurityClient} used in the {@code NativeRealmIntegTests} and
{@code ReservedRealmIntegTests} would send all requests dealing with
user passwords by randomly selecting a hashing algorithm each time.
This meant that some change password requests were using a different
password hashing algorithm than the one used for the node and the
request would fail.
This commit changes this behavior in the two aforementioned Integ
tests to use the same password hashing algorithm for the node and the
clients, no matter what the request is.

Resolves elastic#31670
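The two mechanisms the commit message describes, resolving the algorithm from the stored hash's own format for verification, and rejecting a change-password request whose hash was made with an algorithm other than the configured one, as an added Python illustration that is not Elasticsearch's code. The hash string layout, the iteration counts behind the `PBKDF2` and `PBKDF2_1000` names, and the bcrypt `$2a$` prefix are assumptions modelled on the names in the issue's error messages.

```python
import base64
import hashlib
import hmac
import os

# Assumed hash string formats (modelled on the names in the issue's error messages,
# not Elasticsearch's actual Hasher code):
#   PBKDF2 family: "{PBKDF2}<iterations>$<base64 salt>$<base64 derived key>"
#   bcrypt:        "$2a$<cost>$<salt+hash>" (recognised by prefix only; no bcrypt here)
PBKDF2_PREFIX = "{PBKDF2}"
PBKDF2_ITERATIONS = {"PBKDF2": 10000, "PBKDF2_1000": 1000}


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(algorithm: str, password: str, salt=None) -> str:
    """Hash a password with one of the PBKDF2 variants; the output encodes its own algorithm."""
    if algorithm not in PBKDF2_ITERATIONS:
        raise ValueError(f"unsupported password hashing algorithm [{algorithm}]")
    iterations = PBKDF2_ITERATIONS[algorithm]
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, 32)
    return f"{PBKDF2_PREFIX}{iterations}${_b64(salt)}${_b64(dk)}"


def resolve_algorithm(stored_hash: str) -> str:
    """Determine the algorithm from the hash format itself, as the verification side does."""
    if stored_hash.startswith("$2a$"):
        return "BCRYPT"
    if stored_hash.startswith(PBKDF2_PREFIX):
        iterations = int(stored_hash[len(PBKDF2_PREFIX):].split("$", 1)[0])
        return "PBKDF2" if iterations == PBKDF2_ITERATIONS["PBKDF2"] else f"PBKDF2_{iterations}"
    raise ValueError("unrecognised password hash format")


def verify_password(password: str, stored_hash: str) -> bool:
    """Verification works whatever algorithm the node is configured with: the stored hash
    itself says how it was made."""
    algorithm = resolve_algorithm(stored_hash)
    if algorithm == "BCRYPT":
        raise NotImplementedError("bcrypt verification is outside this example")
    iterations, salt_b64, dk_b64 = stored_hash[len(PBKDF2_PREFIX):].split("$")
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                 base64.b64decode(salt_b64), int(iterations), len(expected))
    return hmac.compare_digest(actual, expected)  # constant-time comparison


def check_change_password_request(request_hash: str, configured_algorithm: str) -> str:
    """The node-side check that raised the failures in this issue: an incoming change-password
    request must carry a hash made with the algorithm the node is configured to use."""
    used = resolve_algorithm(request_hash)
    if used != configured_algorithm:
        raise ValueError(f"incorrect password hashing algorithm [{used}] used "
                         f"while [{configured_algorithm}] is configured.")
    return used


if __name__ == "__main__":
    # Constructed scenario from the issue: node configured for BCRYPT, test client picked PBKDF2_1000.
    stored = hash_password("PBKDF2_1000", "correct horse")
    print("verification independent of node config:", verify_password("correct horse", stored))
    try:
        check_change_password_request(stored, "BCRYPT")
    except ValueError as err:
        print("change-password request rejected:", err)
```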