Skip to content

[CI] Auditing log fails for API key realm name during BWC with version prior to v7.5 #59425

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ywangd opened this issue Jul 13, 2020 · 5 comments · Fixed by #59470
Closed

[CI] Auditing log fails for API key realm name during BWC with version prior to v7.5 #59425

ywangd opened this issue Jul 13, 2020 · 5 comments · Fixed by #59470
Assignees
@ywangd
Labels
:Security/Audit X-Pack Audit logging Team:Security Meta label for security team >test-failure Triaged test failures from CI

Comments

@ywangd
Copy link
Member

ywangd commented Jul 13, 2020
edited
Loading

The failed test UpgradeClusterClientYamlTestSuiteIT.test {p0=mixed_cluster/120_api_key_auth/Test API key authentication will work in a mixed cluster}.

ApiKey realm name is not available in Authentication metadata till v7.5. Hence auditing log fails to retrieve it for older versions.

The failed test has been configured to run only for v7.5 and up. Once this issue is fixed, it can be renabled for older versions by removing these two lines.

Build scan: https://gradle-enterprise.elastic.co/s/zyiwyg5feg74a
@ywangd ywangd added >test-failure Triaged test failures from CI :Security/Audit X-Pack Audit logging labels Jul 13, 2020
ywangd added a commit that referenced this issue Jul 13, 2020
@ywangd
Adjust BWC versions for API key auth test.
edf27cd 
API key realm name is not available in authentication metadata prior to
v7.5. The issue is tracked at #59425
ywangd added a commit that referenced this issue Jul 13, 2020
@ywangd
Mute failed 120_api_key_auth test till #59425 is addressed.
cc9166a
@ywangd ywangd added :Security/Audit X-Pack Audit logging and removed :Security/Audit X-Pack Audit logging labels Jul 13, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (:Security/Audit)

@elasticmachine elasticmachine added the Team:Security Meta label for security team label Jul 13, 2020
@albertzaharovits albertzaharovits mentioned this issue Jul 13, 2020
Merged
albertzaharovits added a commit that referenced this issue Jul 14, 2020
@albertzaharovits
Fix auditing of API Key authn without the owner realm name (#59470)
4f8ff43 
The `Authentication` object that gets built following an API Key authentication
contains the realm name of the owner user that created the key (which is audited),
but the specific field used for storing it changed in #51305 .

This PR makes it so that auditing tolerates an "unfound" realm name, so it doesn't
throw an NPE, because the owner realm name is not found in the expected field.

Closes #59425
@albertzaharovits albertzaharovits mentioned this issue Jul 14, 2020
Merged
albertzaharovits added a commit that referenced this issue Jul 14, 2020
@albertzaharovits
Fix auditing of API Key authn without the owner realm name (#59470)
b1e4233 
The `Authentication` object that gets built following an API Key authentication
contains the realm name of the owner user that created the key (which is audited),
but the specific field used for storing it changed in #51305 .

This PR makes it so that auditing tolerates an "unfound" realm name, so it doesn't
throw an NPE, because the owner realm name is not found in the expected field.

Closes #59425
@dakrone
Copy link
Member

dakrone commented Jul 15, 2020

I believe this is the same issue: https://gradle-enterprise.elastic.co/s/x3e4t32i6m3jq that failed today

@dakrone dakrone reopened this Jul 15, 2020
dakrone added a commit to dakrone/elasticsearch that referenced this issue Jul 15, 2020
@dakrone
Mute {p0=mixed_cluster/120_api_key_auth/Test API key authentication w…
2f56c00 
…ill work in a mixed cluster}

Relates to elastic#59425
@dakrone dakrone mentioned this issue Jul 15, 2020
Merged
dakrone added a commit that referenced this issue Jul 15, 2020
@dakrone
Mute {p0=mixed_cluster/120_api_key_auth/Test API key authentication w…
74372df 
…ill work in a mixed cluster} (#59663)

Relates to #59425
@dakrone
Copy link
Member

dakrone commented Jul 15, 2020

Muted this since it has failed a couple of times today

dakrone added a commit that referenced this issue Jul 15, 2020
@dakrone
Mute {p0=mixed_cluster/120_api_key_auth/Test API key authentication w…
3f1265c 
…ill work in a mixed cluster} (#59663)

Relates to #59425
@ywangd ywangd self-assigned this Jul 15, 2020
@ywangd
Copy link
Member Author

ywangd commented Jul 15, 2020

Thanks @dakrone
The new failure is caused by missing role descriptors when creating the API key. The role descriptors were mandatory till v7.3 (#43481). Will raise a fix.

@ywangd ywangd mentioned this issue Jul 16, 2020
Merged
ywangd added a commit that referenced this issue Jul 16, 2020
@ywangd
Fix test of API key creation in a mixed cluster (#59680)
067db1f 
RoleDescriptors are mandatory prior to v7.3

Relates: #59425
@ywangd
Copy link
Member Author

ywangd commented Jul 16, 2020

Fixed with #59680

@ywangd ywangd closed this as completed Jul 16, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ywangd ywangd

Labels
:Security/Audit X-Pack Audit logging Team:Security Meta label for security team >test-failure Triaged test failures from CI
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Audited API Key authentication might not have a realm name albertzaharovits/elasticsearch
3 participants
@dakrone @ywangd @elasticmachine