Change HTTPBasicAuthenticator log message from warning to trace for 'No basic auth' error #5221
Conversation
Signed-off-by: Stewart Brown <stewart.brown@sas.com>
StewartWBrown
requested review from
DarshitChanpura,
RyanL1997,
cwperks,
derek-ho,
nibix,
peternied,
reta and
willyborankin
as code owners
| if (!authorizationHeader.trim().toLowerCase().startsWith("basic ")) { | ||
| log.warn("No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'"); | ||
| if (!authorizationHeader.trim().toLowerCase().startsWith("basic ") && isTraceEnabled) { | ||
| log.trace("No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'"); |
There was a problem hiding this comment.
Thanks for the PR. While I understand noise created when multiple auth types are used, moving this line to trace logging might be an issue for clusters with only basic auth enabled. I don't think there's another log line available.
For #4054, would it be possible to change the order , i.e. mark SAML as order 1 and basic auth as order 2? Do you still see same amount of logs?
There was a problem hiding this comment.
I also agree that changing to trace isn't the answer but the behavior should change for valid scenarios requiring multiple authenticators using fallthrough.
The fix required could be one of the following:
- Pass the isChallenge flag from the authDomain to the extractCredentials calls. Only log.warn when isChallenge is true
- Alternatively, and probably a more complete fix, would be be to pass the firstChallengingHttpAuthenticator to the extractCredentials calls. Only log.warn when the firstChallengingHttpAuthenticator is of type HTTPBasicAuthenticator
The starting point for these changes would be the httpAuthenticator.extractCredentials call at https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/auth/BackendRegistry.java#L282
There was a problem hiding this comment.
Thanks all! Initially raised this PR as i felt that it was odd that basic auth was the only authentication type logging a warn message on checking that the header was in the expected format- leaving this message-spam only occurring when basic auth was earlier in the order.
But i understand this is could be a helpful message, so banishing it away to Trace or Debug may not be useful (especially for a more common auth type like Basic). I agree with Terry that passing isChallenge may be the way forward in this case. Especially after reading the docs, which at the moment seems inconsistent with this logging message: https://opensearch.org/docs/latest/security/authentication-backends/basic-authc/#the-challenge-setting
Will look into this a little more later this week with a bit more of a complete fix!
There was a problem hiding this comment.
@shikharj05 This log line is available elsewhere in the BackendRegistry here: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/auth/BackendRegistry.java#L352-L354
tbh, if the log level is a concern I would suggest to remove this line and make the one in BackendRegistry warn level to solve this issue.
There was a problem hiding this comment.
Something like this: cwperks#57
@cwperks Yes, removing the problematic log line, as you have here, should also resolve it.
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #5221 +/- ##
==========================================
- Coverage 72.04% 71.69% -0.36%
==========================================
Files 336 384 +48
Lines 22648 23862 +1214
Branches 3560 3635 +75
==========================================
+ Hits 16317 17107 +790
- Misses 4556 4931 +375
- Partials 1775 1824 +49
🚀 New features to boost your workflow:
|
…hallenge is true Signed-off-by: Stewart Brown <stewart.brown@sas.com>
Signed-off-by: Stewart Brown <stewart.brown@sas.com>
|
Have added in the isChallenge flag to extractCredentials as suggested! Log the error message as a warn if 'challenge' is enabled, and at trace level if 'trace' is enabled. Otherwise do not print the error which will hopefully reduce the log spam being seen when security configs are set up in this specific ordering. Sorry for delay, other things popped up over past few weeks! Still need to test this works as expected, and will have time to do so at the start of next week. |
|
@StewartWBrown Sorry for the delay on review. I was out at OpenSearchCon EU last week and back in the office this week. |
|
@StewartWBrown I think the fix for this can be even simpler. wdyt about only logging the It doesn't make sense to log that out when the Authorization header is present, but of a different type of token that is not a basic auth header. |
|
@cwperks No worries at all - hope OpenSearchCon EU went well! Looking forward to catch up on some sessions if they become available online :) Although this would stop the log message if using JWT authentication for example (where the header is present, but with a different type of token). Wouldn't this issue still persist if using SAML which I believe doesn't have an Authorization header? Not too familiar with some of the other Auth methods OpenSearch can use so not sure if there's others that fall in the same boat too. |
|
I'd just give my five cents here, but then I'll immediately disappear again, because I have two days off ;-) It can be helpful to just consult the guidelines for using log4j log levels at https://commons.apache.org/proper/commons-logging/guide.html#Message_Priorities.2FLevels
IMHO, these criteria do not match the absence of an "Authorization" header. This is not an undesirable or unexpected condition, it is part of a normal protocol flow. Let's check the guidelines for INFO:
Also for this, I'd say that the criteria is not met. It will be impossible to keep them at a minimum if these are caused by normal protocol flows. Thus, my opinion would be to just generally lower the log level to DEBUG. |
|
For further support of changing the message logging level, I can see similar checks to this one for different Auth types happening at either Debug or Trace: HTTPProxyAuthenticator, OnBehalfOf, HTTPClientCertAuthenticator, JWT Authentication. From @nibix suggestion above, I think these should all be consistently Debug instead of Trace too which I can change as part of this PR. That being said, I can see the value in raising a warning for Basic Auth as it's likely to be more commonly used. Making the message more visible could help with quicker diagnosis- which is why I felt the isChallenge tag approach was an appropriate middleground for this scenario. But I recognise the perspective that having an extra parameter passed into extractCredentials could be a bit overkill. Unless there's additional benefit of passing challenge context for other authentication methods' extractCredentials too which we could utilize? |
I would need to check, but it would still certainly reduce the log volume immensely since SAML login does not occur frequently. FYI The SAML login flow occurs once per OSD session. After successful login, OpenSearch will issue a JWT and then use that for subsequent requests against the backend cluster. I wonder if there's another value to look for to determine if a request is in the initial SAML flow to skip this message. |
|
@cwperks Thank you for revisiting this. We found that the change submitted here was the least intrusive that would actually fix the bug correctly. The basic auth check should only log that it is returning a 401 when set to challenge so we passed that flag through. Note we also have a finalizing basic authenticator that is set to challenge and will log and behave appropriately when authentication details are missing. The first basic auth check cannot challenge as we have others that can follow, e.g. JWT , that use the header. For other auth types it seems better to check for the challenge flag too rather than relying on specific text included in the header - this is also to ensure it is future-proof. |
|
@terryquigleysas I think there's an opportunity to make the logic much simpler and achieve the same outcome without having to keep track of whether the authenticator is a challenging authenticator. If these 2 conditions are met:
Then we should log out that warning, otherwise skip it. The current logic is definitely wrong and should not log a warning when an |
Thanks @cwperks , we will take a look again with this suggestion. |
| if (authorizationHeader != null) { | ||
| if (!authorizationHeader.trim().toLowerCase().startsWith("basic ")) { | ||
| log.warn("No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'"); | ||
| if (isChallenge) { |
There was a problem hiding this comment.
Apologies for joining the party late, i'm slightly confused on what exactly are we trying to solve here? Is it that we log at warn only when Basic Auth fails or is it that we will log at warn when no other domains to be evaluated against are present?
I'm okay with current implementation if the idea is to simply reduce warning messages for auth types other than Basic.
There was a problem hiding this comment.
The goal is to only log this in valid scenarios. The following criteria needs to be met:
- Request has no Authorization header
- There is a challenging basic auth authenticator
- Request is not for the SAML ACS endpoint which does not accept an Authorization header (its the endpoint that accepts the XML assertion) and is used in the SAML flow.
Currently, this is getting logged if a request has an Authorization header of a different kind (like a bearer token) and its annoying because its being logged excessively and its not accurate.
There was a problem hiding this comment.
If the idea is to limit logging of this message only when basic auth is the challenging authenticator and creds fail, I'm okay with this flag.
|
@StewartWBrown This can be closed off now #5377 has been merged. |
8 participants
Description
When basic auth and SAML authentications are both enabled, the logs are filled with messages stating:
"level": "WARN", "component": "o.o.s.h.HTTPBasicAuthenticator", "message": "No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'"This was thought to be addressed by #3364, however the logging message remained in another area which this PR has tuned to trace level instead.
Issues Resolved
No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'in log #3273Testing
Bulk Integration testing workflow with this change seems to look fine!
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.