Authentication failed for null

We’re using search-guard-flx 1.0.0-es-7.10.2 on one of our test clusters, and for some reason the internal users all get 401s for any request, e.g. / or /_searchguard/authinfo:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="Search Guard"
content-type: text/plain; charset=UTF-8
content-length: 12

Client cert works fine, for instance.

On the server, we see the following trace logs:

{"type":"server","timestamp":"2023-02-14T10:01:23,656+01:00","level":"TRACE","component":"c.f.s.a.l.LegacyRestAuthenticationProcessor","cluster.name":"plop","node.name":"node0792.example.com","message":"Rest authentication request from 10.10.234.170 [original: /10.10.234.170:56120]","cluster.uuid":"RVbZ4JXkQPWTHp5XAtygSQ","node.id":"Q99PLn7PSiSDDSmv5c0W1g"}
{"type":"server","timestamp":"2023-02-14T10:01:23,656+01:00","level":"DEBUG","component":"c.f.s.a.b.RequestAuthenticationProcessor","cluster.name":"plop","node.name":"node0792.example.com","message":"Authenticating request using: [sg_auth_token, session]","cluster.uuid":"RVbZ4JXkQPWTHp5XAtygSQ","node.id":"Q99PLn7PSiSDDSmv5c0W1g"}
{"type":"server","timestamp":"2023-02-14T10:01:23,656+01:00","level":"TRACE","component":"c.f.s.a.b.RequestAuthenticationProcessor","cluster.name":"plop","node.name":"node0792.example.com","message":"Checking authdomain session (total: 2)","cluster.uuid":"RVbZ4JXkQPWTHp5XAtygSQ","node.id":"Q99PLn7PSiSDDSmv5c0W1g"}
{"type":"server","timestamp":"2023-02-14T10:01:23,656+01:00","level":"TRACE","component":"c.f.s.a.l.LegacyRestRequestAuthenticationProcessor","cluster.name":"plop","node.name":"node0792.example.com","message":"Try to extract auth creds from session http authenticator","cluster.uuid":"RVbZ4JXkQPWTHp5XAtygSQ1g"}
{"type":"server","timestamp":"2023-02-14T10:01:23,656+01:00","level":"TRACE","component":"c.f.s.a.l.LegacyRestRequestAuthenticationProcessor","cluster.name":"plop","node.name":"node0792.example.com","message":"no session credentials found in request","cluster.uuid":"RVbZ4JXkQPWTHp5XAtygSQ","node.id":"Q99PLn7PSiSDDSmv5c0W1g"}
{"type":"server","timestamp":"2023-02-14T10:01:23,656+01:00","level":"WARN","component":"c.f.s.a.b.RequestAuthenticationProcessor","cluster.name":"plop","node.name":"node0792.example.com","message":"Authentication failed for null from [request=/_cat/, directIpAddress=10.10.234.170, originatingIpAddress=10.10.234.170, clientCertSubject=null]","cluster.uuid":"RVbZ4JXkQPWTHp5XAtygSQ","node.id":"Q99PLn7PSiSDDSmv5c0W1g"}

What authentication method and backends do you want to use?

In the logs, there is this:

Authenticating request using: [sg_auth_token, session]

These seem to be very few different authentication domains. Can you double-check your config? Or maybe post it?

Also, for debugging authentication in SG FLX, see here for the special debug mode:

It would seem we haven’t migrated the configuration to FLX yet.
This might be the reason - I’ll migrate and report back.

That was it. I think what happened is that the old SG configuration was uploaded after the migration.
Pushing the migrated config resolved the issue!

Sorry for the missing information, and thanks for the authz debugging pointer.
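The log triage done by hand in this thread, as an added example that is not part of the original posts and is not Search Guard code: it reads Elasticsearch JSON server log lines, collects the domain lists from the "Authenticating request using" messages and the "Authentication failed for" warnings, and reports which expected domains were never tried. The sample lines are constructed (shortened from the log above), and the expected domain name `basic` is a hypothetical placeholder for whatever your own configuration defines.

```python
import json
import re
from collections import Counter

# Constructed sample: three lines shortened from the thread's log, plus one non-JSON line.
SAMPLE_LOG = "\n".join([
    '{"level":"DEBUG","component":"c.f.s.a.b.RequestAuthenticationProcessor",'
    '"message":"Authenticating request using: [sg_auth_token, session]"}',
    '{"level":"TRACE","component":"c.f.s.a.l.LegacyRestRequestAuthenticationProcessor",'
    '"message":"no session credentials found in request"}',
    '{"level":"WARN","component":"c.f.s.a.b.RequestAuthenticationProcessor",'
    '"message":"Authentication failed for null from [request=/_cat/, '
    'directIpAddress=10.10.234.170, originatingIpAddress=10.10.234.170, clientCertSubject=null]"}',
    "java.lang.Exception: stack trace line, not JSON",
])

DOMAINS_RE = re.compile(r"Authenticating request using: \[(.*?)\]")
FAILED_RE = re.compile(
    r"Authentication failed for (.+?) from \[request=([^,\]]+), directIpAddress=([^,\]]+)")

def summarize(log_text, expected=("basic",)):
    """Return the auth-domain lists tried, the failed requests, and expected domains never tried.

    `expected` is hypothetical: replace it with the domain names from your own configuration.
    """
    domain_sets, failures = Counter(), []
    for line in log_text.splitlines():
        try:
            msg = str(json.loads(line).get("message", ""))
        except (ValueError, AttributeError):  # non-JSON line or JSON that is not an object
            continue
        if m := DOMAINS_RE.search(msg):
            domain_sets[tuple(d.strip() for d in m.group(1).split(",") if d.strip())] += 1
        elif m := FAILED_RE.search(msg):
            user = None if m.group(1) == "null" else m.group(1)  # "null": no user was extracted
            failures.append({"user": user, "request": m.group(2), "ip": m.group(3)})
    tried = {d for ds in domain_sets for d in ds}
    return {"domain_sets": domain_sets, "failures": failures,
            "missing": sorted(set(expected) - tried)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A non-empty `missing` list together with failures whose `user` is `None` matches what this thread ran into: the running configuration did not contain the domains the clients were relying on.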
