Elasticsearch version: 7.17.12
Server OS version: Rocky Linux release 8.8 (Green Obsidian)
Java version: openjdk version “17.0.8.1” 2023-08-24
Search Guard version: 1.3.0-es-7.17.12
Describe the issue:
When I'm doing many requests in parallel, some of them fail, and in the log I'm getting the following stack:
[2023-09-27T16:14:43,273][ERROR][c.f.s.a.b.RequestAuthenticationProcessor] [XXX-1] Error while authenticating AuthCredentials [username=XXXX, subUserName=null, authDomainInfo=AuthDomainInfo [authDomainId=null, authenticatorType=trusted_origin, authBackendType=null], password=null, nativeCredentials=null, backendRoles=[], searchGuardRoles=[], complete=true, authzComplete=false, redirectUri=null, attributes={}, structuredAttributes={}, claims={}, attributesForUserMapping={credentials={user_name=n/a}, request={headers=org.elasticsearch.http.netty4.Netty4HttpRequest$HttpHeadersMap@771fcdd5, direct_ip_address=XXXX, originating_ip_address=XXX}}]
{ldap_rc=91 (connect error)}
com.floragunn.searchguard.authc.AuthenticatorUnavailableException: Error while creating connection to LDAP server
LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server XXXX:636: IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server XXXX/XXX:636: AccessControlException(access denied ("java.net.SocketPermission" "XXXX:636" "connect,resolve")), ldapSDKVersion=5.0.1, revision=3290ee33d4aa17df1aadb4d814d6534375f395a9'))')
at com.floragunn.searchguard.enterprise.auth.ldap.LDAPConnectionManager.getConnection(LDAPConnectionManager.java:270) ~[dlic-search-guard-flx-security-1.3.0-es-7.17.12.jar:1.3.0-es-7.17.12]
at com.floragunn.searchguard.enterprise.auth.ldap.LDAPAuthenticationBackend.searchGroups(LDAPAuthenticationBackend.java:219) ~[dlic-search-guard-flx-security-1.3.0-es-7.17.12.jar:1.3.0-es-7.17.12]
at com.floragunn.searchguard.enterprise.auth.ldap.LDAPAuthenticationBackend.getUserInformation(LDAPAuthenticationBackend.java:161) ~[dlic-search-guard-flx-security-1.3.0-es-7.17.12.jar:1.3.0-es-7.17.12]
at com.floragunn.searchguard.authc.base.StandardAuthenticationDomain.authenticate(StandardAuthenticationDomain.java:343) ~[search-guard-flx-security-1.3.0-es-7.17.12.jar:1.3.0-es-7.17.12]
at com.floragunn.searchguard.authc.base.RequestAuthenticationProcessor.callAuthcBackends(RequestAuthenticationProcessor.java:379) [search-guard-flx-security-1.3.0-es-7.17.12.jar:1.3.0-es-7.17.12]
...
Caused by: java.security.AccessControlException: access denied ("java.net.SocketPermission" "XXXX:636" "connect,resolve")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:485) ~[?:?]
at java.security.AccessController.checkPermission(AccessController.java:1068) ~[?:?]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:416) ~[?:?]
at java.lang.SecurityManager.checkConnect(SecurityManager.java:919) ~[?:?]
at java.net.Socket.connect(Socket.java:629) ~[?:?]
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:304) ~[?:?]
at com.unboundid.ldap.sdk.ConnectThread.run(ConnectThread.java:163) ~[unboundid-ldapsdk-5.0.1.jar:5.0.1]
The LDAP connection configuration is:
idp:
  tls:
    trust_all: false
    enabled_protocols:
      - "TLSv1.2"
      - "TLSv1.3"
  hosts:
    - "XXXX:636"
  connection_pool:
    min_size: 5
    max_size: 5
  bind_dn: "XXXX"
  password: "XXXX"
  user_search:
    filter:
      by_attribute: "sAMAccountName"
    base_dn: "XXXX"
  group_search:
    base_dn: "XXX"
    recursive:
      enabled: true
    role_name_attribute: "dn"
I don't understand why in some cases the security manager fails, but not all the time. Looks like a concurrency bug to me.
It's critical: it prevents upgrading to flx, and I don't see any workaround.
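The denial in the trace is the Java SecurityManager rejecting a java.net.SocketPermission check for the LDAP host. The Java snippet below is an added illustration of the mechanism behind that check and of the idiom an Elasticsearch plugin uses to have it evaluated against the plugin's own policy grant; it is not Search Guard's or Elasticsearch's code and it is not a diagnosis of the reported bug. The class and method names, the placeholder host and the policy line quoted in the comment are assumptions.

```java
// Added illustration, not Search Guard or Elasticsearch code. Assumes the plugin's
// plugin-security.policy contains a grant such as (placeholder host)
//   permission java.net.SocketPermission "ldap.example.internal:636", "connect,resolve";
// and that the JVM runs under a SecurityManager, as Elasticsearch 7.17 does.
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import org.elasticsearch.SpecialPermission;

final class PrivilegedLdapConnect { // hypothetical helper; the name is an assumption

    // Connects to host:port from inside a privileged block. The SecurityManager checks
    // SocketPermission against every protection domain on the call stack; doPrivileged
    // stops that walk here, so only the plugin's own domain and its policy grant decide.
    // Any unprivileged frame above this one (core ES code, a pool runnable) would
    // otherwise make the connect fail with the "access denied" seen in the trace.
    static Socket connect(String host, int port, int timeoutMs) throws IOException {
        SpecialPermission.check(); // ES convention: the caller must hold SpecialPermission
        try {
            return AccessController.doPrivileged((PrivilegedExceptionAction<Socket>) () -> {
                Socket s = new Socket();
                s.connect(new InetSocketAddress(host, port), timeoutMs);
                return s;
            });
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof IOException) throw (IOException) cause;
            throw new IOException("connect to " + host + ":" + port + " failed", cause);
        }
    }

    // A new Thread captures its creator's AccessControlContext, and that inherited
    // context is combined with the new thread's own stack for every unprivileged check.
    // A worker that connects without a doPrivileged of its own (as the SDK's ConnectThread
    // in the trace does) therefore passes only if every domain in the inherited context
    // holds the grant, which starting it from a privileged block like this one guarantees.
    static Thread connectInBackground(String host, int port, Socket[] out) {
        SpecialPermission.check();
        return AccessController.doPrivileged((PrivilegedAction<Thread>) () -> {
            Thread t = new Thread(() -> {
                try { out[0] = new Socket(host, port); } catch (IOException e) { out[0] = null; }
            }, "ldap-connect");
            t.start();
            return t;
        });
    }
}
```

Checking which thread creates the SDK's connect thread, and whether that creation happens inside a privileged block, is the first thing to verify when a SocketPermission denial appears only under load.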