Skip_users feature not taking any effect when configured in basic_auth_domain to avoid "No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'" warning in the logs while using multiple auth domains

Elasticsearch version: 7.8.0

Describe the issue:
I have configured skip_users parameter in basic_auth_domain config section to avoid the warning log “No ‘Basic Authorization’ header, send 401 and ‘WWW-Authenticate Basic’” , however it is not taking any effect and I can still observe the warning in the log.
Searchguard version 7 is been used.

PFB sg_config.yml section -sg-config

Do you have a user that has kibanauser name? It is a reserved backend role in Search Guard.

I have provided “kibanauser” just as a sample name here. In configuration file, I have given the correct username.

I created an issue. I’ll reach you back when there is any update.

You have to move up the skip_users by two levels, directly under basic_internal_auth_domain. This would be the correct location.

However, I am not sure if this change would be actually effective, as - if I see it correctly - the log message is generated before the user is known. And for skip_users to work, you have to know the user.

For more information, we would need to see your whole configuration, the whole log message and the exact version of Search Guard you are using.

Hi
I tried the scenario by keeping “skip_users” directly under basic_internal_auth_domain section and still it is not taking any effect.
Search Guard version: 7.8.0-43.0
PFB the config:

PFB logs:
{“type”:“log”,“host”:“elasticsearch-client”,“level”:“DEBUG”,“systemid”:“2106a117733f42d697284fbc54927928”,“system”:“ELK-SYSTEM”,“time”: “2020-10-30T06:51:29.066Z”,“logger”:“c.f.s.a.BackendRegistry”,“timezone”:“UTC”,“marker”:"[elasticsearch-client] “,“log”:{“message”:“Check authdomain for rest internal/0 or 2 in total”}}
{“type”:“log”,“host”:“elasticsearch-client”,“level”:“WARN”,“systemid”:“2106a117733f42d697284fbc54927928”,“system”:“ELK-SYSTEM”,“time”: “2020-10-30T06:51:29.066Z”,“logger”:“c.f.s.h.HTTPBasicAuthenticator”,“timezone”:“UTC”,“marker”:”[elasticsearch-client] “,“log”:{“message”:“No ‘Basic Authorization’ header, send 401 and ‘WWW-Authenticate Basic’”}}
{“type”:“log”,“host”:“elasticsearch-client”,“level”:“DEBUG”,“systemid”:“2106a117733f42d697284fbc54927928”,“system”:“ELK-SYSTEM”,“time”: “2020-10-30T06:51:29.066Z”,“logger”:“c.f.s.a.BackendRegistry”,“timezone”:“UTC”,“marker”:”[elasticsearch-client] “,“log”:{“message”:“Check authdomain for rest noop/1 or 2 in total”}}
{“type”:“log”,“host”:“elasticsearch-client”,“level”:“DEBUG”,“systemid”:“2106a117733f42d697284fbc54927928”,“system”:“ELK-SYSTEM”,“time”: “2020-10-30T06:51:29.088Z”,“logger”:“c.n.c.b.HTTPKeycloakAuthenticator”,“timezone”:“UTC”,“marker”:”[elasticsearch-client] ",“log”:{“message”:“Received jwt token is valid”}}

This seems to be not the default Search Guard log configuration, as it also includes DEBUG messages.

Furthermore c.n.c.b.HTTPKeycloakAuthenticator does not seem to be a Search Guard component.

To disable the log messages from Search Guard, you can modify the file config/log4j2.properties on each node of the ES installation and add:

logger.sgbackendregistry.name = com.floragunn.searchguard.auth.BackendRegistry
logger.sgbackendregistry.level = info

logger.sghttpauth.name = com.floragunn.searchguard.http.HTTPBasicAuthenticator
logger.sghttpauth.level = error

For the log messages from c.n.c.b.HTTPKeycloakAuthenticator, you could do the same, but would need to know the whole package name (which is only abbreviated by c.n.c.b in the logs).

By the way, if this is a production system, I’d recommend to disable any log messages with level DEBUG or lower. There can be a very high amount of such messages which might negatively affect the performance of the whole system.

1 Like

Yes, by default log level is set as “INFO” only. To capture the complete logs, I enabled debug level logs and shared here.
However, {“type”:“log”,“host”:“elasticsearch-client”,“level”:“WARN”,“systemid”:“2106a117733f42d697284fbc54927928”,“system”:“ELK-SYSTEM”,“time”: “2020-10-30T06:51:29.066Z”,“logger”:“c.f.s.h.HTTPBasicAuthenticator”,“timezone”:“UTC”,“marker”:”[elasticsearch-client] “,“log”:{“message”:“No ‘Basic Authorization’ header, send 401 and ‘WWW-Authenticate Basic’”}} : This is a warn level log which comes even with “INFO” level log and to remove this we are trying to use skip_users feature which is not taking any effect.

I experience the same issue. skip_users has also no effect in my configuration. I am using openid and basicauth (for internal users of course). I was addressing the issue in this post: No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic' while using openid and basic auth domain - #6 by jkressin

As noted above, the warning log message is issued before the user is known. skip_user obviously only works after the user is known.

Right now, the only way to address the warning message is adapting the logging configuration as shown above.

Is skip_users functionality in authentication domain been made available for elk 7.8.0?
As it is making no difference even after configuring at config or auth_domain level.

Please read the answers carefully. Again:

skip_users has and can have no effect on the warning message, as the warning message is produced before the user is known and thus before skip_users is evaluated.

The proper way to address the problem is to adjust the logging configuration:

logger.sghttpauth.name = com.floragunn.searchguard.http.HTTPBasicAuthenticator
logger.sghttpauth.level = error

Okay thanks for the information.
Can you please tell when does the skip_users functionality gets evaluated and also please confirm if this feature is available for elk 7.8.0?

The skip_users feature is available since Search Guard 41.

It is getting evaluated after the user information has been extracted from a request to decide whether to use that information or to skip to the next auth domain.

Thankyou for the information.