Describe the issue:
I have configured the skip_users parameter in the basic_auth_domain config section to avoid the warning log “No ‘Basic Authorization’ header, send 401 and ‘WWW-Authenticate Basic’”, however it is not taking any effect and I can still observe the warning in the log.
Search Guard version 7 is being used.
You have to move up the skip_users by two levels, directly under basic_internal_auth_domain. This would be the correct location.
However, I am not sure if this change would be actually effective, as - if I see it correctly - the log message is generated before the user is known. And for skip_users to work, you have to know the user.
For more information, we would need to see your whole configuration, the whole log message and the exact version of Search Guard you are using.
Hi
I tried the scenario by keeping “skip_users” directly under basic_internal_auth_domain section and still it is not taking any effect.
Search Guard version: 7.8.0-43.0
PFB the config:
For the log messages from c.n.c.b.HTTPKeycloakAuthenticator, you could do the same, but would need to know the whole package name (which is only abbreviated by c.n.c.b in the logs).
By the way, if this is a production system, I’d recommend to disable any log messages with level DEBUG or lower. There can be a very high amount of such messages which might negatively affect the performance of the whole system.
Yes, by default log level is set as “INFO” only. To capture the complete logs, I enabled debug level logs and shared here.
However, {"type":"log","host":"elasticsearch-client","level":"WARN","systemid":"2106a117733f42d697284fbc54927928","system":"ELK-SYSTEM","time": "2020-10-30T06:51:29.066Z","logger":"c.f.s.h.HTTPBasicAuthenticator","timezone":"UTC","marker":"[elasticsearch-client] ","log":{"message":"No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'"}} : This is a warn level log which comes even with “INFO” level log and to remove this we are trying to use the skip_users feature, which is not taking any effect.
Has skip_users functionality in authentication domain been made available for elk 7.8.0?
As it is making no difference even after configuring at config or auth_domain level.
skip_users has and can have no effect on the warning message, as the warning message is produced before the user is known and thus before skip_users is evaluated.
The proper way to address the problem is to adjust the logging configuration:
Okay thanks for the information.
Can you please tell when the skip_users functionality gets evaluated and also please confirm if this feature is available for elk 7.8.0?
The skip_users feature is available since Search Guard 41.
It is getting evaluated after the user information has been extracted from a request to decide whether to use that information or to skip to the next auth domain.
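The evaluation order described in the replies above, as an added illustration that is not part of the thread and is not Search Guard code: a simplified Python model in which the warning is logged during credential extraction, before skip_users can be consulted. It assumes both domains use HTTP Basic; the domain `next_auth_domain`, the user `svc_probe`, and all function names are hypothetical.

```python
import base64
import logging

log = logging.getLogger("auth_model")  # hypothetical logger for this model

class Collect(logging.Handler):
    """Keeps emitted messages so the warning can be inspected."""
    def __init__(self):
        super().__init__()
        self.messages = []
    def emit(self, record):
        self.messages.append(record.getMessage())

def extract_basic_user(headers):
    """Step 1: read the user from the header; warns before any user is known."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        log.warning("No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'")
        return None
    try:
        decoded = base64.b64decode(value[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep and user else None

def walk_auth_domains(headers, domains):
    """Step 2: only once a user is extracted can skip_users be consulted."""
    handler = Collect()
    log.addHandler(handler)
    trace = []
    try:
        for domain in domains:
            user = extract_basic_user(headers)
            if user is None:
                trace.append((domain["name"], "no-user"))
            elif user in domain.get("skip_users", ()):
                trace.append((domain["name"], "skipped"))  # go to next domain
            else:
                trace.append((domain["name"], "authenticate:" + user))
                break
    finally:
        log.removeHandler(handler)
    return trace, handler.messages

# Constructed sample configuration and request (not taken from the thread).
DOMAINS = [{"name": "basic_internal_auth_domain", "skip_users": ["svc_probe"]},
           {"name": "next_auth_domain"}]
WITH_USER = {"Authorization": "Basic " + base64.b64encode(b"svc_probe:x").decode()}
```

Calling `walk_auth_domains({}, DOMAINS)` returns the warnings alongside a trace in which skip_users was never reached; `walk_auth_domains(WITH_USER, DOMAINS)` shows the listed user being skipped in the first domain and handled by the next one.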