
do not warn when switching capabilities for resources with optional auth #61043

Merged: 2 commits, Mar 24, 2020

Conversation

mshustov
Contributor

@mshustov mshustov commented Mar 24, 2020

Summary

You can see a warning in logs when landing on /login page:

{"type":"log","@timestamp":"2020-03-23T19:17:47+00:00","tags":["warning","plugins","spaces"],"pid":18348,"message":"Error toggling capabilities for request to /api/core/capabilities: [security_exception] missing authentication credentials for REST request [/_security/user/_has_privileges], with  ....

AFAIK it doesn't break any logic.
I'm not sure what the right solution is for this use case if we need to get capabilities for a resource with 'optional' auth. Any other plugin can use the Security plugin API to verify that a user is authenticated, but Spaces & Security cannot call each other due to circular dependencies.

UPDATED: based on a conversation with @legrego: it's expected behavior, and we should downgrade log level to avoid confusion.


@mshustov mshustov added chore Feature:New Platform Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! release_note:skip Skip the PR/issue when compiling release notes v7.7.0 labels Mar 24, 2020
@mshustov mshustov requested a review from a team as a code owner March 24, 2020 08:53
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@mshustov mshustov changed the title do not switch capabilities for optional routes do not switch capabilities for resources with optional auth Mar 24, 2020
@mshustov mshustov requested a review from legrego March 24, 2020 08:53
Member

@legrego legrego left a comment


LGTM, thanks for the fix! This check is consistent with what the security plugin does in its switcher today.

edit: looking at the failing test...

@legrego legrego self-requested a review March 24, 2020 10:37
const isAnonymousRequest = !request.route.options.authRequired;

if (isAnonymousRequest) {
if (!request.auth.isAuthenticated) {
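Review bot: in the `isAnonymousRequest` branch, `!request.auth.isAuthenticated` on its own cannot tell a request that arrived without credentials apart from a deployment where the security plugin is disabled; as the thread below notes, `isAuthenticated` is then always false, so this guard would skip toggling capabilities in exactly the case where toggling should still run. Consider checking whether security is enabled (Spaces declares an optional dependency on it) and only skipping when security is enabled and the request is unauthenticated.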
Member


We may have to check if security is enabled before bailing here. Luckily (?), Spaces declares an optional dependency on security, so we can check if security is enabled, and if it is, whether the request is authenticated.

Contributor Author

@mshustov mshustov Mar 24, 2020


@legrego our tests verify another behavior.

const expected = mapValues(uiCapabilities.value!.catalogue, () => true);

It seems that it doesn't rely on the security plugin's availability.

Member


Our goal here is to skip toggling capabilities if we don't have credentials, but would otherwise need them in order to perform the capabilities check. We used to silently fail in the past, but we made this more explicit in #57693 (comment).

So we need to figure out a way to determine if credentials are required in order to toggle capabilities. Prior to #58589, we had two distinct routes to retrieve capabilities: one which required auth, and another which didn't. This made the check easy for us here, but it's no longer sufficient now that we have a single route with optional auth.

When security is disabled, then I believe request.auth.isAuthenticated will always be false, but in this case, we will still want to attempt to toggle capabilities.

When security is enabled, then we only want to attempt to toggle capabilities when request.auth.isAuthenticated is true.

Contributor Author


> When security is disabled, then I believe request.auth.isAuthenticated will always be false, but in this case, we will still want to attempt to toggle capabilities.

It sounds like you want to know the AuthState, which is available via the auth API,
and you need to retrieve capabilities for authenticated & unknown statuses. Is that right? Moreover, the Spaces plugin will log the same warning. Then the current PR can wait, or we can even keep the current behavior from master.

Member


> When security is disabled, then I believe request.auth.isAuthenticated will always be false, but in this case, we will still want to attempt to toggle capabilities.
>
> It sounds like you want to know the AuthState, which is available via the auth API,
> and you need to retrieve capabilities for authenticated & unknown statuses. Is that right? Moreover, the Spaces plugin will log the same warning.

Yes, that sounds correct to me

> Then the current PR can wait, or we can even keep the current behavior from master.

Perhaps it'd be worthwhile to reduce this message from warn to debug then, if this is a message we're going to expect in certain conditions. I don't want to pollute the logs unnecessarily.
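The decision worked out in the thread above (skip the privilege check only when security is enabled and the request carries no credentials, always attempt it when security is disabled, and record the skipped case at debug rather than warn), written out as an added example. This is not Kibana's code: FakeRequest, Logger, decideCapabilitiesToggle, toggleCapabilities and makeRecordingLogger are assumed stand-ins, and treating any authRequired value other than true as "may arrive without credentials" is an assumption.

```typescript
// Added example, not Kibana's code. Models the decision the Spaces capabilities
// switcher has to make for a route with optional auth. FakeRequest, Logger and
// the function names are assumed stand-ins for the real KibanaRequest/logger.

type AuthRequired = true | false | 'optional';

interface FakeRequest {
  route: { path: string; options: { authRequired: AuthRequired } };
  auth: { isAuthenticated: boolean };
}

interface Logger { debug(msg: string): void; warn(msg: string): void; }

type Decision = 'toggle' | 'skip-unauthenticated';

// securityEnabled models Spaces' optional dependency on the Security plugin.
// Assumption: any authRequired other than `true` means the request may arrive
// without credentials, so `false` and 'optional' are both treated as anonymous.
function decideCapabilitiesToggle(request: FakeRequest, securityEnabled: boolean): Decision {
  const isAnonymousRequest = request.route.options.authRequired !== true;
  if (securityEnabled && isAnonymousRequest && !request.auth.isAuthenticated) {
    // No credentials to forward to _has_privileges: expected on /login, so skip.
    return 'skip-unauthenticated';
  }
  // With security disabled isAuthenticated is always false (per the thread),
  // but the switcher must still run, so every other case toggles.
  return 'toggle';
}

// Runs the decision and records the skipped case at debug, not warn: the PR's
// conclusion is that it is expected behaviour, not an error worth a warning.
function toggleCapabilities(request: FakeRequest, securityEnabled: boolean, log: Logger): Decision {
  const decision = decideCapabilitiesToggle(request, securityEnabled);
  if (decision === 'skip-unauthenticated') {
    log.debug(`Skipping capabilities toggle for unauthenticated request to ${request.route.path}`);
  }
  return decision;
}

// Collects log calls so the behaviour can be checked without a real logger.
function makeRecordingLogger(): Logger & { lines: string[] } {
  const lines: string[] = [];
  return {
    lines,
    debug: (m) => { lines.push(`debug: ${m}`); },
    warn: (m) => { lines.push(`warn: ${m}`); },
  };
}
```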

@legrego legrego changed the title do not switch capabilities for resources with optional auth do not warn when switching capabilities for resources with optional auth Mar 24, 2020
@kibanamachine
Contributor

💚 Build Succeeded


@mshustov mshustov merged commit f371acf into elastic:master Mar 24, 2020
@mshustov mshustov deleted the warn-switch-capabilities branch March 24, 2020 15:12
mshustov added a commit to mshustov/kibana that referenced this pull request Mar 24, 2020
…uth (elastic#61043)

* do not switch capabilities for optional routes

* downgrade message to debug
@liza-mae
Contributor

Thanks for setting up a PR to fix this; I was seeing this message on master and 7.x when I would log in or log out.

I am seeing this error in the logs when I log in or out of Kibana; is it expected, or is it an issue?
{"type":"log","@timestamp":"2020-03-23T19:17:47+00:00","tags":["warning","plugins","spaces"],"pid":18348,"message":"Error toggling capabilities for request to /api/core/capabilities: [security_exception] missing authentication credentials for REST request [/_security/user/_has_privileges], with { header={ WWW-Authenticate={ 0="ApiKey" & 1="Basic realm=\"security\" charset=\"UTF-8\"" } } } :: {"path":"/_security/user/_has_privileges","query":{},"body":"{\"applications\":[{\"application\":\"kibana-.kibana\",\"resources\":[\"space:default\"],\"privileges\":[\"version:8.0.0-SNAPSHOT\",\"login:\"]}]}","statusCode":401,"response":"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"missing authentication credentials for REST request [/_security/user/_has_privileges]\",\"header\":{\"WWW-Authenticate\":[\"ApiKey\",\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"]}}],\"type\":\"security_exception\",\"reason\":\"missing authentication credentials for REST request [/_security/user/_has_privileges]\",\"header\":{\"WWW-Authenticate\":[\"ApiKey\",\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"]}},\"status\":401}","wwwAuthenticateDirective":"ApiKey, Basic realm=\"security\" charset=\"UTF-8\""}"}

@mshustov
Contributor Author

@liza-mae yes, as stated in the PR title:

> UPDATED: based on a conversation with @legrego: it's expected behavior, and we should downgrade log level to avoid confusion.

@liza-mae
Contributor

Thanks @restrry!

mshustov added a commit that referenced this pull request Mar 24, 2020
…uth (#61043) (#61090)

* do not switch capabilities for optional routes

* downgrade message to debug
Labels
chore release_note:skip Skip the PR/issue when compiling release notes Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v7.7.0 v8.0.0