WebUI inaccessible after upgrading to 3.1.0-0-RC1 (elastic4play and Play exceptions) #674

Closed
christophetd opened this issue Aug 15, 2018 · 9 comments
@christophetd
WebUI inaccessible after upgrading to 3.1.0-0-RC1: "Operation not supported" from elastic4play + "No configuration setting found" from Play

Request Type

Bug

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Ubuntu 16.04 |
| OS version (client) | Ubuntu |
| TheHive version / git hash | 3.1.0-0.1RC1 |
| Package Type | Docker |

Problem Description

After upgrading The Hive from 3.0.9 to 3.1.0-0-RC1, I'm running into issues and hive fails to start. Here are the errors I get in the logs:

thehive_1        | [info] p.c.s.AkkaHttpServer - Listening for HTTP on /0.0.0.0:9000
thehive_1        | [info] p.c.s.AkkaHttpServer - Listening for HTTPS on /0.0.0.0:9443
thehive_1        | [error] o.e.s.a.MultiAuthSrv - Authentication failure
thehive_1        | org.elastic4play.AuthenticationError: Operation not supported
thehive_1        |      at org.elastic4play.services.AuthSrv.authenticate(UserSrv.scala:44)
thehive_1        |      at org.elastic4play.services.AuthSrv.authenticate$(UserSrv.scala:44)
thehive_1        |      at org.elastic4play.services.auth.LdapAuthSrv.authenticate(LdapAuthSrv.scala:108)

I did not try to authenticate to the web UI, so I believe this is due to Hive failing to connect to the LDAP server (for which the credentials are correct).

I also have a second issue, which I believe is not related: the web UI is not accessible on HTTPS (on port 9443) but only via HTTP via port 9000, and the following error occurs:

Caused by: com.typesafe.config.ConfigException$Missing: No configuration setting found for key 'play.server.https.trustStore.path'
thehive_1        |      at com.typesafe.config.impl.SimpleConfig.findKeyOrNull(SimpleConfig.java:156)
thehive_1        |      at com.typesafe.config.impl.SimpleConfig.findOrNull(SimpleConfig.java:174)
thehive_1        |      at com.typesafe.config.impl.SimpleConfig.findOrNull(SimpleConfig.java:180)

I did not change my application.conf, and it is correctly mounted inside the container. The relevant section reads:

play.server.https.keyStore {
  path: "/var/certs/hive.jks"
  type: "JKS"
  password: "redacted"
}

(the file /var/certs/hive.jks exists and is correctly mounted inside the container)

Steps to Reproduce

  1. step 1
  2. step 2
  3. step 3...

Possible Solutions

First error seems to come from elastic4play, so maybe it is due to the upgrade of elastic4play version (1f99c4d)

Complementary information

  • The API seems to work even with these errors (at least it returns 20x HTTP codes), but the web UI doesn't respond
  • For now I reverted my Hive instance to the previous version

Any suggestion welcome, thanks

@3c7
3c7 commented Aug 15, 2018

For the https issue, please try to change play.server.https.keyStore to play.server.https.trustStore. I'm not familiar with that, but the error message indicates that somehow. :)

@christophetd
Author

christophetd commented Aug 16, 2018

Tried with the following application.conf:

play.server.https.trustStore {
  path: "/var/certs/hive.jks"
  type: "JKS"
  password: "redacted"
}

And I still get the same errors:

thehive_1        | [error] o.e.s.a.MultiAuthSrv - Authentication failure
thehive_1        | org.elastic4play.AuthenticationError: Operation not supported
thehive_1        |      at org.elastic4play.services.AuthSrv.authenticate(UserSrv.scala:44)
thehive_1        |      at org.elastic4play.services.AuthSrv.authenticate$(UserSrv.scala:44)
thehive_1        |      at org.elastic4play.services.auth.LdapAuthSrv.authenticate(LdapAuthSrv.scala:108)
thehive_1        |      at org.elastic4play.services.auth.MultiAuthSrv.$anonfun$authenticate$2(MultiAuthSrv.scala:62)
thehive_1        |      at org.elastic4play.services.auth.MultiAuthSrv$$anonfun$$nestedInanonfun$forAllAuthProvider$1$1.applyOrElse(MultiAuthSrv.scala:46)
thehive_1        |      at org.elastic4play.services.auth.MultiAuthSrv$$anonfun$$nestedInanonfun$forAllAuthProvider$1$1.applyOrElse(MultiAuthSrv.scala:44)
thehive_1        |      at scala.concurrent.Future.$anonfun$recoverWith$1(Future.scala:413)
thehive_1        |      at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:37)
thehive_1        |      at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:60)
thehive_1        |      at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)


thehive_1        | [error] o.e.s.a.MultiAuthSrv - Authentication failure
thehive_1        | org.elastic4play.AuthenticationError: Operation not supported
thehive_1        |      at org.elastic4play.services.AuthSrv.authenticate(UserSrv.scala:44)
thehive_1        |      at org.elastic4play.services.AuthSrv.authenticate$(UserSrv.scala:44)
thehive_1        |      at org.elastic4play.services.auth.LdapAuthSrv.authenticate(LdapAuthSrv.scala:108)
thehive_1        |      at org.elastic4play.services.auth.MultiAuthSrv.$anonfun$authenticate$2(MultiAuthSrv.scala:62)
thehive_1        |      at org.elastic4play.services.auth.MultiAuthSrv$$anonfun$$nestedInanonfun$forAllAuthProvider$1$1.applyOrElse(MultiAuthSrv.scala:46)
thehive_1        |      at org.elastic4play.services.auth.MultiAuthSrv$$anonfun$$nestedInanonfun$forAllAuthProvider$1$1.applyOrElse(MultiAuthSrv.scala:44)
thehive_1        |      at scala.concurrent.Future.$anonfun$recoverWith$1(Future.scala:413)
thehive_1        |      at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:37)
thehive_1        |      at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:60)
thehive_1        |      at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)


thehive_1        | [error] a.a.OneForOneStrategy - No configuration setting found for key 'play.server.https.keyStore.path'
thehive_1        | akka.actor.ActorInitializationException: akka://application/system/StreamSupervisor-0/flow-23-1: exception during creation
thehive_1        |      at akka.actor.ActorInitializationException$.apply(Actor.scala:193)
thehive_1        |      at akka.actor.ActorCell.create(ActorCell.scala:671)
thehive_1        |      at akka.actor.ActorCell.invokeAll$1(ActorCell.scala:525)
thehive_1        |      at akka.actor.ActorCell.systemInvoke(ActorCell.scala:547)
thehive_1        |      at akka.dispatch.Mailbox.processAllSystemMessages(Mailbox.scala:282)
thehive_1        |      at akka.dispatch.Mailbox.run(Mailbox.scala:223)
thehive_1        |      at akka.dispatch.Mailbox.exec(Mailbox.scala:234)
thehive_1        |      at akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)
thehive_1        |      at akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)
thehive_1        |      at akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)

@christophetd
Author

I managed to get rid of the second error No configuration setting found for key by setting both play.server.https.keyStore.path and play.server.https.trustStore.path...

But the web UI still doesn't start and the other error stays:

thehive_1        | [error] o.e.s.a.MultiAuthSrv - Authentication failure
thehive_1        | org.elastic4play.AuthenticationError: Operation not supported
thehive_1        |      at org.elastic4play.services.AuthSrv.authenticate(UserSrv.scala:44)
thehive_1        |      at org.elastic4play.services.AuthSrv.authenticate$(UserSrv.scala:44)
thehive_1        |      at org.elastic4play.services.auth.LdapAuthSrv.authenticate(LdapAuthSrv.scala:108)
thehive_1        |      at org.elastic4play.services.auth.MultiAuthSrv.$anonfun$authenticate$2(MultiAuthSrv.scala:62)
thehive_1        |      at org.elastic4play.services.auth.MultiAuthSrv$$anonfun$$nestedInanonfun$forAllAuthProvider$1$1.applyOrElse(MultiAuthSrv.scala:46)
thehive_1        |      at org.elastic4play.services.auth.MultiAuthSrv$$anonfun$$nestedInanonfun$forAllAuthProvider$1$1.applyOrElse(MultiAuthSrv.scala:44)
thehive_1        |      at scala.concurrent.Future.$anonfun$recoverWith$1(Future.scala:413)
thehive_1        |      at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:37)
thehive_1        |      at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:60)
thehive_1        |      at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)

@To-om
Contributor

To-om commented Aug 20, 2018

Hi,
Your Operation not supported error means that you try an authentication using an API key with an LDAP provider. LDAP doesn't support API key authentication. You should add the local provider in application.conf: provider=[local,ldap]

For the SSL error, I've created an issue in elastic4play (TheHive-Project/elastic4play#64).
As a workaround, you can define a truststore containing your certificate authority.

@To-om To-om self-assigned this Aug 20, 2018
@To-om To-om added the bug label Aug 20, 2018
@christophetd
Author

christophetd commented Aug 20, 2018

Thank you for your answer!

> LDAP doesn't support API key authentication. You should add local provider in application.conf: provider=[local,ldap]

I added it (it used to be type=[local,ldap] instead of provider):

auth {
  provider = [local,ldap]
  ldap {
    serverName = "x.x.x.x:389"
    useSSL = false
    bindDN = "uid=ldap_browser,dc=...,dc=.."
    bindPW = "..."
    baseDN = "dc=..,dc=.."
    filter = "(&(objectClass=inetOrgPerson)(uid={0}))"
  }
}

But still getting the same error:

thehive_1        | [error] o.e.s.a.MultiAuthSrv - Authentication failure
thehive_1        | org.elastic4play.AuthenticationError: Operation not supported
thehive_1        |      at org.elastic4play.services.AuthSrv.authenticate(UserSrv.scala:44)
thehive_1        |      at org.elastic4play.services.AuthSrv.authenticate$(UserSrv.scala:44)
thehive_1        |      at org.elastic4play.services.auth.LdapAuthSrv.authenticate(LdapAuthSrv.scala:108)
thehive_1        |      at org.elastic4play.services.auth.MultiAuthSrv.$anonfun$authenticate$2(MultiAuthSrv.scala:62)
thehive_1        |      at org.elastic4play.services.auth.MultiAuthSrv$$anonfun$$nestedInanonfun$forAllAuthProvider$1$1.applyOrElse(MultiAuthSrv.scala:46)
thehive_1        |      at org.elastic4play.services.auth.MultiAuthSrv$$anonfun$$nestedInanonfun$forAllAuthProvider$1$1.applyOrElse(MultiAuthSrv.scala:44)
thehive_1        |      at scala.concurrent.Future.$anonfun$recoverWith$1(Future.scala:413)
thehive_1        |      at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:37)
thehive_1        |      at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:60)
thehive_1        |      at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)

@christophetd
Author

It's worth noting that I also sometimes (but not always) get this error:

thehive_1        | [error] o.e.s.a.LdapAuthSrv - LDAP authentication failure
thehive_1        | org.elastic4play.AuthenticationError: User not found in LDAP server
thehive_1        |      at org.elastic4play.services.auth.LdapConnection.$anonfun$getUserDN$1(LdapAuthSrv.scala:67)
thehive_1        |      at scala.util.Try$.apply(Try.scala:209)
thehive_1        |      at org.elastic4play.services.auth.LdapConnection.getUserDN(LdapAuthSrv.scala:61)
thehive_1        |      at org.elastic4play.services.auth.LdapConnection.$anonfun$authenticate$1(LdapAuthSrv.scala:73)
thehive_1        |      at org.elastic4play.services.auth.LdapConnection.$anonfun$connect$2(LdapAuthSrv.scala:49)
thehive_1        |      at scala.util.Try$.apply(Try.scala:209)
thehive_1        |      at org.elastic4play.services.auth.LdapConnection.$anonfun$connect$1(LdapAuthSrv.scala:47)
thehive_1        |      at scala.collection.LinearSeqOptimized.foldLeft(LinearSeqOptimized.scala:122)
thehive_1        |      at scala.collection.LinearSeqOptimized.foldLeft$(LinearSeqOptimized.scala:118)
thehive_1        |      at scala.collection.immutable.List.foldLeft(List.scala:86)

(I do not log in via the web UI at the same time)
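
A small triage helper for the log lines quoted in this thread, added here as an example (it is not code from TheHive or elastic4play): it groups each [error] header with the exception that follows it and reports which class from the org.elastic4play.services.auth package appears in the trace, which separates the three distinct failures discussed above. The function names are hypothetical and the sample is a constructed, trimmed excerpt of the thread's logs.

```python
import re
from collections import Counter

# Constructed excerpt of the log lines quoted in this thread (stack frames trimmed).
SAMPLE_LOG = """\
thehive_1        | [info] p.c.s.AkkaHttpServer - Listening for HTTP on /0.0.0.0:9000
thehive_1        | [error] o.e.s.a.MultiAuthSrv - Authentication failure
thehive_1        | org.elastic4play.AuthenticationError: Operation not supported
thehive_1        |      at org.elastic4play.services.AuthSrv.authenticate(UserSrv.scala:44)
thehive_1        |      at org.elastic4play.services.auth.LdapAuthSrv.authenticate(LdapAuthSrv.scala:108)
thehive_1        | [error] o.e.s.a.MultiAuthSrv - Authentication failure
thehive_1        | org.elastic4play.AuthenticationError: Operation not supported
thehive_1        |      at org.elastic4play.services.AuthSrv.authenticate(UserSrv.scala:44)
thehive_1        |      at org.elastic4play.services.auth.LdapAuthSrv.authenticate(LdapAuthSrv.scala:108)
thehive_1        | [error] o.e.s.a.LdapAuthSrv - LDAP authentication failure
thehive_1        | org.elastic4play.AuthenticationError: User not found in LDAP server
thehive_1        |      at org.elastic4play.services.auth.LdapConnection.$anonfun$getUserDN$1(LdapAuthSrv.scala:67)
thehive_1        | [error] a.a.OneForOneStrategy - No configuration setting found for key 'play.server.https.keyStore.path'
thehive_1        | akka.actor.ActorInitializationException: akka://application/system/StreamSupervisor-0/flow-23-1: exception during creation
"""

PREFIX = re.compile(r"^\S+\s+\|\s?")                 # docker-compose "thehive_1   | "
HEADER = re.compile(r"^\[(\w+)\] (\S+) - (.*)$")     # "[error] logger - message"
EXC = re.compile(r"^([\w.$]+(?:Error|Exception)): (.*)$")
FRAME = re.compile(r"^\s+at ([\w.$]+)\(")
AUTH_PKG = "org.elastic4play.services.auth."

def parse_events(text):
    """Group every [error] header with the exception line and frames that follow it."""
    events, cur = [], None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if m := HEADER.match(line):
            cur = None                               # non-error headers end the current event
            if m.group(1) == "error":
                cur = {"logger": m.group(2), "message": m.group(3),
                       "exception": None, "detail": None, "frames": []}
                events.append(cur)
        elif cur is not None and (m := FRAME.match(line)):
            cur["frames"].append(m.group(1))
        elif cur is not None and cur["exception"] is None and (m := EXC.match(line)):
            cur["exception"], cur["detail"] = m.groups()
    return events

def summarize(events):
    """Count events by (header message, exception detail, first auth-package class)."""
    def auth_class(frames):
        hits = [f for f in frames if f.startswith(AUTH_PKG)]
        return re.split(r"[.$]", hits[0][len(AUTH_PKG):])[0] if hits else None
    return Counter((e["message"], e["detail"], auth_class(e["frames"])) for e in events)
```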

@To-om To-om added this to the 3.1.0-RC2 milestone Aug 27, 2018
@To-om To-om closed this as completed Aug 27, 2018
@christophetd
Author

Any reason why you closed the issue @To-om?

@To-om
Contributor

To-om commented Aug 27, 2018

Because the issue is fixed in TheHive 3.1.0-RC2 (planned in a few minutes)

@christophetd
Author

Great! Thank you for your responsiveness.
