Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add API key ID to error message for invalid credentials #94999

Merged
merged 1 commit into from
Apr 5, 2023
Merged

Add API key ID to error message for invalid credentials #94999

merged 1 commit into from
Apr 5, 2023

Conversation

ywangd
Copy link
Member

@ywangd ywangd commented Apr 4, 2023

When the credentials fails to verify, the error message does not tell which API key fails. This makes it hard for users to fix the issue. This PR adds the API key ID to the error message to help with the situation.

@ywangd
Add API key ID to error message for invalid credentials
df8adcc 
When the credentials fails to verify, the error message does not tell
which API key fails. This makes it hard for users to fix the issue. This
PR adds the API key ID to the error message to help with the situation.
@ywangd ywangd added >non-issue :Security/Security Security issues without another label v8.8.0 labels Apr 4, 2023
@ywangd ywangd requested a review from n1v0lg April 4, 2023 06:07
@elasticsearchmachine elasticsearchmachine added the Team:Security Meta label for security team label Apr 4, 2023
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

n1v0lg
n1v0lg approved these changes Apr 4, 2023
View reviewed changes
Copy link
Contributor

@n1v0lg n1v0lg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

I'm wondering if it makes sense to more broadly tweak our generic error message for such cases:

elasticsearch/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/AuthenticatorChain.java

Lines 299 to 303 in 295c6f0

final ElasticsearchSecurityException eseWithPreviousCredentials = new ElasticsearchSecurityException(
"unable to authenticate with provided credentials and anonymous access is not allowed for this request",
ese.status(),
ese.getCause()
);

to include the principal of the most recent authentication token, when available. It's orthogonal, but could potentially cover more useful cases. So something like:

final ElasticsearchSecurityException eseWithPreviousCredentials = new ElasticsearchSecurityException(
    "unable to authenticate with provided credentials with ID [" + getPrincipalOfMostRecentTokenIfAvailable() + "] and anonymous access is not allowed for this request",
    ese.status(),
    ese.getCause()
);

@ywangd
Copy link
Member Author

ywangd commented Apr 5, 2023

I'm wondering if it makes sense to more broadly tweak our generic error message for such cases

Probably. But the original intention for authentication chain is that multiple authentication tokens can be extracted by different Authenticators. That's why Authenticator.Context.authenticationTokens is a List<AuthenticationToken>. But we never got the chance to actually implement the rest of it. So right now it has only 0 or 1 AuthenticationToken. If we ever going to have mulitple authenticaiton tokens, it would be a bit cubmersome to squeeze them all into the single error message. So right now the structure is to let each individual additional_unsuccessful_credentials report more details. I think we will always need the credential ID in the additional messages because otherwise it is not clear which credentials failed for a specific additional message. In this case, listing the credentials IDs in the overall message again is sorta redundant.

@ywangd ywangd merged commit fbd2b1e into elastic:main Apr 5, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@n1v0lg n1v0lg n1v0lg approved these changes

Assignees
No one assigned
Labels
>non-issue :Security/Security Security issues without another label Team:Security Meta label for security team v8.8.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ywangd @elasticsearchmachine @n1v0lg