
SSO: Authentication module not found #181

Closed
adl1995 opened this issue Mar 28, 2019 · 8 comments

adl1995 (Contributor) commented Mar 28, 2019

Request Type

Bug

Problem Description

When trying to use single sign-on for Cortex (branch: develop), this error message appears in the logs:

```
[error] o.t.c.s.CortexAuthSrv - Authentication module oauth2 not found
```

I added oauth2 and sso in auth configuration:

```hocon
auth {
  # "provider" parameter contains authentication provider. It can be multi-valued (useful for migration)
  # available auth types are:
  # services.LocalAuthSrv : passwords are stored in user entity (in Elasticsearch). No configuration is required.
  # services.OAuth2Srv : requires adding configuration including the client ID, client secret, and the redirect URL.
  # ad : use ActiveDirectory to authenticate users. Configuration is under "auth.ad" key
  # ldap : use LDAP to authenticate users. Configuration is under "auth.ldap" key
  provider = ["local", "oauth2"]

  oauth2 {
    # Client ID for OAuth2.
    clientId = "ID"

    # Client secret for OAuth2.
    clientSecret = "Secret"

    # Client redirect URI for OAuth2.
    redirectUri = "URI"

    # Client response type for OAuth2.
    responseType = "code"

    # Grant type used for OAuth2.
    grantType = "authorization_code"

    # URL of the authorization server.
    authorizationUrl = "URL"

    # URL from where to get the access token.
    tokenUrl = "URL"

    # User URL used for creating the request header.
    userUrl = "URL"

    # Scope for OAuth2.
    scope = "read:user"
  }

  sso {
    # Name of mapping class from user resource to backend user.
    mapper = "group"

    autocreate = true

    defaultRoles = []

    autologin = true

    attributes {
      login = "username"
      name = "name"
      groups = "groups"
    }

    groups {
      url = "URL"
      mappings {
        it-dep-di-cso = ["admin"],
      }
    }
  }
}
```

Detailed logs

```
[info] o.r.Reflections - Reflections took 205 ms to scan 2 urls, producing 97 keys and 913 values 
[info] module - Loading model class org.thp.cortex.models.WorkerModel
[info] module - Loading model class org.elastic4play.services.AttachmentModel
[info] module - Loading model class org.thp.cortex.models.UserModel
[info] module - Loading model class org.thp.cortex.models.JobModel
[info] module - Loading model class org.thp.cortex.models.ReportModel
[info] module - Loading model class org.elastic4play.services.DBListModel
[info] module - Loading model class org.thp.cortex.models.AuditModel
[info] module - Loading model class org.thp.cortex.models.WorkerConfigModel
[info] module - Loading model class org.thp.cortex.models.OrganizationModel
[info] module - Loading model class org.thp.cortex.models.ArtifactModel
[info] a.e.s.Slf4jLogger - Slf4jLogger started
[info] o.e.p.PluginsService - no modules loaded
[info] o.e.p.PluginsService - loaded plugin [org.elasticsearch.index.reindex.ReindexPlugin]
[info] o.e.p.PluginsService - loaded plugin [org.elasticsearch.join.ParentJoinPlugin]
[info] o.e.p.PluginsService - loaded plugin [org.elasticsearch.percolator.PercolatorPlugin]
[info] o.e.p.PluginsService - loaded plugin [org.elasticsearch.script.mustache.MustachePlugin]
[info] o.e.p.PluginsService - loaded plugin [org.elasticsearch.transport.Netty3Plugin]
[info] o.e.p.PluginsService - loaded plugin [org.elasticsearch.transport.Netty4Plugin]
[info] i.n.u.i.PlatformDependent - Your platform does not provide complete low-level API for accessing direct buffers reliably. Unless explicitly requested, heap buffer will always be preferred to avoid potential system instability.
[error] o.t.c.s.CortexAuthSrv - Authentication module oauth2 not found
```
@To-om To-om self-assigned this Apr 3, 2019
To-om (Contributor) commented Apr 3, 2019

If Cortex says that module oauth2 is not found, it means that class org.thp.cortex.services.OAuth2Srv is not found. I can't reproduce this problem.

I've just added a message at startup which lists the available authentication modules.
Please check that you see `[info] module - Loading authentication module class org.thp.cortex.services.OAuth2Srv` when you start Cortex. You must have commit 0224539.

adl1995 (Contributor, Author) commented Apr 4, 2019

Thanks, after rebuilding the package, I don't get the error message as before.

However, I'm now getting an error from elastic4play: "Attribute organization is missing". Full log:

```
org.elastic4play.AuthenticationError: Authentication failure
        at org.elastic4play.controllers.Authenticated.$anonfun$getContext$4(Authenticated.scala:261)
        at scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:307)
        at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:41)
        at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:64)
        at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
        at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)
        at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23)
        at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:85)
        at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
        at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40)
[error] o.e.s.a.MultiAuthSrv - Authentication failure
org.elastic4play.AttributeCheckingError: [Attribute organization is missing]
        at org.elastic4play.services.CreateSrv.$anonfun$checkAttributes$7(CreateSrv.scala:47)
        at org.scalactic.Bad.fold(Or.scala:1387)
        at org.elastic4play.services.CreateSrv.checkAttributes(CreateSrv.scala:47)
        at org.elastic4play.services.CreateSrv.$anonfun$processAttributes$1(CreateSrv.scala:52)
        at scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:307)
        at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:41)
        at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:64)
        at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
        at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)
        at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23)
[info] o.t.c.s.ErrorHandler - POST /api/ssoLogin?code=126a900983d2493980ad1b42f5554bc1ebe79b3380874ade85434094c7856b9f returned 401
org.elastic4play.AuthenticationError: Authentication failure
        at org.elastic4play.services.auth.MultiAuthSrv$$anonfun$authenticate$6.applyOrElse(MultiAuthSrv.scala:75)
        at org.elastic4play.services.auth.MultiAuthSrv$$anonfun$authenticate$6.applyOrElse(MultiAuthSrv.scala:71)
        at scala.concurrent.Future.$anonfun$recoverWith$1(Future.scala:417)
        at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:41)
        at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:64)
        at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
        at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)
        at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23)
        at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:85)
        at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
[error] o.e.c.Authenticated - Authentication failure:
        session: AuthenticationError User session not found
        pki: AuthenticationError Certificate authentication is not configured
        key: AuthenticationError Only bearer authentication is supported
        init: AuthenticationError Use of initial user is forbidden because users exist in database
```

My configuration for oauth2 is:

```hocon
oauth2 {
  # Client ID for OAuth2.
  clientId = "<ID>"

  # Client secret for OAuth2.
  clientSecret = "<SECRET>"

  # Client redirect URI for OAuth2.
  redirectUri = "<URL>"

  # Client response type for OAuth2.
  responseType = "code"

  # Grant type used for OAuth2.
  grantType = "authorization_code"

  # URL of the authorization server.
  authorizationUrl = "<URL>"

  # URL from where to get the access token.
  tokenUrl = "<URL>"

  # User URL used for creating the request header.
  userUrl = "<URL>"

  # Scope for OAuth2.
  scope = "read:user"
}

sso {
  # Name of mapping class from user resource to backend user.
  mapper = "group"

  autocreate = true

  defaultRoles = []

  autologin = true

  attributes {
    login = "username"
    name = "name"
    groups = "groups"
  }

  groups {
    url = "<URL>"
    mappings {
      users = ["read", "analyze"],
    }
  }
}
```

These authentication modules are being loaded at startup:

```
[info] module - Loading authentication module class org.thp.cortex.services.KeyAuthSrv
[info] module - Loading authentication module class org.elastic4play.services.auth.LdapAuthSrv
[info] module - Loading authentication module class org.thp.cortex.services.LocalAuthSrv
[info] module - Loading authentication module class org.elastic4play.services.auth.ADAuthSrv
[info] module - Loading authentication module class org.thp.cortex.services.OAuth2Srv
```

To-om (Contributor) commented Apr 4, 2019

The automatic user creation doesn't work because a user must be assigned to an organization (I've used userMapper from TheHive, which doesn't have an organization). I'll add two more settings:

  • auth.sso.attributes.organization, which defines which attribute contains the organization
  • auth.sso.defaultOrganization, which defines the default organization (if none is provided by the OAuth2 server).

@To-om To-om added the bug label Apr 4, 2019
@To-om To-om added this to the 3.0.0 milestone Apr 4, 2019
To-om (Contributor) commented Apr 4, 2019

@adl1995 can you check and confirm this fixes your issue?

adl1995 (Contributor, Author) commented Apr 4, 2019

I'm now getting a different error message: "User info fails".

Full log:

```
[error] o.e.c.Authenticated - Authentication failure:
        session: AuthenticationError User session not found
        pki: AuthenticationError Certificate authentication is not configured
        key: AuthenticationError Authentication header not found
        init: AuthenticationError Use of initial user is forbidden because users exist in database
[info] o.t.c.s.ErrorHandler - GET /api/user/current returned 401
org.elastic4play.AuthenticationError: Authentication failure
        at org.elastic4play.controllers.Authenticated.$anonfun$getContext$4(Authenticated.scala:261)
        at scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:307)
        at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:41)
        at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:64)
        at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
        at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)
        at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23)
        at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:85)
        at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
        at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40)
[error] o.e.s.a.MultiAuthSrv - Authentication failure
org.elastic4play.AuthenticationError: User info fails: 
        at org.thp.cortex.services.mappers.GroupUserMapper.$anonfun$getUserFields$3(GroupUserMapper.scala:68)
        at scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:307)
        at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:41)
        at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:64)
        at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
        at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)
        at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23)
        at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:85)
        at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
        at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40)
[info] o.t.c.s.ErrorHandler - POST /api/ssoLogin?code=b379c0c07ba94ed1bc77ebe9f053cd7303384cb8c43c4595a9ca1a4fc9eb260f returned 401
org.elastic4play.AuthenticationError: Authentication failure
        at org.elastic4play.services.auth.MultiAuthSrv$$anonfun$authenticate$6.applyOrElse(MultiAuthSrv.scala:75)
        at org.elastic4play.services.auth.MultiAuthSrv$$anonfun$authenticate$6.applyOrElse(MultiAuthSrv.scala:71)
        at scala.concurrent.Future.$anonfun$recoverWith$1(Future.scala:417)
        at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:41)
        at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:64)
        at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
        at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)
        at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23)
        at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:85)
        at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
[error] o.e.c.Authenticated - Authentication failure:
        session: AuthenticationError User session not found
        pki: AuthenticationError Certificate authentication is not configured
        key: AuthenticationError Only bearer authentication is supported
        init: AuthenticationError Use of initial user is forbidden because users exist in database
[info] o.t.c.s.ErrorHandler - GET /api/user/current returned 401
org.elastic4play.AuthenticationError: Authentication failure
        at org.elastic4play.controllers.Authenticated.$anonfun$getContext$4(Authenticated.scala:261)
        at scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:307)
        at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:41)
        at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:64)
        at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
        at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)
        at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23)
        at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:85)
        at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
        at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40)
```

My attributes now contain:

```hocon
attributes {
  login = "username"
  name = "name"
  groups = "groups"
  organization = "cortex"
}
```

To-om (Contributor) commented Apr 4, 2019

Does your OAuth2 server really return an object with a "cortex" attribute (which contains the organization name)?
I think your settings are wrong; they should be:

```hocon
sso {
  [...]
  attributes {
    login = "username"
    name = "name"
    groups = "groups"
  }
  defaultOrganization = "cortex"
}
```
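To make the distinction in the two comments above concrete (`auth.sso.attributes.organization` names a key to read from the OAuth2 user-info response, while `auth.sso.defaultOrganization` is a literal value used when the response carries none), here is a small Python model of a "group" user mapper. It is added example code, not Cortex's GroupUserMapper; the `SsoSettings` class, `map_user` function, sample user-info and the `WRONG`/`RIGHT` settings are assumptions for illustration only.

```python
from typing import Dict, List, Optional
from dataclasses import dataclass, field


class AttributeCheckingError(Exception):
    """Mapping could not fill a backend attribute the user entity requires."""


@dataclass
class SsoSettings:
    # auth.sso.attributes.*: names of keys to READ from the IdP's user-info JSON.
    login_attr: str = "username"
    name_attr: str = "name"
    groups_attr: str = "groups"
    organization_attr: Optional[str] = None  # auth.sso.attributes.organization
    # auth.sso.defaultOrganization: a literal VALUE used when the IdP gives none.
    default_organization: Optional[str] = None
    # auth.sso.groups.mappings (group -> roles) and auth.sso.defaultRoles
    group_mappings: Dict[str, List[str]] = field(default_factory=dict)
    default_roles: List[str] = field(default_factory=list)


def map_user(user_info: dict, s: SsoSettings) -> dict:
    """Turn a user-info response into the fields of a backend user (model only)."""
    # Organization: attribute from the IdP first, then the configured default.
    organization = None
    if s.organization_attr is not None:
        organization = user_info.get(s.organization_attr)
    if organization is None:
        organization = s.default_organization
    if organization is None:
        # Same condition as the thread's AttributeCheckingError: a user cannot
        # be auto-created without an organization.
        raise AttributeCheckingError("Attribute organization is missing")
    # Roles: union of the roles mapped from each IdP group, else defaultRoles.
    roles: List[str] = []
    for group in user_info.get(s.groups_attr, []):
        for role in s.group_mappings.get(group, []):
            if role not in roles:
                roles.append(role)
    if not roles:
        roles = list(s.default_roles)
    login = user_info[s.login_attr]
    return {"login": login, "name": user_info.get(s.name_attr, login),
            "organization": organization, "roles": roles}


# Constructed user-info response, shaped like what an IdP might return for userUrl.
SAMPLE_USER_INFO = {"username": "alice", "name": "Alice", "groups": ["users"]}

# Misconfiguration from the thread: "cortex" treated as an attribute NAME to look up.
WRONG = SsoSettings(organization_attr="cortex", group_mappings={"users": ["read", "analyze"]})
# Fix suggested in the thread: "cortex" is the default organization VALUE.
RIGHT = SsoSettings(default_organization="cortex", group_mappings={"users": ["read", "analyze"]})
```

With `WRONG`, the lookup of a "cortex" key in the user-info finds nothing and no default exists, so the mapping fails; with `RIGHT`, the user lands in organization "cortex" with the roles mapped from the "users" group.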

adl1995 (Contributor, Author) commented Apr 4, 2019

That fixed the issue.

Will close this issue now. Thanks a lot!

@adl1995 adl1995 closed this as completed Apr 4, 2019
ananth07reddy commented

Hi,
When we use the groups mapper, should we use group.uri? If so, how do we get that URI from the Keycloak provider? Does Cortex work with a simpler mapper like TheHive?

Please kindly provide a full example config that I can understand, because I see that group.uri is used in the first question itself, but after that I don't see anything about it in the discussion.
