[Flaky test]: apis Kerberos security Kerberos authentication finishing SPNEGO should properly set cookie and authenticate user #68836

Closed
spalger opened this issue Jun 10, 2020 · 7 comments · Fixed by #69123
Labels: blocker, failed-test (A test failure on a tracked branch, potentially flaky-test), skipped-test, Team:Security (Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!), v7.9.0

Comments

@spalger
Contributor

spalger commented Jun 10, 2020

We have a flaky test that has only shown up on PRs but is very flaky, failing 48 times in the last 24 hours:

image

stack trace

{ Error: expected { username: 'tester@TEST.ELASTIC.CO',
  roles: [ 'kibana_admin', 'superuser_anonymous' ],
  full_name: null,
  email: null,
  metadata:
   { kerberos_user_principal_name: 'tester@TEST.ELASTIC.CO',
     kerberos_realm: 'TEST.ELASTIC.CO' },
  enabled: true,
  authentication_realm: { name: 'kerb1', type: 'kerberos' },
  lookup_realm: { name: 'kerb1', type: 'kerberos' },
  authentication_provider: 'kerberos' } response body, got { username: 'tester@TEST.ELASTIC.CO',
  roles: [ 'kibana_admin' ],
  full_name: null,
  email: null,
  metadata:
   { kerberos_user_principal_name: 'tester@TEST.ELASTIC.CO',
     kerberos_realm: 'TEST.ELASTIC.CO' },
  enabled: true,
  authentication_realm: { name: 'kerb1', type: 'kerberos' },
  lookup_realm: { name: 'kerb1', type: 'kerberos' },
  authentication_provider: 'kerberos' }
    at error (/dev/shm/workspace/kibana/node_modules/supertest/lib/test.js:301:13)
    at Test._assertBody (/dev/shm/workspace/kibana/node_modules/supertest/lib/test.js:205:14)
    at Test._assertFunction (/dev/shm/workspace/kibana/node_modules/supertest/lib/test.js:283:11)
    at Test.assert (/dev/shm/workspace/kibana/node_modules/supertest/lib/test.js:173:18)
    at assert (/dev/shm/workspace/kibana/node_modules/supertest/lib/test.js:131:12)
    at /dev/shm/workspace/kibana/node_modules/supertest/lib/test.js:128:5
    at Test.Request.callback (/dev/shm/workspace/kibana/node_modules/superagent/lib/node/index.js:706:12)
    at parser (/dev/shm/workspace/kibana/node_modules/superagent/lib/node/index.js:906:18)
    at IncomingMessage.res.on (/dev/shm/workspace/kibana/node_modules/superagent/lib/node/parsers/json.js:19:7)
    at endReadableNT (_stream_readable.js:1145:12)
    at process._tickCallback (internal/process/next_tick.js:63:19)
  expected:
   '{\n  "authentication_provider": "kerberos"\n  "authentication_realm": {\n    "name": "kerb1"\n    "type": "kerberos"\n  }\n  "email": [null]\n  "enabled": true\n  "full_name": [null]\n  "lookup_realm": {\n    "name": "kerb1"\n    "type": "kerberos"\n  }\n  "metadata": {\n    "kerberos_realm": "TEST.ELASTIC.CO"\n    "kerberos_user_principal_name": "tester@TEST.ELASTIC.CO"\n  }\n  "roles": [\n    "kibana_admin"\n    "superuser_anonymous"\n  ]\n  "username": "tester@TEST.ELASTIC.CO"\n}',
  actual:
   '{\n  "authentication_provider": "kerberos"\n  "authentication_realm": {\n    "name": "kerb1"\n    "type": "kerberos"\n  }\n  "email": [null]\n  "enabled": true\n  "full_name": [null]\n  "lookup_realm": {\n    "name": "kerb1"\n    "type": "kerberos"\n  }\n  "metadata": {\n    "kerberos_realm": "TEST.ELASTIC.CO"\n    "kerberos_user_principal_name": "tester@TEST.ELASTIC.CO"\n  }\n  "roles": [\n    "kibana_admin"\n  ]\n  "username": "tester@TEST.ELASTIC.CO"\n}',
  showDiff: true }

stdout

[00:00:00]       │
[00:00:00]         └-: apis Kerberos
[00:00:00]           └-> "before all" hook
[00:00:00]           └-: security
[00:00:00]             └-> "before all" hook
[00:00:00]             └-: Kerberos authentication
[00:00:00]               └-> "before all" hook
[00:00:00]               └-> "before all" hook
[00:00:00]               └-> should reject API requests if client is not authenticated
[00:00:00]                 └-> "before each" hook: global before each
[00:00:00]                 │ info [o.e.x.s.a.AuthenticationService] [kibana-ci-immutable-ubuntu-18-tests-xl-1591824119815273470] Authentication of [<Kerberos Token>] was terminated by realm [kerb1] - failed to authenticate user, gss context negotiation failure
[00:00:00]                 │      org.elasticsearch.ElasticsearchSecurityException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationToken.unauthorized(KerberosAuthenticationToken.java:123) ~[x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.kerberos.KerberosRealm.handleException(KerberosRealm.java:190) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.kerberos.KerberosRealm.lambda$authenticate$1(KerberosRealm.java:175) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.action.ActionListener$1.onFailure(ActionListener.java:71) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.kerberos.KerberosTicketValidator.validateTicket(KerberosTicketValidator.java:101) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.kerberos.KerberosRealm.authenticate(KerberosRealm.java:156) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$consumeToken$15(AuthenticationService.java:449) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.xpack.core.common.IteratingActionListener.onResponse(IteratingActionListener.java:117) [x-pack-core-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$consumeToken$15(AuthenticationService.java:488) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.xpack.core.common.IteratingActionListener.run(IteratingActionListener.java:102) [x-pack-core-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.consumeToken(AuthenticationService.java:504) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$extractToken$11(AuthenticationService.java:416) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.extractToken(AuthenticationService.java:426) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$checkForApiKey$3(AuthenticationService.java:367) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:63) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.ApiKeyService.authenticateWithApiKeyIfPresent(ApiKeyService.java:314) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.checkForApiKey(AuthenticationService.java:347) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$authenticateAsync$0(AuthenticationService.java:329) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:63) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.TokenService.getAndValidateToken(TokenService.java:387) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$authenticateAsync$2(AuthenticationService.java:325) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$lookForExistingAuthentication$6(AuthenticationService.java:385) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lookForExistingAuthentication(AuthenticationService.java:396) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.authenticateAsync(AuthenticationService.java:320) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.AuthenticationService.authenticate(AuthenticationService.java:141) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.AuthenticationService.authenticate(AuthenticationService.java:126) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.rest.SecurityRestFilter.handleRequest(SecurityRestFilter.java:63) [x-pack-security-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:234) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.rest.RestController.tryAllHandlers(RestController.java:316) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:174) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.http.AbstractHttpServerTransport.dispatchRequest(AbstractHttpServerTransport.java:318) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.http.AbstractHttpServerTransport.handleIncomingRequest(AbstractHttpServerTransport.java:372) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.http.AbstractHttpServerTransport.incomingRequest(AbstractHttpServerTransport.java:308) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:42) [transport-netty4-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at org.elasticsearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:28) [transport-netty4-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:99) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at org.elasticsearch.http.netty4.Netty4HttpPipeliningHandler.channelRead(Netty4HttpPipeliningHandler.java:58) [transport-netty4-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103) [netty-codec-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103) [netty-codec-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.handler.codec.MessageToMessa
[00:00:00]                 │ info geCodec.channelRead(MessageToMessageCodec.java:111) [netty-codec-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103) [netty-codec-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103) [netty-codec-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:324) [netty-codec-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:296) [netty-codec-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:286) [netty-handler-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:615) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:578) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) [netty-transport-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) [netty-common-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.49.Final.jar:4.1.49.Final]
[00:00:00]                 │      	at java.lang.Thread.run(Thread.java:832) [?:?]
[00:00:00]                 │      Caused by: org.ietf.jgss.GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
[00:00:00]                 │      	at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97) ~[?:?]
[00:00:00]                 │      	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:325) ~[?:?]
[00:00:00]                 │      	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:303) ~[?:?]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.kerberos.KerberosTicketValidator.lambda$acceptSecContext$0(KerberosTicketValidator.java:143) ~[?:?]
[00:00:00]                 │      	at java.security.AccessController.doPrivileged(AccessController.java:691) ~[?:?]
[00:00:00]                 │      	at javax.security.auth.Subject.doAs(Subject.java:425) ~[?:?]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.kerberos.KerberosTicketValidator.lambda$doAsWrapper$2(KerberosTicketValidator.java:171) ~[?:?]
[00:00:00]                 │      	at java.security.AccessController.doPrivileged(AccessController.java:554) ~[?:?]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.kerberos.KerberosTicketValidator.doAsWrapper(KerberosTicketValidator.java:171) ~[?:?]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.kerberos.KerberosTicketValidator.acceptSecContext(KerberosTicketValidator.java:142) ~[?:?]
[00:00:00]                 │      	at org.elasticsearch.xpack.security.authc.kerberos.KerberosTicketValidator.validateTicket(KerberosTicketValidator.java:91) ~[?:?]
[00:00:00]                 │      	... 76 more
[00:00:00]                 │ proc [kibana]   log   [22:53:27.305] [info][authentication][plugins][security] Authentication attempt failed: Unauthorized
[00:00:00]                 └- ✓ pass  (116ms) "apis Kerberos security Kerberos authentication should reject API requests if client is not authenticated"
[00:00:00]               └-> does not prevent basic login
[00:00:00]                 └-> "before each" hook: global before each
[00:00:00]                 └- ✓ pass  (58ms) "apis Kerberos security Kerberos authentication does not prevent basic login"
[00:00:00]               └-: initiating SPNEGO
[00:00:00]                 └-> "before all" hook
[00:00:00]               └-: finishing SPNEGO
[00:00:00]                 └-> "before all" hook
[00:00:00]                 └-> should properly set cookie and authenticate user
[00:00:00]                   └-> "before each" hook: global before each
[00:00:00]                   │ info [o.e.x.s.s.SecurityIndexManager] [kibana-ci-immutable-ubuntu-18-tests-xl-1591824119815273470] security index does not exist. Creating [.security-tokens-7] with alias [.security-tokens]
[00:00:00]                   │ info [o.e.c.m.MetadataCreateIndexService] [kibana-ci-immutable-ubuntu-18-tests-xl-1591824119815273470] [.security-tokens-7] creating index, cause [api], templates [], shards [1]/[0], mappings [_doc]
[00:00:00]                   │ info [o.e.c.r.a.AllocationService] [kibana-ci-immutable-ubuntu-18-tests-xl-1591824119815273470] current.health="GREEN" message="Cluster health status changed from [YELLOW] to [GREEN] (reason: [shards started [[.security-tokens-7][0]]])." previous.health="YELLOW" reason="shards started [[.security-tokens-7][0]]"
[00:00:02]                   └- ✖ fail: "apis Kerberos security Kerberos authentication finishing SPNEGO should properly set cookie and authenticate user"
[00:00:02]                   │
spalger added the Team:Security (Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!) label Jun 10, 2020
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

spalger added a commit that referenced this issue Jun 10, 2020
spalger added a commit that referenced this issue Jun 10, 2020
(cherry picked from commit 0cfe116)
@spalger
Contributor Author

spalger commented Jun 10, 2020

Skipped

master: 0cfe116
7.x/7.9: 29380dc

spalger added the blocker, failed-test (A test failure on a tracked branch, potentially flaky-test), skipped-test and v7.9.0 labels Jun 10, 2020
@elasticmachine
Contributor

Pinging @elastic/kibana-test-triage (failed-test)

@azasypkin
Member

Hmm, that's confusing. @spalger, is it possible that these PRs used unverified snapshots? This test failure is clearly due to the ES change that we were dealing with in #68720. I'll take a look at it tomorrow if my theory is wrong.

@azasypkin
Member

Alternatively, these PRs weren't rebased on the latest master where we updated this test, but were using the latest promoted snapshot, or something along these lines. Not sure if it is possible.

gmmorris added a commit to gmmorris/kibana that referenced this issue Jun 11, 2020
* master: (38 commits)
  Support migrating from reserved feature privileges (elastic#68504)
  add `preference` field to SavedObjectsFindOptions (elastic#68620)
  [ILM] Add "wait for snapshot" policy field to Delete phase (elastic#68505)
  Cleanup old license overwrites (elastic#68744)
  Bump TypeScript to v3.9 (elastic#67666)
  [APM] Service maps - adds new storybook stories to test out various data sets (elastic#68727)
  Fix vega specification parsing (elastic#67963)
  docs: add more api information (elastic#68717)
  [APM] Don't show annotations on charts with no data (elastic#68829)
  [Metrics UI] Fix Inventory View sorting by handling null values (elastic#67889)
  skip flaky suite (elastic#68836)
  [SIEM][Detections Engine] - Fix reference rule url overflow (elastic#68640)
  Index pattern public api => common (elastic#68289)
  [APM] Lazy-load alert triggers (elastic#68806)
  [DOCS] Fix table formatting in ingest manager settings (elastic#68824)
  [Endpoint] Functional Tests cleanup (elastic#68756)
  revert previous commit which was unintentional
  Use Github token instead for project assignments
  [SIEM][Exceptions] - ExceptionsViewer cleanup (elastic#68739)
  move @kbn/storybook to devDeps (elastic#68791)
  ...
@azasypkin
Member

@spalger, is there any way to figure out what Kibana and ES snapshot revisions these failing PRs used, to validate my hypotheses outlined in #68836 (comment) and #68836 (comment)?

I tend to think that it was just an unfortunate coincidence that triggered that false alarm and we should unskip these tests.

@azasypkin
Member

I went ahead and re-enabled the tests. If it turns out that my theory was wrong, I'll take a deeper look.
