
Don't fallback to anonymous user when anonymous access is enabled for invalid access token/api key #50171

Closed
jkakavas opened this issue Dec 13, 2019 · 2 comments · Fixed by #51042
Labels
>bug :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc)

Comments

@jkakavas (Member)

Currently, when anonymous access is enabled, a request with an invalid/expired/wrong access token or an API Key would fall back to being authenticated as the anonymous user, as if the request didn't contain any Authorization header. This might be a confusing behavior for users and we should be explicit in our responses about treating no credentials and wrong credentials differently, even when anonymous access is enabled.
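The distinction the issue asks for, modelled as an added Python example (this is not Elasticsearch's own code): a request with no Authorization header may become the anonymous user when anonymous access is enabled, while a request that presents an invalid, expired or purged credential is rejected with a 401 regardless of that setting. The credential stores and token values are constructed placeholders; the `Bearer` and `ApiKey` header schemes mirror the forms Elasticsearch accepts, and the `WWW-Authenticate` value is illustrative.

```python
# Added example (not Elasticsearch code): a minimal model of the authentication
# decision the issue describes. Two outcomes that used to be conflated are kept
# apart: "no credentials at all" (may become the anonymous user when anonymous
# access is enabled) versus "credentials present but invalid" (must be rejected,
# regardless of anonymous access).
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample credential stores; the values are placeholders, not real tokens.
VALID_TOKENS: Dict[str, str] = {"tok-valid": "alice"}
VALID_API_KEYS: Dict[str, str] = {"key-valid": "svc-reporter"}
ANONYMOUS_USER = "anonymous"


@dataclass
class AuthResult:
    status: str               # "authenticated", "anonymous" or "unauthenticated"
    principal: Optional[str]  # user name the request will run as, if any
    reason: str               # human-readable explanation for logs/responses


def _lookup(scheme: str, value: str) -> Tuple[Optional[str], str]:
    """Resolve a credential to (principal or None, description of the credential kind).

    The scheme names mirror the Authorization header forms Elasticsearch uses
    ("Bearer <token>" and "ApiKey <key>"); the stores behind them are constructed.
    """
    if scheme == "bearer":
        return VALID_TOKENS.get(value), "access token"
    if scheme == "apikey":
        return VALID_API_KEYS.get(value), "API key"
    return None, f"unsupported scheme '{scheme}'"


def authenticate(headers: Dict[str, str], anonymous_enabled: bool,
                 fail_closed: bool = True) -> AuthResult:
    """Decide how a request is authenticated.

    fail_closed=True is the behaviour the issue asks for; fail_closed=False
    reproduces the old fallback so the two can be compared side by side.
    """
    auth = headers.get("Authorization")
    if auth is None:
        # No credentials at all: only here may anonymous access apply.
        if anonymous_enabled:
            return AuthResult("anonymous", ANONYMOUS_USER,
                              "no credentials; anonymous access enabled")
        return AuthResult("unauthenticated", None, "no credentials")

    scheme, _, value = auth.partition(" ")
    principal, kind = _lookup(scheme.lower(), value.strip())
    if principal is not None:
        return AuthResult("authenticated", principal, f"valid {kind}")

    # Credentials were presented but did not check out (expired, purged, malformed).
    if anonymous_enabled and not fail_closed:
        return AuthResult("anonymous", ANONYMOUS_USER,
                          f"invalid {kind}; fell back to anonymous (old behaviour)")
    return AuthResult("unauthenticated", None, f"invalid {kind}")


def http_response(result: AuthResult) -> Dict[str, object]:
    """Map the decision onto an HTTP status so callers see the distinction explicitly.

    The WWW-Authenticate value is illustrative, not copied from Elasticsearch.
    """
    if result.status == "unauthenticated":
        return {"status": 401,
                "headers": {"WWW-Authenticate": 'Bearer realm="security", ApiKey'},
                "reason": result.reason}
    return {"status": 200, "principal": result.principal, "reason": result.reason}


if __name__ == "__main__":
    # A token that has been purged from the token index looks the same as an
    # invalid one to the verifier; compare old and new handling of it.
    expired = {"Authorization": "Bearer tok-purged-from-index"}
    for fail_closed in (False, True):
        r = authenticate(expired, anonymous_enabled=True, fail_closed=fail_closed)
        print(f"fail_closed={fail_closed}: {r.status} ({r.reason})")
```

With `fail_closed=False` the purged token silently becomes the anonymous user, which is the failure mode kobelb describes for Kibana's token providers; with `fail_closed=True` the same request gets a 401, so the client can tell "re-authenticate" apart from "you are anonymous".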

@jkakavas jkakavas added >bug :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) labels Dec 13, 2019
@elasticmachine (Collaborator)

Pinging @elastic/es-security (:Security/Authentication)

@kobelb (Contributor) commented Jan 13, 2020

Hey @jkakavas, is there any chance of getting this addressed for 7.6? Otherwise, any of Kibana's token-based auth providers aren't going to work properly after a token expires for long enough that it's purged from the .security-tokens-7 index and anonymous access is enabled. This is compounded by the fact that Cloud uses an anonymous user that has no privileges.

jkakavas added a commit to jkakavas/elasticsearch that referenced this issue Jan 15, 2020
This commit changes our behavior so that when we receive a
request with an invalid/expired/wrong access token or API Key
we do not fall back to authenticating as the anonymous user even if
anonymous access is enabled for Elasticsearch.

Resolves: elastic#50171