Bug 1879748

Summary: elasticsearch-proxy hides 401 auth response from api server by always returning 500
Product: OpenShift Container Platform Reporter: Jeff Cantrill <jcantril>
Component: LoggingAssignee: Jeff Cantrill <jcantril>
Status: CLOSED ERRATA QA Contact: Qiaoling Tang <qitang>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.6CC: aos-bugs
Target Milestone: ---   
Target Release: 4.6.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: Auth failures were not evaluated for 401 responses Consequence: The proxy always returns 500 Fix: Return 401 from the api server Result: User's get a correct auth response in lieu of a server failure
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-27 15:12:50 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1883663    

Description Jeff Cantrill 2020-09-16 21:17:09 UTC 
Description of problem:

The proxy improperly evaluates responses when making requests against the API server.  If the request fails due to something like a 401, the proxy masks that error returning a 500

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:

Return the actual error
Comment 2 Qiaoling Tang 2020-09-24 07:11:30 UTC 
@Jeff, I can see the below errors, are these what the bug has fixed?

$ oc logs -c proxy elasticsearch-cdm-7no5abmu-3-6cddf49f9f-tpgzf 
time="2020-09-24T06:52:17Z" level=info msg="mapping path \"/\" => upstream \"https://localhost:9200/\""
time="2020-09-24T06:52:17Z" level=info msg="HTTPS: listening on [::]:60001"
time="2020-09-24T06:52:17Z" level=info msg="HTTPS: listening on [::]:60000"
time="2020-09-24T06:52:17Z" level=info msg="Error processing request in handler authorization: Unable to determine username"
time="2020-09-24T06:52:20Z" level=info msg="Error processing request in handler authorization: Unable to determine username"
time="2020-09-24T06:52:20Z" level=info msg="Error processing request in handler authorization: got 401 [invalid bearer token, token lookup failed]"

image: ose-elasticsearch-proxy/images/v4.6.0-202009231847.p0
Comment 3 Qiaoling Tang 2020-09-25 07:27:51 UTC 
From the Kibana console, I can see the error: Unauthorized xxxx.

Move to verified.
Comment 6 errata-xmlrpc 2020-10-27 15:12:50 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.1 extras update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4198