Bug 1879878

Summary: Messages flooded in thanos-querier pod- oauth-proxy container: Authorization header does not start with 'Basic', skipping basic authentication in Log message in thanos-querier pod the oauth-proxy
Product: OpenShift Container Platform Reporter: Mani <mmohan>
Component: oauth-proxyAssignee: Standa Laznicka <slaznick>
Status: CLOSED ERRATA QA Contact: scheng
Severity: medium Docs Contact:
Priority: high    
Version: 4.5CC: alegrand, anpicker, aos-bugs, apurty, dahernan, erooth, gparente, igreen, kakkoyun, lcosic, mfojtik, pchavan, pkrupa, slaznick, sttts, surbania
Target Milestone: ---   
Target Release: 4.7.0   
Hardware: x86_64   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: Legacy logging of a failed authentication check. Consequence: Requests to services behind the oauth-proxy might cause a line written to the proxy's log, which in turn would cause log flood. Fix: Remove the uninformative log line from the proxy. Result: The proxy should no longer experience log spam.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-24 15:18:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1915667, 1915668    

Description Mani 2020-09-17 09:20:40 UTC 
Description of problem:

In the thanos-querier pod the oauth-proxy container generate unnecessary logs:
2020/09/17 09:04:51 oauthproxy.go:774: basicauth: 10.129.0.38:39616 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/17 09:04:52 oauthproxy.go:774: basicauth: 10.129.0.38:39616 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/17 09:04:52 oauthproxy.go:774: basicauth: 10.129.0.38:39616 Authorization header does not start with 'Basic', skipping basic authentication
Version-Release number of selected component (if applicable):

RHOCP 4.5

How reproducible:

All Our QuickLab and AWS cluster.

Steps to Reproduce:
1. Install New RHOCP 4.5 Cluster in any platform and  .Check the oauth-proxy container log of thanos-querier
2. oc logs -f thanos-querier-xxxxxx -c oauth-proxy


Actual results:


~~~~
2020/09/17 09:04:51 oauthproxy.go:774: basicauth: 10.129.0.38:39616 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/17 09:04:52 oauthproxy.go:774: basicauth: 10.129.0.38:39616 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/17 09:04:52 oauthproxy.go:774: basicauth: 10.129.0.38:39616 Authorization header does not start with 'Basic', skipping basic authentication
~~~~

Expected results:

We don't expect the above message.

Additional info:
Notice the src IP(10.129.0.38) of the POD is etcd-operator-xxx,console -xxx and
reporting-operator-xxxx.
Comment 1 Sergiusz Urbaniak 2020-09-17 10:33:49 UTC 
Reassigning to oauth-proxy component and lowering severity as this does not have impact on functionality.
Comment 2 Mani 2020-09-23 06:33:31 UTC 
Same message  in promethus proxy logs.

 oc logs prometheus-k8s-0 -c prometheus-proxy

2020/09/23 04:55:33 oauthproxy.go:774: basicauth: 10.128.2.44:44550 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:00:04 oauthproxy.go:774: basicauth: 10.128.2.44:48430 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:04:37 oauthproxy.go:774: basicauth: 10.128.2.44:52342 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:09:08 oauthproxy.go:774: basicauth: 10.128.2.44:56244 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:13:39 oauthproxy.go:774: basicauth: 10.128.2.44:60132 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:18:11 oauthproxy.go:774: basicauth: 10.128.2.44:35782 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:22:43 oauthproxy.go:774: basicauth: 10.128.2.44:39660 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:27:14 oauthproxy.go:774: basicauth: 10.128.2.44:43536 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:31:45 oauthproxy.go:774: basicauth: 10.128.2.44:47404 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:36:16 oauthproxy.go:774: basicauth: 10.128.2.44:51300 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:40:48 oauthproxy.go:774: basicauth: 10.128.2.44:55190 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:45:19 oauthproxy.go:774: basicauth: 10.128.2.44:59070 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:49:50 oauthproxy.go:774: basicauth: 10.128.2.44:34722 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:54:21 oauthproxy.go:774: basicauth: 10.128.2.44:38588 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:58:53 oauthproxy.go:774: basicauth: 10.128.2.44:42478 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 06:03:24 oauthproxy.go:774: basicauth: 10.128.2.44:46356 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 06:07:56 oauthproxy.go:774: basicauth: 10.128.2.44:50256 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 06:12:27 oauthproxy.go:774: basicauth: 10.128.2.44:54148 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 06:16:59 oauthproxy.go:774: basicauth: 10.128.2.44:58034 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 06:21:31 oauthproxy.go:774: basicauth: 10.128.2.44:33702 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 06:26:03 oauthproxy.go:774: basicauth: 10.128.2.44:37596 Authorization header does not start with 'Basic', skipping basic authentication
Comment 16 Ilan Green 2021-01-06 18:21:07 UTC 
Can you please tell whether there are plans to clone this BZ for OCP 4.5 / 4.6?
Thanks
Comment 17 Standa Laznicka 2021-01-13 08:14:04 UTC 
There's no shame in asking that publicly -> moving the comment to public.

Yes, I think it's reasonable to do that, I cloned the BZ to those two previous versions and created the backport pull requests.
Comment 21 errata-xmlrpc 2021-02-24 15:18:31 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633