Description of problem:
Kibana fails when used with Active Directory authentication user with spaces. In our case we had the user/identity like: "CN=Szabo\\, Steve,OU=Users,OU=TDBFG,DC=d2-tdbfg,DC=com"

We got the following error.

{"name":"Kibana","hostname":"logging-kibana-1-dm00w","pid":8,"level":30,"req":{"method":"POST","url":"/elasticsearch/_msearch?timeout=0&ignore_unavailable=true&preference=1494510053959","headers":{"forwarded":"for=10.154.235.189;host=kibana.apps.ose101.dynamic.eng-openshift.cloud.td.com;proto=https","x-forwarded-proto":"https","x-forwarded-port":"443","x-forwarded-host":"kibana.apps.ose101.dynamic.eng-openshift.cloud.td.com","accept-language":"en-US,en;q=0.8","accept-encoding":"gzip, deflate, br","referer":"https://kibana.apps.ose101.dynamic.eng-openshift.cloud.td.com/","content-type":"application/json;charset=UTF-8","kbn-xsrf-token":"kibana","user-agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36","origin":"https://kibana.apps.ose101.dynamic.eng-openshift.cloud.td.com","accept":"application/json, text/plain, */*","content-length":"768","host":"kibana.apps.ose101.dynamic.eng-openshift.cloud.td.com","connection":"close","x-proxy-remote-user":"CN=Szabo\\, Steve,OU=Users,OU=TDBFG,DC=d2-tdbfg,DC=com"},"remoteAddress":"127.0.0.1","remotePort":51434},"res":{"statusCode":500,"responseTime":45,"contentLength":227},"msg":"POST /_msearch?timeout=0&ignore_unavailable=true&preference=1494510053959 500 - 45ms","time":"2017-05-11T13:41:10.636Z","v":0}

Version-Release number of selected component (if applicable): 3.3.0

How reproducible:

Steps to Reproduce:
1. Bind LDAPPasswordIdentityProvider with id as distinguished name (DN)
2. Create a user with spaces (firstname and lastname)
3. Try to access EFK with Kibana Dashboard
1. Are you able to log into the Openshift web console using the same name & password?
2. What exactly are you entering into the login page when you visit the kibana url?
1. Are you able to log into the Openshift web console using the same name & password?
> Yes
2. What exactly are you entering into the login page when you visit the kibana url
> The user accesses the Kibana publicLoggingURL. The user is redirected to the Openshift login page and can log in successfully. When he is redirected to the Kibana URL again, the following error is returned: "Discover: An Error occured with your request. Reset your inputs and try again"

Here are my considerations:
1) Not related to https://bugzilla.redhat.com/show_bug.cgi?id=1410694, because the user has at least view permission on several projects.
2) There is indexed information within the selected range.
3) The problem only occurs when the user has slashes and commas in his Distinguished Name: "CN=Szabo\\, Steve,OU=Users,OU=TDBFG,DC=d2-tdbfg,DC=com". I tried with another user with spaces and it's possible to view the logs successfully.

Exception:
[2017-05-12 11:23:46,402][ERROR][com.floragunn.searchguard.filter.SearchGuardActionFilter] Error while apply() due to com.floragunn.searchguard.tokeneval.MalformedConfigurationException: no bypass or execute filters at all for action indices:data/read/msearch
com.floragunn.searchguard.tokeneval.MalformedConfigurationException: no bypass or execute filters at all
    at com.floragunn.searchguard.tokeneval.TokenEvaluator$Evaluator.validateAndMerge(TokenEvaluator.java:374)
    at com.floragunn.searchguard.tokeneval.TokenEvaluator$Evaluator.<init>(TokenEvaluator.java:362)
    at com.floragunn.searchguard.tokeneval.TokenEvaluator.getEvaluator(TokenEvaluator.java:310)
    at com.floragunn.searchguard.filter.SearchGuardActionFilter.apply0(SearchGuardActionFilter.java:253)
    at com.floragunn.searchguard.filter.SearchGuardActionFilter.apply(SearchGuardActionFilter.java:90)
    at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:165)
    at com.floragunn.searchguard.filter.FLSActionFilter.applySecure(FLSActionFilter.java:76)
Created attachment 1285044: User error
Bruno, I am just getting around to looking at this issue again. With regard to what you are entering in the login page:
1. You are directed to the Openshift login page that has username and password
2. You enter "CN=Szabo\\, Steve,OU=Users,OU=TDBFG,DC=d2-tdbfg,DC=com" as the username
3. You are authed, but are presented with an error message as seen in the attachment.

Does this properly summarize what you are experiencing?
From our QE who is familiar with Active Directory:
"We need to know the logon username; "CN=Szabo\\, Steve,OU=Users,OU=TDBFG,DC=d2-tdbfg,DC=com" is not a username, and it is not allowed to use "Szabo\\, Steve" as a username."
Can you provide the logon username that was used to expose this issue?
Possibly related: https://bugzilla.redhat.com/show_bug.cgi?id=1491227
*** Bug 1494239 has been marked as a duplicate of this bug. ***
Because QE couldn't create a user with slashes and a comma in our Active Directory, I used a fake user [1]. Kibana works with this fake user, so I am moving the bug to verified. Please re-open the bug if you still hit this issue.

[1]
# oc get users
NAME                                                     UID                                    FULL NAME   IDENTITIES
CN=Szabo\\, Steve,OU=Users,OU=TDBFG,DC=d2-tdbfg,DC=com   abb8e332-bf9e-11e7-a35f-fa163ea6cdef               allow_all:CN=Szabo\\, Steve,OU=Users,OU=TDBFG,DC=d2-tdbfg,DC=com
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:3188