Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be unavailable on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1879878 - Messages flooded in thanos-querier pod- oauth-proxy container: Authorization header does not start with 'Basic', skipping basic authentication in Log message in thanos-querier pod the oauth-proxy
Summary: Messages flooded in thanos-querier pod- oauth-proxy container: Authorization ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oauth-proxy
Version: 4.5
Hardware: x86_64
OS: Unspecified
high
medium
Target Milestone: ---
: 4.7.0
Assignee: Standa Laznicka
QA Contact: scheng
URL:
Whiteboard:
Depends On:
Blocks: 1915667 1915668
TreeView+ depends on / blocked
 
Reported: 2020-09-17 09:20 UTC by Mani
Modified: 2021-03-21 06:41 UTC (History)
16 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Legacy logging of a failed authentication check. Consequence: Requests to services behind the oauth-proxy might cause a line written to the proxy's log, which in turn would cause log flood. Fix: Remove the uninformative log line from the proxy. Result: The proxy should no longer experience log spam.
Clone Of:
Environment:
Last Closed: 2021-02-24 15:18:31 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift oauth-proxy pull 197 0 None closed Bug 1879878: remove logging when authz header is present but basic auth is not attempted 2021-02-18 15:37:02 UTC
Red Hat Knowledge Base (Solution) 5525631 0 None None None 2021-03-21 06:41:18 UTC
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:19:03 UTC

Description Mani 2020-09-17 09:20:40 UTC
Description of problem:

In the thanos-querier pod the oauth-proxy container generate unnecessary logs:
2020/09/17 09:04:51 oauthproxy.go:774: basicauth: 10.129.0.38:39616 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/17 09:04:52 oauthproxy.go:774: basicauth: 10.129.0.38:39616 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/17 09:04:52 oauthproxy.go:774: basicauth: 10.129.0.38:39616 Authorization header does not start with 'Basic', skipping basic authentication
Version-Release number of selected component (if applicable):

RHOCP 4.5

How reproducible:

All Our QuickLab and AWS cluster.

Steps to Reproduce:
1. Install New RHOCP 4.5 Cluster in any platform and  .Check the oauth-proxy container log of thanos-querier
2. oc logs -f thanos-querier-xxxxxx -c oauth-proxy


Actual results:


~~~~
2020/09/17 09:04:51 oauthproxy.go:774: basicauth: 10.129.0.38:39616 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/17 09:04:52 oauthproxy.go:774: basicauth: 10.129.0.38:39616 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/17 09:04:52 oauthproxy.go:774: basicauth: 10.129.0.38:39616 Authorization header does not start with 'Basic', skipping basic authentication
~~~~

Expected results:

We don't expect the above message.

Additional info:
Notice the src IP(10.129.0.38) of the POD is etcd-operator-xxx,console -xxx and
reporting-operator-xxxx.

Comment 1 Sergiusz Urbaniak 2020-09-17 10:33:49 UTC
Reassigning to oauth-proxy component and lowering severity as this does not have impact on functionality.

Comment 2 Mani 2020-09-23 06:33:31 UTC
Same message  in promethus proxy logs.

 oc logs prometheus-k8s-0 -c prometheus-proxy

2020/09/23 04:55:33 oauthproxy.go:774: basicauth: 10.128.2.44:44550 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:00:04 oauthproxy.go:774: basicauth: 10.128.2.44:48430 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:04:37 oauthproxy.go:774: basicauth: 10.128.2.44:52342 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:09:08 oauthproxy.go:774: basicauth: 10.128.2.44:56244 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:13:39 oauthproxy.go:774: basicauth: 10.128.2.44:60132 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:18:11 oauthproxy.go:774: basicauth: 10.128.2.44:35782 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:22:43 oauthproxy.go:774: basicauth: 10.128.2.44:39660 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:27:14 oauthproxy.go:774: basicauth: 10.128.2.44:43536 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:31:45 oauthproxy.go:774: basicauth: 10.128.2.44:47404 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:36:16 oauthproxy.go:774: basicauth: 10.128.2.44:51300 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:40:48 oauthproxy.go:774: basicauth: 10.128.2.44:55190 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:45:19 oauthproxy.go:774: basicauth: 10.128.2.44:59070 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:49:50 oauthproxy.go:774: basicauth: 10.128.2.44:34722 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:54:21 oauthproxy.go:774: basicauth: 10.128.2.44:38588 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 05:58:53 oauthproxy.go:774: basicauth: 10.128.2.44:42478 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 06:03:24 oauthproxy.go:774: basicauth: 10.128.2.44:46356 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 06:07:56 oauthproxy.go:774: basicauth: 10.128.2.44:50256 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 06:12:27 oauthproxy.go:774: basicauth: 10.128.2.44:54148 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 06:16:59 oauthproxy.go:774: basicauth: 10.128.2.44:58034 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 06:21:31 oauthproxy.go:774: basicauth: 10.128.2.44:33702 Authorization header does not start with 'Basic', skipping basic authentication
2020/09/23 06:26:03 oauthproxy.go:774: basicauth: 10.128.2.44:37596 Authorization header does not start with 'Basic', skipping basic authentication

Comment 16 Ilan Green 2021-01-06 18:21:07 UTC
Can you please tell whether there are plans to clone this BZ for OCP 4.5 / 4.6?
Thanks

Comment 17 Standa Laznicka 2021-01-13 08:14:04 UTC
There's no shame in asking that publicly -> moving the comment to public.

Yes, I think it's reasonable to do that, I cloned the BZ to those two previous versions and created the backport pull requests.

Comment 21 errata-xmlrpc 2021-02-24 15:18:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633


Note You need to log in before you can comment on or make changes to this bug.