I enabled X-Pack Kerberos authentication and debugged the Elasticsearch source code with the following method:

1. kinit a Kerberos principal;
2. send a POST request in the terminal as follows:
   curl -XPOST --negotiate -u : "http://ip:9200/my_index/doc1/?pretty=true" -H 'Content-Type:application/json' -d '{"text":"hello world"}'
3. check the Elasticsearch log and find that the first handling throws the exception "ElasticsearchSecurityException: missing authentication credentials for REST request [/my_index/doc1/?pretty=true]" and the second handling throws the exception "ElasticsearchSecurityException: action [indices:data/write/index] is unauthorized for user [solr/node1.hde.com@TESTES.COM]".

I want to know why the request is handled two times and why the first handler throws "missing authentication". The detailed log is as follows:

org.elasticsearch.ElasticsearchSecurityException: missing authentication credentials for REST request [/my_index/doc1/?pretty=true]
at org.elasticsearch.xpack.core.security.support.Exceptions.authenticationError(Exceptions.java:18) ~[x-pack-core-7.4.0.jar:7.4.0]
at org.elasticsearch.xpack.core.security.authc.DefaultAuthenticationFailureHandler.createAuthenticationError(DefaultAuthenticationFailureHandler.java:154) ~[x-pack-core-7.4.0.jar:7.4.0]
at org.elasticsearch.xpack.core.security.authc.DefaultAuthenticationFailureHandler.missingToken(DefaultAuthenticationFailureHandler.java:104) ~[x-pack-core-7.4.0.jar:7.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$AuditableRestRequest.anonymousAccessDenied(AuthenticationService.java:729) ~[x-pack-security-7.4.0.jar:7.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$handleNullToken$19(AuthenticationService.java:474) ~[x-pack-security-7.4.0.jar:7.4.0]
at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.handleNullToken(AuthenticationService.java:479) ~[x-pack-security-7.4.0.jar:7.4.0]
.......................................
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:551) [netty-transport-4.1.38.Final.jar:4.1.38.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:511) [netty-transport-4.1.38.Final.jar:4.1.38.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:918) [netty-common-4.1.38.Final.jar:4.1.38.Final]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.38.Final.jar:4.1.38.Final]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0-internal]
[2019-12-18T14:34:54,440][INFO ][o.e.x.s.a.s.m.NativeRoleMappingStore] [node1.hde.com] The security index is not yet available - no role mappings can be loaded
[2019-12-18T14:34:54,440][DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [node1.hde.com] Security Index [.security] [exists: false] [available: false] [mapping up to date: true]
[2019-12-18T14:34:54,460][DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [node1.hde.com] Mapping user [UserData{username:solr/node1.hde.com@TESTES.COM; dn:null; groups:; metadata:{kerberos_user_principal_name=solr/node1.hde.com@TESTES.COM, kerberos_realm=TESTES.COM}; realm=kerb1}] to roles []
org.elasticsearch.ElasticsearchSecurityException: action [indices:data/write/index] is unauthorized for user [solr/node1.hde.com@TESTES.COM]
org.elasticsearch.ElasticsearchSecurityException: action [indices:data/write/index] is unauthorized for user [solr/node1.hde.com@TESTES.COM]
at org.elasticsearch.xpack.core.security.support.Exceptions.authorizationError(Exceptions.java:34) ~[?:?]
at org.elasticsearch.xpack.security.authz.AuthorizationService.denialException(AuthorizationService.java:585) ~[?:?]
at org.elasticsearch.xpack.security.authz.AuthorizationService.access$300(AuthorizationService.java:89) ~[?:?]
org.elasticsearch.xpack.security.authz.AuthorizationService.maybeAuthorizeRunAs(AuthorizationService.java:225) ~[?:?]
at org.elasticsearch.xpack.security.authz.AuthorizationService.lambda$authorize$1(AuthorizationService.java:191) ~[?:?]
at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:62) ~[elasticsearch-7.4.0.jar:7.4.0]
at org.elasticsearch.action.support.ContextPreservingActionListener.onResponse(ContextPreservingActionListener.java:43) ~[elasticsearch-7.4.0.jar:7.4.0]
at org.elasticsearch.xpack.security.authz.RBACEngine.lambda$resolveAuthorizationInfo$1(RBACEngine.java:117) ~[?:?]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:918) [netty-common-4.1.38.Final.jar:4.1.38.Final]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.38.Final.jar:4.1.38.Final]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0-internal]
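
Added example, not part of the original post: a small triage script over log lines like the ones above that separates authentication failures from authorization failures and attaches the roles the role mapping store resolved for the principal. The sample lines are constructed (abridged from the quoted log), and the function and pattern names are hypothetical.

```python
import re

# Constructed sample, abridged from the log lines quoted in the post.
SAMPLE_LOG = """\
org.elasticsearch.ElasticsearchSecurityException: missing authentication credentials for REST request [/my_index/doc1/?pretty=true]
[2019-12-18T14:34:54,460][DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [node1.hde.com] Mapping user [UserData{username:solr/node1.hde.com@TESTES.COM; dn:null; groups:; metadata:{kerberos_realm=TESTES.COM}; realm=kerb1}] to roles []
org.elasticsearch.ElasticsearchSecurityException: action [indices:data/write/index] is unauthorized for user [solr/node1.hde.com@TESTES.COM]
"""

MISSING = re.compile(r"missing authentication credentials for REST request \[(?P<uri>[^\]]+)\]")
DENIED = re.compile(r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\]")
MAPPING = re.compile(r"Mapping user \[UserData\{username:(?P<user>[^;]+);.*realm=(?P<realm>[^}\]]+)"
                     r"\}\] to roles \[(?P<roles>[^\]]*)\]")

def triage(log_text):
    """Classify security failures as authentication or authorization, in log order."""
    roles_by_user, findings = {}, []
    for line in log_text.splitlines():
        if m := MAPPING.search(line):
            # Remember what the role mapping store resolved for this principal.
            roles = [r.strip() for r in m["roles"].split(",") if r.strip()]
            roles_by_user[m["user"]] = (m["realm"], roles)
            continue
        if m := MISSING.search(line):
            finding = {"stage": "authentication", "uri": m["uri"],
                       "cause": "no authentication token was extracted from the request"}
        elif m := DENIED.search(line):
            realm, roles = roles_by_user.get(m["user"], (None, None))
            if roles is None:
                cause = "no role-mapping line seen for this user"
            elif not roles:
                cause = f"authenticated by realm {realm} but mapped to no roles"
            else:
                cause = "mapped roles do not grant this action"
            finding = {"stage": "authorization", "user": m["user"],
                       "action": m["action"], "roles": roles, "cause": cause}
        else:
            continue  # stack frames and unrelated lines
        if not findings or findings[-1] != finding:  # the log repeats the message line
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```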