Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix bad error handling in api key auth #3935

Merged
merged 4 commits into from
Sep 20, 2024
Merged

Fix bad error handling in api key auth #3935

merged 4 commits into from
Sep 20, 2024

Conversation

blakerouse
Copy link
Contributor

@blakerouse blakerouse commented Sep 20, 2024
edited
Loading

What is the problem this PR solves?

Currently any error returned back to Fleet Server from elasticsearch that is not 401 or 429 is returned as a 401 error. This tells the calling client that the API key is invalidate. That is only true when the error is 401, otherwise the error means something different.

How does this PR solve the problem?

This solves the issue by returning the actual error back elasticsearch to the calling client. This means that a 500 error from elasticsearch will not result in a 401 back to the client, instead it will be a 500 error.

This uses the standard es.ParseError logic to determine the error and return something readable to the calling client.

How to test this PR locally

  • Bootstrap Fleet Server
  • Turn-off elasticsearch
  • See that 401 is not returned to the client

Design Checklist

  • I have ensured my design is stateless and will work when multiple fleet-server instances are behind a load balancer.
  • [ ] I have or intend to scale test my changes, ensuring it will work reliably with 100K+ agents connected. (no effect on scale)
  • [ ] I have included fail safe mechanisms to limit the load on fleet-server: rate limiting, circuit breakers, caching, load shedding, etc. (no effect)

Checklist

  • I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in ./changelog/fragments using the changelog tool

Related issues

@blakerouse blakerouse added the Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team label Sep 20, 2024
@blakerouse blakerouse self-assigned this Sep 20, 2024
@blakerouse blakerouse requested a review from a team as a code owner September 20, 2024 15:13
@mergify Mergify
Copy link
Contributor

mergify bot commented Sep 20, 2024

This pull request does not have a backport label. Could you fix it @blakerouse? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-./d./d is the label to automatically backport to the 8./d branch. /d is the digit

@mergify Mergify
Copy link
Contributor

mergify bot commented Sep 20, 2024

backport-8.x has been added to help with the transition to the new branch 8.x.
If you don't need it please use backport-skip label and remove the backport-8.x label.

@mergify mergify bot added the backport-8.x Automated backport to the 8.x branch with mergify label Sep 20, 2024
@blakerouse blakerouse marked this pull request as draft September 20, 2024 15:17
@blakerouse blakerouse marked this pull request as ready for review September 20, 2024 15:23
@blakerouse
Copy link
Contributor Author

go-lint is very wrong here... idk

@blakerouse blakerouse requested review from michel-laterman and removed request for andrzej-stencel September 20, 2024 15:42
@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

michel-laterman
michel-laterman approved these changes Sep 20, 2024
View reviewed changes
Copy link
Contributor

@michel-laterman michel-laterman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

linter issues are fixed in: #3928

@blakerouse blakerouse merged commit 28e96bf into elastic:main Sep 20, 2024
7 of 8 checks passed
@blakerouse blakerouse deleted the auth-503 branch September 20, 2024 16:57
mergify bot pushed a commit that referenced this pull request Sep 20, 2024
@blakerouse @mergify
Fix bad error handling in api key auth (#3935)
a72957f 
* Fix bad error handling in api key auth.

* Don't return so much information.

* bug-fix

* Remove un-need changes.

(cherry picked from commit 28e96bf)
@mergify mergify bot mentioned this pull request Sep 20, 2024
Merged
4 tasks
blakerouse added a commit that referenced this pull request Sep 20, 2024
@mergify @blakerouse
Fix bad error handling in api key auth (#3935) (#3937)
dc11142 
* Fix bad error handling in api key auth.

* Don't return so much information.

* bug-fix

* Remove un-need changes.

(cherry picked from commit 28e96bf)

Co-authored-by: Blake Rouse <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michel-laterman michel-laterman michel-laterman approved these changes

@pchila pchila Awaiting requested review from pchila pchila is a code owner automatically assigned from elastic/elastic-agent-control-plane

Assignees

@blakerouse blakerouse

Labels
backport-8.x Automated backport to the 8.x branch with mergify Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Return 503 Service Unavailable when unable to authenticate with Elasticsearch instead of 401
2 participants
@blakerouse @michel-laterman