Rules failed after upgrade: [security_exception] Reason: missing authentication credentials for REST request [/_security/user/_has_privileges] #135386

Closed
wwang500 opened this issue Jun 29, 2022 · 3 comments
Labels
Feature:Alerting/RuleActions Issues related to the Actions attached to Rules on the Alerting Framework Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)

Comments

wwang500 commented Jun 29, 2022

Steps to reproduce:

  1. Deploy an 8.2.3 cluster.
  2. Create a few simple rules, cases and connectors (the fragment below is wrapped in an outer object so it parses as JSON):

```json
{
  "connectors": [
    {
      "name": "server_log_connector",
      "type": "SERVER_LOG"
    }
  ],
  "cases": [
    {
      "title": "stack_case",
      "description": "This is a case in stack",
      "owner": "cases",
      "tags": ["stack", "generic-tag"]
    },
    {
      "title": "observability_case",
      "description": "This is a case in observability",
      "owner": "observability",
      "tags": ["observability", "generic-tag"]
    },
    {
      "title": "security_case",
      "description": "This is a case in security",
      "owner": "securitySolution",
      "tags": ["security", "generic-tag"]
    }
  ],
  "rules": [
    {
      "name": "cluster_health_rule",
      "notification_type": "ON_ACTIVE_ALERT",
      "consumer": "alerts",
      "schedule": {"interval": "1m"},
      "rule_type": "CLUSTER_HEALTH",
      "tags": ["cluster", "health"],
      "actions": [
        {
          "connector_name": "server_log_connector",
          "group": "default",
          "params": {"level": "info", "message": "{{context.internalFullMessage}}"}
        }
      ]
    },
    {
      "name": "disabled_cluster_health_rule",
      "notification_type": "ON_ACTIVE_ALERT",
      "consumer": "alerts",
      "schedule": {"interval": "1m"},
      "rule_type": "CLUSTER_HEALTH",
      "tags": ["cluster", "health"],
      "actions": [
        {
          "connector_name": "server_log_connector",
          "group": "default",
          "params": {"level": "info", "message": "{{context.internalFullMessage}}"}
        }
      ],
      "enabled": false
    },
    {
      "name": "security_rule",
      "notification_type": "ON_ACTIVE_ALERT",
      "consumer": "siem",
      "schedule": {"interval": "1m"},
      "rule_type": "SIEM_THRESHOLD",
      "tags": [
        "__internal_rule_id:some_internal_rule_id",
        "__internal_immutable:false"
      ],
      "actions": [],
      "params": {
        "author": [],
        "description": "A security threshold rule",
        "falsePositives": [],
        "from": "now-3660s",
        "license": "",
        "outputIndex": ".alerts-security.alerts-default",
        "riskScore": 21,
        "riskScoreMapping": [],
        "severity": "low",
        "severityMapping": [],
        "threat": [],
        "to": "now",
        "references": [],
        "type": "threshold",
        "language": "kuery",
        "index": ["kibana_sample_data_logs"],
        "query": "*",
        "filters": [],
        "threshold": {
          "field": ["bytes"],
          "value": 1,
          "cardinality": []
        },
        "ruleId": "some_internal_rule_id",
        "immutable": false,
        "maxSignals": 100,
        "version": 1,
        "exceptionsList": [],
        "meta": {"from": " 1h", "kibana_siem_app_url": "some_url"}
      },
      "enabled": false
    },
    {
      "name": "observability_rule",
      "notification_type": "ON_ACTIVE_ALERT",
      "consumer": "alerts",
      "schedule": {"interval": "1m"},
      "rule_type": "LOGS_THRESHOLD",
      "tags": ["metrics", "threshold"],
      "actions": [],
      "params": {
        "timeSize": 1,
        "timeUnit": "h",
        "count": {"value": 1, "comparator": "more than"},
        "criteria": [{"field": "bytes", "comparator": "more than", "value": 1}],
        "groupBy": ["geo.dest"],
        "outputIndex": ".alerts-observability.logs.alerts-default"
      },
      "alertCase": "observability_case"
    }
  ]
}
```

  3. Upgrade to 8.3.0.

Observed:

After the upgrade, two of the rules, observability_rule and cluster_health_rule, are reporting errors:

```
logs.alert.document.count:270b74f0-f3c2-11ec-9a6e-414bc063a8ba: execution failed - security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_security/user/_has_privileges], caused by: ""
```
@wwang500 wwang500 added Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Feature:Alerting/RuleActions Issues related to the Actions attached to Rules on the Alerting Framework labels Jun 29, 2022
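The error above is Elasticsearch's 401 for a request that reached `/_security/user/_has_privileges` with no Authorization header at all, which is different from a request whose credentials were rejected. The script below is an added example for triaging that distinction after an upgrade; it is not code from this issue or from Kibana. It builds the same `_has_privileges` call Kibana makes on the rule's behalf, sends it either with the API key you believe the rule is using or with no credentials, and classifies the answer. The sample responses, the `http://localhost:9200` URL, the placeholder key value and the `kibana_sample_data_logs` index are all assumptions made for the example.

```python
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Tuple

# Constructed sample responses (not captured from a real cluster). The 401 body
# carries the same reason string that appears in the rule execution error above.
SAMPLE_401_BODY: Dict[str, Any] = {
    "error": {
        "root_cause": [
            {
                "type": "security_exception",
                "reason": "missing authentication credentials for REST request "
                          "[/_security/user/_has_privileges]",
            }
        ],
        "type": "security_exception",
        "reason": "missing authentication credentials for REST request "
                  "[/_security/user/_has_privileges]",
    },
    "status": 401,
}

SAMPLE_200_BODY: Dict[str, Any] = {
    "username": "rule-api-key-owner",
    "has_all_requested": True,
    "cluster": {},
    "index": {"kibana_sample_data_logs": {"read": True}},
    "application": {},
}

# A transport takes (url, headers, body) and returns (http status, parsed JSON).
Transport = Callable[[str, Dict[str, str], bytes], Tuple[int, Dict[str, Any]]]


def has_privileges_request(api_key: Optional[str], indices: List[str],
                           privileges: List[str]) -> Tuple[Dict[str, str], bytes]:
    """Build headers and body for POST /_security/user/_has_privileges.

    api_key is the base64 "id:key" value Elasticsearch hands back when the key
    is created. None models a request carrying no credentials, which is the
    situation the execution error in this issue describes.
    """
    headers = {"Content-Type": "application/json"}
    if api_key:
        headers["Authorization"] = f"ApiKey {api_key}"
    body = {"index": [{"names": indices, "privileges": privileges}]}
    return headers, json.dumps(body).encode("utf-8")


def classify_response(status: int, body: Dict[str, Any]) -> str:
    """Reduce an Elasticsearch response to a one-word verdict."""
    if status == 200:
        return "ok" if body.get("has_all_requested") else "insufficient_privileges"
    error = body.get("error", {})
    if error.get("type") == "security_exception":
        reason = error.get("reason", "")
        if reason.startswith("missing authentication credentials"):
            return "missing_credentials"  # no Authorization header reached ES
        return "auth_failed"              # header present but rejected (bad/expired key)
    return f"http_{status}"


def urllib_transport(url: str, headers: Dict[str, str],
                     body: bytes) -> Tuple[int, Dict[str, Any]]:
    """Real transport: POST to Elasticsearch and return (status, parsed JSON)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as exc:
        return exc.code, json.load(exc)  # 4xx/5xx bodies are still JSON


def check_rule_credentials(es_url: str, api_key: Optional[str], indices: List[str],
                           privileges: List[str],
                           transport: Transport = urllib_transport) -> str:
    headers, body = has_privileges_request(api_key, indices, privileges)
    url = es_url.rstrip("/") + "/_security/user/_has_privileges"
    status, resp = transport(url, headers, body)
    return classify_response(status, resp)


def fake_transport(url: str, headers: Dict[str, str],
                   body: bytes) -> Tuple[int, Dict[str, Any]]:
    """Offline stand-in for urllib_transport: 401 unless an Authorization header is present."""
    assert url.endswith("/_security/user/_has_privileges")
    if "Authorization" not in headers:
        return 401, SAMPLE_401_BODY
    return 200, SAMPLE_200_BODY


if __name__ == "__main__":
    # Swap fake_transport for urllib_transport (and supply the rule's real key) to probe a cluster.
    for key in (None, "aWQ6c2VjcmV0"):  # placeholder key value, not a real credential
        verdict = check_rule_credentials("http://localhost:9200", key,
                                         ["kibana_sample_data_logs"], ["read"],
                                         transport=fake_transport)
        print(key, "->", verdict)
```

If a real cluster answers `missing_credentials` for a key you passed explicitly, the key never left the client, so look at the request path; `auth_failed` means the header arrived and Elasticsearch rejected the key (invalidated or expired), which is the case to rule out when a rule's stored credentials were touched by a migration.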
elasticmachine (Contributor) commented:

Pinging @elastic/response-ops (Team:ResponseOps)

@wwang500 wwang500 changed the title Rules fail after upgrade: security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_security/user/_has_privileges] Rules failed after upgrade: [security_exception] Reason: missing authentication credentials for REST request [/_security/user/_has_privileges] Jun 29, 2022
pmuellr (Member) commented Jun 30, 2022

I'm assuming this may be a DUP of #118520

mikecote (Contributor) commented Jul 7, 2022

Closing as fixed by #135663.

@mikecote mikecote closed this as completed Jul 7, 2022
Repository owner moved this from Awaiting Triage to Done in AppEx: ResponseOps - Execution & Connectors Jul 7, 2022