elastic/elasticsearch

Reduce error logging from security during node startup

Open

#61,182 opened on Aug 17, 2020

View on GitHub
 (2 comments) (2 reactions) (0 assignees)Java (25,882 forks)batch import
:Security/Security>bugTeam:Securityhelp wanted

Repository metrics

Stars
 (76,700 stars)
PR merge metrics
 (Avg merge 2d) (1,000 merged PRs in 30d)

Description

There are places (e.g. NativeUsersStore) where we log a message at ERROR level if the security index exists, but is unavailable.

During normal operation, that's a reasonable things to treat as an error. However, during node/cluster startup, it is normal for the security index to exist, but not yet be recovered. In those cases the ERROR message is extreme and leads to confusions - admins may treat this as a sign of a cluster problem, when it is in fact a normal operation.

We should log something - the admin should be informed at authc is failing because the cluster hasn't fully recovered yet - but the message should reflect "cluster is still starting up, cannot authenticate against native realm".

The native users store is not the only example of this, but it's the main one.

Contributor guide