Optimize 3.8.0 create report missing authentication

Hi Camunda Team,
I am using Optimize version 3.8.0 and have successfully configured it with ElasticSearch and Camunda Engine using docker images, and enabled our user access to the Optimize resource in Camunda Admin.

When we tried to create process report, the process can be shown; after clicking “Continue”, no preview can be shown but “Missing Authorization”, the report cannot be created.

I also tried restarting and adding users to superuserId in environment-config.yml; it doesn’t help.

Does anyone have an idea what can be the issue?

Hi @LOuuu ,
Does your user have all required definition authorizations?

Hi @Helene,
I added the optimize group in definition authorizations with all permissions and resources and the users are granted to the optimize group.

Definition authorization:

Hi @LOuuu ,
The authorizations in your screenshot are for decision definitions, and from your description it sounds like you’ve created a process report. Can you check if your users have the same authorizations for process definitions as well?

Hi @Helene ,
Yes, it is configured the same.

Besides I also added a single user to both decision and process definition to test, but still no success report.

Hi @LOuuu ,
In that case let’s have a look at your Optimize logs for more detail on which kind of authorizations are causing the issue. Could you please post them here?

Hi @Helene,

I couldn’t find any related exceptions in the optimize container log. Could you tell me how to identify the relative logs?

I found the failed request when creating report is

```
POST api/report/evaluate/?
Response: 403 Forbidden
```

Hi @LOuuu ,

Hm, I would potentially expect at least a ForbiddenException somewhere, but it depends on how your logging is configured. One last authorization to check though, can you confirm that your user also has authorization to the tenant(s) the definition from the report belongs to?

Hi @Helene,
Our process is not assigned to tenants, TenantIDs are null. And I also added the optimize group to all authorizations. The root and optimize debug level are set to DEBUG.
Is there any special configuration supposed to be set in environment-config.yaml?

Hi @Helene,

Here are some logs I found:

```
DEBUG o.c.o.r.s.SingleSignOnRequestFilter - Received new request.
DEBUG o.c.o.r.s.SingleSignOnRequestFilter - Received new request.
DEBUG o.c.o.r.s.AuthenticationCookieFilter - Authenticating null
DEBUG o.c.o.r.s.AuthenticationCookieFilter - Authenticating null
DEBUG o.c.o.s.e.r.TerminatedUserSessionReader - Fetching terminated user session with id [8f269be8-****-4674-afb2-edba45bb6c51]
DEBUG o.c.o.s.e.r.TerminatedUserSessionReader - Fetching terminated user session with id [8f269be8-****-4674-afb2-edba45bb6c51]
TRACE tracer - curl -iX GET 'http://<elastichost>:<port>/optimize-terminated-user-session/_doc/8f269be8-****-4674-afb2-edba45bb6c51?_source=false'
# HTTP/1.1 404 Not Found
# X-elastic-product: Elasticsearch
# content-type: application/json; charset=UTF-8
# content-length: 122
#
# 
{
    "_index": "optimize-terminated-user-session_v3",
    "_type": "_doc",
    "_id": "8f269be8-****-4674-afb2-edba45bb6c51",
    "found": false
}

DEBUG o.c.o.r.s.AuthenticationCookieFilter - preAuthenticatedPrincipal = Myuser, trying to authenticate
DEBUG o.c.o.r.s.AuthenticationCookieFilter - Authentication success: PreAuthenticatedAuthenticationToken [Principal=Myuser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=myip, SessionId=null], Granted Authorities=[]]
TRACE tracer - curl -iX GET 'http://<elastichost>:<port>/optimize-event-process-mapping/_doc/<processName>?_source_includes=roles'
# HTTP/1.1 404 Not Found
# X-elastic-product: Elasticsearch
# content-type: application/json; charset=UTF-8
# content-length: 102
#
# 
{
    "_index": "optimize-event-process-mapping_v4",
    "_type": "_doc",
    "_id": "<processName>",
    "found": false
}
```

Hi @LOuuu ,
There’s a good chance those logs are not related to the issue you’re experiencing.
I had a quick go to try and recreate the issue locally with a couple of different authorization combinations but was unsuccessful. At this stage it would make sense to have an even closer look at your setup and the data stored in Elastic. This requires some more hands-on assistance though, so I would suggest you open a support ticket with us if you have a licence. That way a support engineer can spend a bit more time looking into it in more detail to try and resolve the problem.

The problem was solved by modifying a firewall rule which blocked the request of creating report.

Ah good to know, thanks for the update!