Lower JWKS static-key fallback logs from WARN to INFO#6264
Conversation
When a JWT auth domain is configured with a static signing_key instead of a jwks_uri, HTTPJwtKeyByJWKSAuthenticator logged two WARN messages on startup even though static-key JWT is a supported configuration. Lower both messages to INFO and add a unit test asserting the level. Fixes opensearch-project#6104 Signed-off-by: Matt Van Horn <mvanhorn@gmail.com>
PR Code Analyzer ❗AI-powered 'Code-Diff-Analyzer' found issues on commit 65734e4.
The table above displays the top 10 most important findings. Pull Requests Author(s): Please update your Pull Request according to the report above. Repository Maintainer(s): You can Thanks. |
PR Reviewer Guide 🔍Here are some key observations to aid the review process:
|
PR Code Suggestions ✨Explore these optional code suggestions:
|
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #6264 +/- ##
==========================================
+ Coverage 75.02% 75.07% +0.05%
==========================================
Files 451 451
Lines 29248 29248
Branches 4407 4407
==========================================
+ Hits 21942 21958 +16
+ Misses 5270 5251 -19
- Partials 2036 2039 +3
🚀 New features to boost your workflow:
|
|
Thanks for this PR @mvanhorn The log level change makes sense — static signing_key is a supported config and shouldn't warn on every startup. Left a couple of minor comments. |
| // Initialize static JWT authenticator as fallback if jwks_uri is not configured | ||
| if (!useJwks) { | ||
| log.warn("jwks_uri is not configured, falling back to static JWT authentication"); | ||
| log.info("jwks_uri is not configured, using static JWT authentication with the configured signing_key"); |
There was a problem hiding this comment.
Both initKeyProvider and the constructor log the same message back-to-back for the same condition. Consider rewording them slightly so they're distinguishable in logs.
- initKeyProvider: "jwks_uri is not configured, skipping JWKS key provider initialization"
- Constructor: "jwks_uri is not configured, using static JWT authentication with the configured 'signing_key'"
| import org.opensearch.security.user.AuthCredentials; | ||
| import org.opensearch.security.util.FakeRestRequest; | ||
|
|
||
| import org.apache.logging.log4j.Level; |
There was a problem hiding this comment.
The CI is failing due to import ordering.
Can you run ./gradlew :spotlessApply to remove spotlessApply violations ?
Description
When a JWT auth domain is configured with a static
signing_keyinstead of ajwks_uri,HTTPJwtKeyByJWKSAuthenticatorlogged two WARN messages on every startup ("jwks_uri is not configured, falling back to static JWT authentication" and "jwks_uri is not configured, will use static JWT authentication fallback"). Static-key JWT is a fully supported, intentional configuration, so warning-level logging is noisy and misleading. As confirmed on the issue, these should be INFO-level messages.Old behavior: the two static-key messages were logged at WARN in
HTTPJwtKeyByJWKSAuthenticator(the constructor andinitKeyProvider). New behavior: both are logged at INFO. No control flow or authentication behavior is changed.Issues Resolved
Fixes #6104
Testing
Added
testStaticFallbackIsLoggedAtInfoNotWarninHTTPJwtKeyByJWKSAuthenticatorTest, which attaches a mock appender to the authenticator's logger, constructs the authenticator with a staticsigning_keyand nojwks_uri, and asserts the "jwks_uri is not configured" message is emitted at INFO. The existing JWKS and static-fallback tests continue to cover authentication behavior. The targeted Gradle test could not be run locally because no Java runtime is available in this environment.Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.