lucene-dev mailing list archives

From "Geza Nagy (JIRA)" <j...@apache.org>
Subject [jira] [Created] (SOLR-13127) Solr doesn't make difference by request methods
Date Tue, 08 Jan 2019 09:43:00 GMT
Geza Nagy created SOLR-13127:
--------------------------------

             Summary: Solr doesn't make difference by request methods
                 Key: SOLR-13127
                 URL: https://issues.apache.org/jira/browse/SOLR-13127
             Project: Solr
          Issue Type: Bug
      Security Level: Public (Default Security Level. Issues are Public)
    Affects Versions: 7.4
         Environment: Ubuntu 16.04

Solr 7.4

Kerberos

Java 8
            Reporter: Geza Nagy


I tested SolrCloud with Kerberos auth and found an interesting scenario.

+*Symptom:*+

I tried to call the Solr admin API to add a collection and I got back a response of 400 because
the collection already exists.

+*What I used:*+

HTTPUrlConnection + hadoop security's Kerberos Authenticator.

[https://docs.oracle.com/javase/8/docs/api/java/net/HttpURLConnection.html]

[https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java]

 

+*Root cause:*+

The Kerberos Authenticator uses OPTIONS as the request method when it checks whether the client is already
authenticated, and if it is, the OPTIONS request reaches the Solr endpoint and runs the action
included in the URI (as I provide the full URL to the authenticator).

So during the authentication the action is performed, and when my original request hits the
endpoint the collection has already been made.

And it can happen because there is no functionality in Solr to handle the different
request methods properly.

 

In my opinion it's not proper functionality if I can call any endpoint with any request
method and accidentally perform an action while I just want to check whether I'm authenticated or not.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
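The handshake described in the report, reproduced as an added example that is not Solr's or Hadoop's own code. A toy dispatcher serves a constructed `/admin/collections` endpoint; the client first sends an OPTIONS probe to the full request URL (as the report says the Kerberos Authenticator does) and then the real POST. With `enforce_methods=False` the probe itself creates the collection and the real request gets the 400 the reporter saw; with a per-action method allow-list the probe is answered with 405 and an `Allow` list, so the side effect happens only once, on the intended request. The action names, paths and allowed-method table are assumptions made for the example, not Solr's actual configuration.

```python
"""Added example (not Solr or Hadoop code): a toy request dispatcher showing how a
method-agnostic endpoint lets an authentication probe (the OPTIONS request the report
attributes to Hadoop's KerberosAuthenticator) execute a side effect, and how a
per-method allow-list prevents it. All names, paths and the table are constructed."""
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: str


@dataclass
class Server:
    collections: set = field(default_factory=set)
    enforce_methods: bool = True
    log: list = field(default_factory=list)  # every (method, path, params) seen

    # Allowed methods per action; constructed for the example. OPTIONS is
    # deliberately absent because a probe must never carry a side effect.
    ALLOWED = {"CREATE": {"POST"}, "LIST": {"GET"}}

    def handle(self, method, path, params):
        self.log.append((method, path, dict(params)))
        if path != "/admin/collections":
            return Response(404, "not found")
        action = params.get("action", "").upper()
        if action not in self.ALLOWED:
            return Response(400, "unknown action")
        if self.enforce_methods and method not in self.ALLOWED[action]:
            # Reject instead of silently running the action, and tell the
            # client which methods the action accepts.
            return Response(405, "Allow: " + ",".join(sorted(self.ALLOWED[action])))
        if action == "CREATE":
            name = params["name"]
            if name in self.collections:
                return Response(400, f"collection already exists: {name}")
            self.collections.add(name)
            return Response(200, f"created {name}")
        return Response(200, ",".join(sorted(self.collections)))


def kerberos_style_client(server, method, path, params):
    """Mimics the handshake in the report: the authenticator first sends OPTIONS
    to the full request URL to see whether the session is already authenticated,
    then the caller's real request follows with its intended method."""
    probe = server.handle("OPTIONS", path, params)
    real = server.handle(method, path, params)
    return probe, real


def run_scenario(enforce_methods):
    """Return (probe status, real request status, collections afterwards)."""
    server = Server(enforce_methods=enforce_methods)
    params = {"action": "CREATE", "name": "demo"}  # constructed request
    probe, real = kerberos_style_client(server, "POST", "/admin/collections", params)
    return probe.status, real.status, sorted(server.collections)


if __name__ == "__main__":
    print("method-agnostic (reported behaviour):", run_scenario(False))
    print("method-checked:", run_scenario(True))
```

The `log` list is there for the operational side: with the method-agnostic server it records two CREATE attempts for one user action, which is the signature to look for in access logs if a deployment is suspected of executing state-changing actions on OPTIONS or GET.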
