lucene-dev mailing list archives

From "Amrit Sarkar (JIRA)" <>
Subject [jira] [Commented] (SOLR-11959) CDCR unauthorized to replicate to a target collection that is update protected in security.json
Date Thu, 25 Apr 2019 14:26:00 GMT


Amrit Sarkar commented on SOLR-11959:

Since SOLR-8389 didn't get enough traction, I would like to complete this Jira with the existing

{{CdcrReplicator}} at the source internally creates a SolrClient for the target and issues an UpdateRequest.
We can pass details for Basic Auth in the classic manner, as part of the request header.
For this to work:
1. We can put the Basic Auth username and password details for the target at the source, which
can result in more security issues, since the plain-text password will be mentioned in solrconfig.xml,
which is exposed at multiple facets, unlike security.json.
2. Read the security.json of the target collection at the source (since the source cluster has access
to all the files at the target), unhash the password and pass it in the UpdateRequest. At the
solrconfig.xml level at the source, we need to provide only the user, whose password will be fetched.
This is a better security solution than the above, as reading the security doc for a cluster is restricted
to one module, Cdcr.

Looking forward to feedback on this.

> CDCR unauthorized to replicate to a target collection that is update protected in security.json
> -----------------------------------------------------------------------------------------------
>                 Key: SOLR-11959
>                 URL:
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authentication, CDCR
>    Affects Versions: 7.2
>            Reporter: Donny Andrews
>            Priority: Major
>         Attachments: SOLR-11959.patch
> Steps to reproduce: 
>  # Create a source and a target collection in their respective clusters. 
>  # Update security.json to require a non-admin role to read and write. 
>  # Index to source collection 
> Expected: 
> The target collection should receive the update
> Actual:
> {code:java}
> org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error from server at http://redacted/solr/redacted: Expected mime type application/octet-stream but got text/html.
>  <head>
>  <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
>  <title>Error 401 Unauthorized request, Response code: 401</title>
>  </head>
>  <body><h2>HTTP ERROR 401</h2>
>  <p>Problem accessing /solr/redacted/update. Reason:
>  <pre> Unauthorized request, Response code: 401</pre></p>
>  </body>
>  </html>
>  at org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(
>  at org.apache.solr.client.solrj.impl.HttpSolrClient.request(
>  at org.apache.solr.client.solrj.impl.HttpSolrClient.request(
>  at org.apache.solr.client.solrj.impl.LBHttpSolrClient.doRequest(
>  at org.apache.solr.client.solrj.impl.LBHttpSolrClient.request(
>  at org.apache.solr.client.solrj.impl.CloudSolrClient.sendRequest(
>  at org.apache.solr.client.solrj.impl.CloudSolrClient.requestWithRetryOnStaleState(
>  at org.apache.solr.client.solrj.impl.CloudSolrClient.request(
>  at org.apache.solr.client.solrj.SolrRequest.process(
>  at org.apache.solr.client.solrj.SolrRequest.process(
>  at org.apache.solr.handler.CdcrReplicator.sendRequest(
>  at
>  at org.apache.solr.handler.CdcrReplicatorScheduler.lambda$null$0(
>  at org.apache.solr.common.util.ExecutorUtil$MDCAwareThreadPoolExecutor.lambda$execute$0(
>  at java.util.concurrent.ThreadPoolExecutor.runWorker(
>  at java.util.concurrent.ThreadPoolExecutor$
>  at{code}
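
Security.json stores Basic Auth credentials as a salted SHA-256 digest, not as a recoverable password. The Python below is added here as an illustration and is not part of the Jira or of the Solr code base; it reproduces the Sha256AuthenticationProvider credential format ("hash salt", both base64, digest = sha256(sha256(salt || password))) so you can see what a Cdcr-side lookup of the target's security.json would actually find: a value that can be re-verified against a candidate password but not turned back into one. The user name and passwords are constructed sample values.

```python
"""Added example, not Solr project code: Solr's security.json credential format."""
import base64
import hashlib
import hmac
import os
from typing import Optional


def solr_sha256(password: str, salt_b64: str) -> str:
    """Salted double SHA-256, matching Sha256AuthenticationProvider.sha256()."""
    salt = base64.b64decode(salt_b64)
    first = hashlib.sha256(salt + password.encode("utf-8")).digest()
    second = hashlib.sha256(first).digest()
    return base64.b64encode(second).decode("ascii")


def make_credential(password: str, salt: Optional[bytes] = None) -> str:
    """Build the '<hash> <salt>' string that goes under authentication.credentials."""
    salt = salt if salt is not None else os.urandom(32)  # Solr uses a random 32-byte salt
    salt_b64 = base64.b64encode(salt).decode("ascii")
    return f"{solr_sha256(password, salt_b64)} {salt_b64}"


def verify_credential(stored: str, password: str) -> bool:
    """Check a candidate password against a stored entry, as the plugin does at login."""
    try:
        hash_b64, salt_b64 = stored.split(" ", 1)
    except ValueError:
        return False  # malformed entry, e.g. a salt-less value
    # Re-derive and compare in constant time; there is no way to recover the password.
    return hmac.compare_digest(solr_sha256(password, salt_b64), hash_b64)


def basic_auth_stanza(user: str, password: str) -> dict:
    """Minimal security.json 'authentication' block for a single Basic Auth user."""
    return {
        "authentication": {
            "blockUnknown": True,
            "class": "solr.BasicAuthPlugin",
            "credentials": {user: make_credential(password)},
        }
    }


# Constructed sample with a fixed salt so the stored value is reproducible.
SAMPLE_SALT = bytes(range(32))
SAMPLE_CRED = make_credential("cdcr-target-pw", SAMPLE_SALT)

if __name__ == "__main__":
    print(SAMPLE_CRED)
    print(verify_credential(SAMPLE_CRED, "cdcr-target-pw"))  # True
```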

This message was sent by Atlassian JIRA
