lucene-solr-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Colvin Cowie <colvin.cowie....@gmail.com>
Subject Re: Intermittent error 401 with JSON Facet query to retrieve count all collections
Date Sun, 02 Jun 2019 13:53:06 GMT
Hello. I encountered this issue too and wrote this up before I found this
thread, but I thought I might as well post it still, if it helps...

Currently I'm trying to move our product on to Solr 8.1.1. We are currently
using 6.6.6, so things have definitely moved on.

We use the BasicAuthPlugin + RuleBasedAuthorizationPlugin to lock down Solr
(and we also secure our zookeeper). Here's an example for solradmin as the
user and password

{
    "authentication": {
        "blockUnknown": true,
        "class": "solr.BasicAuthPlugin",
        "credentials": {
            "solradmin": "PIWZwkGnEKxKnqUs3X08xmbmYBaYyAeP3FiKp7fmeHc=
Lnbp6bEbE7Ap8lXvQDKkUX2Xw53QDgP6Ae8QRT0P5/A="
        }
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [
            {
                "name": "all",
                "role": "admin"
            }
        ],
        "user-role": {
            "solradmin": "admin"
        }
    }
}


On Solr 8.1.1, using our previously working security.json, running queries
(through the admin UI currently) I non-deterministically get 401 responses
on queries when a collection has more than 1 shard. Increasing the number
of shards in the collection makes the errors more likely.

{
  "responseHeader":{
    "zkConnected":true,
    "status":401,
    "QTime":30,
    "params":{
      "q":"*:*",
      "_":"1559474550365"}},
  "error":{
    "metadata":[

"error-class","org.apache.solr.client.solrj.impl.BaseHttpSolrClient$RemoteSolrException",

"root-error-class","org.apache.solr.client.solrj.impl.BaseHttpSolrClient$RemoteSolrException"],
    "msg":"Error from server at null: Expected mime type
application/octet-stream but got text/html. <html>\n<head>\n<meta
http-equiv=\"Content-Type\"
content=\"text/html;charset=utf-8\"/>\n<title>Error 401 require
authentication</title>\n</head>\n<body><h2>HTTP ERROR 401</h2>\n<p>Problem
accessing /solr/gettingstarted_shard4_replica_n6/select. Reason:\n<pre>
 require authentication</pre></p>\n</body>\n</html>\n",
    "code":401}}

The security stats indicate this is happening because the requests do not
have credentials with them, e.g.
http://localhost:8983/solr/#/gettingstarted_shard4_replica_n6/plugins?type=security&entry=org.apache.solr.security.BasicAuthPlugin

 org.apache.solr.security.BasicAuthPlugin
    class:
        org.apache.solr.security.BasicAuthPlugin
    description:
        Authentication Plugin org.apache.solr.security.BasicAuthPlugin
    stats
        SECURITY./authentication.authenticated:
            182
        SECURITY./authentication.errors.count:
            0
        SECURITY./authentication.failMissingCredentials:
            58
        SECURITY./authentication.failWrongCredentials:
            0
        SECURITY./authentication.passThrough:
            0
        SECURITY./authentication.requestTimes.meanRate:
            0.4183414110946125
        SECURITY./authentication.requests:
            240
        SECURITY./authentication.totalTime:
            117791100

I assume that this is connected to the changes around
https://issues.apache.org/jira/browse/SOLR-7896 and
https://issues.apache.org/jira/browse/SOLR-13344 I've tested with Solr
7.6.0 and it appears to be unaffected

Repro steps:
   # Extract solr 8.1.1.
   # bin\solr start -e cloud
        1 node / [default port] / [default collection name] / 4 shards / 1
replica / [_default configuration]
   # server\scripts\cloud-scripts\zkcli -zkhost localhost:9983 -cmd putfile
/security.json <example-security.json file with content from example above>

   # Execute repeated GETS to
http://localhost:8983/solr/gettingstarted/select?q=*%3A* - a lot of them,
but not all, will fail with 401s


Also as a side note, because the authentication is now done through the
form login rather than the browser basic auth, if you go directly to a non
UI url (e.g. http://localhost:8983/solr/main_index/select?q=*%3A*) you have
to authenticate to it using the browser's basic auth prompt. Which is
slightly annoying since the query page in the Admin UI generates links to
it for the queries you run, and you've already authenticated to get there.
But it's not a massive burden or anything... I guess I just preferred
having the browser BA prompt.

Thanks

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message