lucene-solr-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jan Høydahl <jan....@cominvent.com>
Subject Re: REINDEXCOLLECTION does not work with (basic) authentication
Date Thu, 20 Jun 2019 08:13:54 GMT
I think this may be a case where the (background) job should use PKI auth. Can you file a JIRA
issue?

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

> 19. jun. 2019 kl. 20:50 skrev Colvin Cowie <colvin.cowie.dev@gmail.com>:
> 
> Hello
> 
> I'm on the Solr 8.1 branch off commit
> f26388d034fe5eadca7416aa63b509b8db2c7688 so I have the authentication fixes
> from SOLR-13510 (intermittent 401s for internode requests)
> 
> When trying to use the new REINDEXCOLLECTION command with basic auth
> enabled, the daemon stream fails with repeated 401s when trying to access
> the target collection.
> 
> This might be the same problem as SOLR-13472, except it applies even with a
> single node, and this doesn't require role based configuration.
> 
> Repro: I added a reindex request in BasicAuthIntegrationTest and it is
> reproducible in there... I don't know what effect it should have on the
> auth metrics, if it were working correctly, so I don't know how to update
> the test properly. But you can add the request towards the end of
> org.apache.solr.security.BasicAuthIntegrationTest.testBasicAuth()
> 
> 
> 
> *      CollectionAdminRequest.ReindexCollection reindexReq =
> CollectionAdminRequest.reindexCollection(COLLECTION);
> reindexReq.setBasicAuthCredentials("harry", "HarryIsUberCool");
> cluster.getSolrClient().request(reindexReq, COLLECTION);*
> 
> Manual Repro:
> run bin/solr -e cloud
> Choose 1 node / 1 shard / 1 replica
> In browser GET
> http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION&name=gettingstarted
> will succeed
> Enable security: server\scripts\cloud-scripts\zkcli -zkhost localhost:9983
> -cmd putfile /security.json <path to file with this>
> 
> {
>    "authentication": {
>        "blockUnknown": true,
>        "class": "solr.BasicAuthPlugin",
>        "credentials": {
>            "solradmin": "fskh17INKrOTSRCJ8HkamA0L6Uiq1dSMgn4OVy8htME=
> /Q4VgOkwVlP6AMVY+ML+IuodbfV81WEfZ3lFb390bws="
>        }
>    }
> }
> 
> In browser authenticate (as solradmin : solradmin) and GET
> http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION&name=gettingstarted
> will time out after 180 seconds
> 
> The solr log will show repeated 401s
> 
> Setting "forwardCredentials" : true in the security.json does not appear to
> change the outcome.
> 
> 
> responses.txt
> <https://drive.google.com/file/d/1h_vQCrf5KyZAK6TIG6fPzMNxBL1Rx1bT/view?usp=drive_web>
> 
> solr.log
> <https://drive.google.com/file/d/10oYL3AtECxmei7cVOKAM5JPKEt8lFh67/view?usp=drive_web>
> 
> security.json
> <https://drive.google.com/file/d/1xVbXcDEq2btbTycBdXLe3Evz5zIYxm9o/view?usp=drive_web>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message