Re: what is SolrAuthV2 and why does it break replication

[Jan Høydahl <ja...@cominvent.com>]

> nor does it work to set up security.json to allow replication without a password

Exactly how did you configure security.json for this? It could be that you succeeded disabling security for the collection but not for the core URL?

Have you tried to hit http://[REDACTED]/solr/sequence2_shard1_replica_n1/replication URL directly using cURL without basicAuth?

Jan

> 27. jul. 2023 kl. 18:17 skrev Oakley, Craig (NIH/NLM/NCBI) [C] <cr...@nih.gov.INVALID>:
> 
> I have still not received any suggestions or clarifications, so I am resending this with a different subject.
> 
> I found that if I completely eliminate security.json, Leader/Follower replication succeeds; but for obvious reasons, we do want security.json to be there.
> 
> Setting -Dsolr.pki.sendVersion=v1 -Dsolr.pki.acceptVersions=v1,v2 does not help; nor does it work to set up security.json to allow replication without a password and to remove httpBasicAuthUser and httpBasicAuthPassword from solrconfig.xml on the Follower side
> 
> Does anybody have any suggestions?
> 
> -----Original Message-----
> From: Oakley, Craig (NIH/NLM/NCBI) [C] <cr...@nih.gov.INVALID> 
> Sent: Tuesday, July 18, 2023 3:12 PM
> To: users@solr.apache.org
> Subject: RE: authentication for Leader/Follower replication
> 
> I am wondering whether anyone yet has any suggestions how to proceed
> 
> -----Original Message-----
> From: Oakley, Craig (NIH/NLM/NCBI) [C] <cr...@nih.gov.INVALID> 
> Sent: Thursday, July 6, 2023 4:00 PM
> To: users@solr.apache.org
> Subject: authentication for Leader/Follower replication
> 
> We are having problems transitioning Leader/Follower replication to Solr9.2.1
> 
> In Solr8.5 and below, what was then called Master/Slave replication had the annoying problem that, even though we specified httpBasicAuthUser and httpBasicAuthPassword, it would always attempt to connect first without a password before retrying with a password. This made solr.log noisy with lots of unnecessary login failures: but at least it worked.
> 
> When we transitioned to Solr8.11 (with the nomenclature changed to be less oppressive) we found that this version of Leader/Follower replication refused to retry (and refused to do anything with the values specified httpBasicAuthUser and httpBasicAuthPassword). We needed to open up replication in security.json to be available without password.
> 
> Now when we are preparing to upgrade to Solr9.2.1, we are having issues with the following:
> 2023-07-06 15:46:53.315 INFO  (indexFetcher-39-thread-1) [   ] o.a.s.h.IndexFetcher Last replication failed, so I'll force replication
> 2023-07-06 15:46:53.320 WARN  (indexFetcher-39-thread-1) [   ] o.a.s.h.IndexFetcher Leader at: http://[REDACTED]/solr/sequence2_shard1_replica_n1 is not available. Index fetch failed by exception: org.apache.solr.client.solrj.impl.BaseHttpSolrClient$RemoteSolrException: Error from server at http://[REDACTED]/solr/sequence2_shard1_replica_n1: Expected mime type in [application/octet-stream, application/vnd.apache.solr.javabin] but got text/html. <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
> <title>Error 401 Could not load principal from SolrAuthV2 header.</title>
> </head>
> <body><h2>HTTP ERROR 401 Could not load principal from SolrAuthV2 header.</h2>
> <table>
> <tr><th>URI:</th><td>/solr/sequence2_shard1_replica_n1/replication</td></tr>
> <tr><th>STATUS:</th><td>401</td></tr>
> <tr><th>MESSAGE:</th><td>Could not load principal from SolrAuthV2 header.</td></tr>
> <tr><th>SERVLET:</th><td>default</td></tr>
> </table>
> 
> </body>
> </html>
> 
> I have added "blockUnknown":false to security.json and have confirmed that the replication?command=indexversion command can be run without a password, and that it can be run with the login and password specified in httpBasicAuthUser and httpBasicAuthPassword
> 
> I have tried tweaking security.json with forwardCredentials values, but that has not helped
> 
> Any suggestions?
> 
> 
> 

RE: [EXTERNAL] Re: what is SolrAuthV2 and why does it break replication

["Oakley, Craig (NIH/NLM/NCBI) [C]" <cr...@nih.gov.INVALID>]

Yes, and indeed http://[REDACTED]/solr/sequence2_shard1_replica_n1/replication works without password. I have also tried http://[REDACTED]/solr/sequence2/replication which I remember working when I tried it in Solr8 but which does not work in Solr9.2

Have you any other recommendations?

-----Original Message-----
From: Jan Høydahl <ja...@cominvent.com> 
Sent: Saturday, August 5, 2023 11:03 AM
To: users@solr.apache.org
Subject: [EXTERNAL] Re: what is SolrAuthV2 and why does it break replication

> nor does it work to set up security.json to allow replication without a password

Exactly how did you configure security.json for this? It could be that you succeeded disabling security for the collection but not for the core URL?

Have you tried to hit http://[REDACTED]/solr/sequence2_shard1_replica_n1/replication URL directly using cURL without basicAuth?

Jan

> 27. jul. 2023 kl. 18:17 skrev Oakley, Craig (NIH/NLM/NCBI) [C] <cr...@nih.gov.INVALID>:
>
> I have still not received any suggestions or clarifications, so I am resending this with a different subject.
>
> I found that if I completely eliminate security.json, Leader/Follower replication succeeds; but for obvious reasons, we do want security.json to be there.
>
> Setting -Dsolr.pki.sendVersion=v1 -Dsolr.pki.acceptVersions=v1,v2 does not help; nor does it work to set up security.json to allow replication without a password and to remove httpBasicAuthUser and httpBasicAuthPassword from solrconfig.xml on the Follower side
>
> Does anybody have any suggestions?
>
> -----Original Message-----
> From: Oakley, Craig (NIH/NLM/NCBI) [C] <cr...@nih.gov.INVALID>
> Sent: Tuesday, July 18, 2023 3:12 PM
> To: users@solr.apache.org
> Subject: RE: authentication for Leader/Follower replication
>
> I am wondering whether anyone yet has any suggestions how to proceed
>
> -----Original Message-----
> From: Oakley, Craig (NIH/NLM/NCBI) [C] <cr...@nih.gov.INVALID>
> Sent: Thursday, July 6, 2023 4:00 PM
> To: users@solr.apache.org
> Subject: authentication for Leader/Follower replication
>
> We are having problems transitioning Leader/Follower replication to Solr9.2.1
>
> In Solr8.5 and below, what was then called Master/Slave replication had the annoying problem that, even though we specified httpBasicAuthUser and httpBasicAuthPassword, it would always attempt to connect first without a password before retrying with a password. This made solr.log noisy with lots of unnecessary login failures: but at least it worked.
>
> When we transitioned to Solr8.11 (with the nomenclature changed to be less oppressive) we found that this version of Leader/Follower replication refused to retry (and refused to do anything with the values specified httpBasicAuthUser and httpBasicAuthPassword). We needed to open up replication in security.json to be available without password.
>
> Now when we are preparing to upgrade to Solr9.2.1, we are having issues with the following:
> 2023-07-06 15:46:53.315 INFO  (indexFetcher-39-thread-1) [   ] o.a.s.h.IndexFetcher Last replication failed, so I'll force replication
> 2023-07-06 15:46:53.320 WARN  (indexFetcher-39-thread-1) [   ] o.a.s.h.IndexFetcher Leader at: http://[REDACTED]/solr/sequence2_shard1_replica_n1 is not available. Index fetch failed by exception: org.apache.solr.client.solrj.impl.BaseHttpSolrClient$RemoteSolrException: Error from server at http://[REDACTED]/solr/sequence2_shard1_replica_n1: Expected mime type in [application/octet-stream, application/vnd.apache.solr.javabin] but got text/html. <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
> <title>Error 401 Could not load principal from SolrAuthV2 header.</title>
> </head>
> <body><h2>HTTP ERROR 401 Could not load principal from SolrAuthV2 header.</h2>
> <table>
> <tr><th>URI:</th><td>/solr/sequence2_shard1_replica_n1/replication</td></tr>
> <tr><th>STATUS:</th><td>401</td></tr>
> <tr><th>MESSAGE:</th><td>Could not load principal from SolrAuthV2 header.</td></tr>
> <tr><th>SERVLET:</th><td>default</td></tr>
> </table>
>
> </body>
> </html>
>
> I have added "blockUnknown":false to security.json and have confirmed that the replication?command=indexversion command can be run without a password, and that it can be run with the login and password specified in httpBasicAuthUser and httpBasicAuthPassword
>
> I have tried tweaking security.json with forwardCredentials values, but that has not helped
>
> Any suggestions?
>
>
>

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and are confident the content is safe.