You are viewing a plain text version of this content. The canonical link for it is here.

Posted to solr-user@lucene.apache.org by Colvin Cowie <co...@gmail.com> on 2019/06/19 18:50:50 UTC

REINDEXCOLLECTION does not work with (basic) authentication

Hello

I'm on the Solr 8.1 branch off commit
f26388d034fe5eadca7416aa63b509b8db2c7688 so I have the authentication fixes
from SOLR-13510 (intermittent 401s for internode requests)

When trying to use the new REINDEXCOLLECTION command with basic auth
enabled, the daemon stream fails with repeated 401s when trying to access
the target collection.

This might be the same problem as SOLR-13472, except it applies even with a
single node, and this doesn't require role based configuration.

Repro: I added a reindex request in BasicAuthIntegrationTest and it is
reproducible in there... I don't know what effect it should have on the
auth metrics, if it were working correctly, so I don't know how to update
the test properly. But you can add the request towards the end of
org.apache.solr.security.BasicAuthIntegrationTest.testBasicAuth()



*      CollectionAdminRequest.ReindexCollection reindexReq =
CollectionAdminRequest.reindexCollection(COLLECTION);
reindexReq.setBasicAuthCredentials("harry", "HarryIsUberCool");
cluster.getSolrClient().request(reindexReq, COLLECTION);*

Manual Repro:
run bin/solr -e cloud
Choose 1 node / 1 shard / 1 replica
In browser GET
http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION&name=gettingstarted
will succeed
Enable security: server\scripts\cloud-scripts\zkcli -zkhost localhost:9983
-cmd putfile /security.json <path to file with this>

{
    "authentication": {
        "blockUnknown": true,
        "class": "solr.BasicAuthPlugin",
        "credentials": {
            "solradmin": "fskh17INKrOTSRCJ8HkamA0L6Uiq1dSMgn4OVy8htME=
/Q4VgOkwVlP6AMVY+ML+IuodbfV81WEfZ3lFb390bws="
        }
    }
}

In browser authenticate (as solradmin : solradmin) and GET
http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION&name=gettingstarted
will time out after 180 seconds

The solr log will show repeated 401s

Setting "forwardCredentials" : true in the security.json does not appear to
change the outcome.


 responses.txt
<https://drive.google.com/file/d/1h_vQCrf5KyZAK6TIG6fPzMNxBL1Rx1bT/view?usp=drive_web>

 solr.log
<https://drive.google.com/file/d/10oYL3AtECxmei7cVOKAM5JPKEt8lFh67/view?usp=drive_web>

 security.json
<https://drive.google.com/file/d/1xVbXcDEq2btbTycBdXLe3Evz5zIYxm9o/view?usp=drive_web>

Re: REINDEXCOLLECTION does not work with (basic) authentication

Posted by Colvin Cowie <co...@gmail.com>.

Patch available for review on
https://issues.apache.org/jira/browse/SOLR-13566

On Thu, 20 Jun 2019 at 10:02, Colvin Cowie <co...@gmail.com>
wrote:

> I've raised SOLR-13566
>
> On Thu, 20 Jun 2019 at 09:14, Jan Høydahl <ja...@cominvent.com> wrote:
>
>> I think this may be a case where the (background) job should use PKI
>> auth. Can you file a JIRA issue?
>>
>> --
>> Jan Høydahl, search solution architect
>> Cominvent AS - www.cominvent.com
>>
>> > 19. jun. 2019 kl. 20:50 skrev Colvin Cowie <colvin.cowie.dev@gmail.com
>> >:
>> >
>> > Hello
>> >
>> > I'm on the Solr 8.1 branch off commit
>> > f26388d034fe5eadca7416aa63b509b8db2c7688 so I have the authentication
>> fixes
>> > from SOLR-13510 (intermittent 401s for internode requests)
>> >
>> > When trying to use the new REINDEXCOLLECTION command with basic auth
>> > enabled, the daemon stream fails with repeated 401s when trying to
>> access
>> > the target collection.
>> >
>> > This might be the same problem as SOLR-13472, except it applies even
>> with a
>> > single node, and this doesn't require role based configuration.
>> >
>> > Repro: I added a reindex request in BasicAuthIntegrationTest and it is
>> > reproducible in there... I don't know what effect it should have on the
>> > auth metrics, if it were working correctly, so I don't know how to
>> update
>> > the test properly. But you can add the request towards the end of
>> > org.apache.solr.security.BasicAuthIntegrationTest.testBasicAuth()
>> >
>> >
>> >
>> > *      CollectionAdminRequest.ReindexCollection reindexReq =
>> > CollectionAdminRequest.reindexCollection(COLLECTION);
>> > reindexReq.setBasicAuthCredentials("harry", "HarryIsUberCool");
>> > cluster.getSolrClient().request(reindexReq, COLLECTION);*
>> >
>> > Manual Repro:
>> > run bin/solr -e cloud
>> > Choose 1 node / 1 shard / 1 replica
>> > In browser GET
>> >
>> http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION&name=gettingstarted
>> > will succeed
>> > Enable security: server\scripts\cloud-scripts\zkcli -zkhost
>> localhost:9983
>> > -cmd putfile /security.json <path to file with this>
>> >
>> > {
>> >    "authentication": {
>> >        "blockUnknown": true,
>> >        "class": "solr.BasicAuthPlugin",
>> >        "credentials": {
>> >            "solradmin": "fskh17INKrOTSRCJ8HkamA0L6Uiq1dSMgn4OVy8htME=
>> > /Q4VgOkwVlP6AMVY+ML+IuodbfV81WEfZ3lFb390bws="
>> >        }
>> >    }
>> > }
>> >
>> > In browser authenticate (as solradmin : solradmin) and GET
>> >
>> http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION&name=gettingstarted
>> > will time out after 180 seconds
>> >
>> > The solr log will show repeated 401s
>> >
>> > Setting "forwardCredentials" : true in the security.json does not
>> appear to
>> > change the outcome.
>> >
>> >
>> > responses.txt
>> > <
>> https://drive.google.com/file/d/1h_vQCrf5KyZAK6TIG6fPzMNxBL1Rx1bT/view?usp=drive_web
>> >
>> >
>> > solr.log
>> > <
>> https://drive.google.com/file/d/10oYL3AtECxmei7cVOKAM5JPKEt8lFh67/view?usp=drive_web
>> >
>> >
>> > security.json
>> > <
>> https://drive.google.com/file/d/1xVbXcDEq2btbTycBdXLe3Evz5zIYxm9o/view?usp=drive_web
>> >
>>
>>

Re: REINDEXCOLLECTION does not work with (basic) authentication

Posted by Colvin Cowie <co...@gmail.com>.

I've raised SOLR-13566

On Thu, 20 Jun 2019 at 09:14, Jan Høydahl <ja...@cominvent.com> wrote:

> I think this may be a case where the (background) job should use PKI auth.
> Can you file a JIRA issue?
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.cominvent.com
>
> > 19. jun. 2019 kl. 20:50 skrev Colvin Cowie <co...@gmail.com>:
> >
> > Hello
> >
> > I'm on the Solr 8.1 branch off commit
> > f26388d034fe5eadca7416aa63b509b8db2c7688 so I have the authentication
> fixes
> > from SOLR-13510 (intermittent 401s for internode requests)
> >
> > When trying to use the new REINDEXCOLLECTION command with basic auth
> > enabled, the daemon stream fails with repeated 401s when trying to access
> > the target collection.
> >
> > This might be the same problem as SOLR-13472, except it applies even
> with a
> > single node, and this doesn't require role based configuration.
> >
> > Repro: I added a reindex request in BasicAuthIntegrationTest and it is
> > reproducible in there... I don't know what effect it should have on the
> > auth metrics, if it were working correctly, so I don't know how to update
> > the test properly. But you can add the request towards the end of
> > org.apache.solr.security.BasicAuthIntegrationTest.testBasicAuth()
> >
> >
> >
> > *      CollectionAdminRequest.ReindexCollection reindexReq =
> > CollectionAdminRequest.reindexCollection(COLLECTION);
> > reindexReq.setBasicAuthCredentials("harry", "HarryIsUberCool");
> > cluster.getSolrClient().request(reindexReq, COLLECTION);*
> >
> > Manual Repro:
> > run bin/solr -e cloud
> > Choose 1 node / 1 shard / 1 replica
> > In browser GET
> >
> http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION&name=gettingstarted
> > will succeed
> > Enable security: server\scripts\cloud-scripts\zkcli -zkhost
> localhost:9983
> > -cmd putfile /security.json <path to file with this>
> >
> > {
> >    "authentication": {
> >        "blockUnknown": true,
> >        "class": "solr.BasicAuthPlugin",
> >        "credentials": {
> >            "solradmin": "fskh17INKrOTSRCJ8HkamA0L6Uiq1dSMgn4OVy8htME=
> > /Q4VgOkwVlP6AMVY+ML+IuodbfV81WEfZ3lFb390bws="
> >        }
> >    }
> > }
> >
> > In browser authenticate (as solradmin : solradmin) and GET
> >
> http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION&name=gettingstarted
> > will time out after 180 seconds
> >
> > The solr log will show repeated 401s
> >
> > Setting "forwardCredentials" : true in the security.json does not appear
> to
> > change the outcome.
> >
> >
> > responses.txt
> > <
> https://drive.google.com/file/d/1h_vQCrf5KyZAK6TIG6fPzMNxBL1Rx1bT/view?usp=drive_web
> >
> >
> > solr.log
> > <
> https://drive.google.com/file/d/10oYL3AtECxmei7cVOKAM5JPKEt8lFh67/view?usp=drive_web
> >
> >
> > security.json
> > <
> https://drive.google.com/file/d/1xVbXcDEq2btbTycBdXLe3Evz5zIYxm9o/view?usp=drive_web
> >
>
>

Re: REINDEXCOLLECTION does not work with (basic) authentication

Posted by Jan Høydahl <ja...@cominvent.com>.

I think this may be a case where the (background) job should use PKI auth. Can you file a JIRA issue?

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

> 19. jun. 2019 kl. 20:50 skrev Colvin Cowie <co...@gmail.com>:
> 
> Hello
> 
> I'm on the Solr 8.1 branch off commit
> f26388d034fe5eadca7416aa63b509b8db2c7688 so I have the authentication fixes
> from SOLR-13510 (intermittent 401s for internode requests)
> 
> When trying to use the new REINDEXCOLLECTION command with basic auth
> enabled, the daemon stream fails with repeated 401s when trying to access
> the target collection.
> 
> This might be the same problem as SOLR-13472, except it applies even with a
> single node, and this doesn't require role based configuration.
> 
> Repro: I added a reindex request in BasicAuthIntegrationTest and it is
> reproducible in there... I don't know what effect it should have on the
> auth metrics, if it were working correctly, so I don't know how to update
> the test properly. But you can add the request towards the end of
> org.apache.solr.security.BasicAuthIntegrationTest.testBasicAuth()
> 
> 
> 
> *      CollectionAdminRequest.ReindexCollection reindexReq =
> CollectionAdminRequest.reindexCollection(COLLECTION);
> reindexReq.setBasicAuthCredentials("harry", "HarryIsUberCool");
> cluster.getSolrClient().request(reindexReq, COLLECTION);*
> 
> Manual Repro:
> run bin/solr -e cloud
> Choose 1 node / 1 shard / 1 replica
> In browser GET
> http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION&name=gettingstarted
> will succeed
> Enable security: server\scripts\cloud-scripts\zkcli -zkhost localhost:9983
> -cmd putfile /security.json <path to file with this>
> 
> {
>    "authentication": {
>        "blockUnknown": true,
>        "class": "solr.BasicAuthPlugin",
>        "credentials": {
>            "solradmin": "fskh17INKrOTSRCJ8HkamA0L6Uiq1dSMgn4OVy8htME=
> /Q4VgOkwVlP6AMVY+ML+IuodbfV81WEfZ3lFb390bws="
>        }
>    }
> }
> 
> In browser authenticate (as solradmin : solradmin) and GET
> http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION&name=gettingstarted
> will time out after 180 seconds
> 
> The solr log will show repeated 401s
> 
> Setting "forwardCredentials" : true in the security.json does not appear to
> change the outcome.
> 
> 
> responses.txt
> <https://drive.google.com/file/d/1h_vQCrf5KyZAK6TIG6fPzMNxBL1Rx1bT/view?usp=drive_web>
> 
> solr.log
> <https://drive.google.com/file/d/10oYL3AtECxmei7cVOKAM5JPKEt8lFh67/view?usp=drive_web>
> 
> security.json
> <https://drive.google.com/file/d/1xVbXcDEq2btbTycBdXLe3Evz5zIYxm9o/view?usp=drive_web>