Posted to dev@lucene.apache.org by "Ishan Chattopadhyaya (JIRA)" <ji...@apache.org> on 2019/07/03 03:48:00 UTC

[jira] [Commented] (SOLR-13480) Collection creation failure when using Kerberos authentication combined with rule-base authorization

    [ https://issues.apache.org/jira/browse/SOLR-13480?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16877462#comment-16877462 ] 

Ishan Chattopadhyaya commented on SOLR-13480:
---------------------------------------------

Looking into this..

> Collection creation failure when using Kerberos authentication combined with rule-base authorization
> ----------------------------------------------------------------------------------------------------
>
>                 Key: SOLR-13480
>                 URL: https://issues.apache.org/jira/browse/SOLR-13480
>             Project: Solr
>          Issue Type: Bug
>          Components: Authorization, security
>    Affects Versions: 7.7.1
>            Reporter: mosh
>            Assignee: Ishan Chattopadhyaya
>            Priority: Major
>              Labels: kerberos
>
> Creation of collection with an authorized user fails with the following error:
> {code:java}
> org.apache.solr.common.SolrException: Error getting replica locations : unable to get autoscaling policy session{code}
> At first it may seem like a duplicate of SOLR-13355, as we are using the “all” permission, but the bug is specific to Kerberos (tested and found OK using basic auth); plus, we verified the failure with a 7.7.2 snapshot that included the relevant patch.
> +How to reproduce:+
> 1. Configure SolrCloud with Kerberos authentication and rule-based authorization plugins using the following security.json file:
> {code:java}
> {
> "authentication":{
>    "class":"org.apache.solr.security.KerberosPlugin"
> },
> "authorization":{
>    "class":"solr.RuleBasedAuthorizationPlugin",
>    "permissions":[
>      {
>        "name":"read",
>        "role":"*"
>      },
>      {
>        "name":"all",
>        "role":"admin_user"
>      }
>    ],
>    "user-role":{
>      "admin_user@OUR_REALM":"admin_user"
>    }
> }}{code}
> 2. Create collection using an authorized user:
> {code:java}
> kinit admin_user@OUR_REALM
> curl --negotiate -u : "http://<HOST:PORT>/solr/admin/collections?action=CREATE&name=mycoll&numShards=1&collection.configName=_default"{code}
> ==> request fails with the error written above.
> 3. Disable authorization by removing the _authorization_ section from security.json, so the file should be as follows:
> {code:java}
> {
>   "authentication":{
>     "class":"org.apache.solr.security.KerberosPlugin"
>   }
> }{code}
> 4. Create collection again as in step 2.
> ==> request succeeds.
> 5. Return authorization section to security.json (file from step 1) and make sure authorization works as expected by inserting documents and executing search queries with different users.


