[jira] [Comment Edited] (SOLR-11959) CDCR unauthorized to replicate to a target collection that is update protected in security.json

["Jan Høydahl (JIRA)" <ji...@apache.org>]

    [ https://issues.apache.org/jira/browse/SOLR-11959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16826146#comment-16826146 ] 

Jan Høydahl edited comment on SOLR-11959 at 4/25/19 3:10 PM:
-------------------------------------------------------------

Remember that the solution must also work with Kerberos, Hadoop, JWT and other Auth methods.

So perhaps better would be to extend the PKI concept to work cross cluster. Right now PKI will only accept requests from nodes found in local ZK. I could imagine a pluggable thing here that could allow nodes from another cluster e.g. by providing zk addr(s) for external trusted clusters. This must of course also support zk ACL etc.


was (Author: janhoy):
Remember that the solution must also work with Kerberos, Hadoop, JWT and other Auth methods.

So perhaps better would be to extend the PKI concept to work cross collection. Right now PKI will only accept requests from nodes found in local ZK. I could imagine a pluggable thing here that could allow nodes from another cluster e.g. by providing zk addr(s) for external trusted clusters. This must of course also support zk ACL etc.

> CDCR unauthorized to replicate to a target collection that is update protected in security.json
> -----------------------------------------------------------------------------------------------
>
>                 Key: SOLR-11959
>                 URL: https://issues.apache.org/jira/browse/SOLR-11959
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authentication, CDCR
>    Affects Versions: 7.2
>            Reporter: Donny Andrews
>            Priority: Major
>         Attachments: SOLR-11959.patch
>
>
> Steps to reproduce: 
>  # Create a source and a target collection in their respective clusters. 
>  # Update security.json to require a non-admin role to read and write. 
>  # Index to source collection 
> Expected: 
> The target collection should receive the update
> Actual:
> {code:java}
> org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error from server at http://redacted/solr/redacted: Expected mime type application/octet-stream but got text/html. <html>
>  <head>
>  <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
>  <title>Error 401 Unauthorized request, Response code: 401</title>
>  </head>
>  <body><h2>HTTP ERROR 401</h2>
>  <p>Problem accessing /solr/redacted/update. Reason:
>  <pre> Unauthorized request, Response code: 401</pre></p>
>  </body>
>  </html>at org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:607)
>  at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:255)
>  at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:244)
>  at org.apache.solr.client.solrj.impl.LBHttpSolrClient.doRequest(LBHttpSolrClient.java:483)
>  at org.apache.solr.client.solrj.impl.LBHttpSolrClient.request(LBHttpSolrClient.java:413)
>  at org.apache.solr.client.solrj.impl.CloudSolrClient.sendRequest(CloudSolrClient.java:1103)
>  at org.apache.solr.client.solrj.impl.CloudSolrClient.requestWithRetryOnStaleState(CloudSolrClient.java:883)
>  at org.apache.solr.client.solrj.impl.CloudSolrClient.request(CloudSolrClient.java:816)
>  at org.apache.solr.client.solrj.SolrRequest.process(SolrRequest.java:194)
>  at org.apache.solr.client.solrj.SolrRequest.process(SolrRequest.java:211)
>  at org.apache.solr.handler.CdcrReplicator.sendRequest(CdcrReplicator.java:140)
>  at org.apache.solr.handler.CdcrReplicator.run(CdcrReplicator.java:104)
>  at org.apache.solr.handler.CdcrReplicatorScheduler.lambda$null$0(CdcrReplicatorScheduler.java:81)
>  at org.apache.solr.common.util.ExecutorUtil$MDCAwareThreadPoolExecutor.lambda$execute$0(ExecutorUtil.java:188)
>  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>  at java.lang.Thread.run(Thread.java:748){code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org