Posted to dev@lucene.apache.org by "Anshum Gupta (JIRA)" <ji...@apache.org> on 2015/11/25 18:41:11 UTC

[jira] [Comment Edited] (SOLR-8326) PKIAuthenticationPlugin doesn't report any errors in case of stale or wrong keys and returns garbage

    [ https://issues.apache.org/jira/browse/SOLR-8326?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15018581#comment-15018581 ] 

Anshum Gupta edited comment on SOLR-8326 at 11/25/15 5:40 PM:
--------------------------------------------------------------

PKIAuthenticationPlugin doesn't report errors in case the key provided is invalid and instead just returns garbage. This causes the authorization to break as well.

Original text:

Here is the list of steps that you'd need to run to see that things are fine for you without the read permission:
* Untar and set up Solr, don't start it yet
* Start clean zookeeper
* Put the security.json in zk, without anything other than a security-edit permission. Find the content of the file below. Upload it using your own zk client or through the solr script:
> solr-5.3.1/server/scripts/cloud-scripts/zkcli.sh -zkhost localhost:2181 -cmd putfile /security.json ~/security.json

security.json:
{"authentication":{"class":"solr.BasicAuthPlugin","credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}},"authorization":{"class":"solr.RuleBasedAuthorizationPlugin","user-role":{"solr":["admin"]},"permissions":[{"name":"security-edit","role":"admin"}]}}

* Start solr: 
> solr-5.3.1/bin/solr start -e cloud -z localhost:2181

You would need to key in a few things e.g. #nodes and ports, leave them at the default values of 2 nodes and 8983/7574, unless you want to run Solr on a different port. Then let it create a default collection to just make sure that everything works fine.

* Add the collection-admin-edit command:
> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{"set-permission" : {"name":"collection-admin-edit", "role":"admin"}}'

At this point, everything should be working fine. Restarting the nodes should also work fine. You can try 2 things at this point:
1. Create a new collection with 1 shard and 1 replica and then try adding a replica, here's how:
> curl --user solr:SolrRocks 'http://localhost:8983/solr/admin/collections?action=CREATE&name=testcollection&collection.configName=gettingstarted&numShards=1'

> curl --user solr:SolrRocks 'http://localhost:8983/solr/admin/collections?action=ADDREPLICA&collection=testcollection&shard=shard1'

This should work fine.

2. After this, try restarting the solr cluster. Here's how you can do so, assuming you didn't change any of the defaults and you are running zk on localhost:2181. If not, just change those values below:
> bin/solr stop -all

After this, check that Solr was actually stopped. I'd also suggest you tail the logs on both nodes when they are coming up to see any errors, if any. The logs would be here: example/cloud/node1/logs/solr.log and example/cloud/node2/logs/solr.log

> bin/solr start -c -p 8983 -s "example/cloud/node1/solr" -z localhost:2181
> bin/solr start -c -p 7574 -s "example/cloud/node2/solr" -z localhost:2181

If you get to this checkpoint fine, try adding a read permission.
Add a permission:
> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{"set-permission" : {"name":"read", "role":"read"}}'

Add a user:
> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{"set-user" : {"solrread":"solrRocks"}}'

Assign a role to the user:
> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{"set-user-role" : {"solrread":["read"]}}'

After this, you should start having issues with ADDREPLICA.
Also, as you would at this point have a collection with a shard that has a replication factor > 1 (remember the ADDREPLICA we did earlier), you would have issues when you restart the cluster again using the steps I mentioned above.



> PKIAuthenticationPlugin doesn't report any errors in case of stale or wrong keys and returns garbage
> ----------------------------------------------------------------------------------------------------
>
>                 Key: SOLR-8326
>                 URL: https://issues.apache.org/jira/browse/SOLR-8326
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: 5.3, 5.3.1
>            Reporter: Anshum Gupta
>            Assignee: Noble Paul
>            Priority: Blocker
>             Fix For: 5.4
>
>         Attachments: SOLR-8326.patch, SOLR-8326.patch
>
>
> This was reported on the mailing list:
> https://www.mail-archive.com/solr-user@lucene.apache.org/msg115921.html
> I tested it out as follows to confirm that adding a 'read' rule causes replication to break. 
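
Added example (not part of the original comment and not Solr's code): a simplified Python model of rule-based authorization over the page's security.json, showing why a principal that decrypts to garbage goes unnoticed until a 'read' permission exists. It assumes that a request matching no permission is allowed and that inter-node replication requests fall under 'read'; authorize, with_read_rule, BASE and GARBAGE are hypothetical names.

```python
import copy

# Authorization section of the page's security.json after the
# collection-admin-edit call (constructed here; credentials are not needed).
BASE = {
    "user-role": {"solr": ["admin"]},
    "permissions": [
        {"name": "security-edit", "role": "admin"},
        {"name": "collection-admin-edit", "role": "admin"},
    ],
}

# Constructed stand-in for a principal produced by decrypting with a stale key.
GARBAGE = "\ufffd\x13q\ufffd"


def with_read_rule(authz):
    """Return a copy with the page's 'read' permission and 'solrread' user added."""
    out = copy.deepcopy(authz)
    out["permissions"].append({"name": "read", "role": "read"})
    out["user-role"]["solrread"] = ["read"]
    return out


def authorize(authz, principal, permission_name):
    """Simplified rule check (assumed model). Returns an HTTP status code."""
    rule = next(
        (p for p in authz["permissions"] if p["name"] == permission_name), None
    )
    if rule is None:
        return 200  # no rule covers this request, so identity is never examined
    if principal is None:
        return 401  # a rule applies but no identity was established
    roles = authz["user-role"].get(principal, [])
    return 200 if rule["role"] in roles else 403


def replication_outcomes():
    """Status of an inter-node 'read' request before and after the read rule."""
    after = with_read_rule(BASE)
    return {
        "before/garbage": authorize(BASE, GARBAGE, "read"),
        "after/garbage": authorize(after, GARBAGE, "read"),
        "after/none": authorize(after, None, "read"),
        "after/solrread": authorize(after, "solrread", "read"),
    }


if __name__ == "__main__":
    for case, status in replication_outcomes().items():
        print(f"{case}: {status}")
```

In this model the garbage principal is accepted while no rule covers the request and is rejected as soon as the 'read' rule exists, which matches the point in the steps above where ADDREPLICA and restarts start failing.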


