Posted to dev@lucene.apache.org by "Amrit Sarkar (JIRA)" <ji...@apache.org> on 2019/04/25 14:26:00 UTC

[jira] [Commented] (SOLR-11959) CDCR unauthorized to replicate to a target collection that is update protected in security.json

    [ https://issues.apache.org/jira/browse/SOLR-11959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16826114#comment-16826114 ] 

Amrit Sarkar commented on SOLR-11959:
-------------------------------------

Since SOLR-8389 didn't get enough traction, I would like to complete this Jira with the existing design.

{{CdcrReplicator}} at the Source internally creates a SolrClient for the target and issues an UpdateRequest. We can pass details for Basic Auth in the classic manner, as part of the request header.
For this to work -- 
1. We can put Basic Auth -- username and password details for the target at the source, which can result in more security issues, since the plain-text password will be mentioned in solrconfig.xml, which is exposed at multiple facets, unlike security.json.
2. Read the security.json of the target collection at the source (since the source cluster has access to all the files at the target), unhash the password and pass it in the UpdateRequest. At the solrconfig.xml level at the source, we need to provide only the user, whose password will be fetched. This is a better security solution than the above, as reading the security doc for a cluster is restricted to one module, Cdcr.

Looking forward to feedback on this.
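The two options above hinge on what each file actually holds: solrconfig.xml would carry a reusable plain-text password, whereas security.json stores only a salted, double SHA-256 digest of it. The Python below is added here as an illustration and is not code from Solr or from this JIRA. It re-implements that credential format (base64(sha256(sha256(salt || password))) followed by the base64 salt, as Solr's Sha256AuthenticationProvider lays it out) and checks a candidate password against a constructed security.json the way the target cluster would for an incoming CDCR update. The user name `cdcr-writer`, the password and the fixed salt are constructed sample values. Because the digest is one-way, a stored entry can be verified against a password but not turned back into one, which is the caveat to keep in mind for any module that wants to read the target's security.json.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def solr_sha256(password: str, salt_b64: str) -> str:
    """base64(sha256(sha256(salt || password))): the digest Solr's BasicAuth plugin stores."""
    salt = base64.b64decode(salt_b64)
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(hashlib.sha256(inner).digest()).decode("ascii")


def make_credential(password: str, salt: Optional[bytes] = None) -> str:
    """Build the "<hash> <salt>" value that security.json keeps under authentication.credentials.

    A random 32-byte salt is drawn unless one is supplied (the sample below passes a fixed one
    so the document is reproducible)."""
    if salt is None:
        salt = secrets.token_bytes(32)
    salt_b64 = base64.b64encode(salt).decode("ascii")
    return f"{solr_sha256(password, salt_b64)} {salt_b64}"


def verify_credential(password: str, stored: str) -> bool:
    """Check a candidate password against one stored "<hash> <salt>" entry.

    The salt is public; only the password is secret. The comparison is constant-time so that
    timing does not leak how much of the digest matched."""
    parts = stored.strip().split(" ")
    if len(parts) != 2:
        return False
    stored_hash, salt_b64 = parts
    try:
        computed = solr_sha256(password, salt_b64)
    except ValueError:  # malformed base64 salt
        return False
    return hmac.compare_digest(computed, stored_hash)


def authenticate(security_json: str, user: str, password: str) -> bool:
    """Authenticate a user against the credentials map of a security.json document,
    as the target cluster does for each update request arriving from the source."""
    doc = json.loads(security_json)
    credentials = doc.get("authentication", {}).get("credentials", {})
    stored = credentials.get(user)
    if not stored:
        return False
    return verify_credential(password, stored)


# Constructed sample: what a target cluster's security.json might look like. The user name,
# password and fixed salt are invented for this example.
_SAMPLE_SALT = bytes(range(32))
SAMPLE_PASSWORD = "replicate-me-2019"
SAMPLE_SECURITY_JSON = json.dumps({
    "authentication": {
        "blockUnknown": True,
        "class": "solr.BasicAuthPlugin",
        "credentials": {"cdcr-writer": make_credential(SAMPLE_PASSWORD, _SAMPLE_SALT)},
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [{"name": "update", "role": "writer"}],
        "user-role": {"cdcr-writer": "writer"},
    },
})

if __name__ == "__main__":
    print(SAMPLE_SECURITY_JSON)
    print("right password:", authenticate(SAMPLE_SECURITY_JSON, "cdcr-writer", SAMPLE_PASSWORD))
    print("wrong password:", authenticate(SAMPLE_SECURITY_JSON, "cdcr-writer", "guess"))
    print("unknown user:  ", authenticate(SAMPLE_SECURITY_JSON, "nobody", SAMPLE_PASSWORD))
```

Run as a script it prints the constructed security.json and the three authentication outcomes. The stored value for `cdcr-writer` is all the target ever keeps, so a source that reads that file still cannot produce the password it would need for the Basic Auth header; that is the difference between the two options in the comment.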

> CDCR unauthorized to replicate to a target collection that is update protected in security.json
> -----------------------------------------------------------------------------------------------
>
>                 Key: SOLR-11959
>                 URL: https://issues.apache.org/jira/browse/SOLR-11959
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authentication, CDCR
>    Affects Versions: 7.2
>            Reporter: Donny Andrews
>            Priority: Major
>         Attachments: SOLR-11959.patch
>
>
> Steps to reproduce: 
>  # Create a source and a target collection in their respective clusters. 
>  # Update security.json to require a non-admin role to read and write. 
>  # Index to source collection 
> Expected: 
> The target collection should receive the update
> Actual:
> {code:java}
> org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error from server at http://redacted/solr/redacted: Expected mime type application/octet-stream but got text/html. <html>
>  <head>
>  <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
>  <title>Error 401 Unauthorized request, Response code: 401</title>
>  </head>
>  <body><h2>HTTP ERROR 401</h2>
>  <p>Problem accessing /solr/redacted/update. Reason:
>  <pre> Unauthorized request, Response code: 401</pre></p>
>  </body>
>  </html>at org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:607)
>  at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:255)
>  at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:244)
>  at org.apache.solr.client.solrj.impl.LBHttpSolrClient.doRequest(LBHttpSolrClient.java:483)
>  at org.apache.solr.client.solrj.impl.LBHttpSolrClient.request(LBHttpSolrClient.java:413)
>  at org.apache.solr.client.solrj.impl.CloudSolrClient.sendRequest(CloudSolrClient.java:1103)
>  at org.apache.solr.client.solrj.impl.CloudSolrClient.requestWithRetryOnStaleState(CloudSolrClient.java:883)
>  at org.apache.solr.client.solrj.impl.CloudSolrClient.request(CloudSolrClient.java:816)
>  at org.apache.solr.client.solrj.SolrRequest.process(SolrRequest.java:194)
>  at org.apache.solr.client.solrj.SolrRequest.process(SolrRequest.java:211)
>  at org.apache.solr.handler.CdcrReplicator.sendRequest(CdcrReplicator.java:140)
>  at org.apache.solr.handler.CdcrReplicator.run(CdcrReplicator.java:104)
>  at org.apache.solr.handler.CdcrReplicatorScheduler.lambda$null$0(CdcrReplicatorScheduler.java:81)
>  at org.apache.solr.common.util.ExecutorUtil$MDCAwareThreadPoolExecutor.lambda$execute$0(ExecutorUtil.java:188)
>  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>  at java.lang.Thread.run(Thread.java:748){code}


