Posted to issues@solr.apache.org by "pgnd (Jira)" <ji...@apache.org> on 2022/05/15 12:54:00 UTC
[jira] [Updated] (SOLR-16197) solr 8x -> 9.0.0 upgrade; BasicAuth security FAILs @ "o.a.s.s.BasicAuthPlugin Bad auth credentials supplied in Authorization header"
[ https://issues.apache.org/jira/browse/SOLR-16197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
pgnd updated SOLR-16197:
------------------------
Description:
on
```
lsb_release -rd
Description: Fedora release 36 (Thirty Six)
Release: 36
java -version
Picked up JAVA_TOOL_OPTIONS: -Xmx512M
openjdk version "18.0.1" 2022-04-19
OpenJDK Runtime Environment 22.3 (build 18.0.1+10)
OpenJDK 64-Bit Server VM 22.3 (build 18.0.1+10, mixed mode, sharing)
```
i've clean-installed solr 9.0.0
```
sudo -u solr /srv/webapps/solr/solr/bin/solr version
9.0.0
```
it's up/running
```
systemctl status solr
● solr.service - LSB: Controls Apache Solr as a Service
     Loaded: loaded (/etc/rc.d/init.d/solr; generated)
     Active: active (exited) since Fri 2022-05-13 06:22:40 EDT; 2min 54s ago
       Docs: man:systemd-sysv-generator(8)
    Process: 56877 ExecStart=/etc/rc.d/init.d/solr start (code=exited, status=0/SUCCESS)
        CPU: 43ms
```
with no user/auth security,
```
ls -al /data/solr/data/security.json
ls: cannot access '/data/solr/data/security.json': No such file or directory
```
nav to & admin @,
https:///solr.example.com:8983/solr
works as expected.
deploying user BasicAuth security
https://solr.apache.org/guide/solr/latest/deployment-guide/basic-authentication-plugin.html
with
```
MY_USER_PASS="aaaaaaaaaaaaaa_bbbbbbbbbbbb_111111111+ccccccc_22"
MY_USER_HASH=$( echo -n $MY_USER_PASS | shasum -a 256 | awk '{print $1}' | tr -d ' ')
echo $MY_USER_HASH
79a054509e27e20b16fb85caf221ac8d488168afa6715f2543d761269a72d832
```
and
```
egrep "Dbasicauth|SOLR_LOG_LEVEL" /etc/default/solr.in.sh
SOLR_LOG_LEVEL=DEBUG
SOLR_AUTHENTICATION_OPTS="-Dbasicauth=testuser:aaaaaaaaaaaaaa_bbbbbbbbbbbb_111111111+ccccccc_22"
```
and
```
cat /data/solr/data/security.json
{
  "authentication":{
    "blockUnknown": true,
    "class":"solr.BasicAuthPlugin",
    "credentials":{"testuser":"79a054509e27e20b16fb85caf221ac8d488168afa6715f2543d761269a72d832"},
    "realm":"MyRealm Solr",
    "forwardCredentials": false
  },
  "authorization":{
    "class":"solr.RuleBasedAuthorizationPlugin",
    "permissions":[{"name":"security-edit",
      "role":"admin"}],
    "user-role":{"solr":"admin"}
}}
```
nav to:
https:///solr.example.com:8983/solr
returns the expected
Basic Authentication
form.
entering credentials
```
username: testuser
password: aaaaaaaaaaaaaa_bbbbbbbbbbbb_111111111+ccccccc_22
```
fails with
```
Basic Authentication
Unauthorized
Solr requires authentication for resource Dashboard.
Please log in with your username and password for realm MyRealm Solr.
```
and DEBUG logs,
--> https://pastebin.com/raw/aHVCgGKF
there, this looks possibly suspect,
```
...
2022-05-13 06:33:00.651 DEBUG (qtp1777443462-23) [] o.a.s.s.SolrDispatchFilter Request to authenticate: org.apache.solr.servlet.ServletUtils$1@3acaf4f, domain: 10.1.1.27, port: 8983
2022-05-13 06:33:00.656 DEBUG (qtp1777443462-22) [] o.a.s.s.SolrDispatchFilter Request to authenticate: org.apache.solr.servlet.ServletUtils$1@540dbd19, domain: 10.1.1.27, port: 8983
2022-05-13 06:33:00.660 DEBUG (qtp1777443462-23) [] o.a.s.s.BasicAuthPlugin Bad auth credentials supplied in Authorization header
2022-05-13 06:33:00.650 DEBUG (qtp1777443462-20) [] o.a.s.s.SolrDispatchFilter Request to authenticate: org.apache.solr.servlet.ServletUtils$1@7e6b57df, domain: 10.1.1.27, port: 8983
2022-05-13 06:33:00.661 DEBUG (qtp1777443462-20) [] o.a.s.s.BasicAuthPlugin Bad auth credentials supplied in Authorization header
2022-05-13 06:33:00.662 DEBUG (qtp1777443462-20) [] o.a.s.s.BasicAuthPlugin Prefixing WWW-Authenticate header for Basic Auth with 'x' to prevent browser basic auth popup
?? 2022-05-13 06:33:00.663 DEBUG (qtp1777443462-22) [] o.a.s.s.BasicAuthPlugin Bad auth credentials supplied in Authorization header
?? 2022-05-13 06:33:00.663 DEBUG (qtp1777443462-22) [] o.a.s.s.BasicAuthPlugin Prefixing WWW-Authenticate header for Basic Auth with 'x' to prevent browser basic auth popup
2022-05-13 06:33:00.667 DEBUG (qtp1777443462-22) [] o.e.j.s.HttpChannelState sendError HttpChannelState@191ce1ad{s=HANDLING rs=BLOCKING os=OPEN is=IDLE awp=false se=false i=true al=0}
...
```
dropping back to solr 8x, i've no issues with basicauth.
> solr 8x -> 9.0.0 upgrade; BasicAuth security FAILs @ "o.a.s.s.BasicAuthPlugin Bad auth credentials supplied in Authorization header"
> -------------------------------------------------------------------------------------------------------------------------------------
>
> Key: SOLR-16197
> URL: https://issues.apache.org/jira/browse/SOLR-16197
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Authentication
> Affects Versions: 9.0
> Reporter: pgnd
> Priority: Major
> Labels: BasicAuth, authentication, upgrade
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
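Solr's BasicAuthPlugin checks a login against a stored value of the form `base64(sha256(sha256(salt + password)))`, a space, then `base64(salt)`; the hex string in the report's `security.json` does not have that shape. The Python below is an added example, not part of the report and not Solr's code: it builds, checks and lints that format, with `shell_style_hex`, `solr_hash`, `make_credential`, `check_password` and `lint_credential` as hypothetical helper names and the sample password constructed.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Value copied from the "credentials" entry in the report's security.json.
PAGE_STORED = "79a054509e27e20b16fb85caf221ac8d488168afa6715f2543d761269a72d832"

def shell_style_hex(password):
    """What `echo -n "$PASS" | shasum -a 256` yields: one unsalted SHA-256, in hex."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def solr_hash(password, salt):
    """base64(sha256(sha256(salt + password)))."""
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(hashlib.sha256(inner).digest()).decode("ascii")

def make_credential(password, salt=None):
    """Build the '<hash> <salt>' string that goes under "credentials"."""
    salt = os.urandom(32) if salt is None else salt
    return solr_hash(password, salt) + " " + base64.b64encode(salt).decode("ascii")

def check_password(password, stored):
    """Compare a login password against a stored credential string."""
    fields = stored.strip().split(" ")
    salt = b""  # no salt field: hash the password alone
    if len(fields) > 1 and fields[1]:
        try:
            salt = base64.b64decode(fields[1], validate=True)
        except binascii.Error:
            return False
    return hmac.compare_digest(solr_hash(password, salt).encode(), fields[0].encode())

def lint_credential(stored):
    """List the ways a stored value departs from the '<hash> <salt>' shape."""
    problems = []
    fields = stored.strip().split(" ")
    try:
        digest = base64.b64decode(fields[0], validate=True)
    except binascii.Error:
        digest = b""
    if len(digest) != 32:
        problems.append("hash field is not base64 of a 32-byte digest")
    if len(fields) < 2 or not fields[1]:
        problems.append("no salt field after the hash")
    return problems

if __name__ == "__main__":
    print(lint_credential(PAGE_STORED))
    print(lint_credential(make_credential("constructed-example-password")))
```

A hex SHA-256 string is 64 characters that happen to be valid base64, so it decodes without error but to 48 bytes, which is why the lint checks the decoded length rather than only whether decoding succeeds.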