[ https://issues.apache.org/jira/browse/SOLR-10718?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16028513#comment-16028513 ]

Hrishikesh Gadre edited comment on SOLR-10718 at 5/29/17 4:56 PM:
------------------------------------------------------------------

[~janhoy] [~ichattopadhyaya] I found the issue and the fix is attached. Here is the summary of the problem,
- Since we are using embedded ZK, the security.json needs to be uploaded after starting Solr server.
- But since the basic authentication is configured during the server startup (via SOLR_AUTH_TYPE env variable), the default HTTP client in HttpShardHandler is configured with PreemptiveAuth request interceptor.
- When we upload security.json file, we invoke HttpShardHandlerFactory#reconfigureHttpClient(...) API to configure PKI authentication scheme. In this process, HttpClientUtil#setBasicAuth(...) API is invoked.
- In the setBasicAuth(...) method we are cleaning only the credentials but not the PreemptiveAuth request interceptor.

Hence when this HTTP client is used subsequently, we observe IllegalArgumentException since PreemptiveAuth request interceptor *requires* non-null credentials.

So the fix in this case is to remove PreemptiveAuth request interceptor when basic auth is not to be used.

was (Author: hgadre):
[~janhoy] [~ichattopadhyaya] I found the issue and the fix is attached. Here is the summary of the problem,
- Since we are using embedded ZK, the security.json needs to be uploaded after starting Solr server.
- But since the basic authentication is configured during the server startup (via SOLR_AUTH_TYPE env variable), the default HTTP client in HttpShardHandler is configured with PreemptiveAuth request interceptor.
- When we upload security.json file, we invoke HttpShardHandlerFactory#reconfigureHttpClient(...) API to configure PKI authentication scheme. In this process, HttpClientUtil#setBasicAuth(...) API is invoked.
- In the setBasicAuth(...) method we are cleaning only the credentials but not the PreemptiveAuth request interceptor.

Hence when this HTTP client is used subsequently, we observe NPE since PreemptiveAuth request interceptor *requires* non-null credentials.

So the fix in this case is to remove PreemptiveAuth request interceptor when basic auth is not to be used.

> Configuring Basic auth prevents adding a collection
> ---------------------------------------------------
>
> Key: SOLR-10718
> URL: https://issues.apache.org/jira/browse/SOLR-10718
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Server
> Affects Versions: 6.5, 6.5.1
> Reporter: Shawn Feldman
> Priority: Critical
> Fix For: 6.6
>
> Attachments: repro.sh, SOLR-10718.patch, SOLR-10718.patch
>
>
> Configure Basic auth according to documentation
> Add basic auth params
> SOLR_AUTH_TYPE="basic"
> SOLR_AUTHENTICATION_OPTS="-Dbasicauth=solr:SolrRocks"
> Try to add a collection
> Receive a timeout and error in the logs
> {code}
> java.lang.IllegalArgumentException: Credentials may not be null
>   at org.apache.http.util.Args.notNull(Args.java:54)
>   at org.apache.http.auth.AuthState.update(AuthState.java:113)
>   at org.apache.solr.client.solrj.impl.PreemptiveAuth.process(PreemptiveAuth.java:56)
>   at org.apache.http.protocol.ImmutableHttpProcessor.process(ImmutableHttpProcessor.java:132)
>   at org.apache.http.protocol.HttpRequestExecutor.preProcess(HttpRequestExecutor.java:166)
>   at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:485)
>   at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
>   at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>   at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
>   at org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:515)
>   at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:279)
>   at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:268)
> {code}
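
A simplified model of the failure described in the comment above, added here as an illustration and not taken from the attached Solr patch. The class, method and field names are hypothetical stand-ins for the shared HTTP client, `setBasicAuth(...)` and the PreemptiveAuth interceptor; it uses only the JDK, and the credential string is a constructed placeholder.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Consumer;

// Simplified model (hypothetical names, not Solr or HttpClient classes) of a
// shared HTTP client whose request interceptors outlive the credentials they need.
public class StaleInterceptorDemo {
    static class Client {
        String credentials;                                  // null = basic auth off
        final List<Consumer<Client>> interceptors = new ArrayList<>();

        void execute(String request) {
            // Every registered interceptor runs before the request is sent.
            for (Consumer<Client> i : interceptors) i.accept(this);
        }
    }

    // Stand-in for a preemptive-auth interceptor: it insists on credentials.
    static final Consumer<Client> PREEMPTIVE_AUTH = c -> {
        if (c.credentials == null)
            throw new IllegalArgumentException("Credentials may not be null");
    };

    // Behaviour described in the comment: only the credentials are cleared.
    static void setBasicAuthBuggy(Client c, String creds) {
        c.credentials = creds;
        if (creds != null && !c.interceptors.contains(PREEMPTIVE_AUTH))
            c.interceptors.add(PREEMPTIVE_AUTH);
    }

    // Fix described in the comment: drop the interceptor when basic auth is off.
    static void setBasicAuthFixed(Client c, String creds) {
        c.credentials = creds;
        c.interceptors.remove(PREEMPTIVE_AUTH);
        if (creds != null) c.interceptors.add(PREEMPTIVE_AUTH);
    }

    static String tryRequest(Client c) {
        try { c.execute("CREATE collection"); return "ok"; }
        catch (IllegalArgumentException e) { return "failed: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        Client buggy = new Client();
        setBasicAuthBuggy(buggy, "user:placeholder");   // startup: basic auth configured
        setBasicAuthBuggy(buggy, null);                 // reconfigure: credentials cleared
        System.out.println("buggy: " + tryRequest(buggy));

        Client fixed = new Client();
        setBasicAuthFixed(fixed, "user:placeholder");
        setBasicAuthFixed(fixed, null);
        System.out.println("fixed: " + tryRequest(fixed));
    }
}
```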