[ https://issues.apache.org/jira/browse/SOLR-10718?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16028513#comment-16028513 ]

Hrishikesh Gadre edited comment on SOLR-10718 at 5/29/17 4:56 PM:
------------------------------------------------------------------

[~janhoy] [~ichattopadhyaya] I found the issue and the fix is attached.

Here is the summary of the problem:
- Since we are using embedded ZK, the security.json needs to be uploaded after 
starting Solr server.
- But since the basic authentication is configured during the server startup 
(via SOLR_AUTH_TYPE env variable), the default HTTP client in HttpShardHandler 
is configured with PreemptiveAuth request interceptor.
- When we upload security.json file, we invoke 
HttpShardHandlerFactory#reconfigureHttpClient(...) API to configure PKI 
authentication scheme. In this process, HttpClientUtil#setBasicAuth(...) API is 
invoked.
- In the setBasicAuth(...) method we are cleaning only the credentials but not 
the PreemptiveAuth request interceptor. Hence when this HTTP client is used 
subsequently, we observe IllegalArgumentException since PreemptiveAuth request 
interceptor *requires* non-null credentials.

So the fix in this case is to remove PreemptiveAuth request interceptor when 
basic auth is not to be used.


was (Author: hgadre):
[~janhoy] [~ichattopadhyaya] I found the issue and the fix is attached.

Here is the summary of the problem,
- Since we are using embedded ZK, the security.json needs to be uploaded after 
starting Solr server.
- But since the basic authentication is configured during the server startup 
(via SOLR_AUTH_TYPE env variable), the default HTTP client in HttpShardHandler 
is configured with PreemptiveAuth request interceptor.
- When we upload security.json file, we invoke 
HttpShardHandlerFactory#reconfigureHttpClient(...) API to configure PKI 
authentication scheme. In this process, HttpClientUtil#setBasicAuth(...) API is 
invoked.
- In the setBasicAuth(...) method we are cleaning only the credentials but not 
the PreemptiveAuth request interceptor. Hence when this HTTP client is used 
subsequently, we observe NPE since PreemptiveAuth request interceptor 
*requires* non-null credentials.

So the fix in this case is to remove PreemptiveAuth request interceptor when 
basic auth is not to be used.

> Configuring Basic auth prevents adding a collection
> ---------------------------------------------------
>
>                 Key: SOLR-10718
>                 URL: https://issues.apache.org/jira/browse/SOLR-10718
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Server
>    Affects Versions: 6.5, 6.5.1
>            Reporter: Shawn Feldman
>            Priority: Critical
>             Fix For: 6.6
>
>         Attachments: repro.sh, SOLR-10718.patch, SOLR-10718.patch
>
>
> Configure Basic auth according to documentation 
> Add basic auth params 
> SOLR_AUTH_TYPE="basic"
> SOLR_AUTHENTICATION_OPTS="-Dbasicauth=solr:SolrRocks"
> Try to add a collection 
> Receive a timeout and error in the logs 
> {code}
> java.lang.IllegalArgumentException: Credentials may not be null
>         at org.apache.http.util.Args.notNull(Args.java:54)
>         at org.apache.http.auth.AuthState.update(AuthState.java:113)
>         at org.apache.solr.client.solrj.impl.PreemptiveAuth.process(PreemptiveAuth.java:56)
>         at org.apache.http.protocol.ImmutableHttpProcessor.process(ImmutableHttpProcessor.java:132)
>         at org.apache.http.protocol.HttpRequestExecutor.preProcess(HttpRequestExecutor.java:166)
>         at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:485)
>         at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
>         at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>         at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
>         at org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:515)
>         at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:279)
>         at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:268)
> {code}
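
The failure mode described in the comment above, as an added example that is not part of the original message and is not Solr or HttpClient code. It is a plain-Java model: `Client`, `Interceptor`, `PreemptiveAuthModel` and the `disableBasicAuth*` methods are hypothetical stand-ins, and the credentials are constructed sample values.

```java
import java.util.ArrayList;
import java.util.List;

public class AuthTeardownDemo {
    /** Stand-in for an HTTP request interceptor (hypothetical, not the HttpClient type). */
    interface Interceptor { void process(Client c); }

    /** Minimal stand-in for the shared HTTP client: one credential slot plus interceptors. */
    static class Client {
        String credentials;                        // null means "no basic auth"
        final List<Interceptor> interceptors = new ArrayList<>();
        void execute() { for (Interceptor i : interceptors) i.process(this); }
    }

    /** Models a preemptive-auth interceptor: it insists on non-null credentials. */
    static class PreemptiveAuthModel implements Interceptor {
        public void process(Client c) {
            if (c.credentials == null)
                throw new IllegalArgumentException("Credentials may not be null");
        }
    }

    /** Startup path: basic auth enabled, so credentials and interceptor are both installed. */
    static Client startWithBasicAuth(String user, String pass) {
        Client c = new Client();
        c.credentials = user + ":" + pass;
        c.interceptors.add(new PreemptiveAuthModel());
        return c;
    }

    /** Asymmetric teardown: clears the credentials, leaves the interceptor behind. */
    static void disableBasicAuthBuggy(Client c) { c.credentials = null; }

    /** Symmetric teardown: removes the interceptor together with the credentials. */
    static void disableBasicAuthFixed(Client c) {
        c.credentials = null;
        c.interceptors.removeIf(i -> i instanceof PreemptiveAuthModel);
    }

    public static void main(String[] args) {
        Client buggy = startWithBasicAuth("user", "constructed-password");
        disableBasicAuthBuggy(buggy);
        try { buggy.execute(); }
        catch (IllegalArgumentException e) { System.out.println("buggy: " + e.getMessage()); }

        Client fixed = startWithBasicAuth("user", "constructed-password");
        disableBasicAuthFixed(fixed);
        fixed.execute();                           // no interceptor left, request proceeds
        System.out.println("fixed: request sent without basic auth");
    }
}
```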


