[ https://issues.apache.org/jira/browse/SOLR-13566?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colvin Cowie updated SOLR-13566:
--------------------------------
    Status: Patch Available  (was: Open)

> REINDEXCOLLECTION does not work with (basic) authentication
> -----------------------------------------------------------
>
>                 Key: SOLR-13566
>                 URL: https://issues.apache.org/jira/browse/SOLR-13566
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 8.1.1
>            Reporter: Colvin Cowie
>            Priority: Major
>         Attachments: SOLR-13566.patch, responses.txt, security.json, solr.log
>
>
> I'm on the Solr 8.1 branch off commit 
> f26388d034fe5eadca7416aa63b509b8db2c7688 so I have the authentication fixes 
> from SOLR-13510 (intermittent 401s for internode requests)
>   
>  When trying to use the new REINDEXCOLLECTION command introduced in 
> SOLR-11127 with basic auth enabled, the daemon stream fails with repeated 
> 401s when trying to access the target collection.
>   
>  This might be the same problem as SOLR-13472, except it applies even with a 
> single node, and this doesn't require role based configuration.
>   
>  Repro: I added a reindex request in BasicAuthIntegrationTest and it is 
> reproducible in there... I don't know what effect it should have on the auth 
> metrics, if it were working correctly, so I don't know how to update the test 
> properly. But you can add the request towards the end of 
> org.apache.solr.security.BasicAuthIntegrationTest.testBasicAuth()
>   
>        CollectionAdminRequest.ReindexCollection reindexReq = CollectionAdminRequest.reindexCollection(COLLECTION);
>        reindexReq.setBasicAuthCredentials("harry", "HarryIsUberCool");
>        cluster.getSolrClient().request(reindexReq, COLLECTION);
>   
>  Manual Repro:
>  run bin/solr -e cloud
>  Choose 1 node / 1 shard / 1 replica
>  In browser GET 
> [http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION&name=gettingstarted]
>  will succeed
>  Enable security: server\scripts\cloud-scripts\zkcli -zkhost localhost:9983 
> -cmd putfile /security.json <path to file with this>
>   
>  {
>      "authentication": {
>          "blockUnknown": true,
>          "class": "solr.BasicAuthPlugin",
>          "credentials": {
>              "solradmin": "fskh17INKrOTSRCJ8HkamA0L6Uiq1dSMgn4OVy8htME= /Q4VgOkwVlP6AMVY+ML+IuodbfV81WEfZ3lFb390bws="
>          }
>      }
>  }
>   
>   
>  In browser authenticate (as solradmin : solradmin) and GET 
> [http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION&name=gettingstarted]
>  will time out after 180 seconds
>   
>  The solr log will show repeated 401s
>   
>  Setting "forwardCredentials" : true in the security.json does not appear to 
> change the outcome.
>   
>   
>  The daemon stream should probably be using PKI auth for the internal request.
>   
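Added example, not part of the issue or of Solr's own code: an offline check of the authentication block in the security.json quoted above. It assumes BasicAuthPlugin stores each credential as base64(sha256(sha256(salt + password))), a space, then the base64 salt; all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json

# security.json from the report; the wrapped credential is joined as "<hash> <salt>".
SECURITY_JSON = """{"authentication": {"blockUnknown": true,
  "class": "solr.BasicAuthPlugin",
  "credentials": {"solradmin":
    "fskh17INKrOTSRCJ8HkamA0L6Uiq1dSMgn4OVy8htME= /Q4VgOkwVlP6AMVY+ML+IuodbfV81WEfZ3lFb390bws="}}}"""


def solr_hash(password: str, salt: bytes) -> str:
    """Assumed scheme: base64(sha256(sha256(salt + password)))."""
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(hashlib.sha256(inner).digest()).decode("ascii")


def make_credential(password: str, salt: bytes) -> str:
    """Build a credentials value in the "<hash> <salt>" layout."""
    return solr_hash(password, salt) + " " + base64.b64encode(salt).decode("ascii")


def check_password(credential: str, password: str) -> bool:
    """Raises ValueError when the entry is not two valid base64 fields."""
    stored, salt_b64 = credential.split(" ")
    if len(base64.b64decode(stored, validate=True)) != 32:
        raise ValueError("hash is not a SHA-256 digest")
    salt = base64.b64decode(salt_b64, validate=True)
    return hmac.compare_digest(solr_hash(password, salt), stored)


def audit(security_json: str) -> list:
    """Return findings for the authentication block of a security.json."""
    auth = json.loads(security_json).get("authentication", {})
    findings = []
    if auth.get("class") != "solr.BasicAuthPlugin":
        findings.append("authentication class is not solr.BasicAuthPlugin")
    if auth.get("blockUnknown") is not True:
        findings.append("blockUnknown is not true: requests without credentials pass authentication")
    for user, cred in auth.get("credentials", {}).items():
        try:
            if check_password(cred, user):
                findings.append(f"{user}: password equals the user name")
        except ValueError:  # wrong field count or invalid base64
            findings.append(f"{user}: malformed credential")
    return findings
```

Calling `audit(SECURITY_JSON)` returns a list of findings; an empty list means the block passed every check.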


