[
https://issues.apache.org/jira/browse/SOLR-13566?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colvin Cowie updated SOLR-13566:
--------------------------------
Status: Patch Available (was: Open)
> REINDEXCOLLECTION does not work with (basic) authentication
> -----------------------------------------------------------
>
> Key: SOLR-13566
> URL: https://issues.apache.org/jira/browse/SOLR-13566
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Affects Versions: 8.1.1
> Reporter: Colvin Cowie
> Priority: Major
> Attachments: SOLR-13566.patch, responses.txt, security.json, solr.log
>
>
> I'm on the Solr 8.1 branch off commit
> f26388d034fe5eadca7416aa63b509b8db2c7688 so I have the authentication fixes
> from SOLR-13510 (intermittent 401s for internode requests)
>
> When trying to use the new REINDEXCOLLECTION command introduced in
> SOLR-11127 with basic auth enabled, the daemon stream fails with repeated
> 401s when trying to access the target collection.
>
> This might be the same problem as SOLR-13472, except it applies even with a
> single node, and this doesn't require role based configuration.
>
> Repro: I added a reindex request in BasicAuthIntegrationTest and it is
> reproducible in there... I don't know what effect it should have on the auth
> metrics, if it were working correctly, so I don't know how to update the test
> properly. But you can add the request towards the end of
> org.apache.solr.security.BasicAuthIntegrationTest.testBasicAuth()
>
> _CollectionAdminRequest.ReindexCollection reindexReq =
> CollectionAdminRequest.reindexCollection(COLLECTION);_
> _reindexReq.setBasicAuthCredentials("harry", "HarryIsUberCool");_
> _cluster.getSolrClient().request(reindexReq, COLLECTION);_
>
> Manual Repro:
> run bin/solr -e cloud
> Choose 1 node / 1 shard / 1 replica
> In browser GET
> [http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION&name=gettingstarted]
> will succeed
> Enable security: server\scripts\cloud-scripts\zkcli -zkhost localhost:9983
> -cmd putfile /security.json <path to file with this>
>
> {
> "authentication": {
> "blockUnknown": true,
> "class": "solr.BasicAuthPlugin",
> "credentials":
> { "solradmin": "fskh17INKrOTSRCJ8HkamA0L6Uiq1dSMgn4OVy8htME=
> /Q4VgOkwVlP6AMVY+ML+IuodbfV81WEfZ3lFb390bws=" }
> }
> }
>
>
> In browser authenticate (as solradmin : solradmin) and GET
> [http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION&name=gettingstarted]
> will time out after 180 seconds
>
> The solr log will show repeated 401s
>
> Setting "forwardCredentials" : true in the security.json does not appear to
> change the outcome.
>
>
> The daemon stream should probably be using PKI auth for the internal request.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
