[ 
https://issues.apache.org/jira/browse/SOLR-12813?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17840607#comment-17840607
 ] 

Rudi Seitz commented on SOLR-12813:
-----------------------------------

Yes, this issue is about BasicAuthPlugin, configured similarly to what is 
described in the reference guide 
[here|https://solr.apache.org/guide/solr/latest/deployment-guide/basic-authentication-plugin.html#enable-basic-authentication]

This ticket is basically saying that the transparent instrumentation of 
AuthenticationPlugin can break in some cases – specifically in the scenario of 
a subquery executed in a multi-shard environment.

So why does it break in this particular scenario and not elsewhere? I'll try to 
provide more detail later, but the basic idea is that the 
SubQueryAugmenterFactory generates _new_ queries that do not share all the 
state of the incoming request. And these queries are processed using an 
EmbeddedSolrServer that doesn't respect the way BasicAuthPlugin is trying to be 
transparently instrumented. My [PR|https://github.com/apache/solr/pull/2404] 
shows the specific places where these problems arise and how they can be fixed.

To quickly reproduce the issue described in this issue, one can apply the 
changes I made to TestSubQueryTransformerDistrib so that basic auth is enabled. 
The modified test should fail against main, without also applying the other 
changes in the PR that fix the underlying issue. 
https://github.com/apache/solr/commit/d2503ffd9a7cd58c4449c83ff940b63541fce251


 

> SolrCloud + 2 shards + subquery + auth = 401 Exception
> ------------------------------------------------------
>
>                 Key: SOLR-12813
>                 URL: https://issues.apache.org/jira/browse/SOLR-12813
>             Project: Solr
>          Issue Type: Bug
>          Components: security, SolrCloud
>    Affects Versions: 6.4.1, 7.5, 8.11
>            Reporter: Igor Fedoryn
>            Priority: Major
>         Attachments: screen1.png, screen2.png
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> Environment:
>  * Solr 6.4.1
>  * Zookeeper 3.4.6
>  * Java 1.8
> Run Zookeeper
> Upload simple configuration wherein the Solr schema has fields for a 
> relationship between parent/child
> Run two Solr instances (2 nodes)
> Create the collection with 1 shard on each Solr node
>  
> Add parent document to one shard and child document to another shard.
> The response for:
>  * /select?q=ChildIdField:VALUE&fl=*,parents:[subquery]&parents.q=\{!term f=id v=$row.ParentIdsField}
> is correct.
>  
> After that, add Basic Authentication with some user for the collection.
> Restart Solr or reload the Solr collection.
> If the simple request /select?q=*:* with authorization on the Solr server is a 
> success, then run the previous request
> with authorization on the Solr server and you get the exception: "Solr HTTP 
> error: Unauthorized (401)"
>  
> Screens in the attachment.


