[
https://issues.apache.org/jira/browse/SOLR-13127?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Eric Pugh resolved SOLR-13127.
------------------------------
Resolution: Won't Fix
I believe that, since the hadoop-auth module was removed in 10, this is no
longer a valid issue. Please reopen if this issue is independent/doesn't rely
on the hadoop-auth module.
> Solr doesn't make difference by request methods
> -----------------------------------------------
>
> Key: SOLR-13127
> URL: https://issues.apache.org/jira/browse/SOLR-13127
> Project: Solr
> Issue Type: Bug
> Affects Versions: 7.4
> Environment: Ubuntu 16.04
> Solr 7.4
> Kerberos
> Java 8
> Reporter: Geza Nagy
> Priority: Major
>
> I tested SolrCloud with Kerberos auth and found an interesting scenario.
> +*Symptom:*+
> I tried to call the Solr admin API to add a collection and I got back a
> response of 400 because the collection already exists.
> +*What I used:*+
> HTTPUrlConnection + hadoop security's Kerberos Authenticator.
> [https://docs.oracle.com/javase/8/docs/api/java/net/HttpURLConnection.html]
> [https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java]
>
> +*Root cause:*+
> The Kerberos Authenticator uses OPTIONS as the request method when it checks
> whether the client is already authenticated, and if it is, the OPTIONS request
> reaches the Solr endpoint and runs the action included in the URI (since I
> provide the full URL to the authenticator).
> So during the authentication the action is performed, and when my original
> request hits the endpoint the collection is already made.
> And it can happen because there is no functionality in SOLR to properly
> handle the different request methods.
>
> In my opinion it's not proper functionality if I can call any endpoint with
> any request method and accidentally perform an action while I just want to
> check if I'm authenticated or not.
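
The sequence described under "Root cause" above, as an added simulation that is not part of the original report and uses no Solr or Hadoop code: an OPTIONS probe sent to the full action URL, followed by the real request, against a method-agnostic handler and a method-aware one. The `AdminEndpoint` class, the POST follow-up method, the 405 response and the host name are assumptions made for illustration.

```python
# Constructed simulation of the reported behaviour; hypothetical names throughout.
from urllib.parse import urlsplit, parse_qs

# Assumption: methods that should never change server state.
READ_ONLY_METHODS = {"GET", "HEAD", "OPTIONS"}


class AdminEndpoint:
    """Toy stand-in for a collections admin API (not Solr's implementation)."""

    def __init__(self, enforce_method):
        self.enforce_method = enforce_method
        self.collections = set()

    def handle(self, method, url):
        params = parse_qs(urlsplit(url).query)
        action = params.get("action", [""])[0]
        name = params.get("name", [""])[0]
        if action != "CREATE":
            return 200
        if self.enforce_method and method in READ_ONLY_METHODS:
            # Method-aware: the probe is answered without running the action.
            return 200 if method == "OPTIONS" else 405
        if name in self.collections:
            return 400  # "collection already exists"
        self.collections.add(name)
        return 200


def client_flow(endpoint, url, real_method="POST"):
    """Mimics the reported client: an OPTIONS auth probe to the full URL,
    then the caller's real request (POST is an assumption)."""
    probe_status = endpoint.handle("OPTIONS", url)
    real_status = endpoint.handle(real_method, url)
    return probe_status, real_status


# Constructed URL; the host is a placeholder.
URL = "http://solr.example:8983/solr/admin/collections?action=CREATE&name=demo"

if __name__ == "__main__":
    # Method-agnostic handler: the probe creates the collection, the real call gets 400.
    print("method-agnostic:", client_flow(AdminEndpoint(False), URL))
    # Method-aware handler: the probe has no side effect, the real call succeeds.
    print("method-aware:   ", client_flow(AdminEndpoint(True), URL))
```
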