DanielSchinaider opened a new issue, #830:
URL: https://github.com/apache/solr-operator/issues/830

   ## Summary
   When creating a user via the Solr Admin UI (Security / Authentication), Solr 
writes an invalid security.json into ZooKeeper by adding an unexpected property 
"v".
   
   This corrupts the JSON and prevents all Solr nodes in the SolrCloud cluster 
from starting.
   
   ## Environment
   Solr: 9.10 (SolrCloud)
   Cluster: 3 nodes
   ZooKeeper
   Authentication: BasicAuthPlugin
   Authorization: RuleBasedAuthorizationPlugin
   
   ## Steps to Reproduce
   1. Start a SolrCloud cluster with BasicAuth + RuleBasedAuthorization enabled.
   2. security.json is initially valid and Solr starts normally.
   3. Open the Admin UI → Security → Authentication.
   4. Use the user interface to create a new user (username + password), set their 
permissions, and save.
   5. Solr updates security.json in ZooKeeper.
   6. Restart the Solr pods/nodes (or wait until they are restarted by the 
orchestrator).
   
   ## Actual Behavior
   After the user is created via the UI, the updated security.json in ZooKeeper 
contains an extra property "v" that breaks the JSON structure.
   
   Example (simplified):
   
   ```json
   {
     "authentication": {
       "class": "solr.BasicAuthPlugin",
       "credentials": {
         "solr": "xxxx",
         "new_user": "yyyy"
       },
       "v": 0      // <-- this property is added in an invalid position
     }
   }
   ```
   
   On restart, all Solr nodes fail to start. The pods go into CrashLoopBackOff 
and the Solr web UI is unavailable.
   
   In solr.log, Solr reports errors while parsing security.json (JSON parse 
exception / invalid JSON).
   
   This effectively brings down the entire SolrCloud cluster just by creating a 
user through the Admin UI.
   
   ## Expected Behavior
   - Creating a user via the Admin UI should update security.json with valid JSON.
   - Solr should continue to start normally after the change.
   - Any internal "v" (version) field used by Solr should be written in a way 
that does not break the JSON structure.
   
   ## Impact
   A simple administrative action (creating a user via UI) can:
   - Corrupt security.json,
   - Prevent the whole SolrCloud cluster from starting,
   - Require manual intervention in ZooKeeper to fix or restore security.json.
   
   ## Additional Notes
   - Manually fixing security.json in ZooKeeper (removing or relocating the "v" 
property and restoring valid JSON) allows the cluster to start again.
   - Creating users via the authentication API (/admin/authentication with 
set-user) does not appear to cause this issue (please confirm).
   - It looks like the Admin UI path for updating users is writing the version 
field "v" into the wrong place in security.json.
   
   
   ## Request
   - Please investigate the Admin UI path for updating security.json when 
creating/modifying users under BasicAuth.
   - Ensure that any internal version metadata (such as "v") is written in a 
JSON-safe way and does not corrupt the security.json structure.
   - Ideally, add validation and error handling so that an invalid 
security.json cannot be written to ZooKeeper.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
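
A pre-write check of the kind the last request item describes, as an added example that is not part of the original issue or of Solr's own code. The function name, the key allowlist and the sample documents are assumptions made for illustration; the samples are constructed from the simplified example in the issue.

```python
import json

# Assumption: keys this check accepts under "authentication" for BasicAuthPlugin.
ALLOWED_AUTHN_KEYS = {"class", "credentials", "blockUnknown", "realm", "forwardCredentials"}

def _reject_duplicates(pairs):
    """object_pairs_hook that refuses repeated keys instead of keeping the last one."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r}")
        obj[key] = value
    return obj

def validate_security_json(text):
    """Return a list of problems; an empty list means the text may be uploaded."""
    try:
        doc = json.loads(text, object_pairs_hook=_reject_duplicates)
    except ValueError as exc:  # JSONDecodeError is a ValueError subclass
        return [f"not valid JSON: {exc}"]
    authn = doc.get("authentication") if isinstance(doc, dict) else None
    if not isinstance(authn, dict):
        return ["missing or non-object 'authentication' section"]
    problems = []
    if not isinstance(authn.get("class"), str) or not authn["class"]:
        problems.append("authentication.class must be a non-empty string")
    creds = authn.get("credentials")
    if not isinstance(creds, dict) or not creds:
        problems.append("authentication.credentials must be a non-empty object")
    else:
        for user, secret in creds.items():
            if not user or not isinstance(secret, str) or not secret:
                problems.append(f"credential entry for {user!r} is empty or not a string")
    for key in sorted(set(authn) - ALLOWED_AUTHN_KEYS):
        problems.append(f"unexpected key {key!r} under authentication")
    return problems

# Constructed samples modelled on the simplified example in the issue.
GOOD = '{"authentication": {"class": "solr.BasicAuthPlugin", "credentials": {"solr": "xxxx", "new_user": "yyyy"}}}'
STRAY_V = '{"authentication": {"class": "solr.BasicAuthPlugin", "credentials": {"solr": "xxxx"}, "v": 0}}'
WITH_COMMENT = '{"authentication": {"credentials": {"solr": "xxxx"}, "v": 0 // stray\n}}'

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("STRAY_V", STRAY_V), ("WITH_COMMENT", WITH_COMMENT)]:
        print(name, validate_security_json(sample) or "ok")
```

Running the check against the candidate document before it is uploaded to ZooKeeper, and refusing the upload on a non-empty result, keeps a document the nodes cannot parse from becoming the live security.json.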

