[jira] [Commented] (SOLR-12813) SolrCloud + 2 shards + subquery + auth = 401 Exception
[
https://issues.apache.org/jira/browse/SOLR-12813?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17851500#comment-17851500
]
ASF subversion and git services commented on SOLR-12813:
Commit 0551589dffb13e25c25d6237914e2b35e2238e98 in solr's branch
refs/heads/jira/17134 from Rudi Seitz
[ https://gitbox.apache.org/repos/asf?p=solr.git;h=0551589dffb ]
SOLR-12813 followup -- preserve user Principal in alternate codepath in
EmbeddedSolrServer (#2429)
EmbeddedSolrServer#request() has two separate codepaths where a
SolrQueryRequest is created using the _parser.buildRequestFrom() utility
method. The first codepath is active when the relevant SolrRequestHandler can
be gotten from the CoreContainer. The second codepath is active when
coreContainer.getRequestHandler(path) returns null and instead we have to get
the SolrRequestHandler directly from the SolrCore. This second codepath is the
one that's used in subquery execution. It was updated in the initial fix for
SOLR-12813 so that the call to _parser.buildRequestFrom() would now include the
user Principal. However, the first codepath was left alone because it was not
found to be involved in subquery execution. In the present commit, the first
codepath is being updated as well. This change is not needed for addressing the
issue described in SOLR-12813, but it is being made in the interest of keeping
the logic as consistent as possible across the two codepaths in
EmbeddedSolrServer.request()
> SolrCloud + 2 shards + subquery + auth = 401 Exception
> --
>
> Key: SOLR-12813
> URL: https://issues.apache.org/jira/browse/SOLR-12813
> Project: Solr
> Issue Type: Bug
> Components: security, SolrCloud
>Affects Versions: 6.4.1, 7.5, 8.11
>Reporter: Igor Fedoryn
>Assignee: Eric Pugh
>Priority: Major
> Fix For: 9.7
>
> Attachments: screen1.png, screen2.png
>
> Time Spent: 4h 10m
> Remaining Estimate: 0h
>
> Environment: * Solr 6.4.1
> * Zookeeper 3.4.6
> * Java 1.8
> Run Zookeeper
> Upload simple configuration wherein the Solr schema has fields for a
> relationship between parent/child
> Run two Solr instance (2 nodes)
> Create the collection with 1 shard on each Solr nodes
>
> Add parent document to one shard and child document to another shard.
> The response for: *
> /select?q=ChildIdField:VALUE&fl=*,parents:[subqery]&parents.q=\{!term f=id
> v=$row.ParentIdsField}
> correct.
>
> After that add Basic Authentication with some user for collection.
> Restart Solr or reload Solr collection.
> If the simple request /select?q=*:* with authorization on Solr server is a
> success then run previously request
> with authorization on Solr server and you get the exception: "Solr HTTP
> error: Unauthorized (401) "
>
> Screens in the attachment.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
-
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
[jira] [Commented] (SOLR-12813) SolrCloud + 2 shards + subquery + auth = 401 Exception
[
https://issues.apache.org/jira/browse/SOLR-12813?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17848745#comment-17848745
]
ASF subversion and git services commented on SOLR-12813:
Commit 2a84def1cccbac76bc0df791f66458663fe35f9b in solr's branch
refs/heads/branch_9x from Rudi Seitz
[ https://gitbox.apache.org/repos/asf?p=solr.git;h=2a84def1ccc ]
SOLR-12813 followup -- preserve user Principal in alternate codepath in
EmbeddedSolrServer (#2429)
EmbeddedSolrServer#request() has two separate codepaths where a
SolrQueryRequest is created using the _parser.buildRequestFrom() utility
method. The first codepath is active when the relevant SolrRequestHandler can
be gotten from the CoreContainer. The second codepath is active when
coreContainer.getRequestHandler(path) returns null and instead we have to get
the SolrRequestHandler directly from the SolrCore. This second codepath is the
one that's used in subquery execution. It was updated in the initial fix for
SOLR-12813 so that the call to _parser.buildRequestFrom() would now include the
user Principal. However, the first codepath was left alone because it was not
found to be involved in subquery execution. In the present commit, the first
codepath is being updated as well. This change is not needed for addressing the
issue described in SOLR-12813, but it is being made in the interest of keeping
the logic as consistent as possible across the two codepaths in
EmbeddedSolrServer.request()
> SolrCloud + 2 shards + subquery + auth = 401 Exception
> --
>
> Key: SOLR-12813
> URL: https://issues.apache.org/jira/browse/SOLR-12813
> Project: Solr
> Issue Type: Bug
> Components: security, SolrCloud
>Affects Versions: 6.4.1, 7.5, 8.11
>Reporter: Igor Fedoryn
>Assignee: Eric Pugh
>Priority: Major
> Fix For: 9.7
>
> Attachments: screen1.png, screen2.png
>
> Time Spent: 4h 10m
> Remaining Estimate: 0h
>
> Environment: * Solr 6.4.1
> * Zookeeper 3.4.6
> * Java 1.8
> Run Zookeeper
> Upload simple configuration wherein the Solr schema has fields for a
> relationship between parent/child
> Run two Solr instance (2 nodes)
> Create the collection with 1 shard on each Solr nodes
>
> Add parent document to one shard and child document to another shard.
> The response for: *
> /select?q=ChildIdField:VALUE&fl=*,parents:[subqery]&parents.q=\{!term f=id
> v=$row.ParentIdsField}
> correct.
>
> After that add Basic Authentication with some user for collection.
> Restart Solr or reload Solr collection.
> If the simple request /select?q=*:* with authorization on Solr server is a
> success then run previously request
> with authorization on Solr server and you get the exception: "Solr HTTP
> error: Unauthorized (401) "
>
> Screens in the attachment.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
-
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
[jira] [Commented] (SOLR-12813) SolrCloud + 2 shards + subquery + auth = 401 Exception
[
https://issues.apache.org/jira/browse/SOLR-12813?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17848744#comment-17848744
]
ASF subversion and git services commented on SOLR-12813:
Commit 0551589dffb13e25c25d6237914e2b35e2238e98 in solr's branch
refs/heads/main from Rudi Seitz
[ https://gitbox.apache.org/repos/asf?p=solr.git;h=0551589dffb ]
SOLR-12813 followup -- preserve user Principal in alternate codepath in
EmbeddedSolrServer (#2429)
EmbeddedSolrServer#request() has two separate codepaths where a
SolrQueryRequest is created using the _parser.buildRequestFrom() utility
method. The first codepath is active when the relevant SolrRequestHandler can
be gotten from the CoreContainer. The second codepath is active when
coreContainer.getRequestHandler(path) returns null and instead we have to get
the SolrRequestHandler directly from the SolrCore. This second codepath is the
one that's used in subquery execution. It was updated in the initial fix for
SOLR-12813 so that the call to _parser.buildRequestFrom() would now include the
user Principal. However, the first codepath was left alone because it was not
found to be involved in subquery execution. In the present commit, the first
codepath is being updated as well. This change is not needed for addressing the
issue described in SOLR-12813, but it is being made in the interest of keeping
the logic as consistent as possible across the two codepaths in
EmbeddedSolrServer.request()
> SolrCloud + 2 shards + subquery + auth = 401 Exception
> --
>
> Key: SOLR-12813
> URL: https://issues.apache.org/jira/browse/SOLR-12813
> Project: Solr
> Issue Type: Bug
> Components: security, SolrCloud
>Affects Versions: 6.4.1, 7.5, 8.11
>Reporter: Igor Fedoryn
>Assignee: Eric Pugh
>Priority: Major
> Fix For: 9.7
>
> Attachments: screen1.png, screen2.png
>
> Time Spent: 4h 10m
> Remaining Estimate: 0h
>
> Environment: * Solr 6.4.1
> * Zookeeper 3.4.6
> * Java 1.8
> Run Zookeeper
> Upload simple configuration wherein the Solr schema has fields for a
> relationship between parent/child
> Run two Solr instance (2 nodes)
> Create the collection with 1 shard on each Solr nodes
>
> Add parent document to one shard and child document to another shard.
> The response for: *
> /select?q=ChildIdField:VALUE&fl=*,parents:[subqery]&parents.q=\{!term f=id
> v=$row.ParentIdsField}
> correct.
>
> After that add Basic Authentication with some user for collection.
> Restart Solr or reload Solr collection.
> If the simple request /select?q=*:* with authorization on Solr server is a
> success then run previously request
> with authorization on Solr server and you get the exception: "Solr HTTP
> error: Unauthorized (401) "
>
> Screens in the attachment.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
-
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
[jira] [Commented] (SOLR-12813) SolrCloud + 2 shards + subquery + auth = 401 Exception
[
https://issues.apache.org/jira/browse/SOLR-12813?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17841461#comment-17841461
]
ASF subversion and git services commented on SOLR-12813:
Commit 25d5f6988e9cb290ab68928c84df5eb6bc641bd0 in solr's branch
refs/heads/branch_9x from Rudi Seitz
[ https://gitbox.apache.org/repos/asf?p=solr.git;h=25d5f6988e9 ]
SOLR-12813: subqueries should respect basic auth (#2404)
Fix issue where a basic auth user principal is lost when issuing a subquery in
a way that spans multiple shards:
- SubQueryAugmenterFactory now passes the user principal from the main
SolrQueryRequest down into each QueryRequest created for the subquery.
- EmbeddedSolrServer now preserves the user principal when it transforms a
SolrRequest into a SolrQueryRequest. The method that does this transformation
is SolrRequestParsers.buildRequestFrom(). This method now accepts a user
principal and returns a SolrQueryRequestBase that returns the same principal
provided.
-
Co-authored-by: Eric Pugh
> SolrCloud + 2 shards + subquery + auth = 401 Exception
> --
>
> Key: SOLR-12813
> URL: https://issues.apache.org/jira/browse/SOLR-12813
> Project: Solr
> Issue Type: Bug
> Components: security, SolrCloud
>Affects Versions: 6.4.1, 7.5, 8.11
>Reporter: Igor Fedoryn
>Priority: Major
> Attachments: screen1.png, screen2.png
>
> Time Spent: 2h 10m
> Remaining Estimate: 0h
>
> Environment: * Solr 6.4.1
> * Zookeeper 3.4.6
> * Java 1.8
> Run Zookeeper
> Upload simple configuration wherein the Solr schema has fields for a
> relationship between parent/child
> Run two Solr instance (2 nodes)
> Create the collection with 1 shard on each Solr nodes
>
> Add parent document to one shard and child document to another shard.
> The response for: *
> /select?q=ChildIdField:VALUE&fl=*,parents:[subqery]&parents.q=\{!term f=id
> v=$row.ParentIdsField}
> correct.
>
> After that add Basic Authentication with some user for collection.
> Restart Solr or reload Solr collection.
> If the simple request /select?q=*:* with authorization on Solr server is a
> success then run previously request
> with authorization on Solr server and you get the exception: "Solr HTTP
> error: Unauthorized (401) "
>
> Screens in the attachment.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
-
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
[jira] [Commented] (SOLR-12813) SolrCloud + 2 shards + subquery + auth = 401 Exception
[
https://issues.apache.org/jira/browse/SOLR-12813?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17841457#comment-17841457
]
ASF subversion and git services commented on SOLR-12813:
Commit 54aa923f008108c54bfa608d4770ea86b15ae291 in solr's branch
refs/heads/main from Rudi Seitz
[ https://gitbox.apache.org/repos/asf?p=solr.git;h=54aa923f008 ]
SOLR-12813: subqueries should respect basic auth (#2404)
Fix issue where a basic auth user principal is lost when issuing a subquery in
a way that spans multiple shards:
- SubQueryAugmenterFactory now passes the user principal from the main
SolrQueryRequest down into each QueryRequest created for the subquery.
- EmbeddedSolrServer now preserves the user principal when it transforms a
SolrRequest into a SolrQueryRequest. The method that does this transformation
is SolrRequestParsers.buildRequestFrom(). This method now accepts a user
principal and returns a SolrQueryRequestBase that returns the same principal
provided.
-
Co-authored-by: Eric Pugh
> SolrCloud + 2 shards + subquery + auth = 401 Exception
> --
>
> Key: SOLR-12813
> URL: https://issues.apache.org/jira/browse/SOLR-12813
> Project: Solr
> Issue Type: Bug
> Components: security, SolrCloud
>Affects Versions: 6.4.1, 7.5, 8.11
>Reporter: Igor Fedoryn
>Priority: Major
> Attachments: screen1.png, screen2.png
>
> Time Spent: 2h 10m
> Remaining Estimate: 0h
>
> Environment: * Solr 6.4.1
> * Zookeeper 3.4.6
> * Java 1.8
> Run Zookeeper
> Upload simple configuration wherein the Solr schema has fields for a
> relationship between parent/child
> Run two Solr instance (2 nodes)
> Create the collection with 1 shard on each Solr nodes
>
> Add parent document to one shard and child document to another shard.
> The response for: *
> /select?q=ChildIdField:VALUE&fl=*,parents:[subqery]&parents.q=\{!term f=id
> v=$row.ParentIdsField}
> correct.
>
> After that add Basic Authentication with some user for collection.
> Restart Solr or reload Solr collection.
> If the simple request /select?q=*:* with authorization on Solr server is a
> success then run previously request
> with authorization on Solr server and you get the exception: "Solr HTTP
> error: Unauthorized (401) "
>
> Screens in the attachment.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
-
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
[jira] [Commented] (SOLR-12813) SolrCloud + 2 shards + subquery + auth = 401 Exception
[
https://issues.apache.org/jira/browse/SOLR-12813?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17840607#comment-17840607
]
Rudi Seitz commented on SOLR-12813:
---
Yes, this issue is about BasicAuthPlugin, configured similarly to what is
described in the reference guide
[here|https://solr.apache.org/guide/solr/latest/deployment-guide/basic-authentication-plugin.html#enable-basic-authentication]
This ticket is basically saying that the transparent instrumentation of
AuthenticationPlugin can break in some cases – specifically in the scenario of
a subquery executed in a multi-shard environment.
So why does it break in this particular scenario and not elsewhere? I'll try to
provide more detail later, but the basic idea is that the
SubQueryAgumenterFactory generates _new_ queries that do not share all the
state of the incoming request. And these queries are processed using an
EmbeddedSolrServer that doesn't respect the way BasicAuthPlugin is trying to be
transparently instrumented. My [PR|https://github.com/apache/solr/pull/2404]
shows the specific places where these problems arise and how they can be fixed.
To quickly reproduce the issue described in this issue, one can apply the
changes I made to TestSubQueryTransformerDistrib so that basic auth is enabled.
The modified test should fail against main, without also applying the other
changes in the PR that fix the underlying issue.
https://github.com/apache/solr/commit/d2503ffd9a7cd58c4449c83ff940b63541fce251
> SolrCloud + 2 shards + subquery + auth = 401 Exception
> --
>
> Key: SOLR-12813
> URL: https://issues.apache.org/jira/browse/SOLR-12813
> Project: Solr
> Issue Type: Bug
> Components: security, SolrCloud
>Affects Versions: 6.4.1, 7.5, 8.11
>Reporter: Igor Fedoryn
>Priority: Major
> Attachments: screen1.png, screen2.png
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Environment: * Solr 6.4.1
> * Zookeeper 3.4.6
> * Java 1.8
> Run Zookeeper
> Upload simple configuration wherein the Solr schema has fields for a
> relationship between parent/child
> Run two Solr instance (2 nodes)
> Create the collection with 1 shard on each Solr nodes
>
> Add parent document to one shard and child document to another shard.
> The response for: *
> /select?q=ChildIdField:VALUE&fl=*,parents:[subqery]&parents.q=\{!term f=id
> v=$row.ParentIdsField}
> correct.
>
> After that add Basic Authentication with some user for collection.
> Restart Solr or reload Solr collection.
> If the simple request /select?q=*:* with authorization on Solr server is a
> success then run previously request
> with authorization on Solr server and you get the exception: "Solr HTTP
> error: Unauthorized (401) "
>
> Screens in the attachment.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
-
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
[jira] [Commented] (SOLR-12813) SolrCloud + 2 shards + subquery + auth = 401 Exception
[
https://issues.apache.org/jira/browse/SOLR-12813?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17840566#comment-17840566
]
David Smiley commented on SOLR-12813:
-
When using basic auth, is this a reference to BasicAuthPlugin, subclass of
AuthenticationPlugin?
Secondly, does anyone know why only PKIAuthenticationPlugin instruments clients
AFAIK, AuthenticationPlugin (of whatever type) is instrumented transparently
within Solr so that Solr code usually just-works correctly.
> SolrCloud + 2 shards + subquery + auth = 401 Exception
> --
>
> Key: SOLR-12813
> URL: https://issues.apache.org/jira/browse/SOLR-12813
> Project: Solr
> Issue Type: Bug
> Components: security, SolrCloud
>Affects Versions: 6.4.1, 7.5, 8.11
>Reporter: Igor Fedoryn
>Priority: Major
> Attachments: screen1.png, screen2.png
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Environment: * Solr 6.4.1
> * Zookeeper 3.4.6
> * Java 1.8
> Run Zookeeper
> Upload simple configuration wherein the Solr schema has fields for a
> relationship between parent/child
> Run two Solr instance (2 nodes)
> Create the collection with 1 shard on each Solr nodes
>
> Add parent document to one shard and child document to another shard.
> The response for: *
> /select?q=ChildIdField:VALUE&fl=*,parents:[subqery]&parents.q=\{!term f=id
> v=$row.ParentIdsField}
> correct.
>
> After that add Basic Authentication with some user for collection.
> Restart Solr or reload Solr collection.
> If the simple request /select?q=*:* with authorization on Solr server is a
> success then run previously request
> with authorization on Solr server and you get the exception: "Solr HTTP
> error: Unauthorized (401) "
>
> Screens in the attachment.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
-
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
[jira] [Commented] (SOLR-12813) SolrCloud + 2 shards + subquery + auth = 401 Exception
[
https://issues.apache.org/jira/browse/SOLR-12813?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17837906#comment-17837906
]
Rudi Seitz commented on SOLR-12813:
---
Here's a PR: https://github.com/apache/solr/pull/2404
> SolrCloud + 2 shards + subquery + auth = 401 Exception
> --
>
> Key: SOLR-12813
> URL: https://issues.apache.org/jira/browse/SOLR-12813
> Project: Solr
> Issue Type: Bug
> Components: security, SolrCloud
>Affects Versions: 6.4.1, 7.5, 8.11
>Reporter: Igor Fedoryn
>Priority: Major
> Attachments: screen1.png, screen2.png
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Environment: * Solr 6.4.1
> * Zookeeper 3.4.6
> * Java 1.8
> Run Zookeeper
> Upload simple configuration wherein the Solr schema has fields for a
> relationship between parent/child
> Run two Solr instance (2 nodes)
> Create the collection with 1 shard on each Solr nodes
>
> Add parent document to one shard and child document to another shard.
> The response for: *
> /select?q=ChildIdField:VALUE&fl=*,parents:[subqery]&parents.q=\{!term f=id
> v=$row.ParentIdsField}
> correct.
>
> After that add Basic Authentication with some user for collection.
> Restart Solr or reload Solr collection.
> If the simple request /select?q=*:* with authorization on Solr server is a
> success then run previously request
> with authorization on Solr server and you get the exception: "Solr HTTP
> error: Unauthorized (401) "
>
> Screens in the attachment.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
-
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
[jira] [Commented] (SOLR-12813) SolrCloud + 2 shards + subquery + auth = 401 Exception
[
https://issues.apache.org/jira/browse/SOLR-12813?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17837803#comment-17837803
]
Rudi Seitz commented on SOLR-12813:
---
I have begun implementing a fix here:
[https://github.com/rseitz/solr/commit/c51f038f33b21411ce5c01ccf6d9f4d17690d82b]
I found two separate places where credentials are lost. First, the
SubQueryAugmenterFactor never sets credentials on the subqueries that it
generates. Second, when a subquery is handled by EmbeddedSolrServer, the query
goes through various transformations that would drop credentials if they had
been present in the first place. The code I'm sharing here fixes both issues
and I've tested it manually with collection with 2 shards in a 2-node cluster.
The fix only works with forwardCredentials=true.
I am working on writing a unit test and creating a PR. In the meantime, I'm
eager for any feedback on the proposed changes.
> SolrCloud + 2 shards + subquery + auth = 401 Exception
> --
>
> Key: SOLR-12813
> URL: https://issues.apache.org/jira/browse/SOLR-12813
> Project: Solr
> Issue Type: Bug
> Components: security, SolrCloud
>Affects Versions: 6.4.1, 7.5, 8.11
>Reporter: Igor Fedoryn
>Priority: Major
> Attachments: screen1.png, screen2.png
>
>
> Environment: * Solr 6.4.1
> * Zookeeper 3.4.6
> * Java 1.8
> Run Zookeeper
> Upload simple configuration wherein the Solr schema has fields for a
> relationship between parent/child
> Run two Solr instance (2 nodes)
> Create the collection with 1 shard on each Solr nodes
>
> Add parent document to one shard and child document to another shard.
> The response for: *
> /select?q=ChildIdField:VALUE&fl=*,parents:[subqery]&parents.q=\{!term f=id
> v=$row.ParentIdsField}
> correct.
>
> After that add Basic Authentication with some user for collection.
> Restart Solr or reload Solr collection.
> If the simple request /select?q=*:* with authorization on Solr server is a
> success then run previously request
> with authorization on Solr server and you get the exception: "Solr HTTP
> error: Unauthorized (401) "
>
> Screens in the attachment.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
-
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
[jira] [Commented] (SOLR-12813) SolrCloud + 2 shards + subquery + auth = 401 Exception
[
https://issues.apache.org/jira/browse/SOLR-12813?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17700579#comment-17700579
]
Jan Høydahl commented on SOLR-12813:
I felt this Jira describes the issue better than SOLR-12583, so re-openening to
treat this as a bug in [subquery
transformer|https://solr.apache.org/guide/solr/latest/query-guide/document-transformers.html#subquery]
rather than a feature request for "basic auth" support.
The [subquery] transformer performs *internal* queries to other nodes by itself
in a background thread, and thus auth credentials are lost. In my opinion such
sub queries should either inherit the auth of original request (if
{{{}forwardCredentials=true{}}}) or use PKI auth.
Patches are welcome.
> SolrCloud + 2 shards + subquery + auth = 401 Exception
> --
>
> Key: SOLR-12813
> URL: https://issues.apache.org/jira/browse/SOLR-12813
> Project: Solr
> Issue Type: Bug
> Components: security, SolrCloud
>Affects Versions: 6.4.1, 7.5, 8.11
>Reporter: Igor Fedoryn
>Priority: Major
> Attachments: screen1.png, screen2.png
>
>
> Environment: * Solr 6.4.1
> * Zookeeper 3.4.6
> * Java 1.8
> Run Zookeeper
> Upload simple configuration wherein the Solr schema has fields for a
> relationship between parent/child
> Run two Solr instance (2 nodes)
> Create the collection with 1 shard on each Solr nodes
>
> Add parent document to one shard and child document to another shard.
> The response for: *
> /select?q=ChildIdField:VALUE&fl=*,parents:[subqery]&parents.q=\{!term f=id
> v=$row.ParentIdsField}
> correct.
>
> After that add Basic Authentication with some user for collection.
> Restart Solr or reload Solr collection.
> If the simple request /select?q=*:* with authorization on Solr server is a
> success then run previously request
> with authorization on Solr server and you get the exception: "Solr HTTP
> error: Unauthorized (401) "
>
> Screens in the attachment.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
-
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
