Re: Need help on Solr authorization
My guess is that you're using a self-signed cert and the certificate path can't be verified. Either that or your cert was signed by a CA that your JVM doesn't recognize. There's a good article about diagnosing SSL problems here: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html Good luck! -Scott On Fri, Jan 18, 2019 at 6:03 AM sathish kumar wrote: > Hi, > Anyone got a chance to have a look at the issue i had posted? > Please throw some inputs. > > -Sathish > > On Fri, 11 Jan 2019, 8:10 pm sathish kumar, > wrote: > > > Hi, > > > > We have a two node Solr setup(version is 7.2.1) with embedded zookeeper > > running in Solr Server 1. > > > > We have recently enabled SSL and also enabled basic authentication and > > RuleBasedAuthorizationPlugin. > > > > As part of testing, created new user with admin role and assigned the > > permissions "collection-admin-read" & “read” to this role. > > > > When I try to query a data for any collection name, the system is unable > > to talk with shards of other server. > > > > I am getting the following error in both command line and Solr admin > > browser. > > > > Can someone help me to identify what configurations I am missing? Let me > > know if you need any more info. > > > > > > > > Followed this url for SSL setup: > > https://lucene.apache.org/solr/guide/7_2/enabling-ssl.html > > > > Command used: curl --cacert solr-ssl.cacert.pem --user solr:SolrRocks > > https://solr-node-1:8080/solr//select?q=*:* > > > > > > Error: > > > > { > > > > "error":{ > > > > "metadata":[ > > > > "error-class","org.apache.solr.common.SolrException", > > > > > > > "root-error-class","sun.security.provider.certpath.SunCertPathBuilderException"], > > > > "msg":"Error trying to proxy request for url: > > https://solr-node-2:8080/solr/ba_test/select";, > > > > "trace":"org.apache.solr.common.SolrException: Error trying to proxy > > request for url: https://solr-node-2:8080/solr/ba_test/select\n\tat > > > org.apache.solr.servlet.HttpSolrCall.remoteQuery(HttpSolrCall.java:646)\n\tat > > org.apache.solr.servlet.HttpSolrCall.call(HttpSolrCall.java:500)\n\tat > > > org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:382)\n\tat > > > org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:326)\n\tat > > > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1751)\n\tat > > > org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:582)\n\tat > > > org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)\n\tat > > > org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)\n\tat > > > org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226)\n\tat > > > org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180)\n\tat > > > org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:512)\n\tat > > > org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)\n\tat > > > org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1112)\n\tat > > > org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)\n\tat > > > org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:213)\n\tat > > > org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:119)\n\tat > > > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134)\n\tat > > > org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:335)\n\tat > > > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134)\n\tat > > org.eclipse.jetty.server.Server.handle(Server.java:534)\n\tat > > org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:320)\n\tat > > > org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)\n\tat > > org.eclipse.jetty.io > .AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283)\n\tat > > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108)\n\tat > > > org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:251)\n\tat > > org.eclipse.jetty.io > .AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283)\n\tat > > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108)\n\tat > > org.eclipse.jetty.io > .SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93)\n\tat > > > org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303)\n\tat > > > org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148)\n\tat > > > org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136)\n\tat > > > org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671)\n
Re: Need help on Solr authorization
Hi, Anyone got a chance to have a look at the issue i had posted? Please throw some inputs. -Sathish On Fri, 11 Jan 2019, 8:10 pm sathish kumar, wrote: > Hi, > > We have a two node Solr setup(version is 7.2.1) with embedded zookeeper > running in Solr Server 1. > > We have recently enabled SSL and also enabled basic authentication and > RuleBasedAuthorizationPlugin. > > As part of testing, created new user with admin role and assigned the > permissions "collection-admin-read" & “read” to this role. > > When I try to query a data for any collection name, the system is unable > to talk with shards of other server. > > I am getting the following error in both command line and Solr admin > browser. > > Can someone help me to identify what configurations I am missing? Let me > know if you need any more info. > > > > Followed this url for SSL setup: > https://lucene.apache.org/solr/guide/7_2/enabling-ssl.html > > Command used: curl --cacert solr-ssl.cacert.pem --user solr:SolrRocks > https://solr-node-1:8080/solr//select?q=*:* > > > Error: > > { > > "error":{ > > "metadata":[ > > "error-class","org.apache.solr.common.SolrException", > > > > "root-error-class","sun.security.provider.certpath.SunCertPathBuilderException"], > > "msg":"Error trying to proxy request for url: > https://solr-node-2:8080/solr/ba_test/select";, > > "trace":"org.apache.solr.common.SolrException: Error trying to proxy > request for url: https://solr-node-2:8080/solr/ba_test/select\n\tat > org.apache.solr.servlet.HttpSolrCall.remoteQuery(HttpSolrCall.java:646)\n\tat > org.apache.solr.servlet.HttpSolrCall.call(HttpSolrCall.java:500)\n\tat > org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:382)\n\tat > org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:326)\n\tat > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1751)\n\tat > org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:582)\n\tat > org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)\n\tat > org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)\n\tat > org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226)\n\tat > org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180)\n\tat > org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:512)\n\tat > org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)\n\tat > org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1112)\n\tat > org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)\n\tat > org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:213)\n\tat > org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:119)\n\tat > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134)\n\tat > org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:335)\n\tat > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134)\n\tat > org.eclipse.jetty.server.Server.handle(Server.java:534)\n\tat > org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:320)\n\tat > org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)\n\tat > org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283)\n\tat > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108)\n\tat > org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:251)\n\tat > org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283)\n\tat > org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108)\n\tat > org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93)\n\tat > org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303)\n\tat > org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148)\n\tat > org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136)\n\tat > org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671)\n\tat > org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589)\n\tat > java.lang.Thread.run(Thread.java:748)\nCaused by: > javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target\n\tat > sun.security.ssl.Alerts.getSSLException(Alerts.java:192)\n\tat > sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)\n\tat > sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)\n\tat > sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)\n\tat
Need help on Solr authorization
Hi, We have a two node Solr setup(version is 7.2.1) with embedded zookeeper running in Solr Server 1. We have recently enabled SSL and also enabled basic authentication and RuleBasedAuthorizationPlugin. As part of testing, created new user with admin role and assigned the permissions "collection-admin-read" & “read” to this role. When I try to query a data for any collection name, the system is unable to talk with shards of other server. I am getting the following error in both command line and Solr admin browser. Can someone help me to identify what configurations I am missing? Let me know if you need any more info. Followed this url for SSL setup: https://lucene.apache.org/solr/guide/7_2/enabling-ssl.html Command used: curl --cacert solr-ssl.cacert.pem --user solr:SolrRocks https://solr-node-1:8080/solr//select?q=*:* Error: { "error":{ "metadata":[ "error-class","org.apache.solr.common.SolrException", "root-error-class","sun.security.provider.certpath.SunCertPathBuilderException"], "msg":"Error trying to proxy request for url: https://solr-node-2:8080/solr/ba_test/select";, "trace":"org.apache.solr.common.SolrException: Error trying to proxy request for url: https://solr-node-2:8080/solr/ba_test/select\n\tat org.apache.solr.servlet.HttpSolrCall.remoteQuery(HttpSolrCall.java:646)\n\tat org.apache.solr.servlet.HttpSolrCall.call(HttpSolrCall.java:500)\n\tat org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:382)\n\tat org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:326)\n\tat org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1751)\n\tat org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:582)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)\n\tat org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)\n\tat org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226)\n\tat org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180)\n\tat org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:512)\n\tat org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)\n\tat org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1112)\n\tat org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)\n\tat org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:213)\n\tat org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:119)\n\tat org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134)\n\tat org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:335)\n\tat org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134)\n\tat org.eclipse.jetty.server.Server.handle(Server.java:534)\n\tat org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:320)\n\tat org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)\n\tat org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283)\n\tat org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108)\n\tat org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:251)\n\tat org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283)\n\tat org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108)\n\tat org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93)\n\tat org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303)\n\tat org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148)\n\tat org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136)\n\tat org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671)\n\tat org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589)\n\tat java.lang.Thread.run(Thread.java:748)\nCaused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target\n\tat sun.security.ssl.Alerts.getSSLException(Alerts.java:192)\n\tat sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)\n\tat sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)\n\tat sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)\n\tat sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)\n\tat sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)\n\tat sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)\n\tat sun.security.ssl.Handshaker.process_record(Handshaker.java:961)\n\tat sun.securi