Hello again; I have managed to reproduce the issue in a unit test. I should probably add a Jira ticket with a patch for the unit test.... On Solr 8.5.0, not master.
Meanwhile, for your suggested queries: 1. Query on the collection: curl -i -u admin:admin http://10.5.106.115:8985/solr/test1/select?q=*:*&wt=xml HTTP/1.1 200 OK Content-Security-Policy: default-src 'none'; base-uri 'none'; connect-src 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; worker-src 'self'; X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Content-Type: application/xml; charset=UTF-8 Content-Length: 8214 <?xml version="1.0" encoding="UTF-8"?> <response> <lst name="responseHeader"> <bool name="zkConnected">true</bool> <int name="status">0</int> <int name="QTime">2</int> <lst name="params"> <str name="q">*:*</str> </lst> </lst> <result name="response" numFound="1" start="0"> Response contains the Solr document, of course 2. Query on the alias curl -i -u admin:admin http://10.5.106.115:8985/solr/test/select?q=*:*&wt=xml<http://10.5.106.115:8985/solr/test1/select?q=*:*&wt=xml> HTTP/1.1 401 Unauthorized Content-Security-Policy: default-src 'none'; base-uri 'none'; connect-src 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; worker-src 'self'; X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store Pragma: no-cache Expires: Sat, 01 Jan 2000 01:00:00 GMT Last-Modified: Fri, 12 Jun 2020 22:30:20 GMT ETag: "172aaa7c1eb" Content-Type: application/xml; charset=UTF-8 Content-Length: 1332 <?xml version="1.0" encoding="UTF-8"?> <response> <lst name="responseHeader"> <bool name="zkConnected">true</bool> <int name="status">401</int> <int name="QTime">16</int> <lst name="params"> <str name="q">*:*</str> </lst> </lst> <lst name="error"> Error contains the full html HTTP 401 message (with escaped characters, of course) Gist of it : HTTP ERROR 401 require authentication Thanks; Isabelle Giguère Computational Linguist & Java Developer Linguiste informaticienne & développeur java ________________________________ De : Jan Høydahl <jan....@cominvent.com> Envoyé : 12 juin 2020 17:30 À : solr-user@lucene.apache.org <solr-user@lucene.apache.org> Objet : Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr I’d say, try the query with curl and enable http headers curl -i —user admin:admin http://localhost:8983/solr/mycollection/select?q=*:* curl -i —user admin:admin http://localhost:8983/solr/myalias/select?q=*:* Are you saying that you see a difference between the two? What are the headers? Jan > 12. jun. 2020 kl. 20:06 skrev Isabelle Giguere > <igigu...@opentext.com.INVALID>: > > Hi Jan > > Thank you for your time on this. > > If I send a /select request directly on the alias (/solr/test/select), the > browser asks for credentials, but the Solr response returns status=401 and an > html error message with "HTTP ERROR 401 require authentication" > > Obviously, my expectation was that some query results would be returned. > > Since you can't reproduce the issue, I have to assume it's a configuration > issue. > > So, if I may, let me provide as much details as I can about my setup. > > Can anyone see something wrong here, some incompatibility ? > > Solr 8.5.0 > > solrconfig.xml > <luceneMatchVersion>7.1.0</luceneMatchVersion> > <lib dir="../../lib-plugins" /> > <schemaFactory class="ClassicIndexSchemaFactory"/> > <httpCaching never304="true" /> > <requestHandler name="/select" class="solr.SearchHandler"> > <shardHandlerFactory class="HttpShardHandlerFactory"> > <int name="socketTimeOut">50000</int> > <int name="connTimeOut">50000</int> > <int name="corePoolSize">5</int> > </shardHandlerFactory> > > schema.xml > version=1.6 > Some warnings on start-up about Trie* fields and deprecated filters (we > should fix that) > > security.json in Zookeeper, at the Solr ZK root (provided on this thread) > blockUnknown : (true|false) = no change in behavior for me, for this issue > forwardCredentials : (true|false) = no change in behavior for me, for this > issue > > No SSL > > solr.in.sh > SOLR_AUTH_TYPE="basic" > SOLR_AUTHENTICATION_OPTS="-Dbasicauth=admin:admin" > > start command params: > solr start -force -c -m 4g -h <host> -p <port> -z > <zk_host>:<zk_port>/<solr_root> > > > Am I missing anything ? > > Thank you. > > ******** > > My investigation so far: > > I have set logging levels to TRACE for anything related to HTTP, HTTP2, > Authorization, Authentication... > > Judging by a comment in > org.apache.solr.core.CoreContainer.setupHttpClientForAuthPlugin(Object), I > should see some logging from PKIAuthenticationPlugin, no matter what plugin > is actually used, and regardless if forwardCredentials is true or false: > Comment: > // Always register PKI auth interceptor, which will then delegate the > decision of who should secure > // each request to the configured authentication plugin. > > Expected log message from > org.apache.solr.security.PKIAuthenticationPlugin.setup(Http2SolrClient) > and/or from > org.apache.solr.security.PKIAuthenticationPlugin.HttpHeaderClientInterceptor.process(HttpRequest, > HttpContext) > > When running a request on an alias, I only see the expected log message from > /admin requests, never for /select requests. > > Of course, if my configuration is wrong, then my code and log analysis is > useless. > > ********** > > > Isabelle Giguère > Computational Linguist & Java Developer > Linguiste informaticienne & développeur java > > > ________________________________ > De : Jan Høydahl <jan....@cominvent.com> > Envoyé : 12 juin 2020 06:55 > À : solr-user@lucene.apache.org <solr-user@lucene.apache.org> > Objet : Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr > > Hi > > I tried to reproduce, but I can successfully search both the collection and > the alias. Both collection and alias promt for password, and when giving the > password the search succeeds. > > What was your expectation? > > Jan > >> 11. jun. 2020 kl. 16:53 skrev Isabelle Giguere >> <igigu...@opentext.com.INVALID>: >> >> Some extra info: >> Collections have 1 shard, 1 replica. Only 1 Solr node running. >> >> The HTTP 401 is not intermittent, as reported in SOLR-13421 and SOLR-13510. >> >> Any request to the alias fails. >> >> Thanks; >> >> Isabelle Giguère >> Computational Linguist & Java Developer >> Linguiste informaticienne & développeur java >> >> >> ________________________________ >> De : Isabelle Giguere <igigu...@opentext.com.INVALID> >> Envoyé : 10 juin 2020 16:11 >> À : solr-user@lucene.apache.org <solr-user@lucene.apache.org> >> Objet : Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr >> >> Hi Jan; >> >> Thank you for your reply. >> >> This is security.json as seen in Zookeeper. Credentials are admin / admin >> >> { >> "authentication":{ >> "blockUnknown":false, >> "realm":"MTM Solr", >> "forwardCredentials":true, >> "class":"solr.BasicAuthPlugin", >> "credentials":{"admin":"0rTOgObKYwzSyPoYuj2su2/90eQCfysF1aasxTx+wrc= >> +tCMmpawYYtTsp3JfkG9avb8bKZlm/IGTZirsufYvns="}, >> "":{"v":2}}, >> "authorization":{ >> "class":"solr.RuleBasedAuthorizationPlugin", >> "permissions":[{ >> "name":"all", >> "role":"admin"}], >> "user-role":{"admin":"admin"}, >> "":{"v":8}}} >> >> Thanks for feedback >> >> Isabelle Giguère >> Computational Linguist & Java Developer >> Linguiste informaticienne & développeur java >> >> >> ________________________________ >> De : Jan Høydahl <jan....@cominvent.com> >> Envoyé : 10 juin 2020 16:01 >> À : solr-user@lucene.apache.org <solr-user@lucene.apache.org> >> Objet : [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr >> >> Please share your security.json file >> >> Jan Høydahl >> >>> 10. jun. 2020 kl. 21:53 skrev Isabelle Giguere >>> <igigu...@opentext.com.invalid>: >>> >>> Hi; >>> >>> I'm using Solr 8.5.0. I have uploaded security.json to Zookeeper. I can >>> log in the Solr Admin UI. I can create collections and aliases, and I can >>> index documents in Solr. >>> >>> Collections : test1, test2 >>> Alias: test (combines test1, test2) >>> >>> Indexed document "solr-word.pdf" in collection test1 >>> >>> Searching on a collection works: >>> http://localhost:8983/solr/test1/select?q=*:*&wt=xml >>> <result name="response" numFound="1" start="0"> >>> >>> But searching on an alias results in HTTP 401 >>> http://localhost:8983/solr/test/select?q=*:*&wt=xml >>> >>> Error from server at null: Expected mime type application/octet-stream but >>> got text/html. <html> <head> <meta http-equiv="Content-Type" >>> content="text/html;charset=utf-8"/> <title>Error 401 Authentication failed, >>> Response code: 401</title> </head> <body><h2>HTTP ERROR 401 Authentication >>> failed, Response code: 401</h2> <table> >>> <tr><th>URI:</th><td>/solr/test1_shard1_replica_n1/select</td></tr> >>> <tr><th>STATUS:</th><td>401</td></tr> >>> <tr><th>MESSAGE:</th><td>Authentication failed, Response code: >>> 401</td></tr> <tr><th>SERVLET:</th><td>default</td></tr> </table> </body> >>> </html> >>> >>> Even if >>> https://urldefense.com/v3/__https://issues.apache.org/jira/browse/SOLR-13510__;!!Obbck6kTJA!P6ugA-rw1I80PaH0U_GVasNqn8EXwmVQ33lwcPOU-cvNgTJK6-3zAf8ukzvv3ynJ$ >>> is fixed in Solr 8.5.0, I did try to start Solr with -Dsolr.http1=true, >>> and I set "forwardCredentials":true in security.json. >>> >>> Nothing works. I just cannot use aliases when Solr is secured. >>> >>> Can anyone confirm if this may be a configuration issue, or if this could >>> possibly be a bug ? >>> >>> Thank you; >>> >>> Isabelle Giguère >>> Computational Linguist & Java Developer >>> Linguiste informaticienne & développeur java >>> >>> >
