Thank you for the input, Aroop. It is probably a red herring. I will have to pick the configuration apart piece by piece. Sigh.

It's probably not a node down issue, since I'm only setting up one node. (Reporting an unrelated error message should probably be considered a bug anyways.)

Isabelle Giguère
Computational Linguist & Java Developer

________________________________
From: Aroop Ganguly <aroopgang...@icloud.com.INVALID>
Sent: 14 June 2020 17:37
To: solr-user@lucene.apache.org <solr-user@lucene.apache.org>
Subject: Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr

Isabelle, sometimes 401s are a red herring for other issues unrelated to auth. We have had issues on 7.7 with an underlying transient replica recovery and/or leader down situation where the only message we got back from Solr was a 401. Please see if you have any down replicas or other issues where certain nodes may have trouble getting more current information from ZooKeeper.

> On Jun 14, 2020, at 2:13 PM, Isabelle Giguere <igigu...@opentext.com.INVALID> wrote:
>
> I have created https://issues.apache.org/jira/browse/SOLR-14569
>
> It includes a patch with the unit test to reproduce the issue, and a simplification of our product-specific configuration, with instructions.
>
> Let's catch up on Jira.
>
> Isabelle Giguère
> Computational Linguist & Java Developer
>
> ________________________________
> From: Jan Høydahl <jan....@cominvent.com>
> Sent: 13 June 2020 17:50
> To: solr-user <solr-user@lucene.apache.org>
> Subject: Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
>
> I did not manage to reproduce. Feel free to open the JIRA and attach the failing test. In the issue description, it is great if you manage to describe the reproduction steps in a clean way, so anyone can reproduce with a minimal necessary config.
>
> Jan
>
>> On 13 Jun 2020, at 00:41, Isabelle Giguère <igigu...@opentext.com.INVALID> wrote:
>>
>> Hello again;
>>
>> I have managed to reproduce the issue in a unit test. I should probably add a Jira ticket with a patch for the unit test.... On Solr 8.5.0, not master.
>>
>> Meanwhile, for your suggested queries:
>>
>> 1. Query on the collection:
>>
>> curl -i -u admin:admin "http://10.5.106.115:8985/solr/test1/select?q=*:*&wt=xml"
>> HTTP/1.1 200 OK
>> Content-Security-Policy: default-src 'none'; base-uri 'none'; connect-src 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; worker-src 'self';
>> X-Content-Type-Options: nosniff
>> X-Frame-Options: SAMEORIGIN
>> X-XSS-Protection: 1; mode=block
>> Content-Type: application/xml; charset=UTF-8
>> Content-Length: 8214
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <response>
>>
>> <lst name="responseHeader">
>>   <bool name="zkConnected">true</bool>
>>   <int name="status">0</int>
>>   <int name="QTime">2</int>
>>   <lst name="params">
>>     <str name="q">*:*</str>
>>   </lst>
>> </lst>
>> <result name="response" numFound="1" start="0">
>> Response contains the Solr document, of course
>>
>>
>> 2. Query on the alias
>>
>> curl -i -u admin:admin "http://10.5.106.115:8985/solr/test/select?q=*:*&wt=xml"
>> HTTP/1.1 401 Unauthorized
>> Content-Security-Policy: default-src 'none'; base-uri 'none'; connect-src 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; worker-src 'self';
>> X-Content-Type-Options: nosniff
>> X-Frame-Options: SAMEORIGIN
>> X-XSS-Protection: 1; mode=block
>> Cache-Control: no-cache, no-store
>> Pragma: no-cache
>> Expires: Sat, 01 Jan 2000 01:00:00 GMT
>> Last-Modified: Fri, 12 Jun 2020 22:30:20 GMT
>> ETag: "172aaa7c1eb"
>> Content-Type: application/xml; charset=UTF-8
>> Content-Length: 1332
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <response>
>>
>> <lst name="responseHeader">
>>   <bool name="zkConnected">true</bool>
>>   <int name="status">401</int>
>>   <int name="QTime">16</int>
>>   <lst name="params">
>>     <str name="q">*:*</str>
>>   </lst>
>> </lst>
>> <lst name="error">
>> Error contains the full html HTTP 401 message (with escaped characters, of course)
>> Gist of it : HTTP ERROR 401 require authentication
>>
>> Thanks;
>>
>>
>> Isabelle Giguère
>> Computational Linguist & Java Developer
>>
>> ________________________________
>> From: Jan Høydahl <jan....@cominvent.com>
>> Sent: 12 June 2020 17:30
>> To: solr-user@lucene.apache.org <solr-user@lucene.apache.org>
>> Subject: Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
>>
>> I’d say, try the query with curl and enable http headers
>>
>> curl -i --user admin:admin "http://localhost:8983/solr/mycollection/select?q=*:*"
>> curl -i --user admin:admin "http://localhost:8983/solr/myalias/select?q=*:*"
>>
>> Are you saying that you see a difference between the two? What are the headers?
>>
>> Jan
>>
>>> On 12 Jun 2020, at 20:06, Isabelle Giguère <igigu...@opentext.com.INVALID> wrote:
>>>
>>> Hi Jan
>>>
>>> Thank you for your time on this.
>>>
>>> If I send a /select request directly on the alias (/solr/test/select), the browser asks for credentials, but the Solr response returns status=401 and an html error message with "HTTP ERROR 401 require authentication"
>>>
>>> Obviously, my expectation was that some query results would be returned.
>>>
>>> Since you can't reproduce the issue, I have to assume it's a configuration issue.
>>>
>>> So, if I may, let me provide as many details as I can about my setup.
>>>
>>> Can anyone see something wrong here, some incompatibility?
>>>
>>> Solr 8.5.0
>>>
>>> solrconfig.xml
>>> <luceneMatchVersion>7.1.0</luceneMatchVersion>
>>> <lib dir="../../lib-plugins" />
>>> <schemaFactory class="ClassicIndexSchemaFactory"/>
>>> <httpCaching never304="true" />
>>> <requestHandler name="/select" class="solr.SearchHandler">
>>>   <shardHandlerFactory class="HttpShardHandlerFactory">
>>>     <int name="socketTimeOut">50000</int>
>>>     <int name="connTimeOut">50000</int>
>>>     <int name="corePoolSize">5</int>
>>>   </shardHandlerFactory>
>>>
>>> schema.xml
>>> version=1.6
>>> Some warnings on start-up about Trie* fields and deprecated filters (we should fix that)
>>>
>>> security.json in Zookeeper, at the Solr ZK root (provided on this thread)
>>> blockUnknown : (true|false) = no change in behavior for me, for this issue
>>> forwardCredentials : (true|false) = no change in behavior for me, for this issue
>>>
>>> No SSL
>>>
>>> solr.in.sh
>>> SOLR_AUTH_TYPE="basic"
>>> SOLR_AUTHENTICATION_OPTS="-Dbasicauth=admin:admin"
>>>
>>> start command params:
>>> solr start -force -c -m 4g -h <host> -p <port> -z <zk_host>:<zk_port>/<solr_root>
>>>
>>>
>>> Am I missing anything?
>>>
>>> Thank you.
>>>
>>> ********
>>>
>>> My investigation so far:
>>>
>>> I have set logging levels to TRACE for anything related to HTTP, HTTP2, Authorization, Authentication...
>>>
>>> Judging by a comment in org.apache.solr.core.CoreContainer.setupHttpClientForAuthPlugin(Object), I should see some logging from PKIAuthenticationPlugin, no matter what plugin is actually used, and regardless if forwardCredentials is true or false:
>>> Comment:
>>> // Always register PKI auth interceptor, which will then delegate the decision of who should secure
>>> // each request to the configured authentication plugin.
>>>
>>> Expected log message from org.apache.solr.security.PKIAuthenticationPlugin.setup(Http2SolrClient) and/or from org.apache.solr.security.PKIAuthenticationPlugin.HttpHeaderClientInterceptor.process(HttpRequest, HttpContext)
>>>
>>> When running a request on an alias, I only see the expected log message from /admin requests, never for /select requests.
>>>
>>> Of course, if my configuration is wrong, then my code and log analysis is useless.
>>>
>>> **********
>>>
>>>
>>> Isabelle Giguère
>>> Computational Linguist & Java Developer
>>>
>>> ________________________________
>>> From: Jan Høydahl <jan....@cominvent.com>
>>> Sent: 12 June 2020 06:55
>>> To: solr-user@lucene.apache.org <solr-user@lucene.apache.org>
>>> Subject: Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
>>>
>>> Hi
>>>
>>> I tried to reproduce, but I can successfully search both the collection and the alias. Both collection and alias prompt for password, and when giving the password the search succeeds.
>>>
>>> What was your expectation?
>>>
>>> Jan
>>>
>>>> On 11 Jun 2020, at 16:53, Isabelle Giguère <igigu...@opentext.com.INVALID> wrote:
>>>>
>>>> Some extra info:
>>>> Collections have 1 shard, 1 replica. Only 1 Solr node running.
>>>>
>>>> The HTTP 401 is not intermittent, as reported in SOLR-13421 and SOLR-13510.
>>>>
>>>> Any request to the alias fails.
>>>>
>>>> Thanks;
>>>>
>>>> Isabelle Giguère
>>>> Computational Linguist & Java Developer
>>>>
>>>> ________________________________
>>>> From: Isabelle Giguère <igigu...@opentext.com.INVALID>
>>>> Sent: 10 June 2020 16:11
>>>> To: solr-user@lucene.apache.org <solr-user@lucene.apache.org>
>>>> Subject: Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
>>>>
>>>> Hi Jan;
>>>>
>>>> Thank you for your reply.
>>>>
>>>> This is security.json as seen in Zookeeper. Credentials are admin / admin
>>>>
>>>> {
>>>>   "authentication":{
>>>>     "blockUnknown":false,
>>>>     "realm":"MTM Solr",
>>>>     "forwardCredentials":true,
>>>>     "class":"solr.BasicAuthPlugin",
>>>>     "credentials":{"admin":"0rTOgObKYwzSyPoYuj2su2/90eQCfysF1aasxTx+wrc= +tCMmpawYYtTsp3JfkG9avb8bKZlm/IGTZirsufYvns="},
>>>>     "":{"v":2}},
>>>>   "authorization":{
>>>>     "class":"solr.RuleBasedAuthorizationPlugin",
>>>>     "permissions":[{
>>>>       "name":"all",
>>>>       "role":"admin"}],
>>>>     "user-role":{"admin":"admin"},
>>>>     "":{"v":8}}}
>>>>
>>>> Thanks for feedback
>>>>
>>>> Isabelle Giguère
>>>> Computational Linguist & Java Developer
>>>>
>>>> ________________________________
>>>> From: Jan Høydahl <jan....@cominvent.com>
>>>> Sent: 10 June 2020 16:01
>>>> To: solr-user@lucene.apache.org <solr-user@lucene.apache.org>
>>>> Subject: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
>>>>
>>>> Please share your security.json file
>>>>
>>>> Jan Høydahl
>>>>
>>>>> On 10 Jun 2020, at 21:53, Isabelle Giguère <igigu...@opentext.com.invalid> wrote:
>>>>>
>>>>> Hi;
>>>>>
>>>>> I'm using Solr 8.5.0. I have uploaded security.json to Zookeeper. I can log in the Solr Admin UI. I can create collections and aliases, and I can index documents in Solr.
>>>>>
>>>>> Collections : test1, test2
>>>>> Alias: test (combines test1, test2)
>>>>>
>>>>> Indexed document "solr-word.pdf" in collection test1
>>>>>
>>>>> Searching on a collection works:
>>>>> http://localhost:8983/solr/test1/select?q=*:*&wt=xml
>>>>> <result name="response" numFound="1" start="0">
>>>>>
>>>>> But searching on an alias results in HTTP 401
>>>>> http://localhost:8983/solr/test/select?q=*:*&wt=xml
>>>>>
>>>>> Error from server at null: Expected mime type application/octet-stream but got text/html.
>>>>> <html>
>>>>> <head>
>>>>> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
>>>>> <title>Error 401 Authentication failed, Response code: 401</title>
>>>>> </head>
>>>>> <body><h2>HTTP ERROR 401 Authentication failed, Response code: 401</h2>
>>>>> <table>
>>>>> <tr><th>URI:</th><td>/solr/test1_shard1_replica_n1/select</td></tr>
>>>>> <tr><th>STATUS:</th><td>401</td></tr>
>>>>> <tr><th>MESSAGE:</th><td>Authentication failed, Response code: 401</td></tr>
>>>>> <tr><th>SERVLET:</th><td>default</td></tr>
>>>>> </table>
>>>>> </body>
>>>>> </html>
>>>>>
>>>>> Even if https://issues.apache.org/jira/browse/SOLR-13510 is fixed in Solr 8.5.0, I did try to start Solr with -Dsolr.http1=true, and I set "forwardCredentials":true in security.json.
>>>>>
>>>>> Nothing works. I just cannot use aliases when Solr is secured.
>>>>>
>>>>> Can anyone confirm if this may be a configuration issue, or if this could possibly be a bug?
>>>>>
>>>>> Thank you;
>>>>>
>>>>> Isabelle Giguère
>>>>> Computational Linguist & Java Developer
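
The error body in the first message of this thread names `/solr/test1_shard1_replica_n1/select` as the refused URI, although the client asked for `/solr/test/select`. The Python sketch below is an added example, not code from the thread or from Solr: it compares the two to tell a 401 issued for the client's own request from one issued on a forwarded node-to-core sub-request. The function names and the core-name pattern are assumptions made for illustration.

```python
import re
from html import unescape
from urllib.parse import urlsplit

# SolrCloud core names look like <collection>_shard<N>_replica_<type><N>, where
# <type> is n, t or p (assumed pattern; the letter is optional here).
CORE_RE = re.compile(r"^(?P<collection>.+)_shard\d+_replica_[ntp]?\d+$")
# Row of the HTML error table that names the URI which was refused.
URI_ROW_RE = re.compile(r"<th>URI:</th>\s*<td>([^<]+)</td>", re.IGNORECASE)

# Rows excerpted from the error in the thread's first message.
THREAD_ERROR = (
    "<table> <tr><th>URI:</th><td>/solr/test1_shard1_replica_n1/select</td></tr> "
    "<tr><th>STATUS:</th><td>401</td></tr> </table>"
)


def solr_target(url_or_path):
    """Return the <name> segment of /solr/<name>/<handler>, or None."""
    parts = [p for p in urlsplit(url_or_path).path.split("/") if p]
    return parts[1] if len(parts) >= 3 and parts[0] == "solr" else None


def triage_401(requested_url, error_body):
    """Say which hop produced a 401: the client's request or a forwarded one."""
    requested = solr_target(requested_url)
    # The thread notes the HTML can arrive with escaped characters: unescape first.
    row = URI_ROW_RE.search(unescape(error_body))
    failed = solr_target(row.group(1).strip()) if row else None
    core = CORE_RE.match(failed) if failed else None
    result = {"requested": requested, "failed_on": failed, "collection": None}
    if failed is None:
        result["hop"] = "unknown"    # no URI row, nothing to compare
    elif failed == requested:
        result["hop"] = "client"     # the client's own request was refused
    elif core:
        result["hop"] = "internal"   # refused on a node-to-core sub-request
        result["collection"] = core.group("collection")
    else:
        result["hop"] = "unknown"
    return result


if __name__ == "__main__":
    url = "http://localhost:8983/solr/test/select?q=*:*&wt=xml"
    print(triage_401(url, THREAD_ERROR))
```

An `internal` result means the credentials sent by the client were accepted at the first hop, so the place to look is how the node authenticates the request it forwards (the PKI interceptor and `forwardCredentials` discussed in the thread).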