I’m mostly trying to identify whether what you are trying to do is a supported 
option at all, or if perhaps CDCR is only tested without authentication in 
place.
You would also be interested in the fact that CDCR might be deprecated really 
soon now, see https://issues.apache.org/jira/browse/SOLR-11718
CDCR is complex. JWT is complex. Combining the two might be too much unknown 
territory for beginners.

However, if this turns out to be not supported or a bug, then we can file a 
JIRA issue. So far I hope that someone else with CDCR can give JWT a try to 
reproduce what you are seeing.

Jan

> On 25 Jun 2020, at 15:06, Phatkar, Swapnil (Contractor) 
> <swapnil.phat...@transunion.com.INVALID> wrote:
> 
> Hi,
> 
> 
> 1. Solr is relying on PKI for the request (one cluster sends PKI header to 
> the node in the other cluster) 
> --> I have not configured anything explicitly. I just followed the steps 
> mentioned at https://lucene.apache.org/solr/guide/8_4/cdcr-config.html. Is 
> there any additional step?
> 
> 2. That fails since the sending node is unknown to the receiving node since 
> it is in another cluster 
> --> I think that is obvious because the Source cluster and Target cluster are 
> different. What I know is that once we configure the zkhost of the Target 
> cluster in the Source cluster in solrconfig.xml, it establishes a connection. 
> But I would like to know: is there any other setting?
> 
> 3. Have you tried BasicAuth and do you have the same issue then?
> --> Nope. We were using "class":"solr.JWTAuthPlugin". Do I need to add 
> authorization also to overcome JWT authorization?
> 
> 
> Can you please guide me, considering me as a newbie :). And it will also be 
> good to get a sample security.json.
> 
> Thanks 
> 
> -----Original Message-----
> From: Jan Høydahl <jan....@cominvent.com> 
> Sent: Thursday, June 25, 2020 5:25 PM
> To: solr-user@lucene.apache.org
> Subject: Re: SOLR CDCR fails with JWT authorization configuration
> 
> Sorry, there is no forwardCredentials parameter for JWT, it is implicit. 
> 
> But from the response we can see two things:
> 
> 1. Solr is relying on PKI for the request (one cluster sends PKI header to 
> the node in the other cluster)
> 2. That fails since the sending node is unknown to the receiving node since 
> it is in another cluster
> 
> I’m not familiar with the CDCR code used here. Have you tried BasicAuth and 
> do you have the same issue then?
> 
> Jan
> 
> 
>> On 25 Jun 2020, at 13:20, Phatkar, Swapnil (Contractor) 
>> <swapnil.phat...@transunion.com.INVALID> wrote:
>> 
>> 
>> 
>> Whoever is sending calls to /solr/express_shard1_replica_n3/cdcr will have 
>> to make sure to forward JWT -- How do I forward the JWT from the source to 
>> the target server?
>> You could try 'forwardCredentials:true' in security.json -- How can I try 
>> this?
>> 
>> Can you suggest a sample security.json which will address my issue mentioned 
>> in the mail trail below?
>> 
>> I have security.json as given below (it's just the format; the values 
>> are removed as per policy):
>> 
>> {
>> "authentication":{
>>   "class":"solr.JWTAuthPlugin",
>>   "blockUnknown":true,
>>      "requireIss":false,
>>      "requireExp":false,
>>      "issuers":[
>>              {
>>                      "name":
>>                      "clientId":
>>                      "jwk":{
>>                              "kty":"RSA",
>>                              "n":
>>                              "e":
>>                              "d":
>>                              "p":
>>                              "q":
>>                              "dp":
>>                              "dq":
>>                              "qi":
>>                              "alg":"RS256",
>>                              "kid":
>>                              "use":
>>                      }
>>              }
>>      ]
>> }
>> }
>> 
>> 
>> 
>> 
>> -----Original Message-----
>> From: Jan Høydahl <jan....@cominvent.com>
>> Sent: Thursday, June 25, 2020 1:19 PM
>> To: solr-user@lucene.apache.org
>> Subject: Re: SOLR CDCR fails with JWT authorization configuration
>> 
>> Are both clusters set up with the same Identity Provider, so the same JWT 
>> token would be valid for both clusters?
>> 
>> If so, it should be (theoretically) possible to have the clusters talk to 
>> each other, if you can get them to forward the Authorization header with the 
>> JWT.
>> Whoever is sending calls to /solr/express_shard1_replica_n3/cdcr will have 
>> to make sure to forward JWT and not just rely on PKI.
>> PKI won’t work since the two clusters have different ZK and Solr by default 
>> only trusts PKI between nodes registered in ZK.
>> 
>> You could try 'forwardCredentials:true' in security.json, but I’m not sure 
>> that is enough here. There may be code changes needed in CDCR components.
>> 
>> Jan
>> 
>>> On 24 Jun 2020, at 19:42, Phatkar, Swapnil (Contractor) 
>>> <swapnil.phat...@transunion.com.INVALID> wrote:
>>> 
>>> Hi Team,
>>> 
>>> I am trying to configure CDCR for SOLR 8.4.1.
>>> With the provided configuration I am able to replicate the indexes from 
>>> the Source server to the Target server. This setup even works with SSL 
>>> configuration using the HTTPS protocol.
>>> But the moment I introduced JWT authorization by enforcing 
>>> security.json on both servers, I got an error on the Target server side as 
>>> shown below.
>>> Because of this, the indexes were not getting replicated at the target server.
>>> 
>>> ERROR :
>>> 
>>> 0200623 12:29:55.956 [ERROR] {qtp892083096-82} [   ] 
>>> [org.apache.solr.security.PKIAuthenticationPlugin, 119] |
>>> Could not decipher a header <SouceIp>:8983_solr $$$$$$$. No principal 
>>> set
>>> 
>>> Caused by: java.util.concurrent.ExecutionException: 
>>> org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException:
>>> Error from server at
>>> https://<TargetIP>:8983/solr/express_shard1_replica_n3: Expected mime 
>>> type application/octet-stream but got text/html. <html> <head> <meta 
>>> http-equiv="Content-Type" content="text/html;charset=utf-8"/>
>>> <title>Error 401 Require authentication</title> </head> 
>>> <body><h2>HTTP ERROR 401</h2> <p>Problem accessing 
>>> /solr/express_shard1_replica_n3/cdcr. Reason:
>>> <pre>    Require authentication</pre></p>
>>> </body>
>>> </html>
>>> 
>>> 
>>> Caused by: 
>>> org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: 
>>> Error from server at
>>> https://<TargetIP>:8983/solr/express_shard1_replica_n3: Expected mime 
>>> type application/octet-stream but got text/html. <html> <head> <meta 
>>> http-equiv="Content-Type" content="text/html;charset=utf-8"/>
>>> <title>Error 401 Require authentication</title> </head> 
>>> <body><h2>HTTP ERROR 401</h2> <p>Problem accessing 
>>> /solr/express_shard1_replica_n3/cdcr. Reason:
>>> <pre>    Require authentication</pre></p>
>>> </body>
>>> </html>
>>> 
>>>      at org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:629)
>>>      at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:265)
>>>      at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:248)
>>>      at org.apache.solr.client.solrj.SolrClient.request(SolrClient.java:1290)
>>>      at org.apache.solr.handler.CdcrRequestHandler$SliceCheckpointCallable.call(CdcrRequestHandler.java:868)
>>>      at org.apache.solr.handler.CdcrRequestHandler$SliceCheckpointCallable.call(CdcrRequestHandler.java:845)
>>> 
>>> 
>>> Thanks and Regards,
>>> Swapnil Phatkar
>>> 9167320216
>>> 
>> 
> 
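
The thread asks whether both clusters are set up with the same Identity Provider, and the security.json posted in it lists the members "d", "p", "q", "dp", "dq" and "qi" inside the issuer's jwk. The following is an added example, not code from this thread or from Solr: it checks a source/target pair of security.json documents for a shared inline issuer key and for RSA private-key members that a verifier does not need. Function names and sample values are hypothetical and constructed; keys fetched from a URL are not covered.

```python
import base64
import hashlib
import json

# RSA private-key parameters defined for JWKs in RFC 7518, section 6.3.2.
PRIVATE_JWK_MEMBERS = {"d", "p", "q", "dp", "dq", "qi"}

def inline_jwks(security_json):
    """Yield (issuer name, jwk) for every inline key of a solr.JWTAuthPlugin config."""
    auth = json.loads(security_json).get("authentication", {})
    if auth.get("class") != "solr.JWTAuthPlugin":
        return
    for issuer in auth.get("issuers", []):
        jwk = issuer.get("jwk") or {}
        # Assumption: "jwk" holds one key, as on the page, or a JWK set under "keys".
        for key in jwk.get("keys", [jwk] if jwk else []):
            yield issuer.get("name"), key

def thumbprint(jwk):
    """RFC 7638 SHA-256 thumbprint of an RSA key; depends only on e, kty and n."""
    canon = json.dumps({k: jwk[k] for k in ("e", "kty", "n")},
                       separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canon.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def audit(source_json, target_json):
    """Return findings for a source/target pair of security.json documents."""
    findings, prints = [], {"source": set(), "target": set()}
    for label, doc in (("source", source_json), ("target", target_json)):
        for name, jwk in inline_jwks(doc):
            leaked = sorted(PRIVATE_JWK_MEMBERS.intersection(jwk))
            if leaked:
                findings.append(f"{label}: issuer {name!r} jwk has private members {leaked}")
            if jwk.get("kty") == "RSA" and {"n", "e"}.issubset(jwk):
                prints[label].add(thumbprint(jwk))
    if not prints["source"] & prints["target"]:
        findings.append("no inline issuer key is shared by source and target")
    return findings

def make_config(name, jwk):  # hypothetical helper: builds a constructed sample document
    return json.dumps({"authentication": {"class": "solr.JWTAuthPlugin",
                       "blockUnknown": True, "issuers": [{"name": name, "jwk": jwk}]}})

# Constructed sample values; not real key material.
PUB_A = {"kty": "RSA", "n": "c291cmNlLW4", "e": "AQAB", "alg": "RS256", "kid": "k1"}
PUB_B = {"kty": "RSA", "n": "dGFyZ2V0LW4", "e": "AQAB", "alg": "RS256", "kid": "k2"}
SOURCE = make_config("idp-a", {**PUB_A, "d": "ZA", "p": "cA", "q": "cQ"})
TARGET = make_config("idp-b", PUB_B)

print("\n".join(audit(SOURCE, TARGET)))
```

An empty result means both documents carry at least one common public key and no private members; it says nothing about whether CDCR forwards the Authorization header.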
