and this behavior of not failing update.process() with bad credentials is only seen within the test / for the test cluster created within the BasicAuthIntegrationTest. If I point it to an external cluster, the same code, i.e. update.process(), fails for bad credentials. Something is weird / missing in the test. I debugged deep into the SolrHttpClient yesterday, which ultimately sends the update POST request, and it returns a 200 status when run from BasicAuthIntegrationTest while the same returns 401 when pointed to an external cluster. Does that tell anything? Not sure if retry/PKI auth may have any role.

HttpSolrClient.java
---
    final HttpResponse response = httpClient.execute(method, httpClientRequestContext);
    int httpStatus = response.getStatusLine().getStatusCode();

On Fri, Oct 21, 2016 at 7:59 AM, Jan Høydahl (JIRA) <j...@apache.org> wrote:

>
>     [ https://issues.apache.org/jira/browse/SOLR-9399?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15594893#comment-15594893 ]
>
> Jan Høydahl commented on SOLR-9399:
> -----------------------------------
>
> Did some more testing and managed to have the CloudSolrClient actually
> fail with 401, but only when calling update.commit() and patching
> CloudSolrClient, adding in line 799
> {code}
> nonRoutableRequest.setBasicAuthCredentials(updateRequest.getBasicAuthUser(),
>     updateRequest.getBasicAuthPassword());
> {code}
>
> However, when calling update.process() the update request succeeds even
> with wrong credentials. I even verified that the doc gets added/deleted
> from the index when using wrong credentials. The process() method is using
> some retry logic, could it be that the retry succeeds using PKI auth?
>
> > Delete requests do not send credentials & fails for Basic Authentication
> > ------------------------------------------------------------------------
> >
> >                 Key: SOLR-9399
> >                 URL: https://issues.apache.org/jira/browse/SOLR-9399
> >             Project: Solr
> >          Issue Type: Bug
> >      Security Level: Public(Default Security Level. Issues are Public)
> >          Components: SolrJ
> >    Affects Versions: 6.0, 6.0.1, 6.x
> >            Reporter: Susheel Kumar
> >              Labels: security
> >
> > The getRoutes(..) func of UpdateRequest do not pass credentials to
> > LBHttpSolrClient when deleteById is set while for updates it passes the
> > credentials. See below code snippet
> >   if (deleteById != null) {
> >     Iterator<Map.Entry<String,Map<String,Object>>> entries = deleteById.entrySet()
> >         .iterator();
> >     while (entries.hasNext()) {
> >       Map.Entry<String,Map<String,Object>> entry = entries.next();
> >       String deleteId = entry.getKey();
> >       Map<String,Object> map = entry.getValue();
> >       Long version = null;
> >       if (map != null) {
> >         version = (Long) map.get(VER);
> >       }
> >       Slice slice = router.getTargetSlice(deleteId, null, null, null, col);
> >       if (slice == null) {
> >         return null;
> >       }
> >       List<String> urls = urlMap.get(slice.getName());
> >       if (urls == null) {
> >         return null;
> >       }
> >       String leaderUrl = urls.get(0);
> >       LBHttpSolrClient.Req request = routes.get(leaderUrl);
> >       if (request != null) {
> >         UpdateRequest urequest = (UpdateRequest) request.getRequest();
> >         urequest.deleteById(deleteId, version);
> >       } else {
> >         UpdateRequest urequest = new UpdateRequest();
> >         urequest.setParams(params);
> >         urequest.deleteById(deleteId, version);
> >         urequest.setCommitWithin(getCommitWithin());
> >         request = new LBHttpSolrClient.Req(urequest, urls);
> >         routes.put(leaderUrl, request);
> >       }
> >     }
> >   }
>
> --
> This message was sent by Atlassian JIRA
> (v6.3.4#6332)
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
> For additional commands, e-mail: dev-h...@lucene.apache.org
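
The routing behaviour described in the quoted issue, as an added example that is not part of the original thread and is not SolrJ code: a simplified Java model of per-leader sub-request construction, with a check that flags any route that would be sent without credentials. The `Req` class, the `child` and `missingCredentials` helpers, the `copyCredsOnDelete` flag, the assumption that adds are routed before deletes, and all sample IDs, URLs and credentials are hypothetical. The model also shows that a delete routed to a leader that already has a sub-request reuses that request as-is, so only a sub-request created by the delete branch can lack credentials.

```java
import java.util.*;

// Simplified model of per-leader routing. Req, the helpers, the flag and all
// sample data are hypothetical stand-ins constructed here, not SolrJ classes.
public class RouteCredentialCheck {
    static class Req {
        String user, password;
        final List<String> adds = new ArrayList<>(), deletes = new ArrayList<>();
        void setBasicAuthCredentials(String u, String p) { user = u; password = p; }
    }

    // Build a new sub-request, optionally copying the parent's credentials.
    static Req child(Req parent, boolean withCreds) {
        Req n = new Req();
        if (withCreds) n.setBasicAuthCredentials(parent.user, parent.password);
        return n;
    }

    // One sub-request per leader URL, in the shape of the quoted getRoutes() snippet.
    // copyCredsOnDelete=false models the reported behaviour of the delete branch.
    static Map<String, Req> getRoutes(Req parent, Map<String, String> leaderOf,
                                      boolean copyCredsOnDelete) {
        Map<String, Req> routes = new LinkedHashMap<>();
        for (String id : parent.adds)     // update branch: credentials are copied
            routes.computeIfAbsent(leaderOf.get(id), k -> child(parent, true)).adds.add(id);
        for (String id : parent.deletes)  // delete branch: an existing route is reused as-is
            routes.computeIfAbsent(leaderOf.get(id), k -> child(parent, copyCredsOnDelete))
                  .deletes.add(id);
        return routes;
    }

    // Defensive check: leaders whose sub-request would go out unauthenticated.
    static List<String> missingCredentials(Map<String, Req> routes) {
        List<String> out = new ArrayList<>();
        routes.forEach((leader, r) -> { if (r.user == null || r.password == null) out.add(leader); });
        return out;
    }

    public static void main(String[] args) {
        Req parent = new Req();
        parent.setBasicAuthCredentials("solr", "constructed-password"); // constructed values
        parent.adds.add("doc1");
        parent.deletes.addAll(List.of("doc2", "doc3"));
        Map<String, String> leaderOf = Map.of(                          // constructed topology
            "doc1", "http://leaderA", "doc2", "http://leaderA", "doc3", "http://leaderB");
        System.out.println("reported:  " + missingCredentials(getRoutes(parent, leaderOf, false)));
        System.out.println("corrected: " + missingCredentials(getRoutes(parent, leaderOf, true)));
    }
}
```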