[
https://issues.apache.org/jira/browse/SOLR-13566?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16870396#comment-16870396
]
Colvin Cowie commented on SOLR-13566:
-------------------------------------
[~janhoy] Hi, I think you wrote SolrCloudAuthTestCase which has the
assertAuthMetricsMinimums methods. Apologies if it's been discussed elsewhere,
but while looking at adding the authentication metric counts for the test for
reindex command, it seemed like having absolute counts (of minimums) on each
step is quite error prone and also makes it hard to update the test. e.g. I
added the reindex request half way through the test case (I couldn't add it
directly to the end, because the test changes the security configuration near
the end), so adding it in the middle made sense. Except I then had to update
the expected counts for all of the later assertions.
The other thing is that the minimums for later calls were too low, especially
after I added the reindex request (since the daemon created 30 odd PKI
interactions internally), but all the minimum count assertions obviously passed
despite being far too low. It's kind of hard to work out why the assertions are
what they are, since they are a combination of multiple different requests some
of which affect some metrics and not others.
So, it seems like a better strategy would be to (optionally) take the exact
count before the request and do a relative count against that after the
request(s) of interest. That way an earlier request that generated an excess
number of requests won't impact on the assertions for later requests. And
modifying the test won't require changes to auth metric assertions outside of
the part being changed.
With the changes locally it seems that this way the assertions can use exact
counts rather than minimums (but I may be missing something because I'm only
running the tests locally so there may be non-deterministic behaviour I've not
encountered yet that means exact counts aren't reliable)?
How do you feel about that? I can submit a Pull Request separate to the patch
for fixing this issue itself.
> REINDEXCOLLECTION does not work with (basic) authentication
> -----------------------------------------------------------
>
> Key: SOLR-13566
> URL: https://issues.apache.org/jira/browse/SOLR-13566
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Affects Versions: 8.1.1
> Reporter: Colvin Cowie
> Priority: Major
> Attachments: SOLR-13566.patch, responses.txt, security.json, solr.log
>
>
> I'm on the Solr 8.1 branch off commit
> f26388d034fe5eadca7416aa63b509b8db2c7688 so I have the authentication fixes
> from SOLR-13510 (intermittent 401s for internode requests)
>
> When trying to use the new REINDEXCOLLECTION command introduced in
> SOLR-11127 with basic auth enabled, the daemon stream fails with repeated
> 401s when trying to access the target collection.
>
> This might be the same problem as SOLR-13472, except it applies even with a
> single node, and this doesn't require role based configuration.
>
> Repro: I added a reindex request in BasicAuthIntegrationTest and it is
> reproducible in there... I don't know what effect it should have on the auth
> metrics, if it were working correctly, so I don't know how to update the test
> properly. But you can add the request towards the end of
> org.apache.solr.security.BasicAuthIntegrationTest.testBasicAuth()
>
> _CollectionAdminRequest.ReindexCollection reindexReq =
> CollectionAdminRequest.reindexCollection(COLLECTION);_
> _reindexReq.setBasicAuthCredentials("harry", "HarryIsUberCool");_
> _cluster.getSolrClient().request(reindexReq, COLLECTION);_
>
> Manual Repro:
> run bin/solr -e cloud
> Choose 1 node / 1 shard / 1 replica
> In browser GET
> [http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION&name=gettingstarted]
> will succeed
> Enable security: server\scripts\cloud-scripts\zkcli -zkhost localhost:9983
> -cmd putfile /security.json <path to file with this>
>
> {
> "authentication": {
> "blockUnknown": true,
> "class": "solr.BasicAuthPlugin",
> "credentials":
> { "solradmin": "fskh17INKrOTSRCJ8HkamA0L6Uiq1dSMgn4OVy8htME=
> /Q4VgOkwVlP6AMVY+ML+IuodbfV81WEfZ3lFb390bws=" }
> }
> }
>
>
> In browser authenticate (as solradmin : solradmin) and GET
> [http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION&name=gettingstarted]
> will time out after 180 seconds
>
> The solr log will show repeated 401s
>
> Setting "forwardCredentials" : true in the security.json does not appear to
> change the outcome.
>
>
> The daemon stream should probably be using PKI auth for the internal request.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
