[ https://issues.apache.org/jira/browse/SOLR-13480?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16885212#comment-16885212 ]
Ishan Chattopadhyaya commented on SOLR-13480:
---------------------------------------------

Hi [~moshebla], after I committed SOLR-13472 and SOLR-13619, I was able to successfully create the collection with the following change to the security.json:

{code:java}
{
  "authentication":{
    "class":"org.apache.solr.security.KerberosPlugin"
  },
  "authorization":{
    "class":"solr.RuleBasedAuthorizationPlugin",
    "permissions":[
      {
        "name":"read",
        "role":"*"
      },
      {
        "name":"all",
        "role":"admin_user"
      }
    ],
    "user-role":{
      "admin_user@OUR_REALM":"admin_user",
      "HTTP/solr1@OUR_REALM":"admin_user",
      "HTTP/solr2@OUR_REALM":"admin_user",
      "HTTP/solr3@OUR_REALM":"admin_user"
    }
  }
}
{code}

Currently, internode communication with Kerberos requires all of Solr's service principals to be added to the security.json as an admin user (with "all" permissions). That means every time a new Solr node is added, its principal should be added to the security.json. Please feel free to re-open if this doesn't work for any other reason (custom autoscaling policies?).

> Collection creation failure when using Kerberos authentication combined with rule-based authorization
> ----------------------------------------------------------------------------------------------------
>
>                 Key: SOLR-13480
>                 URL: https://issues.apache.org/jira/browse/SOLR-13480
>             Project: Solr
>          Issue Type: Bug
>          Components: Authorization, security
>    Affects Versions: 7.7.1
>            Reporter: mosh
>            Assignee: Ishan Chattopadhyaya
>            Priority: Major
>              Labels: kerberos
>
> Creation of a collection with an authorized user fails with the following error:
> {code:java}
> org.apache.solr.common.SolrException: Error getting replica locations : unable to get autoscaling policy session{code}
> At first it may seem like a duplicate of SOLR-13355, as we are using the "all" permission, but the bug is specific to Kerberos (tested and found OK using basic auth); we also verified the failure with a 7.7.2 snapshot that included the relevant patch.
> +How to reproduce:+
> 1. Configure SolrCloud with the Kerberos authentication and rule-based authorization plugins using the following security.json file:
> {code:java}
> {
>   "authentication":{
>     "class":"org.apache.solr.security.KerberosPlugin"
>   },
>   "authorization":{
>     "class":"solr.RuleBasedAuthorizationPlugin",
>     "permissions":[
>       {
>         "name":"read",
>         "role":"*"
>       },
>       {
>         "name":"all",
>         "role":"admin_user"
>       }
>     ],
>     "user-role":{
>       "admin_user@OUR_REALM":"admin_user"
>     }
>   }
> }{code}
> 2. Create a collection using an authorized user:
> {code:java}
> kinit admin_user@OUR_REALM
> curl --negotiate -u : "http://<HOST:PORT>/solr/admin/collections?action=CREATE&name=mycoll&numShards=1&collection.configName=_default"{code}
> {color:#d04437}==> request fails with the error written above.{color}
> 3. Disable authorization by removing the _authorization_ section from security.json, so the file should be as follows:
> {code:java}
> {
>   "authentication":{
>     "class":"org.apache.solr.security.KerberosPlugin"
>   }
> }{code}
> 4. Create the collection again as in step 2.
> {color:#14892c}==> request succeeds.{color}
> 5. Return the authorization section to security.json (the file from step 1) and make sure authorization works as expected by inserting documents and executing search queries with different users.

--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
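The comment above states that every Solr node's Kerberos service principal (HTTP/<host>@REALM) has to be mapped in security.json to a role that holds the "all" permission, and that the mapping has to be extended each time a node joins the cluster, which is exactly the step the reporter's original security.json omitted. The following Python script is an added example for this thread, not Solr's code and not something posted by either participant: it checks a security.json against a list of node hostnames and adds the mappings that are missing, so it can be re-run after each node addition. The hostnames solr1 to solr3, the realm OUR_REALM and the sample security.json are constructed from the issue text; the role name admin_user is taken from the comment. The script assumes the RuleBasedAuthorizationPlugin semantics that a permission with role "*" applies to any authenticated user, and that a user-role entry may be a single role string or a list of roles.

```python
"""Check that every Solr node's Kerberos service principal holds the "all"
permission in security.json, and add the mappings that are missing.

Added example for this thread, not Solr code. HOSTS, REALM and
SAMPLE_SECURITY are constructed from the issue text; feed the real node
list (e.g. from CLUSTERSTATUS) and the real file in production.
"""
import copy
import json

# Constructed sample: the reporter's security.json, which maps only the
# human admin principal and none of the Solr service principals.
SAMPLE_SECURITY = json.loads("""{
  "authentication": {"class": "org.apache.solr.security.KerberosPlugin"},
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "read", "role": "*"},
      {"name": "all", "role": "admin_user"}
    ],
    "user-role": {"admin_user@OUR_REALM": "admin_user"}
  }
}""")
HOSTS = ["solr1", "solr2", "solr3"]  # assumed node hostnames
REALM = "OUR_REALM"                   # assumed Kerberos realm


def _as_list(value):
    """Solr accepts a single role string or a list of roles; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def roles_with_all_permission(security):
    """Set of roles granted by any permission named "all"."""
    roles = set()
    for perm in security.get("authorization", {}).get("permissions", []):
        if perm.get("name") == "all":
            roles.update(_as_list(perm.get("role")))
    return roles


def service_principal(host, realm):
    """The Kerberos service principal Solr presents for internode requests."""
    return f"HTTP/{host}@{realm}"


def missing_service_principals(security, hosts, realm):
    """Hosts whose HTTP/<host>@<realm> principal holds no role with "all"."""
    all_roles = roles_with_all_permission(security)
    if "*" in all_roles:
        # Assumption: role "*" matches any authenticated principal, so every
        # node that can authenticate already has the permission.
        return []
    user_role = security.get("authorization", {}).get("user-role", {})
    return [
        host for host in hosts
        if not all_roles.intersection(
            _as_list(user_role.get(service_principal(host, realm))))
    ]


def grant_service_principals(security, hosts, realm, role="admin_user"):
    """Return a copy of security in which every missing service principal
    is mapped to role. Existing mappings are kept (a second role is appended
    rather than overwritten), so the function is idempotent."""
    if role not in roles_with_all_permission(security):
        raise ValueError(f"role {role!r} is not granted the 'all' permission")
    fixed = copy.deepcopy(security)
    user_role = fixed["authorization"].setdefault("user-role", {})
    for host in missing_service_principals(security, hosts, realm):
        principal = service_principal(host, realm)
        existing = _as_list(user_role.get(principal))
        user_role[principal] = role if not existing else existing + [role]
    return fixed


if __name__ == "__main__":
    print("nodes without an 'all' role:",
          missing_service_principals(SAMPLE_SECURITY, HOSTS, REALM))
    print(json.dumps(grant_service_principals(SAMPLE_SECURITY, HOSTS, REALM),
                     indent=2))
```

Against the reporter's file the check reports all three nodes as missing; against the file from the comment it reports none. Run it with the current node list whenever the cluster grows, then upload the result to ZooKeeper with whatever tooling you already use for security.json; the script only produces the document and does not touch the cluster.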