[ https://issues.apache.org/jira/browse/SOLR-12859?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17018213#comment-17018213 ]
Chris M. Hostetter commented on SOLR-12859: ------------------------------------------- [~caomanhdat] - i can't find your patch, did you already delete it? (or forget to add it) I think what' you were saying... {quote}if isSolrThread == true, set usr = "$" even incase of principal == null {quote} ...is pretty similar to what i had hypothosized... {quote}My initial reaction was to "swap" the order of the Principle/isSolrThread() checks... {quote} ...but i still have the same concerns... {quote}...that seems risky (especially since AFAICT, every SolrClient used for distributed Solr requests will return "true" for isSolrThread() – meaning PKI would probably completely stop forwarding credentials if we did that? {quote} To put it another way: * Assume {{blockUnknown=false}} * So unauthenticated request that gets accepted by the AuthenticationPlugin will have a null Principal. * as things stand right now, if that "principal==null" request gets forwarded to a distributed node, it will _never_ have a PKI header added * With your proposed change, if it does get forwarded _by another thread_ such as ConcurrentUpdateSolrClient (where {{isSolrThread == true}}) then a PKI header will be added initiating it is a "principal == '$' (Super User)" request ** ie: anonymous requests will be "promoted" to being super user requests on the distributed nodes i have no idea what practical problems that may cause, but it certainly sounds bad. ---- {quote}...think that the Hoss's initial approach is more valid than mine because * it makes less significant change to the code base.{quote} Yeah, it seems like there are a lot of weird edge cases of the way PKI for "background server threads" works that really needs to be discussed/re-considered -- particularly since even forwarding updates from leader to replicas happens in a background thread (inside of the update client) ... but that should probably happen in a new jira with wider discussion & visibility. My patch seems like the minimum amount of change needed to fix the current bug, so unless someone sees a security problem with it (that doesn't already exist) i would suggest we move forward using my patch and re-consider the overall "isSolrThread" concept in a new jira? > DocExpirationUpdateProcessorFactory does not work with BasicAuth > ---------------------------------------------------------------- > > Key: SOLR-12859 > URL: https://issues.apache.org/jira/browse/SOLR-12859 > Project: Solr > Issue Type: Bug > Affects Versions: 7.5 > Reporter: Varun Thacker > Priority: Major > Attachments: SOLR-12859.patch > > > I setup a cluster with basic auth and then wanted to use Solr's TTL feature ( > DocExpirationUpdateProcessorFactory ) to auto-delete documents. > > Turns out it doesn't work when Basic Auth is enabled. I get the following > stacktrace from the logs > {code:java} > 2018-10-12 22:06:38.967 ERROR (autoExpireDocs-42-thread-1) [ ] > o.a.s.u.p.DocExpirationUpdateProcessorFactory Runtime error in periodic > deletion of expired docs: Async exception during distributed update: Error > from server at http://192.168.0.8:8983/solr/gettingstarted_shard2_replica_n6: > require authentication > request: > http://192.168.0.8:8983/solr/gettingstarted_shard2_replica_n6/update?update.distrib=TOLEADER&distrib.from=http%3A%2F%2F192.168.0.8%3A8983%2Fsolr%2Fgettingstarted_shard1_replica_n2%2F&wt=javabin&version=2 > org.apache.solr.update.processor.DistributedUpdateProcessor$DistributedUpdatesAsyncException: > Async exception during distributed update: Error from server at > http://192.168.0.8:8983/solr/gettingstarted_shard2_replica_n6: require > authentication > request: > http://192.168.0.8:8983/solr/gettingstarted_shard2_replica_n6/update?update.distrib=TOLEADER&distrib.from=http%3A%2F%2F192.168.0.8%3A8983%2Fsolr%2Fgettingstarted_shard1_replica_n2%2F&wt=javabin&version=2 > at > org.apache.solr.update.processor.DistributedUpdateProcessor.doFinish(DistributedUpdateProcessor.java:964) > ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df - > jimczi - 2018-09-18 13:07:55] > at > org.apache.solr.update.processor.DistributedUpdateProcessor.finish(DistributedUpdateProcessor.java:1976) > ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df - > jimczi - 2018-09-18 13:07:55] > at > org.apache.solr.update.processor.LogUpdateProcessorFactory$LogUpdateProcessor.finish(LogUpdateProcessorFactory.java:182) > ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df - > jimczi - 2018-09-18 13:07:55] > at > org.apache.solr.update.processor.UpdateRequestProcessor.finish(UpdateRequestProcessor.java:80) > ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df - > jimczi - 2018-09-18 13:07:55] > at > org.apache.solr.update.processor.UpdateRequestProcessor.finish(UpdateRequestProcessor.java:80) > ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df - > jimczi - 2018-09-18 13:07:55] > at > org.apache.solr.update.processor.UpdateRequestProcessor.finish(UpdateRequestProcessor.java:80) > ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df - > jimczi - 2018-09-18 13:07:55] > at > org.apache.solr.update.processor.UpdateRequestProcessor.finish(UpdateRequestProcessor.java:80) > ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df - > jimczi - 2018-09-18 13:07:55] > at > org.apache.solr.update.processor.UpdateRequestProcessor.finish(UpdateRequestProcessor.java:80) > ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df - > jimczi - 2018-09-18 13:07:55] > at > org.apache.solr.update.processor.UpdateRequestProcessor.finish(UpdateRequestProcessor.java:80) > ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df - > jimczi - 2018-09-18 13:07:55] > at > org.apache.solr.update.processor.UpdateRequestProcessor.finish(UpdateRequestProcessor.java:80) > ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df - > jimczi - 2018-09-18 13:07:55] > at > org.apache.solr.update.processor.UpdateRequestProcessor.finish(UpdateRequestProcessor.java:80) > ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df - > jimczi - 2018-09-18 13:07:55] > at > org.apache.solr.update.processor.UpdateRequestProcessor.finish(UpdateRequestProcessor.java:80) > ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df - > jimczi - 2018-09-18 13:07:55] > at > org.apache.solr.update.processor.UpdateRequestProcessor.finish(UpdateRequestProcessor.java:80) > ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df - > jimczi - 2018-09-18 13:07:55] > at > org.apache.solr.update.processor.UpdateRequestProcessor.finish(UpdateRequestProcessor.java:80) > ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df - > jimczi - 2018-09-18 13:07:55] > at > org.apache.solr.update.processor.DocExpirationUpdateProcessorFactory$DeleteExpiredDocsRunnable.run(DocExpirationUpdateProcessorFactory.java:419) > [solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df - jimczi > - 2018-09-18 13:07:55] > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > [?:1.8.0_112] > at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) > [?:1.8.0_112] > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) > [?:1.8.0_112] > at > java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) > [?:1.8.0_112] > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > [?:1.8.0_112] > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > [?:1.8.0_112] > at java.lang.Thread.run(Thread.java:745) [?:1.8.0_112]{code} > -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org For additional commands, e-mail: issues-h...@lucene.apache.org