[jira] [Commented] (SOLR-4470) Support for basic http auth in internal solr requests
[ https://issues.apache.org/jira/browse/SOLR-4470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13768980#comment-13768980 ] Sea Marie commented on SOLR-4470: - Hi, I am running a simple two-node SolrCloud cluster with this patch (pulled from Jan's GitHub and built from there) using the built-in ZooKeeper and Jetty. I made a few small changes to the Jetty configs to restrict access via basic auth on all SOLR resources. After rebooting with these changes, the SolrCore on my second node is not coming up - it seems like the credentials are not being used in the core recovery code, or not being passed to ZooKeeper, or something. Have I missed some configuration step? Or am I confused and this scenario is not supported by this patch? Here are the changes I made in Jetty to enable basic auth: etc/webdefault.xml (perhaps protecting everything is overly general?): security-constraint web-resource-collection web-resource-nameSolr authenticated application/web-resource-name url-pattern//url-pattern /web-resource-collection auth-constraint role-nameaccess-role/role-name /auth-constraint /security-constraint login-config auth-methodBASIC/auth-method realm-nameAccess Realm/realm-name /login-config etc/jetty.xml: Call name=addBean Arg New class=org.eclipse.jetty.security.HashLoginService Set name=nameAccess Realm/Set Set name=configSystemProperty name=jetty.home default=.//etc/realm.properties/Set Set name=refreshInterval0/Set /New /Arg /Call etc/realm.properties (redacted for obvious reasons :)) user: password, access-role And the changes to SOLR-related things: scripts/ctl.sh (on host2): SOLR=$JAVABIN -Dbootstrap_confdir=$SOLR_HOME/collection1/conf -Dcollection.configName=myconf -DzkRun -DzkHost=host1:9983 -Dsolr.solr.home=$SOLR_HOME -Djetty.logs=$INSTALL_PATH/logs/ -Djetty.home=$INSTALL_PATH/ -jar -DinternalAuthCredentialsBasicAuthUsername=user -DinternalAuthCredentialsBasicAuthPassword=password $INSTALL_PATH/start.jar $INSTALL_PATH/etc/jetty.xml (on host1, same as above w/o the -DzkHost param) And then the error I'm getting (on host2, the second node, only. host1, the leader is fine): INFO - 2013-09-16 23:36:58.409; org.apache.solr.client.solrj.impl.HttpClientUtil; Creating new http client, config:maxConnections=128maxConnectionsPerHost=32followRedirects=false ERROR - 2013-09-16 23:36:58.433; org.apache.solr.common.SolrException; Error while trying to recover. core=collection1:org.apache.solr.client.solrj.impl.HttpSolrServer$RemoteSolrException: Server at http://host1:8983/solr returned non ok status:401, message:Unauthorized at org.apache.solr.client.solrj.impl.HttpSolrServer.request(HttpSolrServer.java:385) at org.apache.solr.client.solrj.impl.HttpSolrServer.request(HttpSolrServer.java:180) at org.apache.solr.cloud.RecoveryStrategy.sendPrepRecoveryCmd(RecoveryStrategy.java:198) at org.apache.solr.cloud.RecoveryStrategy.doRecovery(RecoveryStrategy.java:342) at org.apache.solr.cloud.RecoveryStrategy.run(RecoveryStrategy.java:219) Support for basic http auth in internal solr requests - Key: SOLR-4470 URL: https://issues.apache.org/jira/browse/SOLR-4470 Project: Solr Issue Type: New Feature Components: clients - java, multicore, replication (java), SolrCloud Affects Versions: 4.0 Reporter: Per Steffensen Assignee: Jan Høydahl Labels: authentication, https, solrclient, solrcloud, ssl Fix For: 4.5, 5.0 Attachments: SOLR-4470_branch_4x_r1452629.patch, SOLR-4470_branch_4x_r1452629.patch, SOLR-4470_branch_4x_r145.patch, SOLR-4470.patch, SOLR-4470.patch We want to protect any HTTP-resource (url). We want to require credentials no matter what kind of HTTP-request you make to a Solr-node. It can faily easy be acheived as described on http://wiki.apache.org/solr/SolrSecurity. This problem is that Solr-nodes also make internal request to other Solr-nodes, and for it to work credentials need to be provided here also. Ideally we would like to forward credentials from a particular request to all the internal sub-requests it triggers. E.g. for search and update request. But there are also internal requests * that only indirectly/asynchronously triggered from outside requests (e.g. shard creation/deletion/etc based on calls to the Collection API) * that do not in any way have relation to an outside super-request (e.g. replica synching stuff) We would like to aim at a solution where original credentials are forwarded when a request directly/synchronously trigger a subrequest, and fallback to a configured internal
[jira] [Comment Edited] (SOLR-4470) Support for basic http auth in internal solr requests
[ https://issues.apache.org/jira/browse/SOLR-4470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13768980#comment-13768980 ] Sea Marie edited comment on SOLR-4470 at 9/17/13 12:02 AM: --- Hi, I am running a simple two-node SolrCloud cluster with this patch (pulled from Jan's GitHub and built from there) using the built-in ZooKeeper and Jetty. I made a few small changes to the Jetty configs to restrict access via basic auth on all SOLR resources. After rebooting with these changes, the SolrCore on my second node is not coming up - it seems like the credentials are not being used in the core recovery code, or not being passed to ZooKeeper, or something. Have I missed some configuration step? Or am I confused and this scenario is not supported by this patch? h5. Changes I made in Jetty to enable basic auth: h6. etc/webdefault.xml (perhaps protecting everything is overly general?): security-constraint web-resource-collection web-resource-nameSolr authenticated application/web-resource-name url-pattern//url-pattern /web-resource-collection auth-constraint role-nameaccess-role/role-name /auth-constraint /security-constraint login-config auth-methodBASIC/auth-method realm-nameAccess Realm/realm-name /login-config h6. etc/jetty.xml: Call name=addBean Arg New class=org.eclipse.jetty.security.HashLoginService Set name=nameAccess Realm/Set Set name=configSystemProperty name=jetty.home default=.//etc/realm.properties/Set Set name=refreshInterval0/Set /New /Arg /Call h6. etc/realm.properties (redacted for obvious reasons :)) user: password, access-role h5. Changes to SOLR-related things: scripts/ctl.sh (on host2): SOLR=$JAVABIN -Dbootstrap_confdir=$SOLR_HOME/collection1/conf -Dcollection.configName=myconf -DzkRun -DzkHost=host1:9983 -Dsolr.solr.home=$SOLR_HOME -Djetty.logs=$INSTALL_PATH/logs/ -Djetty.home=$INSTALL_PATH/ -jar -DinternalAuthCredentialsBasicAuthUsername=user -DinternalAuthCredentialsBasicAuthPassword=password $INSTALL_PATH/start.jar $INSTALL_PATH/etc/jetty.xml (on host1, same as above w/o the -DzkHost param) h5. The error I'm seeing (on host2, the second node, only. host1, the leader is fine): INFO - 2013-09-16 23:36:58.409; org.apache.solr.client.solrj.impl.HttpClientUtil; Creating new http client, config:maxConnections=128maxConnectionsPerHost=32followRedirects=false ERROR - 2013-09-16 23:36:58.433; org.apache.solr.common.SolrException; Error while trying to recover. core=collection1:org.apache.solr.client.solrj.impl.HttpSolrServer$RemoteSolrException: Server at http://host1:8983/solr returned non ok status:401, message:Unauthorized at org.apache.solr.client.solrj.impl.HttpSolrServer.request(HttpSolrServer.java:385) at org.apache.solr.client.solrj.impl.HttpSolrServer.request(HttpSolrServer.java:180) at org.apache.solr.cloud.RecoveryStrategy.sendPrepRecoveryCmd(RecoveryStrategy.java:198) at org.apache.solr.cloud.RecoveryStrategy.doRecovery(RecoveryStrategy.java:342) at org.apache.solr.cloud.RecoveryStrategy.run(RecoveryStrategy.java:219) was (Author: sapphiremirage): Hi, I am running a simple two-node SolrCloud cluster with this patch (pulled from Jan's GitHub and built from there) using the built-in ZooKeeper and Jetty. I made a few small changes to the Jetty configs to restrict access via basic auth on all SOLR resources. After rebooting with these changes, the SolrCore on my second node is not coming up - it seems like the credentials are not being used in the core recovery code, or not being passed to ZooKeeper, or something. Have I missed some configuration step? Or am I confused and this scenario is not supported by this patch? Here are the changes I made in Jetty to enable basic auth: etc/webdefault.xml (perhaps protecting everything is overly general?): security-constraint web-resource-collection web-resource-nameSolr authenticated application/web-resource-name url-pattern//url-pattern /web-resource-collection auth-constraint role-nameaccess-role/role-name /auth-constraint /security-constraint login-config auth-methodBASIC/auth-method realm-nameAccess Realm/realm-name /login-config etc/jetty.xml: Call name=addBean Arg New class=org.eclipse.jetty.security.HashLoginService Set name=nameAccess Realm/Set Set name=configSystemProperty name=jetty.home default=.//etc/realm.properties/Set Set name=refreshInterval0/Set /New /Arg /Call etc/realm.properties (redacted for obvious reasons :)) user: password, access-role And the changes to SOLR-related things: scripts/ctl.sh (on host2): SOLR=$JAVABIN -Dbootstrap_confdir=$SOLR_HOME/collection1/conf
[jira] [Comment Edited] (SOLR-4470) Support for basic http auth in internal solr requests
[ https://issues.apache.org/jira/browse/SOLR-4470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13768980#comment-13768980 ] Sea Marie edited comment on SOLR-4470 at 9/17/13 12:04 AM: --- Hi, I am running a simple two-node SolrCloud cluster with this patch (pulled from Jan's GitHub and built from there) using the built-in ZooKeeper and Jetty. I made a few small changes to the Jetty configs to restrict access via basic auth on all SOLR resources. After rebooting with these changes, the SolrCore on my second node is not coming up - it seems like the credentials are not being used in the core recovery code, or not being passed to ZooKeeper, or something. Have I missed some configuration step? Or am I confused and this scenario is not supported by this patch? h5. Changes I made in Jetty to enable basic auth: h6. etc/webdefault.xml (perhaps protecting everything is overly general?): {noformat} security-constraint web-resource-collection web-resource-nameSolr authenticated application/web-resource-name url-pattern//url-pattern /web-resource-collection auth-constraint role-nameaccess-role/role-name /auth-constraint /security-constraint login-config auth-methodBASIC/auth-method realm-nameAccess Realm/realm-name /login-config {noformat} h6. etc/jetty.xml: {noformat} Call name=addBean Arg New class=org.eclipse.jetty.security.HashLoginService Set name=nameAccess Realm/Set Set name=configSystemProperty name=jetty.home default=.//etc/realm.properties/Set Set name=refreshInterval0/Set /New /Arg /Call {noformat} h6. etc/realm.properties (redacted for obvious reasons :)) {noformat} user: password, access-role {noformat} h5. Changes to SOLR-related things: scripts/ctl.sh (on host2): {noformat} SOLR=$JAVABIN -Dbootstrap_confdir=$SOLR_HOME/collection1/conf -Dcollection.configName=myconf -DzkRun -DzkHost=host1:9983 -Dsolr.solr.home=$SOLR_HOME -Djetty.logs=$INSTALL_PATH/logs/ -Djetty.home=$INSTALL_PATH/ -jar -DinternalAuthCredentialsBasicAuthUsername=user -DinternalAuthCredentialsBasicAuthPassword=password $INSTALL_PATH/start.jar $INSTALL_PATH/etc/jetty.xml {noformat} (on host1, same as above w/o the -DzkHost param) h5. The error I'm seeing (on host2, the second node, only. host1, the leader is fine): {noformat} INFO - 2013-09-16 23:36:58.409; org.apache.solr.client.solrj.impl.HttpClientUtil; Creating new http client, config:maxConnections=128maxConnectionsPerHost=32followRedirects=false ERROR - 2013-09-16 23:36:58.433; org.apache.solr.common.SolrException; Error while trying to recover. core=collection1:org.apache.solr.client.solrj.impl.HttpSolrServer$RemoteSolrException: Server at http://host1:8983/solr returned non ok status:401, message:Unauthorized at org.apache.solr.client.solrj.impl.HttpSolrServer.request(HttpSolrServer.java:385) at org.apache.solr.client.solrj.impl.HttpSolrServer.request(HttpSolrServer.java:180) at org.apache.solr.cloud.RecoveryStrategy.sendPrepRecoveryCmd(RecoveryStrategy.java:198) at org.apache.solr.cloud.RecoveryStrategy.doRecovery(RecoveryStrategy.java:342) at org.apache.solr.cloud.RecoveryStrategy.run(RecoveryStrategy.java:219) {noformat} was (Author: sapphiremirage): Hi, I am running a simple two-node SolrCloud cluster with this patch (pulled from Jan's GitHub and built from there) using the built-in ZooKeeper and Jetty. I made a few small changes to the Jetty configs to restrict access via basic auth on all SOLR resources. After rebooting with these changes, the SolrCore on my second node is not coming up - it seems like the credentials are not being used in the core recovery code, or not being passed to ZooKeeper, or something. Have I missed some configuration step? Or am I confused and this scenario is not supported by this patch? h5. Changes I made in Jetty to enable basic auth: h6. etc/webdefault.xml (perhaps protecting everything is overly general?): security-constraint web-resource-collection web-resource-nameSolr authenticated application/web-resource-name url-pattern//url-pattern /web-resource-collection auth-constraint role-nameaccess-role/role-name /auth-constraint /security-constraint login-config auth-methodBASIC/auth-method realm-nameAccess Realm/realm-name /login-config h6. etc/jetty.xml: Call name=addBean Arg New class=org.eclipse.jetty.security.HashLoginService Set name=nameAccess Realm/Set Set name=configSystemProperty name=jetty.home default=.//etc/realm.properties/Set Set name=refreshInterval0/Set /New /Arg /Call h6. etc/realm.properties (redacted for obvious reasons :)) user: password, access-role h5. Changes to
[jira] [Issue Comment Deleted] (SOLR-4470) Support for basic http auth in internal solr requests
[ https://issues.apache.org/jira/browse/SOLR-4470?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sea Marie updated SOLR-4470: Comment: was deleted (was: Hi, I am running a simple two-node SolrCloud cluster with this patch (pulled from Jan's GitHub and built from there) using the built-in ZooKeeper and Jetty. I made a few small changes to the Jetty configs to restrict access via basic auth on all SOLR resources. After rebooting with these changes, the SolrCore on my second node is not coming up - it seems like the credentials are not being used in the core recovery code, or not being passed to ZooKeeper, or something. Have I missed some configuration step? Or am I confused and this scenario is not supported by this patch? h5. Changes I made in Jetty to enable basic auth: h6. etc/webdefault.xml (perhaps protecting everything is overly general?): {noformat} security-constraint web-resource-collection web-resource-nameSolr authenticated application/web-resource-name url-pattern//url-pattern /web-resource-collection auth-constraint role-nameaccess-role/role-name /auth-constraint /security-constraint login-config auth-methodBASIC/auth-method realm-nameAccess Realm/realm-name /login-config {noformat} h6. etc/jetty.xml: {noformat} Call name=addBean Arg New class=org.eclipse.jetty.security.HashLoginService Set name=nameAccess Realm/Set Set name=configSystemProperty name=jetty.home default=.//etc/realm.properties/Set Set name=refreshInterval0/Set /New /Arg /Call {noformat} h6. etc/realm.properties (redacted for obvious reasons :)) {noformat} user: password, access-role {noformat} h5. Changes to SOLR-related things: scripts/ctl.sh (on host2): {noformat} SOLR=$JAVABIN -Dbootstrap_confdir=$SOLR_HOME/collection1/conf -Dcollection.configName=myconf -DzkRun -DzkHost=host1:9983 -Dsolr.solr.home=$SOLR_HOME -Djetty.logs=$INSTALL_PATH/logs/ -Djetty.home=$INSTALL_PATH/ -jar -DinternalAuthCredentialsBasicAuthUsername=user -DinternalAuthCredentialsBasicAuthPassword=password $INSTALL_PATH/start.jar $INSTALL_PATH/etc/jetty.xml {noformat} (on host1, same as above w/o the -DzkHost param) h5. The error I'm seeing (on host2, the second node, only. host1, the leader is fine): {noformat} INFO - 2013-09-16 23:36:58.409; org.apache.solr.client.solrj.impl.HttpClientUtil; Creating new http client, config:maxConnections=128maxConnectionsPerHost=32followRedirects=false ERROR - 2013-09-16 23:36:58.433; org.apache.solr.common.SolrException; Error while trying to recover. core=collection1:org.apache.solr.client.solrj.impl.HttpSolrServer$RemoteSolrException: Server at http://host1:8983/solr returned non ok status:401, message:Unauthorized at org.apache.solr.client.solrj.impl.HttpSolrServer.request(HttpSolrServer.java:385) at org.apache.solr.client.solrj.impl.HttpSolrServer.request(HttpSolrServer.java:180) at org.apache.solr.cloud.RecoveryStrategy.sendPrepRecoveryCmd(RecoveryStrategy.java:198) at org.apache.solr.cloud.RecoveryStrategy.doRecovery(RecoveryStrategy.java:342) at org.apache.solr.cloud.RecoveryStrategy.run(RecoveryStrategy.java:219) {noformat} ) Support for basic http auth in internal solr requests - Key: SOLR-4470 URL: https://issues.apache.org/jira/browse/SOLR-4470 Project: Solr Issue Type: New Feature Components: clients - java, multicore, replication (java), SolrCloud Affects Versions: 4.0 Reporter: Per Steffensen Assignee: Jan Høydahl Labels: authentication, https, solrclient, solrcloud, ssl Fix For: 4.5, 5.0 Attachments: SOLR-4470_branch_4x_r1452629.patch, SOLR-4470_branch_4x_r1452629.patch, SOLR-4470_branch_4x_r145.patch, SOLR-4470.patch, SOLR-4470.patch We want to protect any HTTP-resource (url). We want to require credentials no matter what kind of HTTP-request you make to a Solr-node. It can faily easy be acheived as described on http://wiki.apache.org/solr/SolrSecurity. This problem is that Solr-nodes also make internal request to other Solr-nodes, and for it to work credentials need to be provided here also. Ideally we would like to forward credentials from a particular request to all the internal sub-requests it triggers. E.g. for search and update request. But there are also internal requests * that only indirectly/asynchronously triggered from outside requests (e.g. shard creation/deletion/etc based on calls to the Collection API) * that do not in any way have relation to an outside super-request (e.g. replica synching stuff) We would like to aim at a solution where original credentials are forwarded when a request directly/synchronously