Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
Thank you for the input, Aroop. It is probably a red herring. I will have to pick the configuration apart piece by piece. Sigh. It's probably not a node down issue, since I'm only setting up one node. (Reporting an unrelated error message should probably be considered a bug anyways.) Isabelle Giguère Computational Linguist & Java Developer Linguiste informaticienne & développeur java De : Aroop Ganguly Envoyé : 14 juin 2020 17:37 À : solr-user@lucene.apache.org Objet : Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr Isabele sometime 401’s are a red herring for other issues un related to auth. We have had issues on 7.7 where an underlying transient replica recovery and/or leader down situation where the only message we got back from Solr was a 401. Please see if u have any down replicas or other issues where certain nodes may have trouble getting more current information from zookeeper. > On Jun 14, 2020, at 2:13 PM, Isabelle Giguere <mailto:igigu...@opentext.com.INVALID>> wrote: > > I have created > https://urldefense.com/v3/__https://issues.apache.org/jira/browse/SOLR-14569__;!!Obbck6kTJA!PBs90R0pHCmvm6hGqjUeowZNMwhTEibIfLyr8_szdm0Jh-s9okdbuGya_nBlsjED$ > > <https://urldefense.com/v3/__https://issues.apache.org/jira/browse/SOLR-14569__;!!Obbck6kTJA!PBs90R0pHCmvm6hGqjUeowZNMwhTEibIfLyr8_szdm0Jh-s9okdbuGya_nBlsjED$ > > > It includes a patch with the unit test to reproduce the issue, and a > simplification of our product-specific configuration, with instructions. > > Let's catch up on Jira. > > Isabelle Giguère > Computational Linguist & Java Developer > Linguiste informaticienne & développeur java > > > > De : Jan Høydahl mailto:jan@cominvent.com>> > Envoyé : 13 juin 2020 17:50 > À : solr-user <mailto:solr-user@lucene.apache.org>> > Objet : Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr > > I did not manage to reproduce. Feel free to open the JIRA and attach the > failing test. In the issue description, it is great if you manage to describe > the reproduction steps in a clean way, so anyone can reproduce with a minimal > neccessary config. > > Jan > >> 13. jun. 2020 kl. 00:41 skrev Isabelle Giguere >> mailto:igigu...@opentext.com.INVALID>>: >> >> Hello again; >> >> I have managed to reproduce the issue in a unit test. I should probably add >> a Jira ticket with a patch for the unit test On Solr 8.5.0, not master. >> >> Meanwhile, for your suggested queries: >> >> 1. Query on the collection: >> >> curl -i -u admin:admin >> https://urldefense.com/v3/__http://10.5.106.115:8985/solr/test1/select?q=*:*=xml__;Kio!!Obbck6kTJA!LvZRdkAwPGTDqWqS-BYMmyuuwAp9coGzkDzz5BG7hTCLmCSV2bOZBM9A7JzikWgk$ >> >> <https://urldefense.com/v3/__http://10.5.106.115:8985/solr/test1/select?q=*:*=xml__;Kio!!Obbck6kTJA!LvZRdkAwPGTDqWqS-BYMmyuuwAp9coGzkDzz5BG7hTCLmCSV2bOZBM9A7JzikWgk$> >> HTTP/1.1 200 OK >> Content-Security-Policy: default-src 'none'; base-uri 'none'; connect-src >> 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src >> 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src >> 'self'; worker-src 'self'; >> X-Content-Type-Options: nosniff >> X-Frame-Options: SAMEORIGIN >> X-XSS-Protection: 1; mode=block >> Content-Type: application/xml; charset=UTF-8 >> Content-Length: 8214 >> >> >> >> >> >> true >> 0 >> 2 >> >> *:* >> >> >> >> Response contains the Solr document, of course >> >> >> 2. Query on the alias >> >> curl -i -u admin:admin >> https://urldefense.com/v3/__http://10.5.106.115:8985/solr/test/select?q=*:*=xml__;Kio!!Obbck6kTJA!LvZRdkAwPGTDqWqS-BYMmyuuwAp9coGzkDzz5BG7hTCLmCSV2bOZBM9A7PZyiHWo$ >> >> <https://urldefense.com/v3/__http://10.5.106.115:8985/solr/test/select?q=*:*=xml__;Kio!!Obbck6kTJA!LvZRdkAwPGTDqWqS-BYMmyuuwAp9coGzkDzz5BG7hTCLmCSV2bOZBM9A7PZyiHWo$><https://urldefense.com/v3/__http://10.5.106.115:8985/solr/test1/select?q=*:*=xml__;Kio!!Obbck6kTJA!LvZRdkAwPGTDqWqS-BYMmyuuwAp9coGzkDzz5BG7hTCLmCSV2bOZBM9A7JzikWgk$ >> >> <https://urldefense.com/v3/__http://10.5.106.115:8985/solr/test1/select?q=*:*=xml__;Kio!!Obbck6kTJA!LvZRdkAwPGTDqWqS-BYMmyuuwAp9coGzkDzz5BG7hTCLmCSV2bOZBM9A7JzikWgk$> >> > >> HTTP/1.1 401 Unauthorized >> Content-Security-Policy: default-src 'none'; base-uri 'none'; connect-src >> 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src >> 'self'; media-src 'self'; style-src 'se
Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
Isabele sometime 401’s are a red herring for other issues un related to auth. We have had issues on 7.7 where an underlying transient replica recovery and/or leader down situation where the only message we got back from Solr was a 401. Please see if u have any down replicas or other issues where certain nodes may have trouble getting more current information from zookeeper. > On Jun 14, 2020, at 2:13 PM, Isabelle Giguere <mailto:igigu...@opentext.com.INVALID>> wrote: > > I have created https://issues.apache.org/jira/browse/SOLR-14569 > <https://issues.apache.org/jira/browse/SOLR-14569> > It includes a patch with the unit test to reproduce the issue, and a > simplification of our product-specific configuration, with instructions. > > Let's catch up on Jira. > > Isabelle Giguère > Computational Linguist & Java Developer > Linguiste informaticienne & développeur java > > > > De : Jan Høydahl mailto:jan@cominvent.com>> > Envoyé : 13 juin 2020 17:50 > À : solr-user <mailto:solr-user@lucene.apache.org>> > Objet : Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr > > I did not manage to reproduce. Feel free to open the JIRA and attach the > failing test. In the issue description, it is great if you manage to describe > the reproduction steps in a clean way, so anyone can reproduce with a minimal > neccessary config. > > Jan > >> 13. jun. 2020 kl. 00:41 skrev Isabelle Giguere >> mailto:igigu...@opentext.com.INVALID>>: >> >> Hello again; >> >> I have managed to reproduce the issue in a unit test. I should probably add >> a Jira ticket with a patch for the unit test On Solr 8.5.0, not master. >> >> Meanwhile, for your suggested queries: >> >> 1. Query on the collection: >> >> curl -i -u admin:admin >> https://urldefense.com/v3/__http://10.5.106.115:8985/solr/test1/select?q=*:*=xml__;Kio!!Obbck6kTJA!LvZRdkAwPGTDqWqS-BYMmyuuwAp9coGzkDzz5BG7hTCLmCSV2bOZBM9A7JzikWgk$ >> >> <https://urldefense.com/v3/__http://10.5.106.115:8985/solr/test1/select?q=*:*=xml__;Kio!!Obbck6kTJA!LvZRdkAwPGTDqWqS-BYMmyuuwAp9coGzkDzz5BG7hTCLmCSV2bOZBM9A7JzikWgk$> >> HTTP/1.1 200 OK >> Content-Security-Policy: default-src 'none'; base-uri 'none'; connect-src >> 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src >> 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src >> 'self'; worker-src 'self'; >> X-Content-Type-Options: nosniff >> X-Frame-Options: SAMEORIGIN >> X-XSS-Protection: 1; mode=block >> Content-Type: application/xml; charset=UTF-8 >> Content-Length: 8214 >> >> >> >> >> >> true >> 0 >> 2 >> >> *:* >> >> >> >> Response contains the Solr document, of course >> >> >> 2. Query on the alias >> >> curl -i -u admin:admin >> https://urldefense.com/v3/__http://10.5.106.115:8985/solr/test/select?q=*:*=xml__;Kio!!Obbck6kTJA!LvZRdkAwPGTDqWqS-BYMmyuuwAp9coGzkDzz5BG7hTCLmCSV2bOZBM9A7PZyiHWo$ >> >> <https://urldefense.com/v3/__http://10.5.106.115:8985/solr/test/select?q=*:*=xml__;Kio!!Obbck6kTJA!LvZRdkAwPGTDqWqS-BYMmyuuwAp9coGzkDzz5BG7hTCLmCSV2bOZBM9A7PZyiHWo$><https://urldefense.com/v3/__http://10.5.106.115:8985/solr/test1/select?q=*:*=xml__;Kio!!Obbck6kTJA!LvZRdkAwPGTDqWqS-BYMmyuuwAp9coGzkDzz5BG7hTCLmCSV2bOZBM9A7JzikWgk$ >> >> <https://urldefense.com/v3/__http://10.5.106.115:8985/solr/test1/select?q=*:*=xml__;Kio!!Obbck6kTJA!LvZRdkAwPGTDqWqS-BYMmyuuwAp9coGzkDzz5BG7hTCLmCSV2bOZBM9A7JzikWgk$> >> > >> HTTP/1.1 401 Unauthorized >> Content-Security-Policy: default-src 'none'; base-uri 'none'; connect-src >> 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src >> 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src >> 'self'; worker-src 'self'; >> X-Content-Type-Options: nosniff >> X-Frame-Options: SAMEORIGIN >> X-XSS-Protection: 1; mode=block >> Cache-Control: no-cache, no-store >> Pragma: no-cache >> Expires: Sat, 01 Jan 2000 01:00:00 GMT >> Last-Modified: Fri, 12 Jun 2020 22:30:20 GMT >> ETag: "172aaa7c1eb" >> Content-Type: application/xml; charset=UTF-8 >> Content-Length: 1332 >> >> >> >> >> >> true >> 401 >> 16 >> >> *:* >> >> >> >> Error contains the full html HTTP 401 message (with escaped characters, of >> course) >> Gist of it : HTTP ERROR 401 require authentication >> >> Thanks;
Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
I have created https://issues.apache.org/jira/browse/SOLR-14569 It includes a patch with the unit test to reproduce the issue, and a simplification of our product-specific configuration, with instructions. Let's catch up on Jira. Isabelle Giguère Computational Linguist & Java Developer Linguiste informaticienne & développeur java De : Jan Høydahl Envoyé : 13 juin 2020 17:50 À : solr-user Objet : Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr I did not manage to reproduce. Feel free to open the JIRA and attach the failing test. In the issue description, it is great if you manage to describe the reproduction steps in a clean way, so anyone can reproduce with a minimal neccessary config. Jan > 13. jun. 2020 kl. 00:41 skrev Isabelle Giguere > : > > Hello again; > > I have managed to reproduce the issue in a unit test. I should probably add > a Jira ticket with a patch for the unit test On Solr 8.5.0, not master. > > Meanwhile, for your suggested queries: > > 1. Query on the collection: > > curl -i -u admin:admin > https://urldefense.com/v3/__http://10.5.106.115:8985/solr/test1/select?q=*:*=xml__;Kio!!Obbck6kTJA!LvZRdkAwPGTDqWqS-BYMmyuuwAp9coGzkDzz5BG7hTCLmCSV2bOZBM9A7JzikWgk$ > HTTP/1.1 200 OK > Content-Security-Policy: default-src 'none'; base-uri 'none'; connect-src > 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src > 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src > 'self'; worker-src 'self'; > X-Content-Type-Options: nosniff > X-Frame-Options: SAMEORIGIN > X-XSS-Protection: 1; mode=block > Content-Type: application/xml; charset=UTF-8 > Content-Length: 8214 > > > > > > true > 0 > 2 > >*:* > > > > Response contains the Solr document, of course > > > 2. Query on the alias > > curl -i -u admin:admin > https://urldefense.com/v3/__http://10.5.106.115:8985/solr/test/select?q=*:*=xml__;Kio!!Obbck6kTJA!LvZRdkAwPGTDqWqS-BYMmyuuwAp9coGzkDzz5BG7hTCLmCSV2bOZBM9A7PZyiHWo$ > > <https://urldefense.com/v3/__http://10.5.106.115:8985/solr/test1/select?q=*:*=xml__;Kio!!Obbck6kTJA!LvZRdkAwPGTDqWqS-BYMmyuuwAp9coGzkDzz5BG7hTCLmCSV2bOZBM9A7JzikWgk$ > > > HTTP/1.1 401 Unauthorized > Content-Security-Policy: default-src 'none'; base-uri 'none'; connect-src > 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src > 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src > 'self'; worker-src 'self'; > X-Content-Type-Options: nosniff > X-Frame-Options: SAMEORIGIN > X-XSS-Protection: 1; mode=block > Cache-Control: no-cache, no-store > Pragma: no-cache > Expires: Sat, 01 Jan 2000 01:00:00 GMT > Last-Modified: Fri, 12 Jun 2020 22:30:20 GMT > ETag: "172aaa7c1eb" > Content-Type: application/xml; charset=UTF-8 > Content-Length: 1332 > > > > > > true > 401 > 16 > >*:* > > > > Error contains the full html HTTP 401 message (with escaped characters, of > course) > Gist of it : HTTP ERROR 401 require authentication > > Thanks; > > > Isabelle Giguère > Computational Linguist & Java Developer > Linguiste informaticienne & développeur java > > > > De : Jan Høydahl > Envoyé : 12 juin 2020 17:30 > À : solr-user@lucene.apache.org > Objet : Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr > > I’d say, try the query with curl and enable http headers > > curl -i —user admin:admin http://localhost:8983/solr/mycollection/select?q=*:* > curl -i —user admin:admin http://localhost:8983/solr/myalias/select?q=*:* > > Are you saying that you see a difference between the two? What are the > headers? > > Jan > >> 12. jun. 2020 kl. 20:06 skrev Isabelle Giguere >> : >> >> Hi Jan >> >> Thank you for your time on this. >> >> If I send a /select request directly on the alias (/solr/test/select), the >> browser asks for credentials, but the Solr response returns status=401 and >> an html error message with "HTTP ERROR 401 require authentication" >> >> Obviously, my expectation was that some query results would be returned. >> >> Since you can't reproduce the issue, I have to assume it's a configuration >> issue. >> >> So, if I may, let me provide as much details as I can about my setup. >> >> Can anyone see something wrong here, some incompatibility ? >> >> Solr 8.5.0 >> >> solrconfig.xml >> 7.1.0 >> >> >> >> >> >> 5 >> 5 >>
Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
I did not manage to reproduce. Feel free to open the JIRA and attach the failing test. In the issue description, it is great if you manage to describe the reproduction steps in a clean way, so anyone can reproduce with a minimal neccessary config. Jan > 13. jun. 2020 kl. 00:41 skrev Isabelle Giguere > : > > Hello again; > > I have managed to reproduce the issue in a unit test. I should probably add > a Jira ticket with a patch for the unit test On Solr 8.5.0, not master. > > Meanwhile, for your suggested queries: > > 1. Query on the collection: > > curl -i -u admin:admin http://10.5.106.115:8985/solr/test1/select?q=*:*=xml > HTTP/1.1 200 OK > Content-Security-Policy: default-src 'none'; base-uri 'none'; connect-src > 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src > 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src > 'self'; worker-src 'self'; > X-Content-Type-Options: nosniff > X-Frame-Options: SAMEORIGIN > X-XSS-Protection: 1; mode=block > Content-Type: application/xml; charset=UTF-8 > Content-Length: 8214 > > > > > > true > 0 > 2 > >*:* > > > > Response contains the Solr document, of course > > > 2. Query on the alias > > curl -i -u admin:admin > http://10.5.106.115:8985/solr/test/select?q=*:*=xml<http://10.5.106.115:8985/solr/test1/select?q=*:*=xml> > HTTP/1.1 401 Unauthorized > Content-Security-Policy: default-src 'none'; base-uri 'none'; connect-src > 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src > 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src > 'self'; worker-src 'self'; > X-Content-Type-Options: nosniff > X-Frame-Options: SAMEORIGIN > X-XSS-Protection: 1; mode=block > Cache-Control: no-cache, no-store > Pragma: no-cache > Expires: Sat, 01 Jan 2000 01:00:00 GMT > Last-Modified: Fri, 12 Jun 2020 22:30:20 GMT > ETag: "172aaa7c1eb" > Content-Type: application/xml; charset=UTF-8 > Content-Length: 1332 > > > > > > true > 401 > 16 > >*:* > > > > Error contains the full html HTTP 401 message (with escaped characters, of > course) > Gist of it : HTTP ERROR 401 require authentication > > Thanks; > > > Isabelle Giguère > Computational Linguist & Java Developer > Linguiste informaticienne & développeur java > > > > De : Jan Høydahl > Envoyé : 12 juin 2020 17:30 > À : solr-user@lucene.apache.org > Objet : Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr > > I’d say, try the query with curl and enable http headers > > curl -i —user admin:admin http://localhost:8983/solr/mycollection/select?q=*:* > curl -i —user admin:admin http://localhost:8983/solr/myalias/select?q=*:* > > Are you saying that you see a difference between the two? What are the > headers? > > Jan > >> 12. jun. 2020 kl. 20:06 skrev Isabelle Giguere >> : >> >> Hi Jan >> >> Thank you for your time on this. >> >> If I send a /select request directly on the alias (/solr/test/select), the >> browser asks for credentials, but the Solr response returns status=401 and >> an html error message with "HTTP ERROR 401 require authentication" >> >> Obviously, my expectation was that some query results would be returned. >> >> Since you can't reproduce the issue, I have to assume it's a configuration >> issue. >> >> So, if I may, let me provide as much details as I can about my setup. >> >> Can anyone see something wrong here, some incompatibility ? >> >> Solr 8.5.0 >> >> solrconfig.xml >> 7.1.0 >> >> >> >> >> >> 5 >> 5 >> 5 >> >> >> schema.xml >> version=1.6 >> Some warnings on start-up about Trie* fields and deprecated filters (we >> should fix that) >> >> security.json in Zookeeper, at the Solr ZK root (provided on this thread) >> blockUnknown : (true|false) = no change in behavior for me, for this issue >> forwardCredentials : (true|false) = no change in behavior for me, for this >> issue >> >> No SSL >> >> solr.in.sh >> SOLR_AUTH_TYPE="basic" >> SOLR_AUTHENTICATION_OPTS="-Dbasicauth=admin:admin" >> >> start command params: >> solr start -force -c -m 4g -h -p -z >> :/ >> >> >> Am I missing anything ? >> >> Thank you. >> >> >>
Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
Hello again; I have managed to reproduce the issue in a unit test. I should probably add a Jira ticket with a patch for the unit test On Solr 8.5.0, not master. Meanwhile, for your suggested queries: 1. Query on the collection: curl -i -u admin:admin http://10.5.106.115:8985/solr/test1/select?q=*:*=xml HTTP/1.1 200 OK Content-Security-Policy: default-src 'none'; base-uri 'none'; connect-src 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; worker-src 'self'; X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Content-Type: application/xml; charset=UTF-8 Content-Length: 8214 true 0 2 *:* Response contains the Solr document, of course 2. Query on the alias curl -i -u admin:admin http://10.5.106.115:8985/solr/test/select?q=*:*=xml<http://10.5.106.115:8985/solr/test1/select?q=*:*=xml> HTTP/1.1 401 Unauthorized Content-Security-Policy: default-src 'none'; base-uri 'none'; connect-src 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; worker-src 'self'; X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store Pragma: no-cache Expires: Sat, 01 Jan 2000 01:00:00 GMT Last-Modified: Fri, 12 Jun 2020 22:30:20 GMT ETag: "172aaa7c1eb" Content-Type: application/xml; charset=UTF-8 Content-Length: 1332 true 401 16 *:* Error contains the full html HTTP 401 message (with escaped characters, of course) Gist of it : HTTP ERROR 401 require authentication Thanks; Isabelle Giguère Computational Linguist & Java Developer Linguiste informaticienne & développeur java De : Jan Høydahl Envoyé : 12 juin 2020 17:30 À : solr-user@lucene.apache.org Objet : Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr I’d say, try the query with curl and enable http headers curl -i —user admin:admin http://localhost:8983/solr/mycollection/select?q=*:* curl -i —user admin:admin http://localhost:8983/solr/myalias/select?q=*:* Are you saying that you see a difference between the two? What are the headers? Jan > 12. jun. 2020 kl. 20:06 skrev Isabelle Giguere > : > > Hi Jan > > Thank you for your time on this. > > If I send a /select request directly on the alias (/solr/test/select), the > browser asks for credentials, but the Solr response returns status=401 and an > html error message with "HTTP ERROR 401 require authentication" > > Obviously, my expectation was that some query results would be returned. > > Since you can't reproduce the issue, I have to assume it's a configuration > issue. > > So, if I may, let me provide as much details as I can about my setup. > > Can anyone see something wrong here, some incompatibility ? > > Solr 8.5.0 > > solrconfig.xml > 7.1.0 > > > > > >5 >5 >5 > > > schema.xml > version=1.6 > Some warnings on start-up about Trie* fields and deprecated filters (we > should fix that) > > security.json in Zookeeper, at the Solr ZK root (provided on this thread) > blockUnknown : (true|false) = no change in behavior for me, for this issue > forwardCredentials : (true|false) = no change in behavior for me, for this > issue > > No SSL > > solr.in.sh > SOLR_AUTH_TYPE="basic" > SOLR_AUTHENTICATION_OPTS="-Dbasicauth=admin:admin" > > start command params: > solr start -force -c -m 4g -h -p -z > :/ > > > Am I missing anything ? > > Thank you. > > > > My investigation so far: > > I have set logging levels to TRACE for anything related to HTTP, HTTP2, > Authorization, Authentication... > > Judging by a comment in > org.apache.solr.core.CoreContainer.setupHttpClientForAuthPlugin(Object), I > should see some logging from PKIAuthenticationPlugin, no matter what plugin > is actually used, and regardless if forwardCredentials is true or false: > Comment: > // Always register PKI auth interceptor, which will then delegate the > decision of who should secure > // each request to the configured authentication plugin. > > Expected log message from > org.apache.solr.security.PKIAuthenticationPlugin.setup(Http2SolrClient) > and/or from > org.apache.solr.security.PKIAuthenticationPlugin.HttpHeaderClientInterceptor.process(HttpRequest, > HttpContext) > > When running a request on an alias, I only see the expected log message from > /admin requests, never for /select requests. > > Of course, if my configura
Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
I’d say, try the query with curl and enable http headers
curl -i —user admin:admin http://localhost:8983/solr/mycollection/select?q=*:*
curl -i —user admin:admin http://localhost:8983/solr/myalias/select?q=*:*
Are you saying that you see a difference between the two? What are the headers?
Jan
> 12. jun. 2020 kl. 20:06 skrev Isabelle Giguere
> :
>
> Hi Jan
>
> Thank you for your time on this.
>
> If I send a /select request directly on the alias (/solr/test/select), the
> browser asks for credentials, but the Solr response returns status=401 and an
> html error message with "HTTP ERROR 401 require authentication"
>
> Obviously, my expectation was that some query results would be returned.
>
> Since you can't reproduce the issue, I have to assume it's a configuration
> issue.
>
> So, if I may, let me provide as much details as I can about my setup.
>
> Can anyone see something wrong here, some incompatibility ?
>
> Solr 8.5.0
>
> solrconfig.xml
> 7.1.0
>
>
>
>
>
>5
>5
>5
>
>
> schema.xml
> version=1.6
> Some warnings on start-up about Trie* fields and deprecated filters (we
> should fix that)
>
> security.json in Zookeeper, at the Solr ZK root (provided on this thread)
> blockUnknown : (true|false) = no change in behavior for me, for this issue
> forwardCredentials : (true|false) = no change in behavior for me, for this
> issue
>
> No SSL
>
> solr.in.sh
> SOLR_AUTH_TYPE="basic"
> SOLR_AUTHENTICATION_OPTS="-Dbasicauth=admin:admin"
>
> start command params:
> solr start -force -c -m 4g -h -p -z
> :/
>
>
> Am I missing anything ?
>
> Thank you.
>
>
>
> My investigation so far:
>
> I have set logging levels to TRACE for anything related to HTTP, HTTP2,
> Authorization, Authentication...
>
> Judging by a comment in
> org.apache.solr.core.CoreContainer.setupHttpClientForAuthPlugin(Object), I
> should see some logging from PKIAuthenticationPlugin, no matter what plugin
> is actually used, and regardless if forwardCredentials is true or false:
> Comment:
> // Always register PKI auth interceptor, which will then delegate the
> decision of who should secure
> // each request to the configured authentication plugin.
>
> Expected log message from
> org.apache.solr.security.PKIAuthenticationPlugin.setup(Http2SolrClient)
> and/or from
> org.apache.solr.security.PKIAuthenticationPlugin.HttpHeaderClientInterceptor.process(HttpRequest,
> HttpContext)
>
> When running a request on an alias, I only see the expected log message from
> /admin requests, never for /select requests.
>
> Of course, if my configuration is wrong, then my code and log analysis is
> useless.
>
> **
>
>
> Isabelle Giguère
> Computational Linguist & Java Developer
> Linguiste informaticienne & développeur java
>
>
>
> De : Jan Høydahl
> Envoyé : 12 juin 2020 06:55
> À : solr-user@lucene.apache.org
> Objet : Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
>
> Hi
>
> I tried to reproduce, but I can successfully search both the collection and
> the alias. Both collection and alias promt for password, and when giving the
> password the search succeeds.
>
> What was your expectation?
>
> Jan
>
>> 11. jun. 2020 kl. 16:53 skrev Isabelle Giguere
>> :
>>
>> Some extra info:
>> Collections have 1 shard, 1 replica. Only 1 Solr node running.
>>
>> The HTTP 401 is not intermittent, as reported in SOLR-13421 and SOLR-13510.
>>
>> Any request to the alias fails.
>>
>> Thanks;
>>
>> Isabelle Giguère
>> Computational Linguist & Java Developer
>> Linguiste informaticienne & développeur java
>>
>>
>>
>> De : Isabelle Giguere
>> Envoyé : 10 juin 2020 16:11
>> À : solr-user@lucene.apache.org
>> Objet : Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
>>
>> Hi Jan;
>>
>> Thank you for your reply.
>>
>> This is security.json as seen in Zookeeper. Credentials are admin / admin
>>
>> {
>> "authentication":{
>> "blockUnknown":false,
>> "realm":"MTM Solr",
>> "forwardCredentials":true,
>> "class":"solr.BasicAuthPlugin",
>> "credentials":{"admin":"0rTOgObKYwzSyPoYuj2su2/90eQCfysF1aasxTx+wrc=
>> +tCMmpawYYtTsp3JfkG9avb8bKZ
Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
Hi Jan
Thank you for your time on this.
If I send a /select request directly on the alias (/solr/test/select), the
browser asks for credentials, but the Solr response returns status=401 and an
html error message with "HTTP ERROR 401 require authentication"
Obviously, my expectation was that some query results would be returned.
Since you can't reproduce the issue, I have to assume it's a configuration
issue.
So, if I may, let me provide as much details as I can about my setup.
Can anyone see something wrong here, some incompatibility ?
Solr 8.5.0
solrconfig.xml
7.1.0
5
5
5
schema.xml
version=1.6
Some warnings on start-up about Trie* fields and deprecated filters (we should
fix that)
security.json in Zookeeper, at the Solr ZK root (provided on this thread)
blockUnknown : (true|false) = no change in behavior for me, for this issue
forwardCredentials : (true|false) = no change in behavior for me, for this issue
No SSL
solr.in.sh
SOLR_AUTH_TYPE="basic"
SOLR_AUTHENTICATION_OPTS="-Dbasicauth=admin:admin"
start command params:
solr start -force -c -m 4g -h -p -z
:/
Am I missing anything ?
Thank you.
My investigation so far:
I have set logging levels to TRACE for anything related to HTTP, HTTP2,
Authorization, Authentication...
Judging by a comment in
org.apache.solr.core.CoreContainer.setupHttpClientForAuthPlugin(Object), I
should see some logging from PKIAuthenticationPlugin, no matter what plugin is
actually used, and regardless if forwardCredentials is true or false:
Comment:
// Always register PKI auth interceptor, which will then delegate the decision
of who should secure
// each request to the configured authentication plugin.
Expected log message from
org.apache.solr.security.PKIAuthenticationPlugin.setup(Http2SolrClient) and/or
from
org.apache.solr.security.PKIAuthenticationPlugin.HttpHeaderClientInterceptor.process(HttpRequest,
HttpContext)
When running a request on an alias, I only see the expected log message from
/admin requests, never for /select requests.
Of course, if my configuration is wrong, then my code and log analysis is
useless.
**
Isabelle Giguère
Computational Linguist & Java Developer
Linguiste informaticienne & développeur java
De : Jan Høydahl
Envoyé : 12 juin 2020 06:55
À : solr-user@lucene.apache.org
Objet : Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
Hi
I tried to reproduce, but I can successfully search both the collection and the
alias. Both collection and alias promt for password, and when giving the
password the search succeeds.
What was your expectation?
Jan
> 11. jun. 2020 kl. 16:53 skrev Isabelle Giguere
> :
>
> Some extra info:
> Collections have 1 shard, 1 replica. Only 1 Solr node running.
>
> The HTTP 401 is not intermittent, as reported in SOLR-13421 and SOLR-13510.
>
> Any request to the alias fails.
>
> Thanks;
>
> Isabelle Giguère
> Computational Linguist & Java Developer
> Linguiste informaticienne & développeur java
>
>
>
> De : Isabelle Giguere
> Envoyé : 10 juin 2020 16:11
> À : solr-user@lucene.apache.org
> Objet : Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
>
> Hi Jan;
>
> Thank you for your reply.
>
> This is security.json as seen in Zookeeper. Credentials are admin / admin
>
> {
> "authentication":{
>"blockUnknown":false,
>"realm":"MTM Solr",
>"forwardCredentials":true,
>"class":"solr.BasicAuthPlugin",
>"credentials":{"admin":"0rTOgObKYwzSyPoYuj2su2/90eQCfysF1aasxTx+wrc=
> +tCMmpawYYtTsp3JfkG9avb8bKZlm/IGTZirsufYvns="},
>"":{"v":2}},
> "authorization":{
>"class":"solr.RuleBasedAuthorizationPlugin",
>"permissions":[{
>"name":"all",
> "role":"admin"}],
> "user-role":{"admin":"admin"},
>"":{"v":8}}}
>
> Thanks for feedback
>
> Isabelle Giguère
> Computational Linguist & Java Developer
> Linguiste informaticienne & développeur java
>
>
>
> De : Jan Høydahl
> Envoyé : 10 juin 2020 16:01
> À : solr-user@lucene.apache.org
> Objet : [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
>
> Please share your security.json file
>
> Jan Høydahl
>
>> 10. jun. 2020 kl. 21:53 skrev Isabelle Giguere
>> :
>>
>> Hi;
>>
>> I'm using Solr 8.5.0. I have uploaded security.json to Zookeeper. I can
&g
Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
Hi
I tried to reproduce, but I can successfully search both the collection and the
alias. Both collection and alias promt for password, and when giving the
password the search succeeds.
What was your expectation?
Jan
> 11. jun. 2020 kl. 16:53 skrev Isabelle Giguere
> :
>
> Some extra info:
> Collections have 1 shard, 1 replica. Only 1 Solr node running.
>
> The HTTP 401 is not intermittent, as reported in SOLR-13421 and SOLR-13510.
>
> Any request to the alias fails.
>
> Thanks;
>
> Isabelle Giguère
> Computational Linguist & Java Developer
> Linguiste informaticienne & développeur java
>
>
>
> De : Isabelle Giguere
> Envoyé : 10 juin 2020 16:11
> À : solr-user@lucene.apache.org
> Objet : Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
>
> Hi Jan;
>
> Thank you for your reply.
>
> This is security.json as seen in Zookeeper. Credentials are admin / admin
>
> {
> "authentication":{
>"blockUnknown":false,
>"realm":"MTM Solr",
>"forwardCredentials":true,
>"class":"solr.BasicAuthPlugin",
>"credentials":{"admin":"0rTOgObKYwzSyPoYuj2su2/90eQCfysF1aasxTx+wrc=
> +tCMmpawYYtTsp3JfkG9avb8bKZlm/IGTZirsufYvns="},
>"":{"v":2}},
> "authorization":{
>"class":"solr.RuleBasedAuthorizationPlugin",
>"permissions":[{
>"name":"all",
>"role":"admin"}],
> "user-role":{"admin":"admin"},
>"":{"v":8}}}
>
> Thanks for feedback
>
> Isabelle Giguère
> Computational Linguist & Java Developer
> Linguiste informaticienne & développeur java
>
>
>
> De : Jan Høydahl
> Envoyé : 10 juin 2020 16:01
> À : solr-user@lucene.apache.org
> Objet : [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
>
> Please share your security.json file
>
> Jan Høydahl
>
>> 10. jun. 2020 kl. 21:53 skrev Isabelle Giguere
>> :
>>
>> Hi;
>>
>> I'm using Solr 8.5.0. I have uploaded security.json to Zookeeper. I can
>> log in the Solr Admin UI. I can create collections and aliases, and I can
>> index documents in Solr.
>>
>> Collections : test1, test2
>> Alias: test (combines test1, test2)
>>
>> Indexed document "solr-word.pdf" in collection test1
>>
>> Searching on a collection works:
>> http://localhost:8983/solr/test1/select?q=*:*=xml
>>
>>
>> But searching on an alias results in HTTP 401
>> http://localhost:8983/solr/test/select?q=*:*=xml
>>
>> Error from server at null: Expected mime type application/octet-stream but
>> got text/html. > content="text/html;charset=utf-8"/> Error 401 Authentication failed,
>> Response code: 401 HTTP ERROR 401 Authentication
>> failed, Response code: 401
>> URI:/solr/test1_shard1_replica_n1/select
>> STATUS:401
>> MESSAGE:Authentication failed, Response code: 401
>> SERVLET:default
>>
>> Even if
>> https://urldefense.com/v3/__https://issues.apache.org/jira/browse/SOLR-13510__;!!Obbck6kTJA!P6ugA-rw1I80PaH0U_GVasNqn8EXwmVQ33lwcPOU-cvNgTJK6-3zAf8ukzvv3ynJ$
>> is fixed in Solr 8.5.0, I did try to start Solr with -Dsolr.http1=true,
>> and I set "forwardCredentials":true in security.json.
>>
>> Nothing works. I just cannot use aliases when Solr is secured.
>>
>> Can anyone confirm if this may be a configuration issue, or if this could
>> possibly be a bug ?
>>
>> Thank you;
>>
>> Isabelle Giguère
>> Computational Linguist & Java Developer
>> Linguiste informaticienne & développeur java
>>
>>
Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
Some extra info:
Collections have 1 shard, 1 replica. Only 1 Solr node running.
The HTTP 401 is not intermittent, as reported in SOLR-13421 and SOLR-13510.
Any request to the alias fails.
Thanks;
Isabelle Giguère
Computational Linguist & Java Developer
Linguiste informaticienne & développeur java
De : Isabelle Giguere
Envoyé : 10 juin 2020 16:11
À : solr-user@lucene.apache.org
Objet : Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
Hi Jan;
Thank you for your reply.
This is security.json as seen in Zookeeper. Credentials are admin / admin
{
"authentication":{
"blockUnknown":false,
"realm":"MTM Solr",
"forwardCredentials":true,
"class":"solr.BasicAuthPlugin",
"credentials":{"admin":"0rTOgObKYwzSyPoYuj2su2/90eQCfysF1aasxTx+wrc=
+tCMmpawYYtTsp3JfkG9avb8bKZlm/IGTZirsufYvns="},
"":{"v":2}},
"authorization":{
"class":"solr.RuleBasedAuthorizationPlugin",
"permissions":[{
"name":"all",
"role":"admin"}],
"user-role":{"admin":"admin"},
"":{"v":8}}}
Thanks for feedback
Isabelle Giguère
Computational Linguist & Java Developer
Linguiste informaticienne & développeur java
De : Jan Høydahl
Envoyé : 10 juin 2020 16:01
À : solr-user@lucene.apache.org
Objet : [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
Please share your security.json file
Jan Høydahl
> 10. jun. 2020 kl. 21:53 skrev Isabelle Giguere
> :
>
> Hi;
>
> I'm using Solr 8.5.0. I have uploaded security.json to Zookeeper. I can log
> in the Solr Admin UI. I can create collections and aliases, and I can index
> documents in Solr.
>
> Collections : test1, test2
> Alias: test (combines test1, test2)
>
> Indexed document "solr-word.pdf" in collection test1
>
> Searching on a collection works:
> http://localhost:8983/solr/test1/select?q=*:*=xml
>
>
> But searching on an alias results in HTTP 401
> http://localhost:8983/solr/test/select?q=*:*=xml
>
> Error from server at null: Expected mime type application/octet-stream but
> got text/html.content="text/html;charset=utf-8"/> Error 401 Authentication failed,
> Response code: 401 HTTP ERROR 401 Authentication
> failed, Response code: 401
> URI:/solr/test1_shard1_replica_n1/select
> STATUS:401 MESSAGE:Authentication
> failed, Response code: 401
> SERVLET:default
>
> Even if
> https://urldefense.com/v3/__https://issues.apache.org/jira/browse/SOLR-13510__;!!Obbck6kTJA!P6ugA-rw1I80PaH0U_GVasNqn8EXwmVQ33lwcPOU-cvNgTJK6-3zAf8ukzvv3ynJ$
> is fixed in Solr 8.5.0, I did try to start Solr with -Dsolr.http1=true, and
> I set "forwardCredentials":true in security.json.
>
> Nothing works. I just cannot use aliases when Solr is secured.
>
> Can anyone confirm if this may be a configuration issue, or if this could
> possibly be a bug ?
>
> Thank you;
>
> Isabelle Giguère
> Computational Linguist & Java Developer
> Linguiste informaticienne & développeur java
>
>
Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
Hi Jan;
Thank you for your reply.
This is security.json as seen in Zookeeper. Credentials are admin / admin
{
"authentication":{
"blockUnknown":false,
"realm":"MTM Solr",
"forwardCredentials":true,
"class":"solr.BasicAuthPlugin",
"credentials":{"admin":"0rTOgObKYwzSyPoYuj2su2/90eQCfysF1aasxTx+wrc=
+tCMmpawYYtTsp3JfkG9avb8bKZlm/IGTZirsufYvns="},
"":{"v":2}},
"authorization":{
"class":"solr.RuleBasedAuthorizationPlugin",
"permissions":[{
"name":"all",
"role":"admin"}],
"user-role":{"admin":"admin"},
"":{"v":8}}}
Thanks for feedback
Isabelle Giguère
Computational Linguist & Java Developer
Linguiste informaticienne & développeur java
De : Jan Høydahl
Envoyé : 10 juin 2020 16:01
À : solr-user@lucene.apache.org
Objet : [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
Please share your security.json file
Jan Høydahl
> 10. jun. 2020 kl. 21:53 skrev Isabelle Giguere
> :
>
> Hi;
>
> I'm using Solr 8.5.0. I have uploaded security.json to Zookeeper. I can log
> in the Solr Admin UI. I can create collections and aliases, and I can index
> documents in Solr.
>
> Collections : test1, test2
> Alias: test (combines test1, test2)
>
> Indexed document "solr-word.pdf" in collection test1
>
> Searching on a collection works:
> http://localhost:8983/solr/test1/select?q=*:*=xml
>
>
> But searching on an alias results in HTTP 401
> http://localhost:8983/solr/test/select?q=*:*=xml
>
> Error from server at null: Expected mime type application/octet-stream but
> got text/html.content="text/html;charset=utf-8"/> Error 401 Authentication failed,
> Response code: 401 HTTP ERROR 401 Authentication
> failed, Response code: 401
> URI:/solr/test1_shard1_replica_n1/select
> STATUS:401 MESSAGE:Authentication
> failed, Response code: 401
> SERVLET:default
>
> Even if
> https://urldefense.com/v3/__https://issues.apache.org/jira/browse/SOLR-13510__;!!Obbck6kTJA!P6ugA-rw1I80PaH0U_GVasNqn8EXwmVQ33lwcPOU-cvNgTJK6-3zAf8ukzvv3ynJ$
> is fixed in Solr 8.5.0, I did try to start Solr with -Dsolr.http1=true, and
> I set "forwardCredentials":true in security.json.
>
> Nothing works. I just cannot use aliases when Solr is secured.
>
> Can anyone confirm if this may be a configuration issue, or if this could
> possibly be a bug ?
>
> Thank you;
>
> Isabelle Giguère
> Computational Linguist & Java Developer
> Linguiste informaticienne & développeur java
>
>
