Geza Nagy created SOLR-13127:
--------------------------------

             Summary: Solr doesn't make difference by request methods
                 Key: SOLR-13127
                 URL: https://issues.apache.org/jira/browse/SOLR-13127
             Project: Solr
          Issue Type: Bug
      Security Level: Public (Default Security Level. Issues are Public)
    Affects Versions: 7.4
         Environment: Ubuntu 16.04

Solr 7.4

Kerberos

Java 8
            Reporter: Geza Nagy


I tested SolrCloud with Kerberos auth and found an interesting scenario.

+*Symptom:*+

I tried to call the Solr admin API to add a collection and I got back a 
response of 400 because the collection already exists.

+*What I used:*+

HttpURLConnection + Hadoop security's KerberosAuthenticator.

[https://docs.oracle.com/javase/8/docs/api/java/net/HttpURLConnection.html]

[https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java]

 

+*Root cause:*+

The KerberosAuthenticator uses OPTIONS as the request method when it checks 
whether the client is already authenticated, and if it is, the OPTIONS request 
reaches the Solr endpoint and runs the action included in the URI (since I 
provide the full URL to the authenticator).

So during the authentication the action is performed and when my original 
request hits the endpoint the collection is already made.

This can happen because there is no functionality in Solr to properly handle 
the different request methods.

 

In my opinion it's not proper functionality if I can call any endpoint with 
any request method and accidentally perform an action while I just want to 
check whether I'm authenticated or not.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
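Added example (not code from the Solr issue or from the Solr project): a small Python model of the flow described above, where an authenticator probes the full action URL with OPTIONS before replaying the real request, run once against a dispatcher that ignores the method (the reported bug) and once against one that answers OPTIONS without executing the action. The URL, the handler names and the set of methods allowed to run an admin action are assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Constructed URL of the shape the reporter's client would send (assumption).
EXAMPLE_URL = "http://solr.example:8983/solr/admin/collections?action=CREATE&name=test"
# Assumption: methods that may execute an admin action; OPTIONS is never one.
ACTION_METHODS = {"GET", "POST"}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


@dataclass
class CollectionsAdmin:
    """Toy stand-in for a collections admin handler; tracks created names."""
    collections: set = field(default_factory=set)

    def create(self, name):
        if name in self.collections:
            return Response(400)  # "collection already exists"
        self.collections.add(name)
        return Response(200)


def dispatch(admin, method, url, check_method):
    """Route one request. check_method=False reproduces the bug: the action
    runs for every method. check_method=True answers OPTIONS with an Allow
    header and rejects other methods outside ACTION_METHODS with 405."""
    params = parse_qs(urlparse(url).query)
    if check_method and method == "OPTIONS":
        return Response(204, {"Allow": ", ".join(sorted(ACTION_METHODS | {"OPTIONS"}))})
    if check_method and method not in ACTION_METHODS:
        return Response(405, {"Allow": ", ".join(sorted(ACTION_METHODS))})
    if params.get("action") == ["CREATE"] and "name" in params:
        return admin.create(params["name"][0])
    return Response(400)


def authenticator_flow(admin, method, url, check_method):
    """Mimic the authenticator: probe the full action URL with OPTIONS to see
    whether the client is already authenticated, then send the real request.
    Returns (probe status, real request status)."""
    probe = dispatch(admin, "OPTIONS", url, check_method)
    real = dispatch(admin, method, url, check_method)
    return probe.status, real.status
```

With `check_method=False` the probe itself creates the collection and the real request gets the 400 from the report; with `check_method=True` the probe returns 204 and the real request succeeds.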
