Geza Nagy created SOLR-13127:
--------------------------------

             Summary: Solr doesn't make difference by request methods
                 Key: SOLR-13127
                 URL: https://issues.apache.org/jira/browse/SOLR-13127
             Project: Solr
          Issue Type: Bug
      Security Level: Public (Default Security Level. Issues are Public)
    Affects Versions: 7.4
         Environment: Ubuntu 16.04
                      Solr 7.4
                      Kerberos
                      Java 8
            Reporter: Geza Nagy

I tested SolrCloud with Kerberos auth and found an interesting scenario.

+*Symptom:*+

I tried to call the Solr admin API to add a collection and I got back a response of 400 because the collection already exists.

+*What I used:*+

HttpURLConnection + hadoop security's Kerberos Authenticator.

[https://docs.oracle.com/javase/8/docs/api/java/net/HttpURLConnection.html]

[https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java]

+*Root cause:*+

The Kerberos Authenticator uses OPTIONS as the request method when it checks whether the client is already authenticated, and if it is, the OPTIONS request reaches the Solr endpoint and runs the action included in the URI (since I provide the full URL to the authenticator). So during the authentication the action is performed, and when my original request hits the endpoint the collection is already made.

This can happen because there is no functionality in Solr to properly handle the different request methods. In my opinion it's not proper functionality if I can call any endpoint with any request method and accidentally perform an action while I just want to check whether I'm authenticated or not.
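
The behaviour described in the report, sketched as an added example (not code from Solr, Hadoop or the reporter): a gate in front of a side-effecting admin handler that answers an OPTIONS authentication probe without dispatching the action. The `MethodGateDemo` class, the `/admin/collections` path on a local JDK `HttpServer`, the in-memory collection set and the choice of GET and POST as the dispatchable methods are assumptions made for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.ConcurrentSkipListSet;

public class MethodGateDemo {
    // Assumption: only these methods may reach the action dispatcher.
    static final List<String> DISPATCHABLE = Arrays.asList("GET", "POST");
    static final ConcurrentSkipListSet<String> collections = new ConcurrentSkipListSet<>();

    // Hypothetical stand-in for an admin action with a side effect.
    static int create(String query) {
        for (String kv : (query == null ? "" : query).split("&")) {
            if (kv.startsWith("name=") && kv.length() > 5) {
                return collections.add(kv.substring(5)) ? 200 : 400; // 400: already exists
            }
        }
        return 400; // no collection name given
    }

    public static void main(String[] args) throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/admin/collections", ex -> {
            String method = ex.getRequestMethod();
            int status;
            if (DISPATCHABLE.contains(method)) {
                status = create(ex.getRequestURI().getRawQuery());
            } else {
                // OPTIONS (the auth probe) and any other method: never run the action.
                ex.getResponseHeaders().set("Allow", "GET, POST, OPTIONS");
                status = method.equals("OPTIONS") ? 204 : 405;
            }
            ex.sendResponseHeaders(status, -1); // -1: no response body
            ex.close();
        });
        server.start();
        // Constructed requests: the probe first, then the real call, then a repeat.
        URL url = new URL("http://127.0.0.1:" + server.getAddress().getPort()
                + "/admin/collections?action=CREATE&name=demo");
        for (String m : new String[] {"OPTIONS", "GET", "GET"}) {
            HttpURLConnection c = (HttpURLConnection) url.openConnection();
            c.setRequestMethod(m);
            System.out.println(m + " -> " + c.getResponseCode() + " collections=" + collections);
        }
        server.stop(0);
    }
}
```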