Implementing security.json is breaking ADDREPLICA

I have been able to reproduce this issue with minimal changes from an 
out-of-the-box Zookeeper (3.4.6) and Solr (5.3.1): loading 
configsets/basic_configs/conf into Zookeeper, creating the security.json listed 
below, creating two nodes (one with a core named xmpl and one without any 
core). I can provide details if helpful.

The security.json is as follows:

{
  "authentication":{
    "class":"solr.BasicAuthPlugin",
    "credentials":{
      "solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=",
      "solruser":"VgZX1TAMNHT2IJikoGdKtxQdXc+MbNwfqzf89YqcLEE= 37pPWQ9v4gciIKHuTmFmN0Rv66rnlMOFEWfEy9qjJfY="},
    "":{"v":9}},
  "authorization":{
    "class":"solr.RuleBasedAuthorizationPlugin",
    "user-role":{
      "solr":[
        "admin",
        "read",
        "xmpladmin",
        "xmplgen",
        "xmplsel"],
      "solruser":[
        "read",
        "xmplgen",
        "xmplsel"]},
    "permissions":[
      {
        "name":"security-edit",
        "role":"admin"},
      {
        "name":"xmpl_admin",
        "collection":"xmpl",
        "path":"/admin/*",
        "role":"xmpladmin"},
      {
        "name":"xmpl_sel",
        "collection":"xmpl",
        "path":"/select/*",
        "role":null},
      {
        "name":"xmpl_gen",
        "collection":"xmpl",
        "path":"/*",
        "role":"xmplgen"}],
    "":{"v":42}}}





When I then execute admin/collections?action=ADDREPLICA, I get errors such as 
the following in the solr.log of the node which was created without a core.

INFO  - 2015-11-17 21:03:54.157; [c:xmpl s:shard1 r:core_node2 x:xmpl_shard1_replica1] org.apache.solr.cloud.RecoveryStrategy; Starting Replication Recovery.
INFO  - 2015-11-17 21:03:54.158; [c:xmpl s:shard1 r:core_node2 x:xmpl_shard1_replica1] org.apache.solr.cloud.RecoveryStrategy; Begin buffering updates.
INFO  - 2015-11-17 21:03:54.158; [c:xmpl s:shard1 r:core_node2 x:xmpl_shard1_replica1] org.apache.solr.update.UpdateLog; Starting to buffer updates. FSUpdateLog{state=ACTIVE, tlog=null}
INFO  - 2015-11-17 21:03:54.159; [c:xmpl s:shard1 r:core_node2 x:xmpl_shard1_replica1] org.apache.solr.cloud.RecoveryStrategy; Attempting to replicate from http://{IP-address-redacted}:4565/solr/xmpl/.
ERROR - 2015-11-17 21:03:54.166; [c:xmpl s:shard1 r:core_node2 x:xmpl_shard1_replica1] org.apache.solr.common.SolrException; Error while trying to recover:org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error from server at http://{IP-address-redacted}:4565/solr/xmpl: Expected mime type application/octet-stream but got text/html. <html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Error 401 Unauthorized request, Response code: 401</title>
</head>
<body><h2>HTTP ERROR 401</h2>
<p>Problem accessing /solr/xmpl/update. Reason:
<pre>    Unauthorized request, Response code: 401</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/>

</body>
</html>

        at org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:528)
        at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:234)
        at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:226)
        at org.apache.solr.client.solrj.SolrRequest.process(SolrRequest.java:135)
        at org.apache.solr.client.solrj.SolrRequest.process(SolrRequest.java:152)
        at org.apache.solr.cloud.RecoveryStrategy.commitOnLeader(RecoveryStrategy.java:207)
        at org.apache.solr.cloud.RecoveryStrategy.replicate(RecoveryStrategy.java:147)
        at org.apache.solr.cloud.RecoveryStrategy.doRecovery(RecoveryStrategy.java:437)
        at org.apache.solr.cloud.RecoveryStrategy.run(RecoveryStrategy.java:227)

INFO  - 2015-11-17 21:03:54.166; [c:xmpl s:shard1 r:core_node2 x:xmpl_shard1_replica1] org.apache.solr.update.UpdateLog; Dropping buffered updates FSUpdateLog{state=BUFFERING, tlog=null}
ERROR - 2015-11-17 21:03:54.166; [c:xmpl s:shard1 r:core_node2 x:xmpl_shard1_replica1] org.apache.solr.cloud.RecoveryStrategy; Recovery failed - trying again... (2)
INFO  - 2015-11-17 21:03:54.166; [c:xmpl s:shard1 r:core_node2 x:xmpl_shard1_replica1] org.apache.solr.cloud.RecoveryStrategy; Wait 8.0 seconds before trying to recover again (3)



And (after modifying Logging Levels), the solr.log of the node which already 
had a core gets errors such as the following:

2015-11-17 21:03:50.743 DEBUG (qtp59559151-87) [   ] o.e.j.s.Server REQUEST GET /solr/tpl/cloud.html on HttpChannelOverHttp@37cf94f4{r=1,c=false,a=DISPATCHED,uri=/solr/tpl/cloud.html}
2015-11-17 21:03:50.744 DEBUG (qtp59559151-87) [   ] o.e.j.s.Server RESPONSE /solr/tpl/cloud.html  200 handled=true
2015-11-17 21:03:50.802 DEBUG (qtp59559151-91) [   ] o.e.j.s.Server REQUEST GET /solr/zookeeper on HttpChannelOverHttp@37cf94f4{r=2,c=false,a=DISPATCHED,uri=/solr/zookeeper}
2015-11-17 21:03:50.803 INFO  (qtp59559151-91) [   ] o.a.s.s.HttpSolrCall userPrincipal: [null] type: [UNKNOWN], collections: [], Path: [/zookeeper]
2015-11-17 21:03:50.831 DEBUG (qtp59559151-91) [   ] o.e.j.s.Server RESPONSE /solr/zookeeper  200 handled=true
2015-11-17 21:03:50.837 DEBUG (qtp59559151-87) [   ] o.e.j.s.Server REQUEST GET /solr/zookeeper on HttpChannelOverHttp@37cf94f4{r=3,c=false,a=DISPATCHED,uri=/solr/zookeeper}
2015-11-17 21:03:50.838 INFO  (qtp59559151-87) [   ] o.a.s.s.HttpSolrCall userPrincipal: [null] type: [UNKNOWN], collections: [], Path: [/zookeeper]
2015-11-17 21:03:50.841 DEBUG (qtp59559151-87) [   ] o.e.j.s.Server RESPONSE /solr/zookeeper  200 handled=true
2015-11-17 21:03:50.857 DEBUG (qtp59559151-91) [   ] o.e.j.s.Server REQUEST GET /solr/zookeeper on HttpChannelOverHttp@37cf94f4{r=4,c=false,a=DISPATCHED,uri=/solr/zookeeper}
2015-11-17 21:03:50.858 INFO  (qtp59559151-91) [   ] o.a.s.s.HttpSolrCall userPrincipal: [null] type: [UNKNOWN], collections: [], Path: [/zookeeper]
2015-11-17 21:03:50.860 DEBUG (qtp59559151-91) [   ] o.e.j.s.Server RESPONSE /solr/zookeeper  200 handled=true
2015-11-17 21:03:54.162 DEBUG (qtp59559151-87) [   ] o.e.j.s.Server REQUEST POST /solr/xmpl/update on HttpChannelOverHttp@1cf967f0{r=1,c=false,a=DISPATCHED,uri=/solr/xmpl/update}
2015-11-17 21:03:54.164 INFO  (qtp59559151-87) [c:xmpl s:shard1 r:core_node1 x:xmpl] o.a.s.s.HttpSolrCall userPrincipal: [null] type: [WRITE], collections: [xmpl,], Path: [/update]
2015-11-17 21:03:54.164 DEBUG (qtp59559151-87) [c:xmpl s:shard1 r:core_node1 x:xmpl] o.e.j.s.Server RESPONSE /solr/xmpl/update  401 handled=true



My impression from Anshum Gupta's 10/16/15 talk in Austin at the Solr 
conference was that this was supposed to work. It does seem that one might be 
able to add security to replication, but there does not seem to be a way to add 
SolrCloud replication to this type of security.

Also, on a side note, I notice that http://hostname:port/solr/ does bring up 
the GUI without prompting for a password: the Security team here would like us 
to implement security.json in such a way that even the front page of the GUI 
will require a password (although they will allow us to allow select access 
without a password): I have not yet found a way via security.json to implement 
that a password would be required in order to access the GUI front page.



Please advise.

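An added example, not part of the original post and not Solr code: a Python script that reads debug logs in the format quoted above, pairs each HttpSolrCall line with the Jetty RESPONSE line on the same thread, and reports the requests that ended in 401 or 403 together with the principal Solr saw. The function name rejected_requests is an assumption of the example, and the sample lines are copied from the post with the mail wrapping undone.

```python
import re

# Constructed sample: lines taken from the debug log quoted in the post,
# with the mail client's line wrapping undone.
SAMPLE_LOG = """\
2015-11-17 21:03:50.802 DEBUG (qtp59559151-91) [   ] o.e.j.s.Server REQUEST GET /solr/zookeeper on HttpChannelOverHttp@37cf94f4{r=2,c=false,a=DISPATCHED,uri=/solr/zookeeper}
2015-11-17 21:03:50.803 INFO  (qtp59559151-91) [   ] o.a.s.s.HttpSolrCall userPrincipal: [null] type: [UNKNOWN], collections: [], Path: [/zookeeper]
2015-11-17 21:03:50.831 DEBUG (qtp59559151-91) [   ] o.e.j.s.Server RESPONSE /solr/zookeeper  200 handled=true
2015-11-17 21:03:54.162 DEBUG (qtp59559151-87) [   ] o.e.j.s.Server REQUEST POST /solr/xmpl/update on HttpChannelOverHttp@1cf967f0{r=1,c=false,a=DISPATCHED,uri=/solr/xmpl/update}
2015-11-17 21:03:54.164 INFO  (qtp59559151-87) [c:xmpl s:shard1 r:core_node1 x:xmpl] o.a.s.s.HttpSolrCall userPrincipal: [null] type: [WRITE], collections: [xmpl,], Path: [/update]
2015-11-17 21:03:54.164 DEBUG (qtp59559151-87) [c:xmpl s:shard1 r:core_node1 x:xmpl] o.e.j.s.Server RESPONSE /solr/xmpl/update  401 handled=true
"""

# Timestamp, level, (thread), [logging context], then the message.
PREFIX = re.compile(r"^(?P<ts>\S+ \S+)\s+\w+\s+\((?P<thread>[^)]+)\)\s+\[[^\]]*\]\s+(?P<rest>.*)$")
AUTH = re.compile(r"HttpSolrCall userPrincipal: \[(?P<user>[^\]]*)\] type: \[(?P<type>[^\]]*)\], "
                  r"collections: \[(?P<colls>[^\]]*)\], Path: \[(?P<path>[^\]]*)\]")
RESP = re.compile(r"Server RESPONSE (?P<uri>\S+)\s+(?P<status>\d{3}) ")

def rejected_requests(log_text):
    """Pair each HttpSolrCall auth-context line with the next Jetty RESPONSE
    on the same thread; return those that ended in 401 or 403."""
    pending = {}   # thread name -> auth context awaiting its response
    findings = []
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # stack traces, HTML bodies, wrapped fragments
        thread, rest = m["thread"], m["rest"]
        auth = AUTH.search(rest)
        if auth:
            pending[thread] = auth.groupdict()
            continue
        resp = RESP.search(rest)
        if resp:
            ctx = pending.pop(thread, None)
            if ctx and resp["status"] in ("401", "403"):
                findings.append({
                    "time": m["ts"], "uri": resp["uri"], "status": int(resp["status"]),
                    "user": None if ctx["user"] == "null" else ctx["user"],
                    "type": ctx["type"],
                    "collections": [c for c in ctx["colls"].split(",") if c],
                })
    return findings
```

On the sample it returns a single finding: the POST to /solr/xmpl/update at 21:03:54.164, type WRITE, with no principal, which is the request the recovering replica's log shows failing.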