Hi Jan,

Thank you for your time on this.
If I send a /select request directly on the alias (/solr/test/select), the browser asks for credentials, but the Solr response returns status=401 and an HTML error message with "HTTP ERROR 401 require authentication".

Obviously, my expectation was that some query results would be returned.

Since you can't reproduce the issue, I have to assume it's a configuration issue. So, if I may, let me provide as many details as I can about my setup. Can anyone see something wrong here, some incompatibility?

Solr 8.5.0

solrconfig.xml

    <luceneMatchVersion>7.1.0</luceneMatchVersion>
    <lib dir="../../lib-plugins" />
    <schemaFactory class="ClassicIndexSchemaFactory"/>
    <httpCaching never304="true" />
    <requestHandler name="/select" class="solr.SearchHandler">
      <shardHandlerFactory class="HttpShardHandlerFactory">
        <int name="socketTimeOut">50000</int>
        <int name="connTimeOut">50000</int>
        <int name="corePoolSize">5</int>
      </shardHandlerFactory>

schema.xml
version=1.6
Some warnings on start-up about Trie* fields and deprecated filters (we should fix that)

security.json
in Zookeeper, at the Solr ZK root (provided on this thread)
blockUnknown : (true|false) = no change in behavior for me, for this issue
forwardCredentials : (true|false) = no change in behavior for me, for this issue

No SSL

solr.in.sh
SOLR_AUTH_TYPE="basic"
SOLR_AUTHENTICATION_OPTS="-Dbasicauth=admin:admin"

start command params:
solr start -force -c -m 4g -h <host> -p <port> -z <zk_host>:<zk_port>/<solr_root>

Am I missing anything?

Thank you.

********

My investigation so far:

I have set logging levels to TRACE for anything related to HTTP, HTTP2, Authorization, Authentication...
Judging by a comment in org.apache.solr.core.CoreContainer.setupHttpClientForAuthPlugin(Object), I should see some logging from PKIAuthenticationPlugin, no matter what plugin is actually used, and regardless if forwardCredentials is true or false:

Comment:
// Always register PKI auth interceptor, which will then delegate the decision of who should secure
// each request to the configured authentication plugin.

Expected log message from org.apache.solr.security.PKIAuthenticationPlugin.setup(Http2SolrClient)
and/or from org.apache.solr.security.PKIAuthenticationPlugin.HttpHeaderClientInterceptor.process(HttpRequest, HttpContext)

When running a request on an alias, I only see the expected log message from /admin requests, never for /select requests.

Of course, if my configuration is wrong, then my code and log analysis is useless.

**********

Isabelle Giguère
Computational Linguist & Java Developer

________________________________
From: Jan Høydahl <jan....@cominvent.com>
Sent: 12 June 2020 06:55
To: solr-user@lucene.apache.org <solr-user@lucene.apache.org>
Subject: Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr

Hi

I tried to reproduce, but I can successfully search both the collection and the alias. Both collection and alias prompt for password, and when giving the password the search succeeds.

What was your expectation?

Jan

> On 11 Jun 2020, at 16:53, Isabelle Giguère <igigu...@opentext.com.INVALID> wrote:
>
> Some extra info:
> Collections have 1 shard, 1 replica. Only 1 Solr node running.
>
> The HTTP 401 is not intermittent, as reported in SOLR-13421 and SOLR-13510.
>
> Any request to the alias fails.
>
> Thanks;
>
> Isabelle Giguère
> Computational Linguist & Java Developer
>
>
> ________________________________
> From: Isabelle Giguère <igigu...@opentext.com.INVALID>
> Sent: 10 June 2020 16:11
> To: solr-user@lucene.apache.org <solr-user@lucene.apache.org>
> Subject: Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
>
> Hi Jan;
>
> Thank you for your reply.
>
> This is security.json as seen in Zookeeper. Credentials are admin / admin
>
> {
>   "authentication":{
>     "blockUnknown":false,
>     "realm":"MTM Solr",
>     "forwardCredentials":true,
>     "class":"solr.BasicAuthPlugin",
>     "credentials":{"admin":"0rTOgObKYwzSyPoYuj2su2/90eQCfysF1aasxTx+wrc= +tCMmpawYYtTsp3JfkG9avb8bKZlm/IGTZirsufYvns="},
>     "":{"v":2}},
>   "authorization":{
>     "class":"solr.RuleBasedAuthorizationPlugin",
>     "permissions":[{
>       "name":"all",
>       "role":"admin"}],
>     "user-role":{"admin":"admin"},
>     "":{"v":8}}}
>
> Thanks for feedback
>
> Isabelle Giguère
> Computational Linguist & Java Developer
>
>
> ________________________________
> From: Jan Høydahl <jan....@cominvent.com>
> Sent: 10 June 2020 16:01
> To: solr-user@lucene.apache.org <solr-user@lucene.apache.org>
> Subject: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
>
> Please share your security.json file
>
> Jan Høydahl
>
>> On 10 Jun 2020, at 21:53, Isabelle Giguère <igigu...@opentext.com.invalid> wrote:
>>
>> Hi;
>>
>> I'm using Solr 8.5.0. I have uploaded security.json to Zookeeper. I can
>> log in the Solr Admin UI. I can create collections and aliases, and I can
>> index documents in Solr.
>>
>> Collections : test1, test2
>> Alias: test (combines test1, test2)
>>
>> Indexed document "solr-word.pdf" in collection test1
>>
>> Searching on a collection works:
>> http://localhost:8983/solr/test1/select?q=*:*&wt=xml
>> <result name="response" numFound="1" start="0">
>>
>> But searching on an alias results in HTTP 401
>> http://localhost:8983/solr/test/select?q=*:*&wt=xml
>>
>> Error from server at null: Expected mime type application/octet-stream but
>> got text/html. <html> <head> <meta http-equiv="Content-Type"
>> content="text/html;charset=utf-8"/> <title>Error 401 Authentication failed,
>> Response code: 401</title> </head> <body><h2>HTTP ERROR 401 Authentication
>> failed, Response code: 401</h2> <table>
>> <tr><th>URI:</th><td>/solr/test1_shard1_replica_n1/select</td></tr>
>> <tr><th>STATUS:</th><td>401</td></tr>
>> <tr><th>MESSAGE:</th><td>Authentication failed, Response code: 401</td></tr>
>> <tr><th>SERVLET:</th><td>default</td></tr> </table> </body> </html>
>>
>> Even if https://issues.apache.org/jira/browse/SOLR-13510
>> is fixed in Solr 8.5.0, I did try to start Solr with -Dsolr.http1=true,
>> and I set "forwardCredentials":true in security.json.
>>
>> Nothing works. I just cannot use aliases when Solr is secured.
>>
>> Can anyone confirm if this may be a configuration issue, or if this could
>> possibly be a bug?
>>
>> Thank you;
>>
>> Isabelle Giguère
>> Computational Linguist & Java Developer
>>
>>
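
Added example, not part of the original thread and not Solr code: a small Python triage helper that reads the Jetty 401 page quoted above and compares its URI row with the path the client asked for. The names `diagnose`, `ErrorTable`, `CORE_NAME` and `SAMPLE_401` are hypothetical, and reading a failing URI that names a core instead of the requested alias as "the 401 was returned to a forwarded request, not to the browser" is an interpretation made here.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the Jetty error page quoted in the thread, reflowed.
SAMPLE_401 = (
    "<html><head><title>Error 401 Authentication failed, Response code: 401"
    "</title></head><body><h2>HTTP ERROR 401 Authentication failed, "
    "Response code: 401</h2><table>"
    "<tr><th>URI:</th><td>/solr/test1_shard1_replica_n1/select</td></tr>"
    "<tr><th>STATUS:</th><td>401</td></tr>"
    "<tr><th>MESSAGE:</th><td>Authentication failed, Response code: 401</td></tr>"
    "<tr><th>SERVLET:</th><td>default</td></tr></table></body></html>"
)
# Assumption: cores are named <collection>_shard<N>_replica_<type><N>.
CORE_NAME = re.compile(r"^(?P<collection>.+)_shard\d+_replica_[a-z]\d+$")


class ErrorTable(HTMLParser):
    """Collect the <th>label</th><td>value</td> rows of the error page."""
    def __init__(self):
        super().__init__()
        self.fields, self._cell, self._label = {}, None, None
    def handle_starttag(self, tag, attrs):
        self._cell = tag if tag in ("th", "td") else None
    def handle_endtag(self, tag):
        self._cell = None
    def handle_data(self, data):
        if self._cell == "th":
            self._label = data.strip().rstrip(":").upper()
        elif self._cell == "td" and self._label:
            self.fields[self._label] = data.strip()
            self._label = None


def diagnose(requested_path, error_html):
    """Say whether a 401 came from the client request or a forwarded one."""
    table = ErrorTable()
    table.feed(error_html)
    failing = table.fields.get("URI", "")
    # Second path segment: /solr/<collection, alias or core>/select
    target = requested_path.split("?")[0].strip("/").split("/")[1:2]
    failed = failing.strip("/").split("/")[1:2]
    core = CORE_NAME.match(failed[0]) if failed else None
    if table.fields.get("STATUS") != "401":
        origin = "not a 401"
    elif core and failed != target:
        origin = "internal sub-request"
    else:
        origin = "client request"
    return {"origin": origin, "failing_uri": failing,
            "collection": core.group("collection") if core else None}
```

For the page quoted in the thread, `diagnose("/solr/test/select?q=*:*&wt=xml", SAMPLE_401)` reports an internal sub-request against collection test1, which points the investigation at how the node authenticates the request it forwards to the core rather than at the browser's credentials.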