I have created https://issues.apache.org/jira/browse/SOLR-14569 It includes a patch with the unit test to reproduce the issue, and a simplification of our product-specific configuration, with instructions.
Let's catch up on Jira. Isabelle Giguère Computational Linguist & Java Developer Linguiste informaticienne & développeur java ________________________________ De : Jan Høydahl <jan....@cominvent.com> Envoyé : 13 juin 2020 17:50 À : solr-user <solr-user@lucene.apache.org> Objet : Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr I did not manage to reproduce. Feel free to open the JIRA and attach the failing test. In the issue description, it is great if you manage to describe the reproduction steps in a clean way, so anyone can reproduce with a minimal neccessary config. Jan > 13. jun. 2020 kl. 00:41 skrev Isabelle Giguere > <igigu...@opentext.com.INVALID>: > > Hello again; > > I have managed to reproduce the issue in a unit test. I should probably add > a Jira ticket with a patch for the unit test.... On Solr 8.5.0, not master. > > Meanwhile, for your suggested queries: > > 1. Query on the collection: > > curl -i -u admin:admin > https://urldefense.com/v3/__http://10.5.106.115:8985/solr/test1/select?q=*:*&wt=xml__;Kio!!Obbck6kTJA!LvZRdkAwPGTDqWqS-BYMmyuuwAp9coGzkDzz5BG7hTCLmCSV2bOZBM9A7JzikWgk$ > HTTP/1.1 200 OK > Content-Security-Policy: default-src 'none'; base-uri 'none'; connect-src > 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src > 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src > 'self'; worker-src 'self'; > X-Content-Type-Options: nosniff > X-Frame-Options: SAMEORIGIN > X-XSS-Protection: 1; mode=block > Content-Type: application/xml; charset=UTF-8 > Content-Length: 8214 > > <?xml version="1.0" encoding="UTF-8"?> > <response> > > <lst name="responseHeader"> > <bool name="zkConnected">true</bool> > <int name="status">0</int> > <int name="QTime">2</int> > <lst name="params"> > <str name="q">*:*</str> > </lst> > </lst> > <result name="response" numFound="1" start="0"> > Response contains the Solr document, of course > > > 2. Query on the alias > > curl -i -u admin:admin > https://urldefense.com/v3/__http://10.5.106.115:8985/solr/test/select?q=*:*&wt=xml__;Kio!!Obbck6kTJA!LvZRdkAwPGTDqWqS-BYMmyuuwAp9coGzkDzz5BG7hTCLmCSV2bOZBM9A7PZyiHWo$ > > <https://urldefense.com/v3/__http://10.5.106.115:8985/solr/test1/select?q=*:*&wt=xml__;Kio!!Obbck6kTJA!LvZRdkAwPGTDqWqS-BYMmyuuwAp9coGzkDzz5BG7hTCLmCSV2bOZBM9A7JzikWgk$ > > > HTTP/1.1 401 Unauthorized > Content-Security-Policy: default-src 'none'; base-uri 'none'; connect-src > 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src > 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src > 'self'; worker-src 'self'; > X-Content-Type-Options: nosniff > X-Frame-Options: SAMEORIGIN > X-XSS-Protection: 1; mode=block > Cache-Control: no-cache, no-store > Pragma: no-cache > Expires: Sat, 01 Jan 2000 01:00:00 GMT > Last-Modified: Fri, 12 Jun 2020 22:30:20 GMT > ETag: "172aaa7c1eb" > Content-Type: application/xml; charset=UTF-8 > Content-Length: 1332 > > <?xml version="1.0" encoding="UTF-8"?> > <response> > > <lst name="responseHeader"> > <bool name="zkConnected">true</bool> > <int name="status">401</int> > <int name="QTime">16</int> > <lst name="params"> > <str name="q">*:*</str> > </lst> > </lst> > <lst name="error"> > Error contains the full html HTTP 401 message (with escaped characters, of > course) > Gist of it : HTTP ERROR 401 require authentication > > Thanks; > > > Isabelle Giguère > Computational Linguist & Java Developer > Linguiste informaticienne & développeur java > > > ________________________________ > De : Jan Høydahl <jan....@cominvent.com> > Envoyé : 12 juin 2020 17:30 > À : solr-user@lucene.apache.org <solr-user@lucene.apache.org> > Objet : Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr > > I’d say, try the query with curl and enable http headers > > curl -i —user admin:admin http://localhost:8983/solr/mycollection/select?q=*:* > curl -i —user admin:admin http://localhost:8983/solr/myalias/select?q=*:* > > Are you saying that you see a difference between the two? What are the > headers? > > Jan > >> 12. jun. 2020 kl. 20:06 skrev Isabelle Giguere >> <igigu...@opentext.com.INVALID>: >> >> Hi Jan >> >> Thank you for your time on this. >> >> If I send a /select request directly on the alias (/solr/test/select), the >> browser asks for credentials, but the Solr response returns status=401 and >> an html error message with "HTTP ERROR 401 require authentication" >> >> Obviously, my expectation was that some query results would be returned. >> >> Since you can't reproduce the issue, I have to assume it's a configuration >> issue. >> >> So, if I may, let me provide as much details as I can about my setup. >> >> Can anyone see something wrong here, some incompatibility ? >> >> Solr 8.5.0 >> >> solrconfig.xml >> <luceneMatchVersion>7.1.0</luceneMatchVersion> >> <lib dir="../../lib-plugins" /> >> <schemaFactory class="ClassicIndexSchemaFactory"/> >> <httpCaching never304="true" /> >> <requestHandler name="/select" class="solr.SearchHandler"> >> <shardHandlerFactory class="HttpShardHandlerFactory"> >> <int name="socketTimeOut">50000</int> >> <int name="connTimeOut">50000</int> >> <int name="corePoolSize">5</int> >> </shardHandlerFactory> >> >> schema.xml >> version=1.6 >> Some warnings on start-up about Trie* fields and deprecated filters (we >> should fix that) >> >> security.json in Zookeeper, at the Solr ZK root (provided on this thread) >> blockUnknown : (true|false) = no change in behavior for me, for this issue >> forwardCredentials : (true|false) = no change in behavior for me, for this >> issue >> >> No SSL >> >> solr.in.sh >> SOLR_AUTH_TYPE="basic" >> SOLR_AUTHENTICATION_OPTS="-Dbasicauth=admin:admin" >> >> start command params: >> solr start -force -c -m 4g -h <host> -p <port> -z >> <zk_host>:<zk_port>/<solr_root> >> >> >> Am I missing anything ? >> >> Thank you. >> >> ******** >> >> My investigation so far: >> >> I have set logging levels to TRACE for anything related to HTTP, HTTP2, >> Authorization, Authentication... >> >> Judging by a comment in >> org.apache.solr.core.CoreContainer.setupHttpClientForAuthPlugin(Object), I >> should see some logging from PKIAuthenticationPlugin, no matter what plugin >> is actually used, and regardless if forwardCredentials is true or false: >> Comment: >> // Always register PKI auth interceptor, which will then delegate the >> decision of who should secure >> // each request to the configured authentication plugin. >> >> Expected log message from >> org.apache.solr.security.PKIAuthenticationPlugin.setup(Http2SolrClient) >> and/or from >> org.apache.solr.security.PKIAuthenticationPlugin.HttpHeaderClientInterceptor.process(HttpRequest, >> HttpContext) >> >> When running a request on an alias, I only see the expected log message from >> /admin requests, never for /select requests. >> >> Of course, if my configuration is wrong, then my code and log analysis is >> useless. >> >> ********** >> >> >> Isabelle Giguère >> Computational Linguist & Java Developer >> Linguiste informaticienne & développeur java >> >> >> ________________________________ >> De : Jan Høydahl <jan....@cominvent.com> >> Envoyé : 12 juin 2020 06:55 >> À : solr-user@lucene.apache.org <solr-user@lucene.apache.org> >> Objet : Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr >> >> Hi >> >> I tried to reproduce, but I can successfully search both the collection and >> the alias. Both collection and alias promt for password, and when giving the >> password the search succeeds. >> >> What was your expectation? >> >> Jan >> >>> 11. jun. 2020 kl. 16:53 skrev Isabelle Giguere >>> <igigu...@opentext.com.INVALID>: >>> >>> Some extra info: >>> Collections have 1 shard, 1 replica. Only 1 Solr node running. >>> >>> The HTTP 401 is not intermittent, as reported in SOLR-13421 and SOLR-13510. >>> >>> Any request to the alias fails. >>> >>> Thanks; >>> >>> Isabelle Giguère >>> Computational Linguist & Java Developer >>> Linguiste informaticienne & développeur java >>> >>> >>> ________________________________ >>> De : Isabelle Giguere <igigu...@opentext.com.INVALID> >>> Envoyé : 10 juin 2020 16:11 >>> À : solr-user@lucene.apache.org <solr-user@lucene.apache.org> >>> Objet : Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured >>> Solr >>> >>> Hi Jan; >>> >>> Thank you for your reply. >>> >>> This is security.json as seen in Zookeeper. Credentials are admin / admin >>> >>> { >>> "authentication":{ >>> "blockUnknown":false, >>> "realm":"MTM Solr", >>> "forwardCredentials":true, >>> "class":"solr.BasicAuthPlugin", >>> "credentials":{"admin":"0rTOgObKYwzSyPoYuj2su2/90eQCfysF1aasxTx+wrc= >>> +tCMmpawYYtTsp3JfkG9avb8bKZlm/IGTZirsufYvns="}, >>> "":{"v":2}}, >>> "authorization":{ >>> "class":"solr.RuleBasedAuthorizationPlugin", >>> "permissions":[{ >>> "name":"all", >>> "role":"admin"}], >>> "user-role":{"admin":"admin"}, >>> "":{"v":8}}} >>> >>> Thanks for feedback >>> >>> Isabelle Giguère >>> Computational Linguist & Java Developer >>> Linguiste informaticienne & développeur java >>> >>> >>> ________________________________ >>> De : Jan Høydahl <jan....@cominvent.com> >>> Envoyé : 10 juin 2020 16:01 >>> À : solr-user@lucene.apache.org <solr-user@lucene.apache.org> >>> Objet : [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr >>> >>> Please share your security.json file >>> >>> Jan Høydahl >>> >>>> 10. jun. 2020 kl. 21:53 skrev Isabelle Giguere >>>> <igigu...@opentext.com.invalid>: >>>> >>>> Hi; >>>> >>>> I'm using Solr 8.5.0. I have uploaded security.json to Zookeeper. I can >>>> log in the Solr Admin UI. I can create collections and aliases, and I can >>>> index documents in Solr. >>>> >>>> Collections : test1, test2 >>>> Alias: test (combines test1, test2) >>>> >>>> Indexed document "solr-word.pdf" in collection test1 >>>> >>>> Searching on a collection works: >>>> http://localhost:8983/solr/test1/select?q=*:*&wt=xml >>>> <result name="response" numFound="1" start="0"> >>>> >>>> But searching on an alias results in HTTP 401 >>>> http://localhost:8983/solr/test/select?q=*:*&wt=xml >>>> >>>> Error from server at null: Expected mime type application/octet-stream but >>>> got text/html. <html> <head> <meta http-equiv="Content-Type" >>>> content="text/html;charset=utf-8"/> <title>Error 401 Authentication >>>> failed, Response code: 401</title> </head> <body><h2>HTTP ERROR 401 >>>> Authentication failed, Response code: 401</h2> <table> >>>> <tr><th>URI:</th><td>/solr/test1_shard1_replica_n1/select</td></tr> >>>> <tr><th>STATUS:</th><td>401</td></tr> >>>> <tr><th>MESSAGE:</th><td>Authentication failed, Response code: >>>> 401</td></tr> <tr><th>SERVLET:</th><td>default</td></tr> </table> </body> >>>> </html> >>>> >>>> Even if >>>> https://urldefense.com/v3/__https://issues.apache.org/jira/browse/SOLR-13510__;!!Obbck6kTJA!P6ugA-rw1I80PaH0U_GVasNqn8EXwmVQ33lwcPOU-cvNgTJK6-3zAf8ukzvv3ynJ$ >>>> is fixed in Solr 8.5.0, I did try to start Solr with -Dsolr.http1=true, >>>> and I set "forwardCredentials":true in security.json. >>>> >>>> Nothing works. I just cannot use aliases when Solr is secured. >>>> >>>> Can anyone confirm if this may be a configuration issue, or if this could >>>> possibly be a bug ? >>>> >>>> Thank you; >>>> >>>> Isabelle Giguère >>>> Computational Linguist & Java Developer >>>> Linguiste informaticienne & développeur java >>>> >>>> >> >
