[ https://issues.apache.org/jira/browse/SOLR-15237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17298856#comment-17298856 ]

Samir Huremovic commented on SOLR-15237:
----------------------------------------

In our case it is more about backwards-compatibility. The last few versions were updated painlessly and since initially traditional distributed search was used, it was kept that way.

Of course if there is some limitation, then it should be documented. For many systems this would of course be a big deal (if they cannot use basic auth), but at least the situation is clear. Currently though, it looks more like a bug. And after I had a look at some other, similar issues across almost all major versions, it seems that this part of the code is a bit fragile.

> Distributed search with index sharding is not working with basic authentication plugin enabled
> ----------------------------------------------------------------------------------------------
>
>                 Key: SOLR-15237
>                 URL: https://issues.apache.org/jira/browse/SOLR-15237
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public)
>          Components: Authentication
>    Affects Versions: 7.7.3, 8.7, 8.8.1
>            Reporter: Samir Huremovic
>            Priority: Critical
>              Labels: Authentication
>
> Issue confirmed for 7.7.3, 8.7 and 8.8.1.
> Steps to reproduce are:
> 1. Following the docs for setting up distributed search (https://solr.apache.org/guide/8_8/distributed-search-with-index-sharding.html).
> 1.1 Stop both nodes after confirming that distributed search works without basic auth (last step).
> 2. Enable basic authentication plugin for both nodes, example for node1 {{example/nodes/node1/security.json}}:
> {noformat}
> {
>   "authentication":{
>     "blockUnknown": true,
>     "class":"solr.BasicAuthPlugin",
>     "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="},
>     "realm":"My Solr users",
>     "forwardCredentials": false
>   }
> }
> {noformat}
> 3. Configure {{shardsWhitelist}} in {{solr.xml}} for both nodes, example for node1 {{example/nodes/node1/solr.xml}}
> {noformat}
> <shardHandlerFactory name="shardHandlerFactory" class="HttpShardHandlerFactory">
>   <int name="socketTimeout">${socketTimeout:600000}</int>
>   <int name="connTimeout">${connTimeout:60000}</int>
>   <str name="shardsWhitelist">localhost:8984,localhost:8985</str>
> </shardHandlerFactory>
> {noformat}
> 4. Start both nodes.
> 5. Confirm that searching on one node with basic auth works with {{curl --user solr:SolrRocks "http://localhost:8984/solr/core1/select?q=*:*&wt=xml&indent=true"}}
> 6. Confirm that searching on both nodes does not work with {{curl --user solr:SolrRocks "http://localhost:8984/solr/core1/select?q=*:*&indent=true&shards=localhost:8985/solr/core1,localhost:8984/solr/core1&fl=id,name&wt=xml"}}
> Error:
> {noformat}
> ❯ curl --user solr:SolrRocks "http://localhost:8984/solr/core1/select?q=*:*&indent=true&shards=localhost:8985/solr/core1,localhost:8984/solr/core1&fl=id,name&wt=xml"
> <?xml version="1.0" encoding="UTF-8"?>
> <response>
> <lst name="responseHeader">
>   <int name="status">401</int>
>   <int name="QTime">173</int>
>   <lst name="params">
>     <str name="q">*:*</str>
>     <str name="shards">localhost:8985/solr/core1,localhost:8984/solr/core1</str>
>     <str name="indent">true</str>
>     <str name="fl">id,name</str>
>     <str name="wt">xml</str>
>   </lst>
> </lst>
> <lst name="error">
>   <lst name="metadata">
>     <str name="error-class">org.apache.solr.client.solrj.impl.BaseHttpSolrClient$RemoteSolrException</str>
>     <str name="root-error-class">org.apache.solr.client.solrj.impl.BaseHttpSolrClient$RemoteSolrException</str>
>   </lst>
>   <str name="msg">Error from server at null: Expected mime type application/octet-stream but got text/html. <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 401 require authentication</title>
> </head>
> <body><h2>HTTP ERROR 401 require authentication</h2>
> <table>
> <tr><th>URI:</th><td>/solr/core1/select</td></tr>
> <tr><th>STATUS:</th><td>401</td></tr>
> <tr><th>MESSAGE:</th><td>require authentication</td></tr>
> <tr><th>SERVLET:</th><td>default</td></tr>
> </table>
> </body>
> </html>
> </str>
>   <int name="code">401</int>
> </lst>
> </response>
> {noformat}
> See also SOLR-14569 that seems similar, but the patch provided does not help after I applied it to 8.8.1, therefore I think this is not the same issue.
> Adjust priority as necessary. For cases where basic auth is required this means we cannot use Solr as of now.

--
This message was sent by Atlassian Jira (v8.3.4#803005)
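
A triage helper for the failure shape in this report, added here as an example and not part of the issue or of Solr: it reads a response body and reports whether the 401 came straight from the node that was called, or was wrapped by that node after one of its shard sub-requests was refused. The name `classify`, its result keys and the trimmed sample bodies are constructed for illustration; treating a Solr XML envelope as a sign that the client's own credentials were accepted is an assumption drawn from steps 5 and 6.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed samples, trimmed from the response quoted in the report.
SHARD_401 = """<?xml version="1.0" encoding="UTF-8"?>
<response>
<lst name="responseHeader">
  <int name="status">401</int>
  <lst name="params"><str name="shards">localhost:8985/solr/core1,localhost:8984/solr/core1</str></lst>
</lst>
<lst name="error">
  <str name="msg">Error from server at null: Expected mime type application/octet-stream but got text/html. <html>
<body><h2>HTTP ERROR 401 require authentication</h2>
<table><tr><th>URI:</th><td>/solr/core1/select</td></tr></table>
</body></html>
  </str>
</lst>
</response>"""
DIRECT_401 = """<html><head><title>Error 401 require authentication</title></head>
<body><h2>HTTP ERROR 401 require authentication</h2></body></html>"""


def classify(body):
    """Name the hop that refused authentication, judging from the body alone."""
    out = {"rejected_hop": None, "uri": None, "shards": []}
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError:
        root = None
    if root is None or root.tag != "response":
        # No Solr envelope: the node that was called answered with its own error page.
        direct = "HTTP ERROR 401" in body and "<response>" not in body
        out["rejected_hop"] = "client-request" if direct else "unrecognised"
        return out
    shards = root.findtext(".//lst[@name='params']/str[@name='shards']", default="")
    out["shards"] = [s for s in shards.split(",") if s]
    msg_el = root.find("./lst[@name='error']/str[@name='msg']")
    if msg_el is None:
        return out  # no error block, nothing was rejected
    # The embedded page may arrive as escaped text or as markup; normalise both.
    msg = html.unescape(ET.tostring(msg_el, encoding="unicode"))
    wrapped = "Error from server at" in msg and "HTTP ERROR 401" in msg
    out["rejected_hop"] = "shard-sub-request" if wrapped else "other-error"
    uri = re.search(r"<th>URI:</th><td>([^<]+)</td>", msg)
    out["uri"] = uri.group(1) if uri else None
    return out
```

A `shard-sub-request` verdict points at the credentials used between nodes, not at the ones passed with `curl --user`.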