Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr

Fri, 12 Jun 2020 14:31:33 -0700 

I’d say, try the query with curl and enable http headers

curl -i —user admin:admin http://localhost:8983/solr/mycollection/select?q=*:*
curl -i —user admin:admin http://localhost:8983/solr/myalias/select?q=*:*

Are you saying that you see a difference between the two? What are the headers?

Jan

> 12. jun. 2020 kl. 20:06 skrev Isabelle Giguere 
> <igigu...@opentext.com.INVALID>:
> 
> Hi Jan
> 
> Thank you for your time on this.
> 
> If I send a /select request directly on the alias (/solr/test/select), the 
> browser asks for credentials, but the Solr response returns status=401 and an 
> html error message with "HTTP ERROR 401 require authentication"
> 
> Obviously, my expectation was that some query results would be returned.
> 
> Since you can't reproduce the issue, I have to assume it's a configuration 
> issue.
> 
> So, if I may, let me provide as much details as I can about my setup.
> 
> Can anyone see something wrong here, some incompatibility ?
> 
> Solr 8.5.0
> 
> solrconfig.xml
> <luceneMatchVersion>7.1.0</luceneMatchVersion>
> <lib dir="../../lib-plugins" />
> <schemaFactory class="ClassicIndexSchemaFactory"/>
> <httpCaching never304="true" />
> <requestHandler name="/select" class="solr.SearchHandler">
>        <shardHandlerFactory class="HttpShardHandlerFactory">
>            <int name="socketTimeOut">50000</int>
>            <int name="connTimeOut">50000</int>
>            <int name="corePoolSize">5</int>
>        </shardHandlerFactory>
> 
> schema.xml
> version=1.6
> Some warnings on start-up about Trie* fields and deprecated filters (we 
> should fix that)
> 
> security.json in Zookeeper, at the Solr ZK root (provided on this thread)
> blockUnknown : (true|false) = no change in behavior for me, for this issue
> forwardCredentials : (true|false) = no change in behavior for me, for this 
> issue
> 
> No SSL
> 
> solr.in.sh
> SOLR_AUTH_TYPE="basic"
> SOLR_AUTHENTICATION_OPTS="-Dbasicauth=admin:admin"
> 
> start command params:
> solr start -force -c -m 4g -h <host> -p <port> -z 
> <zk_host>:<zk_port>/<solr_root>
> 
> 
> Am I missing anything ?
> 
> Thank you.
> 
> ********
> 
> My investigation so far:
> 
> I have set logging levels to TRACE for anything related to HTTP, HTTP2, 
> Authorization, Authentication...
> 
> Judging by a comment in 
> org.apache.solr.core.CoreContainer.setupHttpClientForAuthPlugin(Object), I 
> should see some logging from PKIAuthenticationPlugin, no matter what plugin 
> is actually used, and regardless if forwardCredentials is true or false:
> Comment:
> // Always register PKI auth interceptor, which will then delegate the 
> decision of who should secure
> // each request to the configured authentication plugin.
> 
> Expected log message from 
> org.apache.solr.security.PKIAuthenticationPlugin.setup(Http2SolrClient) 
> and/or from 
> org.apache.solr.security.PKIAuthenticationPlugin.HttpHeaderClientInterceptor.process(HttpRequest,
>  HttpContext)
> 
> When running a request on an alias, I only see the expected log message from 
> /admin requests, never for /select requests.
> 
> Of course, if my configuration is wrong, then my code and log analysis is 
> useless.
> 
> **********
> 
> 
> Isabelle Giguère
> Computational Linguist & Java Developer
> Linguiste informaticienne & développeur java
> 
> 
> ________________________________
> De : Jan Høydahl <jan....@cominvent.com>
> Envoyé : 12 juin 2020 06:55
> À : solr-user@lucene.apache.org <solr-user@lucene.apache.org>
> Objet : Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
> 
> Hi
> 
> I tried to reproduce, but I can successfully search both the collection and 
> the alias. Both collection and alias promt for password, and when giving the 
> password the search succeeds.
> 
> What was your expectation?
> 
> Jan
> 
>> 11. jun. 2020 kl. 16:53 skrev Isabelle Giguere 
>> <igigu...@opentext.com.INVALID>:
>> 
>> Some extra info:
>> Collections have 1 shard, 1 replica.  Only 1 Solr node running.
>> 
>> The HTTP 401 is not intermittent, as reported in SOLR-13421 and SOLR-13510.
>> 
>> Any request to the alias fails.
>> 
>> Thanks;
>> 
>> Isabelle Giguère
>> Computational Linguist & Java Developer
>> Linguiste informaticienne & développeur java
>> 
>> 
>> ________________________________
>> De : Isabelle Giguere <igigu...@opentext.com.INVALID>
>> Envoyé : 10 juin 2020 16:11
>> À : solr-user@lucene.apache.org <solr-user@lucene.apache.org>
>> Objet : Re: [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
>> 
>> Hi Jan;
>> 
>> Thank you for your reply.
>> 
>> This is security.json as seen in Zookeeper.  Credentials are admin / admin
>> 
>> {
>> "authentication":{
>>   "blockUnknown":false,
>>   "realm":"MTM Solr",
>>   "forwardCredentials":true,
>>   "class":"solr.BasicAuthPlugin",
>>   "credentials":{"admin":"0rTOgObKYwzSyPoYuj2su2/90eQCfysF1aasxTx+wrc= 
>> +tCMmpawYYtTsp3JfkG9avb8bKZlm/IGTZirsufYvns="},
>>   "":{"v":2}},
>> "authorization":{
>>   "class":"solr.RuleBasedAuthorizationPlugin",
>>   "permissions":[{
>>       "name":"all",
>>       "role":"admin"}],
>>   "user-role":{"admin":"admin"},
>>   "":{"v":8}}}
>> 
>> Thanks for feedback
>> 
>> Isabelle Giguère
>> Computational Linguist & Java Developer
>> Linguiste informaticienne & développeur java
>> 
>> 
>> ________________________________
>> De : Jan Høydahl <jan....@cominvent.com>
>> Envoyé : 10 juin 2020 16:01
>> À : solr-user@lucene.apache.org <solr-user@lucene.apache.org>
>> Objet : [EXTERNAL] - Re: HTTP 401 when searching on alias in secured Solr
>> 
>> Please share your security.json file
>> 
>> Jan Høydahl
>> 
>>> 10. jun. 2020 kl. 21:53 skrev Isabelle Giguere 
>>> <igigu...@opentext.com.invalid>:
>>> 
>>> Hi;
>>> 
>>> I'm using Solr 8.5.0.  I have uploaded security.json to Zookeeper.  I can 
>>> log in the Solr Admin UI.  I can create collections and aliases, and I can 
>>> index documents in Solr.
>>> 
>>> Collections : test1, test2
>>> Alias: test (combines test1, test2)
>>> 
>>> Indexed document "solr-word.pdf" in collection test1
>>> 
>>> Searching on a collection works:
>>> http://localhost:8983/solr/test1/select?q=*:*&wt=xml
>>> <result name="response" numFound="1" start="0">
>>> 
>>> But searching on an alias results in HTTP 401
>>> http://localhost:8983/solr/test/select?q=*:*&wt=xml
>>> 
>>> Error from server at null: Expected mime type application/octet-stream but 
>>> got text/html. <html> <head> <meta http-equiv="Content-Type" 
>>> content="text/html;charset=utf-8"/> <title>Error 401 Authentication failed, 
>>> Response code: 401</title> </head> <body><h2>HTTP ERROR 401 Authentication 
>>> failed, Response code: 401</h2> <table> 
>>> <tr><th>URI:</th><td>/solr/test1_shard1_replica_n1/select</td></tr> 
>>> <tr><th>STATUS:</th><td>401</td></tr> 
>>> <tr><th>MESSAGE:</th><td>Authentication failed, Response code: 
>>> 401</td></tr> <tr><th>SERVLET:</th><td>default</td></tr> </table> </body> 
>>> </html>
>>> 
>>> Even if 
>>> https://urldefense.com/v3/__https://issues.apache.org/jira/browse/SOLR-13510__;!!Obbck6kTJA!P6ugA-rw1I80PaH0U_GVasNqn8EXwmVQ33lwcPOU-cvNgTJK6-3zAf8ukzvv3ynJ$
>>>   is fixed in Solr 8.5.0, I did try to start Solr with -Dsolr.http1=true, 
>>> and I set "forwardCredentials":true in security.json.
>>> 
>>> Nothing works.  I just cannot use aliases when Solr is secured.
>>> 
>>> Can anyone confirm if this may be a configuration issue, or if this could 
>>> possibly be a bug ?
>>> 
>>> Thank you;
>>> 
>>> Isabelle Giguère
>>> Computational Linguist & Java Developer
>>> Linguiste informaticienne & développeur java
>>> 
>>> 
>

Reply via email to