Whoever is sending calls to /solr/express_shard1_replica_n3/cdcr will have to make sure to forward JWT
-- How do I forward JWT from source to target server?

You could try 'forwardCredentials:true' in security.json
-- How can I try this?

Can you suggest a sample security.json which will address my issue mentioned in the mail trail below?

I have security.json as given below (it's just the format; values are removed as per policy):

{
  "authentication":{
    "class":"solr.JWTAuthPlugin",
    "blockUnknown":true,
    "requireIss":false,
    "requireExp":false,
    "issuers":[
      {
        "name":
        "clientId":
        "jwk":{
          "kty":"RSA",
          "n":
          "e":
          "d":
          "p":
          "q":
          "dp":
          "dq":
          "qi":
          "alg":"RS256",
          "kid":
          "use":
        }
      }
    ]
  }
}

-----Original Message-----
From: Jan Høydahl <jan....@cominvent.com>
Sent: Thursday, June 25, 2020 1:19 PM
To: solr-user@lucene.apache.org
Subject: Re: SOLR CDCR fails with JWT authorization configuration

Are both clusters set up with the same Identity Provider, so the same JWT token would be valid for both clusters?
If so, it should be (theoretically) possible to have the clusters talk to each other, if you can get them to forward the Authorization header with the JWT.

Whoever is sending calls to /solr/express_shard1_replica_n3/cdcr will have to make sure to forward JWT and not just rely on PKI. PKI won't work since the two clusters have different ZK and Solr by default only trusts PKI between nodes registered in ZK.

You could try 'forwardCredentials:true' in security.json, but I'm not sure that is enough here. There may be code changes needed in CDCR components.

Jan

> On 24 Jun 2020 at 19:42, Phatkar, Swapnil (Contractor) <swapnil.phat...@transunion.com.INVALID> wrote:
>
> Hi Team,
>
> I am trying to configure CDCR for SOLR 8.4.1.
> With the provided configuration I am able to replicate the indexes from the Source server to the Target server. This setup even works with SSL configuration using the HTTPS protocol.
> But the moment I introduced JWT authorization by enforcing security.json on both servers, I got an error on the Target server side as shown below,
> due to which the indexes were not getting replicated to the Target server.
>
> ERROR :
>
> 0200623 12:29:55.956 [ERROR] {qtp892083096-82} [ ] [org.apache.solr.security.PKIAuthenticationPlugin, 119] | Could not decipher a header <SouceIp>:8983_solr $$$$$$$. No principal set
>
> Caused by: java.util.concurrent.ExecutionException: org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error from server at https://<TargetIP>:8983/solr/express_shard1_replica_n3: Expected mime type application/octet-stream but got text/html. <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 401 Require authentication</title>
> </head>
> <body><h2>HTTP ERROR 401</h2>
> <p>Problem accessing /solr/express_shard1_replica_n3/cdcr. Reason:
> <pre> Require authentication</pre></p>
> </body>
> </html>
>
> Caused by: org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error from server at https://<TargetIP>:8983/solr/express_shard1_replica_n3: Expected mime type application/octet-stream but got text/html. <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 401 Require authentication</title>
> </head>
> <body><h2>HTTP ERROR 401</h2>
> <p>Problem accessing /solr/express_shard1_replica_n3/cdcr. Reason:
> <pre> Require authentication</pre></p>
> </body>
> </html>
>
>     at org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:629)
>     at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:265)
>     at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:248)
>     at org.apache.solr.client.solrj.SolrClient.request(SolrClient.java:1290)
>     at org.apache.solr.handler.CdcrRequestHandler$SliceCheckpointCallable.call(CdcrRequestHandler.java:868)
>     at org.apache.solr.handler.CdcrRequestHandler$SliceCheckpointCallable.call(CdcrRequestHandler.java:845)
>
>
> Thanks and Regards,
> Swapnil Phatkar
> 9167320216
>
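
Added example, not part of the thread and not Solr project code: one way to check the precondition raised in the reply above (would the same JWT be valid on both clusters?) is to compare the RFC 7638 thumbprints of the issuer keys in the source and target security.json files. A shared key is necessary but not sufficient, and the check also flags JWK entries carrying RSA private members such as the "d", "p", "q" fields in the posted format. The helper names, issuer names and key values below are constructed for illustration.

```python
import base64, hashlib, json

# RFC 7518 section 6.3.2: JWK members that carry RSA *private* key material.
RSA_PRIVATE = {"d", "p", "q", "dp", "dq", "qi", "oth"}

def issuer_keys(security_json):
    """Yield (issuer name, jwk) for every RSA key under authentication.issuers."""
    for issuer in security_json.get("authentication", {}).get("issuers", []):
        jwk = issuer.get("jwk", {})
        # Accept the single key shown in the thread or a JWK Set ("keys" array).
        for key in jwk.get("keys", [jwk]):
            if {"e", "kty", "n"} <= key.keys():
                yield str(issuer.get("name")), key

def thumbprint(jwk):
    """RFC 7638 SHA-256 thumbprint; uses only the public members e, kty, n."""
    canonical = json.dumps({m: jwk[m] for m in ("e", "kty", "n")},
                           separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def compare_clusters(source, target):
    """Report whether both clusters trust a common signing key."""
    src = {thumbprint(k) for _, k in issuer_keys(source)}
    tgt = {thumbprint(k) for _, k in issuer_keys(target)}
    both = list(issuer_keys(source)) + list(issuer_keys(target))
    return {
        "shared_keys": sorted(src & tgt),
        "target_blocks_unknown": bool(
            target.get("authentication", {}).get("blockUnknown")),
        "private_material_in": sorted(
            {n for n, k in both if RSA_PRIVATE & k.keys()}),
    }

def make_config(name, n, extra=None):
    """Constructed sample shaped like the redacted security.json in the thread."""
    jwk = {"kty": "RSA", "n": n, "e": "AQAB", "alg": "RS256", "kid": name + "-key"}
    jwk.update(extra or {})
    return {"authentication": {"class": "solr.JWTAuthPlugin", "blockUnknown": True,
                               "issuers": [{"name": name, "clientId": "solr", "jwk": jwk}]}}

# Constructed values, not real keys.
SOURCE = make_config("idp-a", "c2FtcGxlLW1vZHVsdXMtMQ", {"d": "c2FtcGxlLXByaXZhdGU"})
TARGET_SAME = make_config("idp-a-copy", "c2FtcGxlLW1vZHVsdXMtMQ")
TARGET_OTHER = make_config("idp-b", "c2FtcGxlLW1vZHVsdXMtMg")

if __name__ == "__main__":
    print(json.dumps(compare_clusters(SOURCE, TARGET_SAME), indent=2))
    print(json.dumps(compare_clusters(SOURCE, TARGET_OTHER), indent=2))
```

An empty `shared_keys` list means a token accepted by the source cluster cannot verify on the target, whatever forwarding is configured.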