Hi,

1. Solr is relying on PKI for the request (one cluster sends PKI header to the 
node in the other cluster) 
--> I have not configured anything explicitly. I just followed the steps mentioned 
at https://lucene.apache.org/solr/guide/8_4/cdcr-config.html. Is there any 
additional step?

2. That fails since the sending node is unknown to the receiving node since it 
is in another cluster 
--> I think that's obvious because the Source and Target clusters are 
different. What I know is that once we configure the zkhost of the Target cluster in the Source 
cluster in solrconfig.xml, it establishes a connection. But I would 
like to know whether there is any other setting.

3. Have you tried BasicAuth and do you have the same issue then?
--> Nope. We were using "class":"solr.JWTAuthPlugin". Do I need to add 
authorization as well to overcome JWT authorization?


Can you please guide me, considering me a newbie :). It would also be good 
to get a sample security.json.

Thanks 

-----Original Message-----
From: Jan Høydahl <jan....@cominvent.com> 
Sent: Thursday, June 25, 2020 5:25 PM
To: solr-user@lucene.apache.org
Subject: Re: SOLR CDCR fails with JWT authorization configuration

Sorry, there is no forwardCredentials parameter for JWT, it is implicit. 

But from the response we can see two things:

1. Solr is relying on PKI for the request (one cluster sends PKI header to the 
node in the other cluster)
2. That fails since the sending node is unknown to 
the receiving node since it is in another cluster

I’m not familiar with the CDCR code used here. Have you tried BasicAuth and do 
you have the same issue then?

Jan


> 25. jun. 2020 kl. 13:20 skrev Phatkar, Swapnil (Contractor) 
> <swapnil.phat...@transunion.com.INVALID>:
> 
> 
> 
> Whoever is sending calls to /solr/express_shard1_replica_n3/cdcr will have to 
> make sure to forward JWT -- How do I forward JWT from source to target server?
> You could try 'forwardCredentials:true' in security.json -- How can I try 
> this?
> 
> Can you suggest a sample security.json which will address my issue mentioned 
> in the mail trail below?
> 
> I have security.json as given below (it's just the format; values 
> are removed as per policy):
> 
> {
>  "authentication":{
>    "class":"solr.JWTAuthPlugin",
>    "blockUnknown":true,
>       "requireIss":false,
>       "requireExp":false,
>       "issuers":[
>               {
>                       "name":
>                       "clientId":
>                       "jwk":{
>                               "kty":"RSA",
>                               "n":
>                               "e":
>                               "d":
>                               "p":
>                               "q":
>                               "dp":
>                               "dq":
>                               "qi":
>                               "alg":"RS256",
>                               "kid":
>                               "use":
>                       }
>               }
>       ]
>  }
> }
> 
> 
> 
> 
> -----Original Message-----
> From: Jan Høydahl <jan....@cominvent.com>
> Sent: Thursday, June 25, 2020 1:19 PM
> To: solr-user@lucene.apache.org
> Subject: Re: SOLR CDCR fails with JWT authorization configuration
> 
> Are both clusters set up with the same Identity Provider, so the same JWT 
> token would be valid for both clusters?
> 
> If so, it should be (theoretically) possible to have the clusters talk to 
> each other, if you can get them to forward the Authorization header with the 
> JWT.
> Whoever is sending calls to /solr/express_shard1_replica_n3/cdcr will have to 
> make sure to forward JWT and not just rely on PKI.
> PKI won’t work since the two clusters have different ZK and Solr by default 
> only trust PKI between nodes registered in ZK.
> 
> You could try 'forwardCredentials:true' in security.json, but I’m not sure 
> that is enough here. There may be code changes needed in CDCR components.
> 
> Jan
> 
>> 24. jun. 2020 kl. 19:42 skrev Phatkar, Swapnil (Contractor) 
>> <swapnil.phat...@transunion.com.INVALID>:
>> 
>> Hi Team ,
>> 
>> I am trying to configure CDCR for SOLR 8.4.1.
>> With the provided configuration I am able to replicate the indexes from 
>> Source server to Target server. This setup even works with SSL configuration 
>> using the HTTPS protocol.
>> But the moment I introduced JWT authorization by enforcing 
>> security.json on both servers, I got an error on the Target server side as 
>> shown below.
>> Due to this, the indexes were not getting replicated to the target server.
>> 
>> ERROR :
>> 
>> 0200623 12:29:55.956 [ERROR] {qtp892083096-82} [   ] 
>> [org.apache.solr.security.PKIAuthenticationPlugin, 119] |
>> Could not decipher a header <SouceIp>:8983_solr $$$$$$$. No principal 
>> set
>> 
>> Caused by: java.util.concurrent.ExecutionException: 
>> org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException:
>> Error from server at
>> https://<TargetIP>:8983/solr/express_shard1_replica_n3: Expected mime 
>> type application/octet-stream but got text/html. <html> <head> <meta 
>> http-equiv="Content-Type" content="text/html;charset=utf-8"/>
>> <title>Error 401 Require authentication</title> </head> 
>> <body><h2>HTTP ERROR 401</h2> <p>Problem accessing 
>> /solr/express_shard1_replica_n3/cdcr. Reason:
>> <pre>    Require authentication</pre></p>
>> </body>
>> </html>
>> 
>> 
>> Caused by: 
>> org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: 
>> Error from server at
>> https://<TargetIP>:8983/solr/express_shard1_replica_n3: Expected mime 
>> type application/octet-stream but got text/html. <html> <head> <meta 
>> http-equiv="Content-Type" content="text/html;charset=utf-8"/>
>> <title>Error 401 Require authentication</title> </head> 
>> <body><h2>HTTP ERROR 401</h2> <p>Problem accessing 
>> /solr/express_shard1_replica_n3/cdcr. Reason:
>> <pre>    Require authentication</pre></p>
>> </body>
>> </html>
>> 
>>       at org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:629)
>>       at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:265)
>>       at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:248)
>>       at org.apache.solr.client.solrj.SolrClient.request(SolrClient.java:1290)
>>       at org.apache.solr.handler.CdcrRequestHandler$SliceCheckpointCallable.call(CdcrRequestHandler.java:868)
>>       at org.apache.solr.handler.CdcrRequestHandler$SliceCheckpointCallable.call(CdcrRequestHandler.java:845)
>> 
>> 
>> Thanks and Regards,
>> Swapnil Phatkar
>> 9167320216
>> 
> 
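
A review check for the kind of security.json posted in this thread, as an added example that is not from either participant or from the Solr project: the posted `jwk` lists the RSA private-key members (`d`, `p`, `q`, `dp`, `dq`, `qi`), while verifying an RS256 signature needs only the public `n` and `e`, and `requireExp` is set to false. The sample document and its placeholder values are constructed, and the fallback to a top-level `jwk` when no `issuers` list is present is an assumption.

```python
import json

# RFC 7518 private-key members: RSA (d, p, q, dp, dq, qi, oth) and symmetric (k).
PRIVATE_JWK_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}

# Constructed sample in the shape posted in the thread; all values are placeholders.
SAMPLE_SECURITY_JSON = """{
  "authentication": {
    "class": "solr.JWTAuthPlugin",
    "blockUnknown": true, "requireIss": false, "requireExp": false,
    "issuers": [{
      "name": "example-idp", "clientId": "example-client",
      "jwk": {"kty": "RSA", "n": "PLACEHOLDER", "e": "AQAB",
              "d": "PLACEHOLDER", "p": "PLACEHOLDER", "q": "PLACEHOLDER",
              "alg": "RS256", "kid": "example-kid", "use": "sig"}
    }]
  }
}"""

def iter_jwks(jwk):
    """Yield individual keys from a single JWK or a JWK Set ({"keys": [...]})."""
    if isinstance(jwk, dict) and isinstance(jwk.get("keys"), list):
        yield from (k for k in jwk["keys"] if isinstance(k, dict))
    elif isinstance(jwk, dict):
        yield jwk

def lint_security_json(text):
    """Return a list of findings for a JWTAuthPlugin security.json document."""
    auth = json.loads(text).get("authentication", {})
    findings = []
    if auth.get("class") != "solr.JWTAuthPlugin":
        return findings
    # Assumption: with no "issuers" list, the issuer settings sit at the top level.
    issuers = auth.get("issuers") or [auth]
    for idx, issuer in enumerate(issuers):
        label = issuer.get("name", f"issuer[{idx}]")
        for key in iter_jwks(issuer.get("jwk")):
            leaked = sorted(PRIVATE_JWK_MEMBERS.intersection(key))
            if leaked:
                findings.append(f"{label}: jwk kid={key.get('kid')!r} has private members {leaked}")
    if auth.get("requireExp") is False:
        findings.append("requireExp is false: tokens without an exp claim are accepted")
    if auth.get("blockUnknown") is not True:
        findings.append("blockUnknown is not true: requests without a token are not blocked")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_security_json(SAMPLE_SECURITY_JSON)))
```
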
