I found this in the documentation https://lucene.apache.org/solr/guide/8_5/cdcr-architecture.html#cdcr-limitations :

CDCR doesn’t support Basic Authentication features across clusters.

The JIRA for adding this capability is https://issues.apache.org/jira/browse/SOLR-11959 but it went stale in 2019. You may add a comment there and hope for some traction, but don’t hold your breath...

Jan

> On 26 Jun 2020, at 06:34, Phatkar, Swapnil (Contractor) <swapnil.phat...@transunion.com.INVALID> wrote:
>
> Hi,
>
> CDCR might be deprecated really soon now --> In this case will it be there any alternate to this.
>
> However, if this turns out to be not supported or a bug, then we can file a JIRA issue. --> it will be great if you raise the JIRA ticket for it. So that we will be more clear that how does it response to such scenario : 1. CDCR with https and JWT authentication and the necessary settings for it including security.json.
>
> Thanks
> Swapnil
>
> -----Original Message-----
> From: Jan Høydahl <jan....@cominvent.com>
> Sent: Thursday, June 25, 2020 6:50 PM
> To: solr-user@lucene.apache.org
> Subject: Re: SOLR CDCR fails with JWT authorization configuration
>
> EXTERNAL SENDER: Exercise caution with links and attachments.
>
> I’m mostly trying to identify whether what you are trying to do is a supported option at all, or if perhaps CDCR is only tested without authentication in place.
> You would also be interested in the fact that CDCR might be deprecated really soon now, see https://urldefense.proofpoint.com/v2/url?u=https-3A__issues.apache.org_jira_browse_SOLR-2D11718&d=DwIFaQ&c=7gn0PlAmraV3zr-k385KhKAz9NTx0dwockj5vIsr5Sw&r=wQj2B5ci2ikx0AXWDp1ftYhkwteAsJcW-MBY4WoYz1A&m=VnSEvEi02eWt0BicxkJixew62AkT8xPFWcdVyny0UOc&s=xaIigYTYxurNRitDyLsqVfTreB0Kz15mR69HnhGbKSI&e=
>
> CDCR is complex. JWT is complex. Combining the two might be too much unknown territory for beginners.
>
> However, if this turns out to be not supported or a bug, then we can file a JIRA issue. So far I hope that someone else with CDCR can give JWT a try to reproduce what you are seeing.
>
> Jan
>
>> On 25 Jun 2020, at 15:06, Phatkar, Swapnil (Contractor) <swapnil.phat...@transunion.com.INVALID> wrote:
>>
>> Hi,
>>
>> 1. Solr is relying on PKI for the request (one cluster sends PKI header to the node in the other cluster)
>> --> I have not configured anything explicitly. Just followed the steps mention @ https://urldefense.proofpoint.com/v2/url?u=https-3A__lucene.apache.org_solr_guide_8-5F4_cdcr-2Dconfig.html&d=DwIFaQ&c=7gn0PlAmraV3zr-k385KhKAz9NTx0dwockj5vIsr5Sw&r=wQj2B5ci2ikx0AXWDp1ftYhkwteAsJcW-MBY4WoYz1A&m=VnSEvEi02eWt0BicxkJixew62AkT8xPFWcdVyny0UOc&s=EHiRmseTycUfJdAgsdWoz1qiE9Y3DATFD4qPh0CkSig&e= . Is there any additional step ?
>>
>> 2. That fails since the sending node is unknown to the receiving node since it is in another cluster
>> --> I think that obvious because Source cluster and Target clusters are different. What I know is once we configure zkhost of Target cluster in Source cluster in solrconfig.xml it establish connection.
>> But I will like to know is there any other setting ?
>>
>> 3. Have you tried BasicAuth and do you have the same issue then?
>> --> Nope . We were using "class":"solr.JWTAuthPlugin" . Do I need to add authorization also to overcome JWT authorization ??
>>
>> Can you please guide me considering me as newbie :) . And it will be also good to get sample security.json
>>
>> Thanks
>>
>> -----Original Message-----
>> From: Jan Høydahl <jan....@cominvent.com>
>> Sent: Thursday, June 25, 2020 5:25 PM
>> To: solr-user@lucene.apache.org
>> Subject: Re: SOLR CDCR fails with JWT authorization configuration
>>
>> EXTERNAL SENDER: Exercise caution with links and attachments.
>>
>> Sorry, there is no forwardCredentials parameter for JWT, it is implicit.
>>
>> But from the response we can see two things:
>>
>> 1. Solr is relying on PKI for the request (one cluster sends PKI header to the node in the other cluster)
>> 2. That fails since the sending node is unknown to the receiving node since it is in another cluster
>>
>> I’m not familiar with the CDCR code used here. Have you tried BasicAuth and do you have the same issue then?
>>
>> Jan
>>
>>> On 25 Jun 2020, at 13:20, Phatkar, Swapnil (Contractor) <swapnil.phat...@transunion.com.INVALID> wrote:
>>>
>>> Whoever is sending calls to /solr/express_shard1_replica_n3/cdcr will have to make sure to forward JWT -- How do I forward JWT from source to target server ??
>>> You could try 'forwardCredentials:true' in security.json -- How can I try this ?
>>>
>>> Can you suggest me sample security.json which will address my issue mention in below mail trail:
>>>
>>> I have security.json as given below : ( it's just the format and values are removed as per policy )
>>>
>>> {
>>>   "authentication":{
>>>     "class":"solr.JWTAuthPlugin",
>>>     "blockUnknown":true,
>>>     "requireIss":false,
>>>     "requireExp":false,
>>>     "issuers":[
>>>       {
>>>         "name":
>>>         "clientId":
>>>         "jwk":{
>>>           "kty":"RSA",
>>>           "n":
>>>           "e":
>>>           "d":
>>>           "p":
>>>           "q":
>>>           "dp":
>>>           "dq":
>>>           "qi":
>>>           "alg":"RS256",
>>>           "kid":
>>>           "use":
>>>         }
>>>       }
>>>     ]
>>>   }
>>> }
>>>
>>> -----Original Message-----
>>> From: Jan Høydahl <jan....@cominvent.com>
>>> Sent: Thursday, June 25, 2020 1:19 PM
>>> To: solr-user@lucene.apache.org
>>> Subject: Re: SOLR CDCR fails with JWT authorization configuration
>>>
>>> EXTERNAL SENDER: Exercise caution with links and attachments.
>>>
>>> Are both clusters set up with the same Identity Provider, so the same JWT token would be valid for both clusters?
>>>
>>> If so, it should be (theoretically) possible to have the clusters talk to each other, if you can get them to forward the Authorization header with the JWT.
>>> Whoever is sending calls to /solr/express_shard1_replica_n3/cdcr will have to make sure to forward JWT and not just rely on PKI.
>>> PKI won’t work since the two clusters have different ZK and Solr by default only trust PKI between nodes registered in ZK.
>>>
>>> You could try 'forwardCredentials:true' in security.json, but I’m not sure that is enough here. There may be code changes needed in CDCR components.
>>>
>>> Jan
>>>
>>>> On 24 Jun 2020, at 19:42, Phatkar, Swapnil (Contractor) <swapnil.phat...@transunion.com.INVALID> wrote:
>>>>
>>>> Hi Team ,
>>>>
>>>> I am trying to configure CDCR for SOLR 8.4.1 .
>>>> With the provided configuration I am able to replicate the indexes from Source server to Target server.
>>>> This setup even works with SSL configuration using Https protocol.
>>>> But the moment I have introduced JWT authorization by enforcing security.json on both the server. I got an error at Target server side as shown below.
>>>> Due to which the index were not getting replicated at target server.
>>>>
>>>> ERROR :
>>>>
>>>> 0200623 12:29:55.956 [ERROR] {qtp892083096-82} [ ] [org.apache.solr.security.PKIAuthenticationPlugin, 119] | Could not decipher a header <SouceIp>:8983_solr $$$$$$$. No principal set
>>>>
>>>> Caused by: java.util.concurrent.ExecutionException: org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error from server at https://<TargetIP>:8983/solr/express_shard1_replica_n3: Expected mime type application/octet-stream but got text/html.
>>>> <html> <head>
>>>> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
>>>> <title>Error 401 Require authentication</title> </head>
>>>> <body><h2>HTTP ERROR 401</h2>
>>>> <p>Problem accessing /solr/express_shard1_replica_n3/cdcr. Reason:
>>>> <pre> Require authentication</pre></p>
>>>> </body>
>>>> </html>
>>>>
>>>> Caused by: org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error from server at https://<TargetIP>:8983/solr/express_shard1_replica_n3: Expected mime type application/octet-stream but got text/html.
>>>> <html> <head>
>>>> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
>>>> <title>Error 401 Require authentication</title> </head>
>>>> <body><h2>HTTP ERROR 401</h2>
>>>> <p>Problem accessing /solr/express_shard1_replica_n3/cdcr.
>>>> Reason:
>>>> <pre> Require authentication</pre></p>
>>>> </body>
>>>> </html>
>>>>
>>>> at org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:629)
>>>> at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:265)
>>>> at org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:248)
>>>> at org.apache.solr.client.solrj.SolrClient.request(SolrClient.java:1290)
>>>> at org.apache.solr.handler.CdcrRequestHandler$SliceCheckpointCallable.call(CdcrRequestHandler.java:868)
>>>> at org.apache.solr.handler.CdcrRequestHandler$SliceCheckpointCallable.call(CdcrRequestHandler.java:845)
>>>>
>>>> Thanks and Regards,
>>>> Swapnil Phatkar
>>>> 9167320216
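
Added example, not part of the thread and not Solr code: a Python audit of a JWTAuthPlugin security.json laid out like the one quoted above. It flags private RSA JWK members (signature verification needs only the public n and e) and disabled iss/exp checks, and tests whether two clusters trust a common issuer key, which is the precondition Jan asks about. Function names are hypothetical and the sample values are constructed.

```python
import json

# RSA private-key members of a JWK (RFC 7518, section 6.3.2).
PRIVATE_RSA_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth"}

def issuer_keys(security):
    """Yield (issuer name, inline jwk dict) for each configured issuer."""
    auth = security.get("authentication", {})
    for issuer in auth.get("issuers", []):
        if isinstance(issuer.get("jwk"), dict):
            yield issuer.get("name"), issuer["jwk"]

def audit(security):
    """Return findings for the authentication block of a security.json."""
    auth = security.get("authentication", {})
    findings = []
    if auth.get("blockUnknown") is not True:
        findings.append("blockUnknown is not true: requests without a token pass through")
    for flag in ("requireIss", "requireExp"):
        if auth.get(flag) is False:
            findings.append(f"{flag} is false: tokens lacking that claim are accepted")
    for name, jwk in issuer_keys(security):
        leaked = sorted(PRIVATE_RSA_MEMBERS & jwk.keys())
        if leaked:
            findings.append(f"issuer {name!r}: private key members present {leaked}")
    return findings

def shared_keys(source, target):
    """Public keys (kty, n, e) trusted by both clusters; empty means no common key."""
    def pub(sec):
        return {(k.get("kty"), k.get("n"), k.get("e")) for _, k in issuer_keys(sec)}
    return pub(source) & pub(target)

# Constructed sample configs; the key values are placeholders, not real key material.
SOURCE = json.loads("""{"authentication": {"class": "solr.JWTAuthPlugin",
  "blockUnknown": true, "requireIss": false, "requireExp": false,
  "issuers": [{"name": "idp-example", "clientId": "solr",
    "jwk": {"kty": "RSA", "n": "bW9kdWx1cw", "e": "AQAB", "d": "cHJpdmF0ZQ",
            "p": "cA", "q": "cQ", "alg": "RS256", "kid": "k1", "use": "sig"}}]}}""")
TARGET = json.loads("""{"authentication": {"class": "solr.JWTAuthPlugin",
  "blockUnknown": true,
  "issuers": [{"name": "idp-example", "clientId": "solr",
    "jwk": {"kty": "RSA", "n": "bW9kdWx1cw", "e": "AQAB",
            "alg": "RS256", "kid": "k1", "use": "sig"}}]}}""")

if __name__ == "__main__":
    for finding in audit(SOURCE):
        print("source:", finding)
    print("target findings:", audit(TARGET))
    print("common issuer keys:", len(shared_keys(SOURCE, TARGET)))
```

A common issuer key only means the same token can validate on both sides; it does not make CDCR forward the Authorization header, which is the open problem in this thread.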