Hi Tim,
Are you running Solr 4.2? (In 4.0 and 4.1, the Collections API didn't
return any failure message. see SOLR-4043 issue).
As far as I know, you can't tell Solr to use authentication credentials
when communicating other nodes. It's a bigger issue.. for example, if you
want to protect the "/update" requestHandler, so unauthorized users won't
delete your whole collection, it can interfere the replication process.
I think it's a necessary mechanism in production environment... I'm curious
how do people use SolrCloud in production w/o it.
On Fri, Mar 29, 2013 at 3:42 AM, Vaillancourt, Tim <tvaillanco...@ea.com>wrote:
> Hey guys,
>
> I've recently setup basic auth under Jetty 8 for all my Solr 4.x
> '/admin/*' calls, in order to protect my Collections and Cores API.
>
> Although the security constraint is working as expected ('/admin/*' calls
> require Basic Auth or return 401), when I use the Collections API to create
> a collection, I receive a 200 OK to the Collections API CREATE call, but
> the background Cores API calls that are ran on the Collection API's behalf
> fail on the Basic Auth on other nodes with a 401 code, as I should have
> foreseen, but didn't.
>
> Is there a way to tell SolrCloud to use authentication on internal Cores
> API calls that are spawned on Collections API's behalf, or is this a new
> feature request?
>
> To reproduce:
>
> 1. Implement basic auth on '/admin/*' URIs.
>
> 2. Perform a CREATE Collections API call to a node (which will
> return 200 OK).
>
> 3. Notice all Cores API calls fail (Collection isn't created). See
> stack trace below from the node that was issued the CREATE call.
>
> The stack trace I get is:
>
> "org.apache.solr.common.SolrException: Server at http://<HOST
> HERE>:8983/solr<http://%3cHOST%20HERE%3e:8983/solr> returned non ok
> status:401, message:Unauthorized
> at
> org.apache.solr.client.solrj.impl.HttpSolrServer.request(HttpSolrServer.java:373)
> at
> org.apache.solr.client.solrj.impl.HttpSolrServer.request(HttpSolrServer.java:181)
> at
> org.apache.solr.handler.component.HttpShardHandler$1.call(HttpShardHandler.java:169)
> at
> org.apache.solr.handler.component.HttpShardHandler$1.call(HttpShardHandler.java:135)
> at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
> at java.util.concurrent.FutureTask.run(FutureTask.java:138)
> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:439)
> at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
> at java.util.concurrent.FutureTask.run(FutureTask.java:138)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
> at java.lang.Thread.run(Thread.java:662)"
>
> Cheers!
>
> Tim
>
>
>
