Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-13480

Collection creation failure when using Kerberos authentication combined with rule-base authorization

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 7.7.1
    • Fix Version/s: None
    • Component/s: Authorization, security
    • Labels:

      Description

      Creation of collection with an authorized user fails with the following error:

      org.apache.solr.common.SolrException: Error getting replica locations : unable to get autoscaling policy session

      At first it may seem like SOLR-13355 duplication as we are using “all” permission, but bug is specific to Kerberos (tested and found ok using basic auth) plus we verified the failure with 7.7.2 snapshot that included the relevant patch.

      How to reproduce:
      1. Configure solr cloud with kerberos authentication and rule-based authorization plugins using the following security.json file:

      {
      "authentication":{
         "class":"org.apache.solr.security.KerberosPlugin"
      },
      "authorization":{
         "class":"solr.RuleBasedAuthorizationPlugin",
         "permissions":[
           {
             "name":"read",
             "role":"*"
           },
           {
             "name":"all",
             "role":"admin_user"
           }
         ],
         "user-role":{
           "admin_user@OUR_REALM":"admin_user"
         }
      }}

      2. Create collection using an authorized user:

      kinit admin_user@OUR_REALM
      
      curl --negotiate -u : "http://<HOST:PORT>/solr/admin/collections?action=CREATE&name=mycoll&numShards=1&collection.configName=_default"

      ==> request fails with the error written above.

      3. Disable authorization by removing authorization section from security.json, so file should be as follow:

      {
        "authentication":{
          "class":"org.apache.solr.security.KerberosPlugin"
        }
      }

      4. Create collection again as in step 2.
      ==> request succeeds.

      5. Return authorization section to security.json (file from step 1) and make sure authorization works as expected by inserting documents and executing search queries with different users.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                ichattopadhyaya Ishan Chattopadhyaya
                Reporter:
                moshebla mosh
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: