Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-13566

REINDEXCOLLECTION does not work with (basic) authentication

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 8.1.1
    • Fix Version/s: 8.2
    • Component/s: None
    • Labels:
      None

      Description

      I'm on the Solr 8.1 branch off commit f26388d034fe5eadca7416aa63b509b8db2c7688 so I have the authentication fixes from SOLR-13510 (intermittent 401s for internode requests)
       
      When trying to use the new REINDEXCOLLECTION command introduced in SOLR-11127 with basic auth enabled, the daemon stream fails with repeated 401s when trying to access the target collection.
       
      This might be the same problem as SOLR-13472, except it applies even with a single node, and this doesn't require role based configuration.
       
      Repro: I added a reindex request in BasicAuthIntegrationTest and it is reproducible in there... I don't know what effect it should have on the auth metrics, if it were working correctly, so I don't know how to update the test properly. But you can add the request towards the end of org.apache.solr.security.BasicAuthIntegrationTest.testBasicAuth()
       
            CollectionAdminRequest.ReindexCollection reindexReq = CollectionAdminRequest.reindexCollection(COLLECTION);
            reindexReq.setBasicAuthCredentials("harry", "HarryIsUberCool");
            cluster.getSolrClient().request(reindexReq, COLLECTION);
       
      Manual Repro:
      run bin/solr -e cloud
      Choose 1 node / 1 shard / 1 replica
      In browser GET http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION&name=gettingstarted will succeed
      Enable security: server\scripts\cloud-scripts\zkcli -zkhost localhost:9983 -cmd putfile /security.json <path to file with this>
       
      {
          "authentication": {
              "blockUnknown": true,
              "class": "solr.BasicAuthPlugin",
              "credentials":

      {             "solradmin": "fskh17INKrOTSRCJ8HkamA0L6Uiq1dSMgn4OVy8htME= /Q4VgOkwVlP6AMVY+ML+IuodbfV81WEfZ3lFb390bws="         }

          }
      }
       
       
      In browser authenticate (as solradmin : solradmin) and GET http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION&name=gettingstarted will time out after 180 seconds
       
      The solr log will show repeated 401s
       
      Setting "forwardCredentials" : true in the security.json does not appear to change the outcome.
       
       
      The daemon stream should probably be using PKI auth for the internal request.
       

        Attachments

        1. security.json
          0.3 kB
          Colvin Cowie
        2. responses.txt
          6 kB
          Colvin Cowie
        3. solr.log
          626 kB
          Colvin Cowie
        4. SOLR-13566.patch
          2 kB
          Colvin Cowie
        5. SOLR-13566.patch
          6 kB
          Colvin Cowie
        6. SOLR-13566.patch
          6 kB
          Colvin Cowie

        Issue Links

          Activity

            People

            • Assignee:
              ab Andrzej Bialecki
              Reporter:
              cjcowie Colvin Cowie

              Dates

              • Created:
                Updated:
                Resolved:

                Issue deployment