Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-13566

REINDEXCOLLECTION does not work with (basic) authentication

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 8.1.1
    • 8.2
    • None
    • None

    Description

      I'm on the Solr 8.1 branch off commit f26388d034fe5eadca7416aa63b509b8db2c7688 so I have the authentication fixes from SOLR-13510 (intermittent 401s for internode requests)
       
      When trying to use the new REINDEXCOLLECTION command introduced in SOLR-11127 with basic auth enabled, the daemon stream fails with repeated 401s when trying to access the target collection.
       
      This might be the same problem as SOLR-13472, except it applies even with a single node, and this doesn't require role based configuration.
       
      Repro: I added a reindex request in BasicAuthIntegrationTest and it is reproducible in there... I don't know what effect it should have on the auth metrics, if it were working correctly, so I don't know how to update the test properly. But you can add the request towards the end of org.apache.solr.security.BasicAuthIntegrationTest.testBasicAuth()
       
            CollectionAdminRequest.ReindexCollection reindexReq = CollectionAdminRequest.reindexCollection(COLLECTION);
            reindexReq.setBasicAuthCredentials("harry", "HarryIsUberCool");
            cluster.getSolrClient().request(reindexReq, COLLECTION);
       
      Manual Repro:
      run bin/solr -e cloud
      Choose 1 node / 1 shard / 1 replica
      In browser GET http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION&name=gettingstarted will succeed
      Enable security: server\scripts\cloud-scripts\zkcli -zkhost localhost:9983 -cmd putfile /security.json <path to file with this>
       
      {
          "authentication": {
              "blockUnknown": true,
              "class": "solr.BasicAuthPlugin",
              "credentials":

      {             "solradmin": "fskh17INKrOTSRCJ8HkamA0L6Uiq1dSMgn4OVy8htME= /Q4VgOkwVlP6AMVY+ML+IuodbfV81WEfZ3lFb390bws="         }

          }
      }
       
       
      In browser authenticate (as solradmin : solradmin) and GET http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION&name=gettingstarted will time out after 180 seconds
       
      The solr log will show repeated 401s
       
      Setting "forwardCredentials" : true in the security.json does not appear to change the outcome.
       
       
      The daemon stream should probably be using PKI auth for the internal request.
       

      Attachments

        1. SOLR-13566.patch
          6 kB
          cjcowie
        2. SOLR-13566.patch
          6 kB
          cjcowie
        3. SOLR-13566.patch
          2 kB
          cjcowie
        4. solr.log
          626 kB
          cjcowie
        5. responses.txt
          6 kB
          cjcowie
        6. security.json
          0.3 kB
          cjcowie

        Issue Links

          is related to

          Improvement - An improvement or enhancement to an existing feature or task. SOLR-13575 DaemonStream-s should use a pool of threads

          • Major - Major loss of function.
          • Open

          Activity

            People

              ab Andrzej Bialecki
              colvinco Colvin Cowie
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: