[
https://issues.apache.org/jira/browse/SOLR-13421?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16854424#comment-16854424
]
Colvin Cowie commented on SOLR-13421:
-------------------------------------
Hello, I hit this too. It's not just on faceting, it's any query - it doesn't
need any data to reproduce it. I did try to reply to the mailing list thread,
but I didn't have the old messages, so the reply doesn't seem to have threaded
-
[http://mail-archives.apache.org/mod_mbox/lucene-solr-user/201906.mbox/%3CCAEFGi_-fHKRBsrgSdNpi1EFgOUNGOkxbWdnUWhOyACjE8ELWhA%40mail.gmail.com%3E]
I'll put it here too for reference. If I get a chance, I'll take a look at the
code, but no promises there.
Coming from Solr 6.6.6, we use the BasicAuthPlugin +
RuleBasedAuthorizationPlugin to lock down Solr (and we also secure our
zookeeper). Here's an example for solradmin as the user and password
{
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "solradmin": "PIWZwkGnEKxKnqUs3X08xmbmYBaYyAeP3FiKp7fmeHc= Lnbp6bEbE7Ap8lXvQDKkUX2Xw53QDgP6Ae8QRT0P5/A="
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {
        "name": "all",
        "role": "admin"
      }
    ],
    "user-role": {
      "solradmin": "admin"
    }
  }
}
On Solr 8.1.1, using our previously working security.json, running queries
(through the admin UI currently) I non-deterministically get 401 responses
on queries when a collection has more than 1 shard. Increasing the number
of shards in the collection makes the errors more likely.
{
  "responseHeader":{
    "zkConnected":true,
    "status":401,
    "QTime":30,
    "params":{
      "q":"*:*",
      "_":"1559474550365"}},
  "error":{
    "metadata":[
      "error-class","org.apache.solr.client.solrj.impl.BaseHttpSolrClient$RemoteSolrException",
      "root-error-class","org.apache.solr.client.solrj.impl.BaseHttpSolrClient$RemoteSolrException"],
    "msg":"Error from server at null: Expected mime type application/octet-stream but got text/html. <html>\n<head>\n<meta http-equiv=\"Content-Type\" content=\"text/html;charset=utf-8\"/>\n<title>Error 401 require authentication</title>\n</head>\n<body><h2>HTTP ERROR 401</h2>\n<p>Problem accessing /solr/gettingstarted_shard4_replica_n6/select. Reason:\n<pre> require authentication</pre></p>\n</body>\n</html>\n",
    "code":401}}
The security stats indicate this is happening because the requests do not
have credentials with them, e.g.
http://localhost:8983/solr/#/gettingstarted_shard4_replica_n6/plugins?type=security&entry=org.apache.solr.security.BasicAuthPlugin
org.apache.solr.security.BasicAuthPlugin
  class: org.apache.solr.security.BasicAuthPlugin
  description: Authentication Plugin org.apache.solr.security.BasicAuthPlugin
  stats:
    SECURITY./authentication.authenticated: 182
    SECURITY./authentication.errors.count: 0
    SECURITY./authentication.failMissingCredentials: 58
    SECURITY./authentication.failWrongCredentials: 0
    SECURITY./authentication.passThrough: 0
    SECURITY./authentication.requestTimes.meanRate: 0.4183414110946125
    SECURITY./authentication.requests: 240
    SECURITY./authentication.totalTime: 117791100
I assume that this is connected to the changes around
https://issues.apache.org/jira/browse/SOLR-7896 and
https://issues.apache.org/jira/browse/SOLR-13344 . I've tested with Solr
7.6.0 and it appears to be unaffected.
Repro steps:
1. Extract Solr 8.1.1.
2. bin\solr start -e cloud
   1 node / [default port] / [default collection name] / 4 shards / 1 replica / [_default configuration]
3. server\scripts\cloud-scripts\zkcli -zkhost localhost:9983 -cmd putfile /security.json <example-security.json file with content from example above>
4. Execute repeated GETs to http://localhost:8983/solr/gettingstarted/select?q=*%3A* - a lot of them, but not all, will fail with 401s
> Intermittent error 401 with JSON Facet query to retrieve count all collections
> ------------------------------------------------------------------------------
>
> Key: SOLR-13421
> URL: https://issues.apache.org/jira/browse/SOLR-13421
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Authentication
> Affects Versions: 8.0
> Reporter: Edwin Yeo Zheng Lin
> Priority: Major
> Labels: BasicAuth
>
> I am using the below JSON Facet to retrieve the count of all the different
> collections in one query.
>
>
> https://localhost:8983/solr/collection1/select?q=testing&shards=https://localhost:8983/solr/collection1,https://localhost:8983/solr/collection2,https://localhost:8983/solr/collection3,https://localhost:8983/solr/collection4,https://localhost:8983/solr/collection5,https://localhost:8983/solr/collection6&rows=0&json.facet={categories : {type : terms,field : content_type,limit : 100}}
>
>
> Previously, in Solr 7.6 and Solr 7.7, this query can work correctly and we
> are able to produce the correct output.
>
> {
>   "responseHeader":{ "zkConnected":true, "status":0, "QTime":24},
>   "response":{"numFound":41200,"start":0,"maxScore":12.993215,"docs":[] },
>   "facets":{
>     "count":41200,
>     "categories":{
>       "buckets":[
>         { "val":"collection1", "count":26213},
>         { "val":"collection2", "count":12075},
>         { "val":"collection3", "count":1947},
>         { "val":"collection4", "count":850},
>         { "val":"collection5", "count":111},
>         { "val":"collection6", "count":4}
>       ]}}}
>
>
> However, in the new Solr 8.0.0, this query can only work if we put only one
> collection in the shards (can be any collection). If we put 2 collections,
> there will not be error 90% of the time (only 10% of the time the issue will
> occur with the 'Error 401 require authentication').
> However, once we put 3 or more collections (can be any of the collections),
> this issue of 'Error 401 require authentication' will keep occurring.
>
> {
>   "responseHeader":{ "zkConnected":true, "status":401, "QTime":11},
>   "error":{
>     "metadata":[
>       "error-class","org.apache.solr.client.solrj.impl.Http2SolrClient$RemoteSolrException",
>       "root-error-class","org.apache.solr.client.solrj.impl.Http2SolrClient$RemoteSolrException"],
>     "msg":"Error from server at null: Expected mime type application/octet-stream but got text/html. <html>\n<head>\n<meta http-equiv=\"Content-Type\" content=\"text/html;charset=utf-8\"/>\n<title>Error 401 require authentication</title>\n</head>\n<body><h2>HTTP ERROR 401</h2>\n<p>Problem accessing /solr/collection6/select. Reason:\n<pre> require authentication</pre></p>\n</body>\n</html>\n",
>     "code":401}}
>
> This issue does not occur in Solr 7.6 and Solr 7.7, even though I have set
> up the same authentication for all the versions.
>
>
> Below is the format of my security.json:
>
> {
>   "authentication":{
>     "blockUnknown": true,
>     "class":"solr.BasicAuthPlugin",
>     "credentials":{"user1":"hyHXXuJSqcZdNgdSTGUvrQZRpqrYFUQ2ffmlWQ4GUTk= E0w3/2FD+rlxulbPm2G7i9HZqT+2gMBzcyJCcGcMWwA="}
>   },
>   "authorization":{
>     "class":"solr.RuleBasedAuthorizationPlugin",
>     "user-role":{"user1":"admin"},
>     "permissions":[
>       {"name":"security-edit", "role":"admin"}
>     ]
>   }
> }
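An added triage sketch for the repro steps in the comment above (not code from the Solr project or from either poster): it issues the repeated GETs and separates 401s relayed from a shard sub-request, which carry the JSON error envelope with RemoteSolrException and a "Problem accessing /solr/<core>/select" message as in the quoted responses, from a 401 on the client's own request. Assumptions: a client-side rejection arrives without that JSON envelope, the function names and kind labels are hypothetical, and the password is a placeholder.

```python
import base64, json, re, urllib.error, urllib.request
from collections import Counter

# Core path that refused the sub-request, as embedded in the wrapped error message.
CORE_RE = re.compile(r"Problem accessing (/solr/\S+)\. Reason")

# Constructed sample, trimmed from the 401 body quoted in the comment above.
SAMPLE_WRAPPED = json.dumps({"error": {"code": 401, "metadata": [
    "error-class", "org.apache.solr.client.solrj.impl.BaseHttpSolrClient$RemoteSolrException"],
    "msg": "Error from server at null: <html>\n<p>Problem accessing "
           "/solr/gettingstarted_shard4_replica_n6/select. Reason:\n<pre> require "
           "authentication</pre></p>\n</html>\n"}})

def classify(status, body):
    """Return (kind, core) for one response to the /select query."""
    if status != 401:
        return ("ok" if status == 200 else "http_%d" % status, None)
    try:
        err = json.loads(body)["error"]
        meta, msg = err.get("metadata", []), err.get("msg", "")
    except (ValueError, KeyError, TypeError, AttributeError):
        return ("client_401", None)  # no JSON envelope: our own credentials were refused
    if not any("RemoteSolrException" in str(m) for m in meta):
        return ("client_401", None)
    hit = CORE_RE.search(msg)  # wrapped error: a shard refused the coordinator's sub-request
    return ("internode_401", hit.group(1) if hit else None)

def tally(responses):
    kinds, cores = Counter(), Counter()
    for status, body in responses:
        kind, core = classify(status, body)
        kinds[kind] += 1
        if core:
            cores[core] += 1
    return kinds, cores

def fetch(url, user, password):
    """One GET with HTTP Basic credentials; returns (status, body) even on errors."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")

if __name__ == "__main__":
    # URL from the repro steps; the password is a placeholder for your own test account.
    url = "http://localhost:8983/solr/gettingstarted/select?q=*%3A*"
    kinds, cores = tally(fetch(url, "solradmin", "CHANGE_ME") for _ in range(200))
    print(dict(kinds), dict(cores))
```

A run where internode_401 grows with the shard count while client_401 stays at zero matches the failMissingCredentials counter in the stats above: the credentials are accepted at the coordinating node and missing on the sub-requests.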