[
https://issues.apache.org/jira/browse/SOLR-13480?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ishan Chattopadhyaya resolved SOLR-13480.
-----------------------------------------
Resolution: Fixed
> Collection creation failure when using Kerberos authentication combined with
> rule-base authorization
> ----------------------------------------------------------------------------------------------------
>
> Key: SOLR-13480
> URL: https://issues.apache.org/jira/browse/SOLR-13480
> Project: Solr
> Issue Type: Bug
> Components: Authorization, security
> Affects Versions: 7.7.1
> Reporter: mosh
> Assignee: Ishan Chattopadhyaya
> Priority: Major
> Labels: kerberos
>
> Creation of collection with an authorized user fails with the following error:
> {code:java}
> org.apache.solr.common.SolrException: Error getting replica locations :
> unable to get autoscaling policy session{code}
> At first it may seem like SOLR-13355 duplication as we are using “all”
> permission, but bug is specific to Kerberos (tested and found ok using basic
> auth) plus we verified the failure with 7.7.2 snapshot that included the
> relevant patch.
> +How to reproduce:+
> 1. Configure solr cloud with kerberos authentication and rule-based
> authorization plugins using the following security.json file:
> {code:java}
> {
> "authentication":{
> "class":"org.apache.solr.security.KerberosPlugin"
> },
> "authorization":{
> "class":"solr.RuleBasedAuthorizationPlugin",
> "permissions":[
> {
> "name":"read",
> "role":"*"
> },
> {
> "name":"all",
> "role":"admin_user"
> }
> ],
> "user-role":{
> "admin_user@OUR_REALM":"admin_user"
> }
> }}{code}
> 2. Create collection using an authorized user:
> {code:java}
> kinit admin_user@OUR_REALM
> curl --negotiate -u :
> "http://<HOST:PORT>/solr/admin/collections?action=CREATE&name=mycoll&numShards=1&collection.configName=_default"{code}
> {color:#d04437}==> request fails with the error written above.{color}
> 3. Disable authorization by removing _authorization_ section from
> security.json, so file should be as follow:
> {code:java}
> {
> "authentication":{
> "class":"org.apache.solr.security.KerberosPlugin"
> }
> }{code}
> 4. Create collection again as in step 2.
> {color:#14892c}==> request succeeds.{color}
> 5. Return authorization section to security.json (file from step 1) and make
> sure authorization works as expected by inserting documents and executing
> search queries with different users.
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
