[ https://issues.apache.org/jira/browse/SOLR-16197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
pgnd updated SOLR-16197:
------------------------
    Description:
on

```
lsb_release -rd
	Description:    Fedora release 36 (Thirty Six)
	Release:        36

java -version
	Picked up JAVA_TOOL_OPTIONS: -Xmx512M
	openjdk version "18.0.1" 2022-04-19
	OpenJDK Runtime Environment 22.3 (build 18.0.1+10)
	OpenJDK 64-Bit Server VM 22.3 (build 18.0.1+10, mixed mode, sharing)
```

i've clean-installed solr 9.0.0

	sudo -u solr /srv/webapps/solr/solr/bin/solr version
		9.0.0

it's up/running

	systemctl status solr
		● solr.service - LSB: Controls Apache Solr as a Service
		     Loaded: loaded (/etc/rc.d/init.d/solr; generated)
		     Active: active (exited) since Fri 2022-05-13 06:22:40 EDT; 2min 54s ago
		       Docs: man:systemd-sysv-generator(8)
		    Process: 56877 ExecStart=/etc/rc.d/init.d/solr start (code=exited, status=0/SUCCESS)
		        CPU: 43ms

with no user/auth security,

	ls -al /data/solr/data/security.json
		ls: cannot access '/data/solr/data/security.json': No such file or directory

nav to & admin @,

	https:///solr.example.com:8983/solr

works as expected.

deploying user BasicAuth security

	https://solr.apache.org/guide/solr/latest/deployment-guide/basic-authentication-plugin.html

with

	MY_USER_PASS="aaaaaaaaaaaaaa_bbbbbbbbbbbb_111111111+ccccccc_22"
	MY_USER_HASH=$( echo -n $MY_USER_PASS | shasum -a 256 | awk '{print $1}' | tr -d ' ')
	echo $MY_USER_HASH
		79a054509e27e20b16fb85caf221ac8d488168afa6715f2543d761269a72d832

and

	egrep "Dbasicauth|SOLR_LOG_LEVEL" /etc/default/solr.in.sh
		SOLR_LOG_LEVEL=DEBUG
		SOLR_AUTHENTICATION_OPTS="-Dbasicauth=testuser:aaaaaaaaaaaaaa_bbbbbbbbbbbb_111111111+ccccccc_22"

and

	cat /data/solr/data/security.json
		{
			"authentication":{
				"blockUnknown": true,
				"class":"solr.BasicAuthPlugin",
				"credentials":{"testuser":"79a054509e27e20b16fb85caf221ac8d488168afa6715f2543d761269a72d832"},
				"realm":"MyRealm Solr",
				"forwardCredentials": false
			},
			"authorization":{
				"class":"solr.RuleBasedAuthorizationPlugin",
				"permissions":[{"name":"security-edit",
				"role":"admin"}],
				"user-role":{"solr":"admin"}
		}}

nav to:

	https:///solr.example.com:8983/solr

returns the expected

	Basic Authentication

form.

entering credentials

	username: testuser
	password: aaaaaaaaaaaaaa_bbbbbbbbbbbb_111111111+ccccccc_22

fails with

	Basic Authentication
	Unauthorized
	Solr requires authentication for resource Dashboard.
	Please log in with your username and password for realm MyRealm Solr.

and DEBUG logs,

	--> https://pastebin.com/raw/aHVCgGKF

there, this looks possibly suspect,

	...
	   2022-05-13 06:33:00.651 DEBUG (qtp1777443462-23) [] o.a.s.s.SolrDispatchFilter Request to authenticate: org.apache.solr.servlet.ServletUtils$1@3acaf4f, domain: 10.1.1.27, port: 8983
	   2022-05-13 06:33:00.656 DEBUG (qtp1777443462-22) [] o.a.s.s.SolrDispatchFilter Request to authenticate: org.apache.solr.servlet.ServletUtils$1@540dbd19, domain: 10.1.1.27, port: 8983
	   2022-05-13 06:33:00.660 DEBUG (qtp1777443462-23) [] o.a.s.s.BasicAuthPlugin Bad auth credentials supplied in Authorization header
	   2022-05-13 06:33:00.650 DEBUG (qtp1777443462-20) [] o.a.s.s.SolrDispatchFilter Request to authenticate: org.apache.solr.servlet.ServletUtils$1@7e6b57df, domain: 10.1.1.27, port: 8983
	   2022-05-13 06:33:00.661 DEBUG (qtp1777443462-20) [] o.a.s.s.BasicAuthPlugin Bad auth credentials supplied in Authorization header
	   2022-05-13 06:33:00.662 DEBUG (qtp1777443462-20) [] o.a.s.s.BasicAuthPlugin Prefixing WWW-Authenticate header for Basic Auth with 'x' to prevent browser basic auth popup
	?? 2022-05-13 06:33:00.663 DEBUG (qtp1777443462-22) [] o.a.s.s.BasicAuthPlugin Bad auth credentials supplied in Authorization header
	?? 2022-05-13 06:33:00.663 DEBUG (qtp1777443462-22) [] o.a.s.s.BasicAuthPlugin Prefixing WWW-Authenticate header for Basic Auth with 'x' to prevent browser basic auth popup
	   2022-05-13 06:33:00.667 DEBUG (qtp1777443462-22) [] o.e.j.s.HttpChannelState sendError HttpChannelState@191ce1ad{s=HANDLING rs=BLOCKING os=OPEN is=IDLE awp=false se=false i=true al=0}
	...

dropping back to solr 8x, i've no issues with basicauth.
> solr 8x -> 9.0.0 upgrade; BasicAuth security FAILs @ "o.a.s.s.BasicAuthPlugin Bad auth credentials supplied in Authorization header"
> -------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SOLR-16197
>                 URL: https://issues.apache.org/jira/browse/SOLR-16197
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public)
>          Components: Authentication
>    Affects Versions: 9.0
>            Reporter: pgnd
>            Priority: Major
>              Labels: BasicAuth, authentication, upgrade
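
The Solr reference guide linked in the report documents the `solr.BasicAuthPlugin` credential value as `base64(sha256(sha256(salt+password))) base64(salt)`. The following is an added example, not code from the report or from Solr, that builds and verifies values in that layout and classifies the value stored in the `security.json` shown in the report; the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os
import re

# Values copied from the report above (test data posted by the reporter).
REPORTED_PASSWORD = "aaaaaaaaaaaaaa_bbbbbbbbbbbb_111111111+ccccccc_22"
REPORTED_STORED = "79a054509e27e20b16fb85caf221ac8d488168afa6715f2543d761269a72d832"


def solr_credential(password, salt=None):
    """Return 'base64(sha256(sha256(salt+password))) base64(salt)'."""
    salt = os.urandom(32) if salt is None else salt
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    outer = hashlib.sha256(inner).digest()
    return base64.b64encode(outer).decode() + " " + base64.b64encode(salt).decode()


def classify(stored):
    """Name the layout of a stored credential string without knowing the password."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", stored):
        return "bare-hex-sha256"  # unsalted hex digest, no salt part
    parts = stored.split(" ")
    if len(parts) != 2:
        return "unrecognized"
    try:
        digest = base64.b64decode(parts[0], validate=True)
        base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unrecognized"
    return "salted-double-sha256" if len(digest) == 32 else "unrecognized"


def verify(password, stored):
    """Check a password against a stored value in the documented layout only."""
    if classify(stored) != "salted-double-sha256":
        return False
    salt = base64.b64decode(stored.split(" ")[1])
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(solr_credential(password, salt), stored)


if __name__ == "__main__":
    print(classify(REPORTED_STORED))
    fresh = solr_credential(REPORTED_PASSWORD)
    print(classify(fresh), verify(REPORTED_PASSWORD, fresh))
```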