[
https://issues.apache.org/jira/browse/SOLR-16197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
pgnd updated SOLR-16197:
------------------------
Description:
on
{{ lsb_release -rd}}
{{ Description: Fedora release 36 (Thirty Six)}}
{{ Release: 36}}{{ java -version}}
{{ Picked up JAVA_TOOL_OPTIONS: -Xmx512M}}
{{ openjdk version "18.0.1" 2022-04-19}}
{{ OpenJDK Runtime Environment 22.3 (build 18.0.1+10)}}
{{ OpenJDK 64-Bit Server VM 22.3 (build 18.0.1+10, mixed mode, sharing)}}
{{i've clean-installed solr 9.0.0}}
{{ sudo -u solr /srv/webapps/solr/solr/bin/solr version}}
{{ 9.0.0}}
it's up/running
{{ systemctl status solr}}
{{ ● solr.service - LSB: Controls Apache Solr as a Service}}
{{ Loaded: loaded (/etc/rc.d/init.d/solr; generated)}}
{{ Active: active (exited) since Fri 2022-05-13 06:22:40 EDT; 2min 54s
ago}}
{{ Docs: man:systemd-sysv-generator(8)}}
{{ Process: 56877 ExecStart=/etc/rc.d/init.d/solr start (code=exited,
status=0/SUCCESS)}}
{{ CPU: 43ms}}
with no user/auth security,
ls -al /data/solr/data/security.json
ls: cannot access '/data/solr/data/security.json': No such file or
directory
nav to & admin @,
[https:///solr.example.com:8983/solr|https://solr.example.com:8983/solr]
works as expected.
deploying user BasicAuth security
[https://solr.apache.org/guide/solr/latest/deployment-guide/basic-authentication-plugin.html]
with
{{ MY_USER_PASS="aaaaaaaaaaaaaa_bbbbbbbbbbbb_111111111+ccccccc_22"}}
{{ MY_USER_HASH=$( echo -n $MY_USER_PASS | shasum -a 256 | awk '\{print $1}'
| tr -d ' ')}}
{{ echo $MY_USER_HASH}}
{{ 79a054509e27e20b16fb85caf221ac8d488168afa6715f2543d761269a72d832}}
{{and}}
{{ egrep "Dbasicauth|SOLR_LOG_LEVEL" /etc/default/solr.in.sh}}
{{ SOLR_LOG_LEVEL=DEBUG}}
{{
SOLR_AUTHENTICATION_OPTS="-Dbasicauth=testuser:aaaaaaaaaaaaaa_bbbbbbbbbbbb_111111111+ccccccc_22"}}
and
{{ cat /data/solr/data/security.json}}
{{ {}}
{{{} "authentication":{}}}{{{}{ "blockUnknown": true,
"class":"solr.BasicAuthPlugin",
"credentials":\\{"testuser":"79a054509e27e20b16fb85caf221ac8d488168afa6715f2543d761269a72d832"}{}}}{{{},{}}}
{{ "realm":"MyRealm Solr",}}
{{ "forwardCredentials": false}}
{{ },}}
{{ "authorization":{}}
{{ "class":"solr.RuleBasedAuthorizationPlugin",}}
{{{} "permissions":[{}}}{{{}{"name":"security-edit",
"role":"admin"}{}}}{{{}],{}}}
{{ "user-role":\{"solr":"admin"}}}
{{ }}}}
nav to:
[https:///solr.example.com:8983/solr|https://solr.example.com:8983/solr]
returns the expected
{{ Basic Authentication}}
form.
entering credentials
{{ username: testuser}}
{{ password: aaaaaaaaaaaaaa_bbbbbbbbbbbb_111111111+ccccccc_22}}
fails with
{{ Basic Authentication}}
{{ Unauthorized}}{{ Solr requires authentication for resource Dashboard.}}
{{ Please log in with your username and password for realm MyRealm Solr.}}
and DEBUG logs,
--> [https://pastebin.com/raw/aHVCgGKF]
there, this looks possibly suspect,
{{ ...}}
{{ 2022-05-13 06:33:00.651 DEBUG (qtp1777443462-23) []
o.a.s.s.SolrDispatchFilter Request to authenticate:
org.apache.solr.servlet.ServletUtils$1@3acaf4f, domain: 10.1.1.27, port: 8983}}
{{ 2022-05-13 06:33:00.656 DEBUG (qtp1777443462-22) []
o.a.s.s.SolrDispatchFilter Request to authenticate:
org.apache.solr.servlet.ServletUtils$1@540dbd19, domain: 10.1.1.27, port: 8983}}
{{ 2022-05-13 06:33:00.660 DEBUG (qtp1777443462-23) []
o.a.s.s.BasicAuthPlugin Bad auth credentials supplied in Authorization header}}
{{ 2022-05-13 06:33:00.650 DEBUG (qtp1777443462-20) []
o.a.s.s.SolrDispatchFilter Request to authenticate:
org.apache.solr.servlet.ServletUtils$1@7e6b57df, domain: 10.1.1.27, port: 8983}}
{{ 2022-05-13 06:33:00.661 DEBUG (qtp1777443462-20) []
o.a.s.s.BasicAuthPlugin Bad auth credentials supplied in Authorization header}}
{{ 2022-05-13 06:33:00.662 DEBUG (qtp1777443462-20) []
o.a.s.s.BasicAuthPlugin Prefixing WWW-Authenticate header for Basic Auth with
'x' to prevent browser basic auth popup}}
{{?? 2022-05-13 06:33:00.663 DEBUG (qtp1777443462-22) []
o.a.s.s.BasicAuthPlugin Bad auth credentials supplied in Authorization header}}
{{?? 2022-05-13 06:33:00.663 DEBUG (qtp1777443462-22) []
o.a.s.s.BasicAuthPlugin Prefixing WWW-Authenticate header for Basic Auth with
'x' to prevent browser basic auth popup}}
{{ 2022-05-13 06:33:00.667 DEBUG (qtp1777443462-22) []
o.e.j.s.HttpChannelState sendError HttpChannelState@191ce1ad\{s=HANDLING
rs=BLOCKING os=OPEN is=IDLE awp=false se=false i=true al=0}}}
{{ ...}}
dropping back to solr 8x, i've no issues with basicauth.
is my config wrong for 9x? known issue? other?
was:
on
{{ lsb_release -rd}}
{{ Description: Fedora release 36 (Thirty Six)}}
{{ Release: 36}}{{ java -version}}
{{ Picked up JAVA_TOOL_OPTIONS: -Xmx512M}}
{{ openjdk version "18.0.1" 2022-04-19}}
{{ OpenJDK Runtime Environment 22.3 (build 18.0.1+10)}}
{{ OpenJDK 64-Bit Server VM 22.3 (build 18.0.1+10, mixed mode, sharing)}}
{{i've clean-installed solr 9.0.0}}
{{ sudo -u solr /srv/webapps/solr/solr/bin/solr version}}
{{ 9.0.0}}
it's up/running
{{ systemctl status solr}}
{{ ● solr.service - LSB: Controls Apache Solr as a Service}}
{{ Loaded: loaded (/etc/rc.d/init.d/solr; generated)}}
{{ Active: active (exited) since Fri 2022-05-13 06:22:40 EDT; 2min 54s
ago}}
{{ Docs: man:systemd-sysv-generator(8)}}
{{ Process: 56877 ExecStart=/etc/rc.d/init.d/solr start (code=exited,
status=0/SUCCESS)}}
{{ CPU: 43ms}}
with no user/auth security,
ls -al /data/solr/data/security.json
ls: cannot access '/data/solr/data/security.json': No such file or
directory
nav to & admin @,
https:///solr.example.com:8983/solr
works as expected.
deploying user BasicAuth security
https://solr.apache.org/guide/solr/latest/deployment-guide/basic-authentication-plugin.html
with
MY_USER_PASS="aaaaaaaaaaaaaa_bbbbbbbbbbbb_111111111+ccccccc_22"
MY_USER_HASH=$( echo -n $MY_USER_PASS | shasum -a 256 | awk '\{print $1}' |
tr -d ' ')
echo $MY_USER_HASH
79a054509e27e20b16fb85caf221ac8d488168afa6715f2543d761269a72d832
and
egrep "Dbasicauth|SOLR_LOG_LEVEL" /etc/default/solr.in.sh
SOLR_LOG_LEVEL=DEBUG
SOLR_AUTHENTICATION_OPTS="-Dbasicauth=testuser:aaaaaaaaaaaaaa_bbbbbbbbbbbb_111111111+ccccccc_22"
and
cat /data/solr/data/security.json
{
"authentication":{
"blockUnknown": true,
"class":"solr.BasicAuthPlugin",
"credentials":\{"testuser":"79a054509e27e20b16fb85caf221ac8d488168afa6715f2543d761269a72d832"},
"realm":"MyRealm Solr",
"forwardCredentials": false
},
"authorization":{
"class":"solr.RuleBasedAuthorizationPlugin",
"permissions":[{"name":"security-edit",
"role":"admin"}],
"user-role":\{"solr":"admin"}
}}
nav to:
https:///solr.example.com:8983/solr
returns the expected
Basic Authentication
form.
entering credentials
username: testuser
password: aaaaaaaaaaaaaa_bbbbbbbbbbbb_111111111+ccccccc_22
fails with
Basic Authentication
Unauthorized
Solr requires authentication for resource Dashboard.
Please log in with your username and password for realm MyRealm Solr.
and DEBUG logs,
--> https://pastebin.com/raw/aHVCgGKF
there, this looks possibly suspect,
...
2022-05-13 06:33:00.651 DEBUG (qtp1777443462-23) []
o.a.s.s.SolrDispatchFilter Request to authenticate:
org.apache.solr.servlet.ServletUtils$1@3acaf4f, domain: 10.1.1.27, port: 8983
2022-05-13 06:33:00.656 DEBUG (qtp1777443462-22) []
o.a.s.s.SolrDispatchFilter Request to authenticate:
org.apache.solr.servlet.ServletUtils$1@540dbd19, domain: 10.1.1.27, port: 8983
2022-05-13 06:33:00.660 DEBUG (qtp1777443462-23) []
o.a.s.s.BasicAuthPlugin Bad auth credentials supplied in Authorization header
2022-05-13 06:33:00.650 DEBUG (qtp1777443462-20) []
o.a.s.s.SolrDispatchFilter Request to authenticate:
org.apache.solr.servlet.ServletUtils$1@7e6b57df, domain: 10.1.1.27, port: 8983
2022-05-13 06:33:00.661 DEBUG (qtp1777443462-20) []
o.a.s.s.BasicAuthPlugin Bad auth credentials supplied in Authorization header
2022-05-13 06:33:00.662 DEBUG (qtp1777443462-20) []
o.a.s.s.BasicAuthPlugin Prefixing WWW-Authenticate header for Basic Auth with
'x' to prevent browser basic auth popup
?? 2022-05-13 06:33:00.663 DEBUG (qtp1777443462-22) []
o.a.s.s.BasicAuthPlugin Bad auth credentials supplied in Authorization header
?? 2022-05-13 06:33:00.663 DEBUG (qtp1777443462-22) []
o.a.s.s.BasicAuthPlugin Prefixing WWW-Authenticate header for Basic Auth with
'x' to prevent browser basic auth popup
2022-05-13 06:33:00.667 DEBUG (qtp1777443462-22) []
o.e.j.s.HttpChannelState sendError HttpChannelState@191ce1ad\{s=HANDLING
rs=BLOCKING os=OPEN is=IDLE awp=false se=false i=true al=0}
...
dropping back to solr 8x, i've no issues with basicauth.
is my config wrong for 9x? known issue? other?
> solr 8x -> 9.0.0 upgrade; BasicAuth security FAILs @ "o.a.s.s.BasicAuthPlugin
> Bad auth credentials supplied in Authorization header"
> -------------------------------------------------------------------------------------------------------------------------------------
>
> Key: SOLR-16197
> URL: https://issues.apache.org/jira/browse/SOLR-16197
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Authentication
> Affects Versions: 9.0
> Reporter: pgnd
> Priority: Major
> Labels: BasicAuth, authentication, upgrade
>
> on
> {{ lsb_release -rd}}
> {{ Description: Fedora release 36 (Thirty Six)}}
> {{ Release: 36}}{{ java -version}}
> {{ Picked up JAVA_TOOL_OPTIONS: -Xmx512M}}
> {{ openjdk version "18.0.1" 2022-04-19}}
> {{ OpenJDK Runtime Environment 22.3 (build 18.0.1+10)}}
> {{ OpenJDK 64-Bit Server VM 22.3 (build 18.0.1+10, mixed mode,
> sharing)}}
>
> {{i've clean-installed solr 9.0.0}}
> {{ sudo -u solr /srv/webapps/solr/solr/bin/solr version}}
> {{ 9.0.0}}
> it's up/running
> {{ systemctl status solr}}
> {{ ● solr.service - LSB: Controls Apache Solr as a Service}}
> {{ Loaded: loaded (/etc/rc.d/init.d/solr; generated)}}
> {{ Active: active (exited) since Fri 2022-05-13 06:22:40 EDT; 2min
> 54s ago}}
> {{ Docs: man:systemd-sysv-generator(8)}}
> {{ Process: 56877 ExecStart=/etc/rc.d/init.d/solr start (code=exited,
> status=0/SUCCESS)}}
> {{ CPU: 43ms}}
> with no user/auth security,
> ls -al /data/solr/data/security.json
> ls: cannot access '/data/solr/data/security.json': No such file or
> directory
> nav to & admin @,
> [https:///solr.example.com:8983/solr|https://solr.example.com:8983/solr]
> works as expected.
> deploying user BasicAuth security
>
> [https://solr.apache.org/guide/solr/latest/deployment-guide/basic-authentication-plugin.html]
> with
> {{ MY_USER_PASS="aaaaaaaaaaaaaa_bbbbbbbbbbbb_111111111+ccccccc_22"}}
> {{ MY_USER_HASH=$( echo -n $MY_USER_PASS | shasum -a 256 | awk '\{print
> $1}' | tr -d ' ')}}
> {{ echo $MY_USER_HASH}}
> {{ 79a054509e27e20b16fb85caf221ac8d488168afa6715f2543d761269a72d832}}
> {{and}}
> {{ egrep "Dbasicauth|SOLR_LOG_LEVEL" /etc/default/solr.in.sh}}
> {{ SOLR_LOG_LEVEL=DEBUG}}
> {{
> SOLR_AUTHENTICATION_OPTS="-Dbasicauth=testuser:aaaaaaaaaaaaaa_bbbbbbbbbbbb_111111111+ccccccc_22"}}
> and
> {{ cat /data/solr/data/security.json}}
> {{ {}}
> {{{} "authentication":{}}}{{{}{ "blockUnknown": true,
> "class":"solr.BasicAuthPlugin",
> "credentials":\\{"testuser":"79a054509e27e20b16fb85caf221ac8d488168afa6715f2543d761269a72d832"}{}}}{{{},{}}}
> {{ "realm":"MyRealm Solr",}}
> {{ "forwardCredentials": false}}
> {{ },}}
> {{ "authorization":{}}
> {{ "class":"solr.RuleBasedAuthorizationPlugin",}}
> {{{} "permissions":[{}}}{{{}{"name":"security-edit",
> "role":"admin"}{}}}{{{}],{}}}
> {{ "user-role":\{"solr":"admin"}}}
> {{ }}}}
> nav to:
> [https:///solr.example.com:8983/solr|https://solr.example.com:8983/solr]
> returns the expected
> {{ Basic Authentication}}
> form.
> entering credentials
> {{ username: testuser}}
> {{ password: aaaaaaaaaaaaaa_bbbbbbbbbbbb_111111111+ccccccc_22}}
> fails with
> {{ Basic Authentication}}
> {{ Unauthorized}}{{ Solr requires authentication for resource
> Dashboard.}}
> {{ Please log in with your username and password for realm MyRealm Solr.}}
> and DEBUG logs,
> --> [https://pastebin.com/raw/aHVCgGKF]
> there, this looks possibly suspect,
> {{ ...}}
> {{ 2022-05-13 06:33:00.651 DEBUG (qtp1777443462-23) []
> o.a.s.s.SolrDispatchFilter Request to authenticate:
> org.apache.solr.servlet.ServletUtils$1@3acaf4f, domain: 10.1.1.27, port:
> 8983}}
> {{ 2022-05-13 06:33:00.656 DEBUG (qtp1777443462-22) []
> o.a.s.s.SolrDispatchFilter Request to authenticate:
> org.apache.solr.servlet.ServletUtils$1@540dbd19, domain: 10.1.1.27, port:
> 8983}}
> {{ 2022-05-13 06:33:00.660 DEBUG (qtp1777443462-23) []
> o.a.s.s.BasicAuthPlugin Bad auth credentials supplied in Authorization
> header}}
> {{ 2022-05-13 06:33:00.650 DEBUG (qtp1777443462-20) []
> o.a.s.s.SolrDispatchFilter Request to authenticate:
> org.apache.solr.servlet.ServletUtils$1@7e6b57df, domain: 10.1.1.27, port:
> 8983}}
> {{ 2022-05-13 06:33:00.661 DEBUG (qtp1777443462-20) []
> o.a.s.s.BasicAuthPlugin Bad auth credentials supplied in Authorization
> header}}
> {{ 2022-05-13 06:33:00.662 DEBUG (qtp1777443462-20) []
> o.a.s.s.BasicAuthPlugin Prefixing WWW-Authenticate header for Basic Auth with
> 'x' to prevent browser basic auth popup}}
> {{?? 2022-05-13 06:33:00.663 DEBUG (qtp1777443462-22) []
> o.a.s.s.BasicAuthPlugin Bad auth credentials supplied in Authorization
> header}}
> {{?? 2022-05-13 06:33:00.663 DEBUG (qtp1777443462-22) []
> o.a.s.s.BasicAuthPlugin Prefixing WWW-Authenticate header for Basic Auth with
> 'x' to prevent browser basic auth popup}}
> {{ 2022-05-13 06:33:00.667 DEBUG (qtp1777443462-22) []
> o.e.j.s.HttpChannelState sendError HttpChannelState@191ce1ad\{s=HANDLING
> rs=BLOCKING os=OPEN is=IDLE awp=false se=false i=true al=0}}}
> {{ ...}}
> dropping back to solr 8x, i've no issues with basicauth.
> is my config wrong for 9x? known issue? other?
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
