Hi Jason,

Thanks for looking into this.
- what authc/authz plugins are enabled on your cluster? If basicAuth is in use (as the stack suggests), is "forwardCredentials" set up?
We have BasicAuth and RuleBasedAuthorization in use with blockUnknown enabled and forwardCredentials disabled.
- is SSL/TLS enabled on these clusters? If so, can you share the controlling sysprops?
TLS is enabled with the following properties:

    -Dsolr.keyStoreReload.enabled=true
    -Dsolr.jetty.keystore=/var/solr/keystore.p12
    -Dsolr.jetty.truststore=/var/solr/truststore.p12
    -Djavax.net.ssl.keyStore=/var/solr/keystore.p12
    -Dsolr.ssl.checkPeerName=true
    -Dsolr.jetty.ssl.sniHostCheck=true
    -Djavax.net.ssl.trustStore=/var/solr/truststore.p12
    -Dsolr.jetty.https.port=8983
    -Dsolr.httpclient.builder.factory=org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactory
    -Dbasicauth=--REDACTED--
    -Djava.security.auth.login.config=/var/solr/jaas_client.conf
    -Dsolr.jetty.ssl.sniHostCheck=false
    -DzkACLProvider=org.apache.solr.common.cloud.SaslZkACLProvider
    -DzkCredentialsProvider=org.apache.solr.common.cloud.DigestZkCredentialsProvider
    -DzkCredentialsInjector=org.apache.solr.common.cloud.VMParamsZkCredentialsInjector

Checking these properties, I realized "solr.jetty.ssl.sniHostCheck" was there twice with differing values. This has been fixed but the issue persists.
- have you made any customizations to Jetty HttpClient creation? (Solr exposes sysprop-based hooks for influencing HttpClient settings)
None that I'm aware of.

Regards,
Patrik
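The duplicated "solr.jetty.ssl.sniHostCheck" option mentioned in the message above is the kind of conflict a small check over the JVM option string can catch. The following is an added example, not part of the original message or of Solr; the function names and the shortened option string are constructed, and it assumes the last occurrence of a repeated -D option is the one that takes effect.

```python
import shlex
from collections import defaultdict

# Constructed sample: a shortened form of the option list quoted in the message.
SAMPLE_OPTS = (
    "-Dsolr.keyStoreReload.enabled=true "
    "-Dsolr.ssl.checkPeerName=true "
    "-Dsolr.jetty.ssl.sniHostCheck=true "
    "-Djavax.net.ssl.trustStore=/var/solr/truststore.p12 "
    "-Dsolr.jetty.https.port=8983 "
    "-Dbasicauth=--REDACTED-- "
    "-Dsolr.jetty.ssl.sniHostCheck=false"
)

# Property-name fragments whose values are never echoed into a report.
SENSITIVE = ("basicauth", "password", "secret")


def parse_sysprops(opts):
    """Return [(name, value), ...] for every -Dname=value token, in order."""
    props = []
    for token in shlex.split(opts):
        if token.startswith("-D") and len(token) > 2:
            name, _, value = token[2:].partition("=")
            props.append((name, value))
    return props


def find_conflicts(opts):
    """Report properties that are set more than once with differing values."""
    seen = defaultdict(list)
    for name, value in parse_sysprops(opts):
        seen[name].append(value)
    conflicts = {}
    for name, values in seen.items():
        if len(set(values)) > 1:
            if any(s in name.lower() for s in SENSITIVE):
                values = ["<hidden>"] * len(values)
            # Assumption: the last occurrence is the effective one.
            conflicts[name] = {"values": values, "effective": values[-1]}
    return conflicts


if __name__ == "__main__":
    for name, info in find_conflicts(SAMPLE_OPTS).items():
        print(f"{name}: set {len(info['values'])}x {info['values']}, "
              f"effective={info['effective']}")
```
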