Open khandnb opened 2 months ago
```json
"authentication": {
  "class": "solr.MultiAuthPlugin",
  "schemes": [{
    "scheme": "bearer",
    "blockUnknown": false,
    "class": "solr.JWTAuthPlugin",
    "adminUiScope": "api://ttt/admin",
    "principalClaim": "unique_name",
    "iss": "https://sts.windows.net/abc/",
    "aud": "api://xyz",
    "wellKnownUrl": "https://login.microsoftonline.com/abc/v2.0/.well-known/openid-configuration",
    "redirectUris": "https://localhost:8983/solr/",
    "clientId": "xyz",
    "authorizationFlow": "code_pkce",
    "trustedCertsFile": "/path/to/certificate",
    "jwkCacheDur": "60"
  },{
    "scheme": "basic",
    "blockUnknown": false,
    "class": "solr.BasicAuthPlugin",
    "realm": "Solr Basic Auth",
    "credentials": {
      "solr": "bfjbf"
    },
    "forwardCredentials": false
  }]
},
```
Hi @janhoy @HoustonPutman, can you please suggest what I am missing here, or a fix that I can make to resolve this issue?
You’re using Istio. I guess the Istio proxy may be swallowing the SolrAuth HTTP header; can you check?
I guessed so, but I did not find anything in the logs of the Istio proxy. Also, I need to use the Istio proxy for all TLS-based communication in my Kubernetes cluster. Would this require some header forwarding on the Istio proxy side? That might be complex to handle. Is there any alternative mechanism, for example a fallback to basic auth for this? Only authentication of the Solr Admin UI with JwtAuth, and the rest of the core and probing operations with basic auth.
What version of Solr are you running? Also, what logs is Solr printing? It will likely give some reasoning behind why the PKIAuth could not be verified.
I am using Solr version 9.6.0 and Solr operator 0.8.1. Below are the logs:
```
2024-09-06 07:25:56.992 INFO (qtp1212191909-53-solr-solrcloud-0.solr-solrcloud-headless.solr-343) [c: s: r: x: t:solr-solrcloud-0.solr-solrcloud-headless.solr-343] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/info/health params={} status=0 QTime=0
2024-09-06 07:25:57.503 INFO (OverseerThreadFactory-19-thread-1) [c:testing s: r: x: t:] o.a.s.c.a.c.CreateCollectionCmd Create collection testing
2024-09-06 07:25:57.710 INFO (OverseerStateUpdate-72062713179013124-solr-solrcloud-0.solr-solrcloud-headless.solr:8983_solr-n_0000000002) [c: s: r: x: t:] o.a.s.c.o.SliceMutator createReplica() {
  "core":"testing_shard1_replica_n1",
  "node_name":"solr-solrcloud-0.solr-solrcloud-headless.solr:8983_solr",
  "base_url":"http://solr-solrcloud-0.solr-solrcloud-headless.solr:8983/solr",
  "collection":"testing",
  "shard":"shard1",
  "state":"down",
  "type":"NRT",
  "operation":"ADDREPLICA",
  "waitForFinalState":"false"}
2024-09-06 07:25:57.837 INFO (zkCallback-13-thread-4) [c: s: r: x: t:] o.a.s.c.c.ZkStateReader A cluster state change: [WatchedEvent state:SyncConnected type:NodeDataChanged path:/collections/testing/state.json zxid: -1] for collection [testing] has occurred - updating... (live nodes size: [1])
2024-09-06 07:25:58.139 ERROR (qtp1212191909-54-solr-solrcloud-0.solr-solrcloud-headless.solr-345) [c: s: r: x: t:solr-solrcloud-0.solr-solrcloud-headless.solr-345] o.a.s.s.PKIAuthenticationPlugin Exception trying to get public key from: http://solr-solrcloud-0.solr-solrcloud-headless.solr:8983/solr => org.noggit.JSONParser$ParseException: JSON Parse Error: char=<,position=0 AFTER='<' BEFORE='!DOCTYPE html PUBLIC "-//W3C//DTD XHTML'
	at org.noggit.JSONParser.err(JSONParser.java:447)
org.noggit.JSONParser$ParseException: JSON Parse Error: char=<,position=0 AFTER='<' BEFORE='!DOCTYPE html PUBLIC "-//W3C//DTD XHTML'
	at org.noggit.JSONParser.err(JSONParser.java:447) ~[?:?]
	at org.noggit.JSONParser.handleNonDoubleQuoteString(JSONParser.java:808) ~[?:?]
	at org.noggit.JSONParser.next(JSONParser.java:1013) ~[?:?]
	at org.noggit.JSONParser.nextEvent(JSONParser.java:1059) ~[?:?]
	at org.noggit.ObjectBuilder.
```

| URI: | /solr/admin/cores |
|---|---|
| STATUS: | 401 |
| MESSAGE: | Could not validate PKI header. |
| SERVLET: | default |

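
Added example, not part of the original thread and not Solr code: a small triage script for the log above that picks out failed inter-node public key fetches logged by `PKIAuthenticationPlugin` and reports what the peer returned in place of JSON. The sample lines are copied from the log with the thread fields shortened; the function names and the `kind` labels are made up for this example.

```python
import re

# Constructed sample: two lines copied from the log above, with the thread
# and tracing fields shortened to "..." for readability.
SAMPLE_LOG = [
    "2024-09-06 07:25:57.503 INFO (OverseerThreadFactory-19-thread-1) [c:testing s: r: x: t:] o.a.s.c.a.c.CreateCollectionCmd Create collection testing",
    "2024-09-06 07:25:58.139 ERROR (qtp1212191909-54-...) [c: s: r: x: t:...] o.a.s.s.PKIAuthenticationPlugin Exception trying to get public key from: http://solr-solrcloud-0.solr-solrcloud-headless.solr:8983/solr => org.noggit.JSONParser$ParseException: JSON Parse Error: char=<,position=0 AFTER='<' BEFORE='!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML'",
]

KEY_FETCH = re.compile(
    r"^(?P<ts>\S+ \S+) ERROR .*?PKIAuthenticationPlugin Exception trying to get "
    r"public key from: (?P<url>\S+) => (?P<exc>[\w.$]+): (?P<msg>.*)$"
)
PARSE_ERR = re.compile(
    r"char=.,position=(?P<pos>\d+) AFTER='(?P<after>.*?)' BEFORE='(?P<before>.*)'"
)


def classify(exc, msg):
    """Say what the peer node returned instead of the JSON key document."""
    m = PARSE_ERR.search(msg)
    if not exc.endswith("ParseException") or m is None:
        return "other", ""
    # In the logged message AFTER holds the text already read and BEFORE the
    # text still unread, so at position 0 they join into the start of the body.
    head = m["after"] + m["before"]
    if m["pos"] == "0" and head.lstrip().lower().startswith(("<!doctype html", "<html")):
        return "html_page", head
    return "non_json", head


def pki_key_failures(lines):
    """Return one finding per failed inter-node public key fetch."""
    findings = []
    for line in lines:
        m = KEY_FETCH.match(line)
        if m:
            kind, head = classify(m["exc"], m["msg"])
            findings.append({"time": m["ts"], "peer": m["url"], "kind": kind, "body_head": head})
    return findings


if __name__ == "__main__":
    for finding in pki_key_failures(SAMPLE_LOG):
        print(finding)
```

An `html_page` finding means the node asking for the key received a web page from that URL, so the next thing to check is what answered the request at that address.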
Hi @janhoy @HoustonPutman, any idea here? One more thing: I have added solrOpts for HTTP proxy/port on the Solr pods to enable calls to the IDP.
Hi @janhoy @HoustonPutman, any idea here?
The solr admin UI is successfully logged in with token received from IDP and is able to access security, list collections etc. but the core creation fails with invalid PKI header. The Solr is deployed on GKE with istio proxy. { "textPayload": "