Configuration of Solr MultiAuthplugin with JWT and basic auth gives the error of PKI authentication on creating cores. #719
Comments
The solr admin UI is successfully logged in with token received from IDP and is able to access security, list collections etc. but the core creation fails with invalid PKI header. The Solr is deployed on GKE with istio proxy.

"authentication": {
hi @janhoy @HoustonPutman, can you please suggest what is missing here, or a fix that I can make to resolve this issue?
You’re using istio. I guess Istio proxy may be swallowing the SolrAuth http header, can you check?
What version of Solr are you running? Also what logs is solr printing? It will likely give some reasoning behind why the PKIAuth could not be verified. |
I am using solr version 9.6.0 and solr operator 0.8.1. Below are the logs:

```
2024-09-06 07:25:56.992 INFO (qtp1212191909-53-solr-solrcloud-0.solr-solrcloud-headless.solr-343) [c: s: r: x: t:solr-solrcloud-0.solr-solrcloud-headless.solr-343] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/info/health params={} status=0 QTime=0
HTTP ERROR 401 Could not validate PKI header.
```
hi @janhoy @HoustonPutman any idea here?
Knowledge sharing, because documentation does not disclose this. Solr version: 9.5. Also looks like solr does not pass JWT Principal with its full claims and it loses scopes/roles (looks like a bug).

Configuration MultiAuthRuleBasedAuthorizationPlugin that works for me:

```json
{
  "authorization": {
    "class": "solr.MultiAuthRuleBasedAuthorizationPlugin",
    "permissions": [{
        "collection": null,
        "name": "inner-node-comm",
        "path": "/admin/info/key",
        "role": null
      }, {
        "collection": null,
        "method": ["HEAD", "GET"],
        "name": "k8s-probe-0",
        "path": "/admin/info/system",
        "role": null
      }, {
        "collection": null,
        "method": ["HEAD", "GET"],
        "name": "k8s-probe-1",
        "path": "/admin/info/health",
        "role": null
      }, {
        "collection": null,
        "method": ["HEAD", "GET"],
        "name": "k8s-metrics",
        "path": "/admin/metrics",
        "role": null
      }, {
        "collection": null,
        "method": ["HEAD", "GET"],
        "name": "k8s-zk",
        "path": "/admin/zookeeper/status",
        "role": null
      }, {
        "collection": "*",
        "method": ["HEAD", "GET"],
        "name": "k8s-ping",
        "path": "/admin/ping",
        "role": null
      }, {
        "collection": null,
        "method": ["HEAD", "GET"],
        "name": "k8s-collection",
        "params": {
          "action": ["LIST", "CLUSTERSTATUS"]
        },
        "path": "/admin/collections",
        "role": null
      }, {
        "name": "health",
        "role": null
      }, {
        "name": "metrics-read",
        "role": null
      }, {
        "name": "security-read",
        "role": ["admin", "k8s"]
      }, {
        "name": "security-edit",
        "role": ["admin", "k8s"]
      }, {
        "name": "schema-edit",
        "role": ["admin", "k8s"]
      }, {
        "name": "schema-read",
        "role": ["admin", "k8s"]
      }, {
        "name": "config-read",
        "role": ["admin", "k8s"]
      }, {
        "name": "config-edit",
        "role": ["admin", "k8s"]
      }, {
        "name": "core-admin-edit",
        "role": null
      }, {
        "name": "core-admin-read",
        "role": null
      }, {
        "name": "collection-admin-read",
        "role": ["admin", "k8s"]
      }, {
        "name": "collection-admin-edit",
        "role": ["admin", "k8s"]
      }, {
        "name": "update",
        "role": ["admin", "k8s"]
      }, {
        "name": "read",
        "role": ["admin", "k8s"]
      }, {
        "name": "zk-read",
        "role": ["admin", "k8s"]
      }, {
        "name": "all",
        "role": ["admin", "k8s"]
      }
    ],
    "schemes": [{
        "class": "solr.ExternalRoleRuleBasedAuthorizationPlugin",
        "scheme": "Bearer"
      }, {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "scheme": "Basic",
        "user-role": {
          "admin": ["admin", "k8s"],
          "k8s-oper": ["k8s"],
          "{{JWT.(clientId|name|email|...)}}": ["admin"]
        }
      }
    ]
  }
}
```

MultiAuthPlugin configuration:

```json
{
  "authentication": {
    "class": "solr.MultiAuthPlugin",
    "schemes": [{
        "adminUiScope": "{{AdminScope}}",
        "blockUnknown": true,
        "class": "solr.JWTAuthPlugin",
        "issuers": [{
            "clientId": "{{UIClientId}}",
            "name": "admin-ui",
            "wellKnownUrl": "https://{{IDP.Url}}/.well-known/openid-configuration"
          }, {
            "aud": "{{ApiAudience}}",
            "name": "api",
            "wellKnownUrl": "https://{{IDP.Url}}/.well-known/openid-configuration"
          }
        ],
        "principalClaim": "client_id",
        "redirectUris": "https://localhost:8983/solr/",
        "rolesClaim": "scope",
        "scheme": "Bearer",
        "scope": "{{Scopes that will act as roles}}"
      }, {
        "blockUnknown": false,
        "class": "solr.BasicAuthPlugin",
        "credentials": {
          "admin": "...",
          "k8s-oper": "..."
        },
        "forwardCredentials": false,
        "realm": "Solr",
        "scheme": "Basic"
      }
    ]
  }
}
```

P.s. Anyone looking for

```yaml
customKubeOptions:
  podOptions:
    envVars:
      - name: CREDENTIALS
        valueFrom:
          secretKeyRef:
            key: {{keyName with combined `username:password` format }}
            name: {{secret name}}
image:
  repository: library/solr
  tag: '9.7'
```
@janhoy @HoustonPutman forgot to ping you. Hope this will help :)
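The configuration above mixes rules that must stay anonymous (the kubelet probes, the inter-node key endpoint) with role-gated rules, and MultiAuth needs the Bearer/Basic schemes lined up on both the authentication and authorization side. The following is an added example, not code from the issue or from the Solr project: a small offline linter that loads an abridged, constructed copy of the posted security.json and evaluates sample requests against it. It assumes the documented RuleBasedAuthorizationPlugin semantics (permissions are checked in order, the first matching rule decides, `"role": null` admits any caller, including anonymous ones) and, as a further assumption, that every scheme under `authentication` needs a matching entry under `authorization.schemes`. Predefined named permissions without an explicit `path` (such as `core-admin-edit` or `all`) are not expanded; requests that no explicit-path rule matches are reported as falling through to those.

```python
"""Offline lint for a Solr MultiAuth security.json.

Added example (not code from the issue or the Solr project).  Assumptions:
permissions are evaluated in order, the first matching rule decides, and
"role": null means any caller (even anonymous) is allowed.  Named
predefined permissions without an explicit "path" are not modelled.
"""
import json

# Constructed, abridged copy of the configuration posted in the thread.
# Placeholders are left as-is and credentials are omitted.
SECURITY_JSON = json.dumps({
    "authentication": {
        "class": "solr.MultiAuthPlugin",
        "schemes": [
            {"scheme": "Bearer", "class": "solr.JWTAuthPlugin", "blockUnknown": True},
            {"scheme": "Basic", "class": "solr.BasicAuthPlugin", "blockUnknown": False},
        ],
    },
    "authorization": {
        "class": "solr.MultiAuthRuleBasedAuthorizationPlugin",
        "permissions": [
            {"name": "inner-node-comm", "path": "/admin/info/key", "role": None},
            {"name": "k8s-probe-0", "path": "/admin/info/system",
             "method": ["HEAD", "GET"], "role": None},
            {"name": "k8s-probe-1", "path": "/admin/info/health",
             "method": ["HEAD", "GET"], "role": None},
            {"name": "k8s-collection", "path": "/admin/collections",
             "method": ["HEAD", "GET"],
             "params": {"action": ["LIST", "CLUSTERSTATUS"]}, "role": None},
            {"name": "core-admin-edit", "role": None},
            {"name": "collection-admin-edit", "role": ["admin", "k8s"]},
            {"name": "all", "role": ["admin", "k8s"]},
        ],
        "schemes": [
            {"scheme": "Bearer", "class": "solr.ExternalRoleRuleBasedAuthorizationPlugin"},
            {"scheme": "Basic", "class": "solr.RuleBasedAuthorizationPlugin",
             "user-role": {"admin": ["admin", "k8s"], "k8s-oper": ["k8s"]}},
        ],
    },
})


def load(text: str = SECURITY_JSON) -> dict:
    return json.loads(text)


def scheme_names(section: dict) -> set:
    return {s["scheme"] for s in section.get("schemes", [])}


def scheme_mismatches(cfg: dict) -> list:
    """Schemes declared on only one side (assumption: each MultiAuthPlugin
    scheme needs a matching MultiAuthRuleBasedAuthorizationPlugin scheme)."""
    return sorted(scheme_names(cfg["authentication"]) ^ scheme_names(cfg["authorization"]))


def rule_matches(rule: dict, path: str, method: str, params: dict) -> bool:
    """Match an explicit-path rule: exact path, optional method list, and every
    constrained param must carry one of the listed values.  Wildcard paths and
    collection-scoped matching are not modelled (simplification)."""
    if rule.get("path") != path:
        return False
    if "method" in rule and method.upper() not in rule["method"]:
        return False
    return all(params.get(k) in allowed for k, allowed in rule.get("params", {}).items())


def first_matching_rule(cfg: dict, path: str, method: str, params: dict = None):
    """First explicit-path rule that matches, or None when the request would
    fall through to the predefined named permissions (not modelled here)."""
    params = params or {}
    for rule in cfg["authorization"]["permissions"]:
        if "path" in rule and rule_matches(rule, path, method, params):
            return rule
    return None


def is_anonymous(cfg: dict, path: str, method: str, params: dict = None) -> bool:
    rule = first_matching_rule(cfg, path, method, params)
    return rule is not None and rule.get("role") is None


def lint(cfg: dict) -> list:
    """Warnings worth fixing before enabling blockUnknown on the Bearer scheme."""
    warnings = [f"scheme declared on only one side: {s}" for s in scheme_mismatches(cfg)]
    bearer = next((s for s in cfg["authentication"]["schemes"] if s["scheme"] == "Bearer"), {})
    if bearer.get("blockUnknown"):
        # Kubelet probes are unauthenticated, and the posted config also keeps the
        # public-key endpoint open even though the thread notes Solr special-cases it.
        for path in ("/admin/info/key", "/admin/info/system", "/admin/info/health"):
            if not is_anonymous(cfg, path, "GET"):
                warnings.append(f"{path} is not anonymous while Bearer blockUnknown=true")
    return warnings


if __name__ == "__main__":
    cfg = load()
    for line in lint(cfg) or ["no warnings"]:
        print(line)
    for req in [("/admin/info/key", "GET", {}),
                ("/admin/collections", "GET", {"action": "LIST"}),
                ("/admin/collections", "GET", {"action": "CREATE"})]:
        rule = first_matching_rule(cfg, *req)
        print(req, "->", rule["name"] if rule else "falls through to named permissions")
```

Run it against the real security.json by passing the file contents to `load()`. The point of the request table is the ordering: a collection `LIST` hits the anonymous `k8s-collection` rule, while `CREATE` matches no explicit-path rule and is decided by the named `collection-admin-edit` permission, so moving a role-gated `/admin/collections` rule above `k8s-collection` would silently break the probe.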
/admin/info/key is always public no matter security.json. It’s a special case in the code. So must be a bug causing it to not be open for you? |
Yeah, something smells "off" here. Our dispatch code has a pretty explicit exception for In any case, it sounds like some folks are able to get JWT+basic multi-auth working without issue in Kubernetes. So I suspect we can close this out?
Others might easily see good reasons not to do this that I'm missing. Perhaps there's some security implication? But it's an interesting idea. It kind of makes sense conceptually to have nodes put their public key as the "content" of their live-node entry. And it'd save a lot of "fetch the public key" requests to boot. Maybe worth raising on the dev@ list to see what people think...