solr-operator does not support authentication as far back as Solr 6.6.6

[nickumia-reisys]

Environment: cloud.gov
Solr Version: 6.6.6

During our release of Solr on cloud.gov, when an instance of Solr was provisioned and the url was visited, the Solr Admin UI was not restricted by authentication features. Upon inspection, the authentication plugin was not configured.

Based on the results from the implementation of authentication,

• As of 8.6, Solr native BasicAuth implements custom login/logout UI through an AngularJS library.
• Prior to 8.6, Solr native BasicAuth is implemented through browser-enabled HTTPBasicAuth (in the same way as NGINX).

How to reproduce

1. Create an instance of solr with the following commands:

cf create-service solr-cloud base [instance-name] -b [broker-name] -c '{"solrImageTag":"6.6.6"}'
cf create-service-key [instance-name] key
cf service-key [instance-name] key

2. Use the outputted credentials to login at the URL.

Expected behavior

Login page hit. Credentials accepted. Login successful.

Actual behavior

No login page. Open access.

Sketch

[Notes or a checklist reflecting our understanding of the selected approach]

• Useful commands:

# Extract kubeconfig from cloud.gov
# Save the config to a file and use that file to run kubectl
cf t -s management; cf env ssb-solr | grep -i kubeconfig
KUBECONFIG=kubeconfig kuebctl get all -n default

# Analyze the secrets to find good user pairs
KUBECONFIG=kubeconfig kubectl get secrets
KUBECONFIG=kubeconfig kubectl get secret [***-solrcloud-basic-auth] -o jsonpath='{.data.password}'  | base64 -d

Important resources:

• Solr Cloud CRD

[mogul]

@adborden and I worked on this today. We confirmed the problem in the dev environment: Solr 6.6.6 /admin does not require credentials. (The test to see if auth credentials work doesn't check to see if supplying bad/no credentials fails.)

[mogul]

We investigated more and eventually filed an upstream bug with the solr-operator documenting our findings.

[mogul]

We pushed the improved (and now failing) test up on the test/solr-6.6-login branch.

[mogul]

The latest version of the brokerpak added the capability to logout of a session in the admin UI in order to address a compliance finding... but that change only applies for newer versions of Solr than we can currently use for our CKAN apps, so it's more of an academic than practical point. We're not using the admin UI for data.gov, and the client apps will always supply credentials with each request to the API in any case.

I think while the upstream bug is pending, we can just downgrade the deployed brokerpak to the previous version that used nginx-ingress to add authentication. That would unblock using brokered Solr instances with our apps.

[mogul]

Oh no.

Can anyone speak to his questions about how CKAN uses Solr? Does it use Solr in really simple ways, or is it explicitly just not compatible with newer versions?

[mogul]

@adborden said in Slack:

Explicitly not compatible. The way that CKAN specifies the schema via solr config file at install time is no longer supported. CKAN needs to switch to solr’s managed schema API.
ckan/ckan#6248
Hmm, re-reading the issues, maybe I’m wrong that Solr 8 requires managed Schema and there might be a path with Solr 7.

[jbrown-xentity]

It looks like someone got it working, a few notes are made...
https://stackoverflow.com/questions/48533541/can-ckan-support-solr-7-0

[mogul]

I think while the upstream bug is pending, we can just downgrade the deployed brokerpak to the previous version that used nginx-ingress to add authentication. That would unblock using brokered Solr instances with our apps.

Oh ho ho ho, if only it were that easy... The previous solr brokerpak expects solr-operator 0.3.0, but the eks brokerpak installs 0.4.0, which means the previous solr brokerpak doesn't work. ARGH.

[mogul]

It looks like someone got it working, a few notes are made... https://stackoverflow.com/questions/48533541/can-ckan-support-solr-7-0

That seems like pretty minor changes. Any guesses why upstream CKAN wouldn't have made the move to 7.x if that's all it takes?

[jbrown-xentity]

This might be an easier lift for solr v7: ckan/ckan#4387
It would be interesting to look at a diff for our schema versus this one...
They also started an epic to track planning on how to get on solr 8, code changes, schema changes, documentation changes, and possible future changes to allow for CKAN to manage solr instead of it all being outside ckan...

[jbrown-xentity]

I posted on CKAN gitter about SOLR 8 on where we can track CKAN discussions, or if these conversations died if we can get caught up.

[jbrown-xentity]

CKAN PR to move to SOLR 8 (looks minimal, but still in draft mode): ckan/ckan#6530

[mogul]

Just noting here that the upstream PR seems to be getting close attention and is proceeding rapidly. 🤞