lucene-dev mailing list archives

From "Ishan Chattopadhyaya (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (SOLR-8440) Script support for enabling basic auth
Date Sat, 29 Apr 2017 01:13:04 GMT

    [ https://issues.apache.org/jira/browse/SOLR-8440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15989260#comment-15989260 ]

Ishan Chattopadhyaya edited comment on SOLR-8440 at 4/29/17 1:12 AM:
---------------------------------------------------------------------

WIP patch.

# Introduces the "auth" command, e.g. {{bin/solr auth -enable -type basic -adminuser solr -adminpassword SolrRocks}}
# Support for optional blockUnknown (false by default)
# -TODO: Put the hash of the password. Currently hardcoded to hash of "SolrRocks"-
# -TODO: Introduce a separate file and put the admin username/password there for use by the script. If user wants, the bin/solr.in.sh can be used to override this user/pw.- Added auth.overlay.sh file, which is applied after solr.in.sh has been applied. This file is created during -enable, and deleted during -disable.
# TODO: Do pre-checks before enabling; don't do anything if already enabled.
# Uploads the following security.json by default (apart from the user/password hash variant).
# TODO: Windows script (bin/solr.cmd)

{code}
{
  "authentication":{
   "blockUnknown": $blockUnknown,
   "class":"solr.BasicAuthPlugin",
   "credentials":{$user:$saltedhash_of_password}
  },
  "authorization":{
   "class":"solr.RuleBasedAuthorizationPlugin",
   "permissions":[
	{"name":"security-edit", "role":"admin"},
	{"name":"collection-admin-edit", "role":"admin"},
	{"name":"core-admin-edit", "role":"admin"}
   ],
   "user-role":{"$user":"admin"}
  }
}
{code}

With just this in place (after fixing TODOs and nocommits), one can enable basicauth with
typical authz configuration. After this, the user can use the REST API for authc/authz, or
we can build further support for adding users, roles etc. to the script.


was (Author: ichattopadhyaya):
WIP patch.

# Introduces the "auth" command, e.g. {{bin/solr auth -enable -type basic -adminuser solr -adminpassword SolrRocks}}
# Support for optional blockUnknown (false by default)
# TODO: Put the hash of the password. Currently hardcoded to hash of "SolrRocks"
# TODO: Introduce a separate file and put the admin username/password there for use by the script. If user wants, the bin/solr.in.sh can be used to override this user/pw.
# TODO: Do pre-checks before enabling; don't do anything if already enabled.
# Uploads the following security.json by default (apart from the user/password hash variant).

{code}
{
  "authentication":{
   "blockUnknown": $blockUnknown,
   "class":"solr.BasicAuthPlugin",
   "credentials":{"$user":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
  },
  "authorization":{
   "class":"solr.RuleBasedAuthorizationPlugin",
   "permissions":[
	{"name":"security-edit", "role":"admin"},
	{"name":"collection-admin-edit", "role":"admin"},
	{"name":"core-admin-edit", "role":"admin"}
   ],
   "user-role":{"$user":"admin"}
  }
}
{code}

With just this in place (after fixing TODOs and nocommits), one can enable basicauth with
typical authz configuration. After this, the user can use the REST API for authc/authz, or
we can build further support for adding users, roles etc. to the script.

> Script support for enabling basic auth
> --------------------------------------
>
>                 Key: SOLR-8440
>                 URL: https://issues.apache.org/jira/browse/SOLR-8440
>             Project: Solr
>          Issue Type: New Feature
>          Components: scripts and tools
>            Reporter: Jan Høydahl
>            Assignee: Ishan Chattopadhyaya
>              Labels: authentication, security
>         Attachments: SOLR-8440.patch, SOLR-8440.patch
>
>
> Now that BasicAuthPlugin will be able to work without an AuthorizationPlugin (SOLR-8429), it would be sweet to provide a super simple way to "Password protect Solr"™ right from the command line:
> {noformat}
> bin/solr basicAuth -adduser -user solr -pass SolrRocks
> {noformat}
> It would take the mystery out of enabling one single password across the board. The command would do something like this
> # Check if HTTPS is enabled, and if not, print a friendly warning
> # Check if {{/security.json}} already exists
> ## NO => create one with only plugin class defined
> ## YES => Abort if exists but plugin is not {{BasicAuthPlugin}}
> # Using security REST API, add the new user



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
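
Added example, not part of the original message or the attached patch: a Python sketch of the password hashing and template filling the comment describes, producing a freshly salted credential per password and building security.json through a JSON serializer so the user name is quoted and escaped. It assumes BasicAuthPlugin stores a credential as base64(sha256(sha256(salt + password))), a space, then base64(salt); the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import os


def solr_credential(password, salt=None):
    """Return '<base64 hash> <base64 salt>' for one BasicAuthPlugin credentials entry."""
    # Assumed scheme: sha256(sha256(salt + password)); a random 32-byte salt per password.
    salt = os.urandom(32) if salt is None else salt
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    digest = hashlib.sha256(inner).digest()
    return f"{base64.b64encode(digest).decode()} {base64.b64encode(salt).decode()}"


def verify_credential(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = base64.b64decode(stored.split(" ", 1)[1])
    return hmac.compare_digest(solr_credential(password, salt).encode(), stored.encode())


def build_security_json(user, password, block_unknown=False):
    """Fill the template from the comment; json.dumps handles quoting and escaping."""
    doc = {
        "authentication": {
            "blockUnknown": block_unknown,
            "class": "solr.BasicAuthPlugin",
            "credentials": {user: solr_credential(password)},
        },
        "authorization": {
            "class": "solr.RuleBasedAuthorizationPlugin",
            "permissions": [
                {"name": "security-edit", "role": "admin"},
                {"name": "collection-admin-edit", "role": "admin"},
                {"name": "core-admin-edit", "role": "admin"},
            ],
            "user-role": {user: "admin"},
        },
    }
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    # User name and password are the sample values used in the comment above.
    print(build_security_json("solr", "SolrRocks", block_unknown=True))
```

Serializing the document instead of interpolating shell variables into a JSON string also avoids the kind of missing-comma or unquoted-key errors a hand-written template invites.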
