lucene-solr-user mailing list archives

From Kevin Lee <kgle...@yahoo.com.INVALID>
Subject Re: Issue Using Solr 5.3 Authentication and Authorization Plugins
Date Fri, 04 Sep 2015 13:59:40 GMT
Noble,

Does SOLR-8000 need to be re-opened?  Has anyone else been able to test the restart fix? 


At startup, these are the log messages that say there is no security configuration and the
plugins aren’t being used even though security.json is in Zookeeper:
2015-09-04 08:06:21.205 INFO  (main) [   ] o.a.s.c.CoreContainer Security conf doesn't exist. Skipping setup for authorization module.
2015-09-04 08:06:21.205 INFO  (main) [   ] o.a.s.c.CoreContainer No authentication plugin used.

Thanks,
Kevin

> On Sep 4, 2015, at 5:47 AM, Noble Paul <noble.paul@gmail.com> wrote:
> 
> There are no download links for the 5.3.x branch till we do a bug fix release
> 
> If you wish to download the trunk nightly (which is not the same as 5.3.0)
> check here https://builds.apache.org/job/Solr-Artifacts-trunk/lastSuccessfulBuild/artifact/solr/package/
> 
> If you wish to get the binaries for 5.3 branch you will have to make it
> (you will need to install svn and ant)
> 
> Here are the steps
> 
> svn checkout http://svn.apache.org/repos/asf/lucene/dev/branches/lucene_solr_5_3/
> cd lucene_solr_5_3/solr
> ant server
> 
> 
> 
> On Fri, Sep 4, 2015 at 4:11 PM, davidphilip cherian
> <davidphilipcherian@gmail.com> wrote:
>> Hi Kevin/Noble,
>> 
>> What is the download link to take the latest? What are the steps to compile
>> it, test and use?
>> We also have a use case to have this feature in solr too. Therefore, wanted
>> to test and above info would help a lot to get started.
>> 
>> Thanks.
>> 
>> 
>> On Fri, Sep 4, 2015 at 1:45 PM, Kevin Lee <kglee79@yahoo.com.invalid> wrote:
>> 
>>> Thanks, I downloaded the source and compiled it and replaced the jar file
>>> in the dist and solr-webapp’s WEB-INF/lib directory.  It does seem to be
>>> protecting the Collections API reload command now as long as I upload the
>>> security.json after startup of the Solr instances.  If I shutdown and bring
>>> the instances back up, the security is no longer in place and I have to
>>> upload the security.json again for it to take effect.
>>> 
>>> - Kevin
>>> 
>>>> On Sep 3, 2015, at 10:29 PM, Noble Paul <noble.paul@gmail.com> wrote:
>>>> 
>>>> Both these are committed. If you could test with the latest 5.3 branch
>>>> it would be helpful
>>>> 
>>>> On Wed, Sep 2, 2015 at 5:11 PM, Noble Paul <noble.paul@gmail.com> wrote:
>>>>> I opened a ticket for the same
>>>>> https://issues.apache.org/jira/browse/SOLR-8004
>>>>> 
>>>>> On Wed, Sep 2, 2015 at 1:36 PM, Kevin Lee <kglee79@yahoo.com.invalid> wrote:
>>>>>> I’ve found that completely exiting Chrome or Firefox and opening it back up re-prompts for credentials when they are required.  It was re-prompting with the /browse path where authentication was working each time I completely exited and started the browser again, however it won’t re-prompt unless you exit completely and close all running instances so I closed all instances each time to test.
>>>>>> 
>>>>>> However, to make sure I ran it via the command line via curl as suggested and it still does not give any authentication error when trying to issue the command via curl.  I get a success response from all the Solr instances that the reload was successful.
>>>>>> 
>>>>>> Not sure why the pre-canned permissions aren’t working, but the one to the request handler at the /browse path is.
>>>>>> 
>>>>>> 
>>>>>>> On Sep 1, 2015, at 11:03 PM, Noble Paul <noble.paul@gmail.com> wrote:
>>>>>>> 
>>>>>>> " However, after uploading the new security.json and restarting the web browser,"
>>>>>>> 
>>>>>>> The browser remembers your login , So it is unlikely to prompt for the credentials again.
>>>>>>> 
>>>>>>> Why don't you try the RELOAD operation using command line (curl) ?
>>>>>>> 
>>>>>>> On Tue, Sep 1, 2015 at 10:31 PM, Kevin Lee <kglee79@yahoo.com.invalid> wrote:
>>>>>>>> The restart issues aside, I’m trying to lockdown usage of the Collections API, but that also does not seem to be working either.
>>>>>>>> 
>>>>>>>> Here is my security.json.  I’m using the “collection-admin-edit” permission and assigning it to the “adminRole”.  However, after uploading the new security.json and restarting the web browser, it doesn’t seem to be requiring credentials when calling the RELOAD action on the Collections API.  The only thing that seems to work is the custom permission “browse” which is requiring authentication before allowing me to pull up the page. Am I using the permissions correctly for the RuleBasedAuthorizationPlugin?
>>>>>>>> 
>>>>>>>> {
>>>>>>>>      "authentication":{
>>>>>>>>         "class":"solr.BasicAuthPlugin",
>>>>>>>>         "credentials": {
>>>>>>>>                      "admin":"<pass> <salt>",
>>>>>>>>                      "user": "<pass> <salt>"
>>>>>>>>              }
>>>>>>>>      },
>>>>>>>>      "authorization":{
>>>>>>>>         "class":"solr.RuleBasedAuthorizationPlugin",
>>>>>>>>         "permissions": [
>>>>>>>>                      {
>>>>>>>>                              "name":"security-edit",
>>>>>>>>                              "role":"adminRole"
>>>>>>>>                      },
>>>>>>>>                      {
>>>>>>>>                              "name":"collection-admin-edit",
>>>>>>>>                              "role":"adminRole"
>>>>>>>>                      },
>>>>>>>>                      {
>>>>>>>>                              "name":"browse",
>>>>>>>>                              "collection": "inventory",
>>>>>>>>                              "path": "/browse",
>>>>>>>>                              "role":"browseRole"
>>>>>>>>                      }
>>>>>>>>              ],
>>>>>>>>         "user-role": {
>>>>>>>>                      "admin": [
>>>>>>>>                              "adminRole",
>>>>>>>>                              "browseRole"
>>>>>>>>                      ],
>>>>>>>>                      "user": [
>>>>>>>>                              "browseRole"
>>>>>>>>                      ]
>>>>>>>>              }
>>>>>>>>      }
>>>>>>>> }
>>>>>>>> 
>>>>>>>> Also tried adding the permission using the Authorization API, but no effect, still isn’t protecting the Collections API from being invoked without a username password.  I do see in the Solr logs that it sees the updates because it outputs the messages “Updating /security.json …”, “Security node changed”, “Initializing authorization plugin: solr.RuleBasedAuthorizationPlugin” and “Authentication plugin class obtained from ZK: solr.BasicAuthPlugin”.
>>>>>>>> 
>>>>>>>> Thanks,
>>>>>>>> Kevin
>>>>>>>> 
>>>>>>>>> On Sep 1, 2015, at 12:31 AM, Noble Paul <noble.paul@gmail.com> wrote:
>>>>>>>>> 
>>>>>>>>> I'm investigating why restarts or first time start does not read the security.json
>>>>>>>>> 
>>>>>>>>> On Tue, Sep 1, 2015 at 1:00 PM, Noble Paul <noble.paul@gmail.com> wrote:
>>>>>>>>>> I removed that statement
>>>>>>>>>> 
>>>>>>>>>> "If activating the authorization plugin doesn't protect the admin ui, how does one protect access to it?"
>>>>>>>>>> 
>>>>>>>>>> One does not need to protect the admin UI. You only need to protect the relevant API calls . I mean it's OK to not protect the CSS and HTML stuff.  But if you perform an action to create a core or do a query through admin UI , it automatically will prompt you for credentials (if those APIs are protected)
>>>>>>>>>> 
>>>>>>>>>> On Tue, Sep 1, 2015 at 12:41 PM, Kevin Lee <kglee79@yahoo.com.invalid> wrote:
>>>>>>>>>>> Thanks for the clarification!
>>>>>>>>>>> 
>>>>>>>>>>> So is the wiki page incorrect at https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin which says that the admin ui will require authentication once the authorization plugin is activated?
>>>>>>>>>>> 
>>>>>>>>>>> "An authorization plugin is also available to configure Solr with permissions to perform various activities in the system. Once activated, access to the Solr Admin UI and all requests will need to be authenticated and users will be required to have the proper authorization for all requests, including using the Admin UI and making any API calls."
>>>>>>>>>>> 
>>>>>>>>>>> If activating the authorization plugin doesn't protect the admin ui, how does one protect access to it?
>>>>>>>>>>> 
>>>>>>>>>>> Also, the issue I'm having is not just at restart.  According to the docs security.json should be uploaded to Zookeeper before starting any of the Solr instances.  However, I tried to upload security.json before starting any of the Solr instances, but it would not pick up the security config until after the Solr instances are already running and then uploading the security.json again.  I can see in the logs at startup that the Solr instances don't see any plugin enabled even though security.json is already in zookeeper and then after they are started and the security.json is uploaded again I see it reconfigure to use the plugin.
>>>>>>>>>>> 
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Kevin
>>>>>>>>>>> 
>>>>>>>>>>>> On Aug 31, 2015, at 11:22 PM, Noble Paul <noble.paul@gmail.com> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>> Admin UI is not protected by any of these permissions. Only if you try to perform a protected operation , it asks for a password.
>>>>>>>>>>>> 
>>>>>>>>>>>> I'll investigate the restart problem and report my findings
>>>>>>>>>>>> 
>>>>>>>>>>>>> On Tue, Sep 1, 2015 at 3:10 AM, Kevin Lee <kglee79@yahoo.com.invalid> wrote:
>>>>>>>>>>>>> Anyone else running into any issues trying to get the authentication and authorization plugins in 5.3 working?
>>>>>>>>>>>>> 
>>>>>>>>>>>>>> On Aug 29, 2015, at 2:30 AM, Kevin Lee <kglee79@yahoo.com.INVALID> wrote:
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> I’m trying to use the new basic auth plugin for Solr 5.3 and it doesn’t seem to be working quite right.  Not sure if I’m missing steps or there is a bug.  I am able to get it to protect access to a URL under a collection, but am unable to get it to secure access to the Admin UI.  In addition, after stopping the Solr and Zookeeper instances, the security.json is still in Zookeeper, however Solr is allowing access to everything again like the security configuration isn’t in place.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Contents of security.json taken from wiki page, but edited to produce valid JSON.  Had to move comma after 3rd from last “}” up to just after the last “]”.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> {
>>>>>>>>>>>>>> "authentication":{
>>>>>>>>>>>>>> "class":"solr.BasicAuthPlugin",
>>>>>>>>>>>>>> "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
>>>>>>>>>>>>>> },
>>>>>>>>>>>>>> "authorization":{
>>>>>>>>>>>>>> "class":"solr.RuleBasedAuthorizationPlugin",
>>>>>>>>>>>>>> "permissions":[{"name":"security-edit",
>>>>>>>>>>>>>> "role":"admin"}],
>>>>>>>>>>>>>> "user-role":{"solr":"admin"}
>>>>>>>>>>>>>> }}
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Here are the steps I followed:
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Upload security.json to zookeeper
>>>>>>>>>>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile /security.json ~/solr/security.json
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Use zkCli.sh from Zookeeper to ensure the security.json is in Zookeeper at /security.json.  It is there and looks like what was originally uploaded.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Start Solr Instances
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Attempt to create a permission, however get the following error:
>>>>>>>>>>>>>> {
>>>>>>>>>>>>>> "responseHeader":{
>>>>>>>>>>>>>> "status":400,
>>>>>>>>>>>>>> "QTime":0},
>>>>>>>>>>>>>> "error":{
>>>>>>>>>>>>>> "msg":"No authorization plugin configured",
>>>>>>>>>>>>>> "code":400}}
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Upload security.json again.
>>>>>>>>>>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile /security.json ~/solr/security.json
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Issue the following to try to create the permission again and this time it’s successful.
>>>>>>>>>>>>>> // Create a permission for mysearch endpoint
>>>>>>>>>>>>>>      curl --user solr:SolrRocks -H 'Content-type:application/json' -d '{"set-permission": {"name":"mycollection-search","collection": "mycollection","path":"/mysearch","role": "search-user"}}' http://localhost:8983/solr/admin/authorization
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> {
>>>>>>>>>>>>>> "responseHeader":{
>>>>>>>>>>>>>>  "status":0,
>>>>>>>>>>>>>>  "QTime":7}}
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Issue the following commands to add users
>>>>>>>>>>>>>> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{"set-user": {"admin" : "password" }}'
>>>>>>>>>>>>>> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{"set-user": {"user" : "password" }}'
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Issue the following command to add permission to users
>>>>>>>>>>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{ "set-user-role" : {"admin": ["search-user", "admin"]}}' http://localhost:8983/solr/admin/authorization
>>>>>>>>>>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{ "set-user-role" : {"user": ["search-user"]}}' http://localhost:8983/solr/admin/authorization
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> After executing the above, access to /mysearch is protected until I restart the Solr and Zookeeper instances.  However, the admin UI is never protected like the Wiki page says it should be once activated.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> https://cwiki.apache.org/confluence/display/solr/Rule-Based+Authorization+Plugin <https://cwiki.apache.org/confluence/display/solr/Rule-Based+Authorization+Plugin>
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Why does the authentication and authorization plugin not stay activated after restart and why is the Admin UI never protected?  Am I missing any steps?
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>> Kevin
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> --
>>>>>>>>>>>> -----------------------------------------------------
>>>>>>>>>>>> Noble Paul
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> --
>>>>>>>>>> -----------------------------------------------------
>>>>>>>>>> Noble Paul
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> --
>>>>>>>>> -----------------------------------------------------
>>>>>>>>> Noble Paul
>>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> --
>>>>>>> -----------------------------------------------------
>>>>>>> Noble Paul
>>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> -----------------------------------------------------
>>>>> Noble Paul
>>>> 
>>>> 
>>>> 
>>>> --
>>>> -----------------------------------------------------
>>>> Noble Paul
>>> 
>>> 
> 
> 
> 
> -- 
> -----------------------------------------------------
> Noble Paul
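
A startup-log check for the symptom reported in this thread, as an added example (not code from the thread or from the Solr project): it looks for the message fragments quoted above and reports, per module, whether the plugin was loaded and how much time passed between the "skipped" message and the later "loaded" message. The last two sample lines are constructed; their timestamps and thread field are assumptions.

```python
from datetime import datetime

# Message fragments quoted in this thread, mapped to (module, loaded?).
MARKERS = {
    "Security conf doesn't exist": ("authorization", False),
    "No authentication plugin used": ("authentication", False),
    "Initializing authorization plugin:": ("authorization", True),
    "Authentication plugin class obtained from ZK:": ("authentication", True),
}

# Lines 1-2 are from the message above; lines 3-4 are constructed (assumed).
SAMPLE = [
    "2015-09-04 08:06:21.205 INFO  (main) [   ] o.a.s.c.CoreContainer "
    "Security conf doesn't exist. Skipping setup for authorization module.",
    "2015-09-04 08:06:21.205 INFO  (main) [   ] o.a.s.c.CoreContainer "
    "No authentication plugin used.",
    "2015-09-04 08:11:21.205 INFO  (constructed) [   ] "
    "Initializing authorization plugin: solr.RuleBasedAuthorizationPlugin",
    "2015-09-04 08:11:22.205 INFO  (constructed) [   ] "
    "Authentication plugin class obtained from ZK: solr.BasicAuthPlugin",
]

def parse_ts(line):
    """Timestamp at the start of a log line, or None if there is none."""
    try:
        return datetime.strptime(line[:23], "%Y-%m-%d %H:%M:%S.%f")
    except ValueError:
        return None

def audit(log_lines):
    """Per module: loaded (True/False/None) and seconds from skip to load."""
    report = {m: {"loaded": None, "open_seconds": None}
              for m in ("authentication", "authorization")}
    skipped_at = {}
    for line in log_lines:
        ts = parse_ts(line)
        for fragment, (module, loaded) in MARKERS.items():
            if fragment not in line:
                continue
            report[module]["loaded"] = loaded
            if not loaded:            # startup (or restart) without the plugin
                skipped_at[module] = ts
                report[module]["open_seconds"] = None
            elif skipped_at.get(module) and ts:
                report[module]["open_seconds"] = (ts - skipped_at.pop(module)).total_seconds()
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A module whose `loaded` value is still `False` at the end of the log matches the state described in this message: security.json present in Zookeeper, but the node started without the plugin.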

