lucene-solr-user mailing list archives

From Noble Paul <noble.p...@gmail.com>
Subject Re: Issue Using Solr 5.3 Authentication and Authorization Plugins
Date Tue, 01 Sep 2015 07:31:47 GMT
I'm investigating why restarts or first time start does not read the
security.json

On Tue, Sep 1, 2015 at 1:00 PM, Noble Paul <noble.paul@gmail.com> wrote:
> I removed that statement
>
> "If activating the authorization plugin doesn't protect the admin ui,
> how does one protect access to it?"
>
> One does not need to protect the admin UI. You only need to protect
> the relevant API calls. I mean it's OK to not protect the CSS and
> HTML stuff. But if you perform an action to create a core or do a
> query through admin UI, it automatically will prompt you for
> credentials (if those APIs are protected)
>
> On Tue, Sep 1, 2015 at 12:41 PM, Kevin Lee <kglee79@yahoo.com.invalid> wrote:
>> Thanks for the clarification!
>>
>> So is the wiki page incorrect at
>> https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin
>> which says that the admin ui will require authentication once the
>> authorization plugin is activated?
>>
>> "An authorization plugin is also available to configure Solr with
>> permissions to perform various activities in the system. Once activated,
>> access to the Solr Admin UI and all requests will need to be authenticated
>> and users will be required to have the proper authorization for all
>> requests, including using the Admin UI and making any API calls."
>>
>> If activating the authorization plugin doesn't protect the admin ui, how
>> does one protect access to it?
>>
>> Also, the issue I'm having is not just at restart. According to the docs
>> security.json should be uploaded to Zookeeper before starting any of the
>> Solr instances. However, I tried to upload security.json before starting
>> any of the Solr instances, but it would not pick up the security config
>> until after the Solr instances are already running and then uploading the
>> security.json again. I can see in the logs at startup that the Solr
>> instances don't see any plugin enabled even though security.json is
>> already in zookeeper and then after they are started and the security.json
>> is uploaded again I see it reconfigure to use the plugin.
>>
>> Thanks,
>> Kevin
>>
>>> On Aug 31, 2015, at 11:22 PM, Noble Paul <noble.paul@gmail.com> wrote:
>>>
>>> Admin UI is not protected by any of these permissions. Only if you try
>>> to perform a protected operation, it asks for a password.
>>>
>>> I'll investigate the restart problem and report my findings
>>>
>>>> On Tue, Sep 1, 2015 at 3:10 AM, Kevin Lee <kglee79@yahoo.com.invalid> wrote:
>>>> Anyone else running into any issues trying to get the authentication and
>>>> authorization plugins in 5.3 working?
>>>>
>>>>> On Aug 29, 2015, at 2:30 AM, Kevin Lee <kglee79@yahoo.com.INVALID> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I’m trying to use the new basic auth plugin for Solr 5.3 and it doesn’t
>>>>> seem to be working quite right. Not sure if I’m missing steps or there
>>>>> is a bug. I am able to get it to protect access to a URL under a
>>>>> collection, but am unable to get it to secure access to the Admin UI.
>>>>> In addition, after stopping the Solr and Zookeeper instances, the
>>>>> security.json is still in Zookeeper, however Solr is allowing access to
>>>>> everything again like the security configuration isn’t in place.
>>>>>
>>>>> Contents of security.json taken from wiki page, but edited to produce
>>>>> valid JSON. Had to move comma after 3rd from last “}” up to just after
>>>>> the last “]”.
>>>>>
>>>>> {
>>>>> "authentication":{
>>>>> "class":"solr.BasicAuthPlugin",
>>>>> "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
>>>>> },
>>>>> "authorization":{
>>>>> "class":"solr.RuleBasedAuthorizationPlugin",
>>>>> "permissions":[{"name":"security-edit",
>>>>>    "role":"admin"}],
>>>>> "user-role":{"solr":"admin"}
>>>>> }}
>>>>>
>>>>> Here are the steps I followed:
>>>>>
>>>>> Upload security.json to zookeeper
>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile /security.json ~/solr/security.json
>>>>>
>>>>> Use zkCli.sh from Zookeeper to ensure the security.json is in Zookeeper
>>>>> at /security.json. It is there and looks like what was originally uploaded.
>>>>>
>>>>> Start Solr Instances
>>>>>
>>>>> Attempt to create a permission, however get the following error:
>>>>> {
>>>>> "responseHeader":{
>>>>>  "status":400,
>>>>>  "QTime":0},
>>>>> "error":{
>>>>>  "msg":"No authorization plugin configured",
>>>>>  "code":400}}
>>>>>
>>>>> Upload security.json again.
>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile /security.json ~/solr/security.json
>>>>>
>>>>> Issue the following to try to create the permission again and this time
>>>>> it’s successful.
>>>>> // Create a permission for mysearch endpoint
>>>>> curl --user solr:SolrRocks -H 'Content-type:application/json' -d '{"set-permission": {"name":"mycollection-search","collection": "mycollection","path":"/mysearch","role": "search-user"}}' http://localhost:8983/solr/admin/authorization
>>>>>
>>>>>  {
>>>>>    "responseHeader":{
>>>>>      "status":0,
>>>>>      "QTime":7}}
>>>>>
>>>>> Issue the following commands to add users
>>>>> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{"set-user": {"admin" : "password" }}'
>>>>> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{"set-user": {"user" : "password" }}'
>>>>>
>>>>> Issue the following command to add permission to users
>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{ "set-user-role" : {"admin": ["search-user", "admin"]}}' http://localhost:8983/solr/admin/authorization
>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{ "set-user-role" : {"user": ["search-user"]}}' http://localhost:8983/solr/admin/authorization
>>>>>
>>>>> After executing the above, access to /mysearch is protected until I
>>>>> restart the Solr and Zookeeper instances. However, the admin UI is
>>>>> never protected like the Wiki page says it should be once activated.
>>>>>
>>>>> https://cwiki.apache.org/confluence/display/solr/Rule-Based+Authorization+Plugin
>>>>>
>>>>> Why does the authentication and authorization plugin not stay activated
>>>>> after restart and why is the Admin UI never protected? Am I missing any
>>>>> steps?
>>>>>
>>>>> Thanks,
>>>>> Kevin
>>>
>>>
>>>
>>> --
>>> -----------------------------------------------------
>>> Noble Paul
>
>
>
> --
> -----------------------------------------------------
> Noble Paul



-- 
-----------------------------------------------------
Noble Paul
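
A pre-upload check for the security.json discussed in this thread, as an added example that is not part of any message above and is not Solr's own code: it catches the invalid-JSON case Kevin hit with the wiki sample, plus roles or users that the file references but never defines. The names `lint_security_json` and `as_list` are hypothetical, and the credential layout (base64 SHA-256 hash, a space, base64 salt) is assumed from the value in the posted file.

```python
import base64
import json

# The security.json quoted in the thread, reproduced as sample input.
SAMPLE = """{
"authentication":{
"class":"solr.BasicAuthPlugin",
"credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
},
"authorization":{
"class":"solr.RuleBasedAuthorizationPlugin",
"permissions":[{"name":"security-edit","role":"admin"}],
"user-role":{"solr":"admin"}
}}"""

def as_list(value):  # a role may be written as one string or as a list
    return [value] if isinstance(value, str) else list(value or [])

def lint_security_json(text):
    """Return a list of problems; an empty list means the file passed."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return ["invalid JSON at line %d: %s" % (exc.lineno, exc.msg)]
    cfg = cfg if isinstance(cfg, dict) else {}
    problems = []
    for block in ("authentication", "authorization"):
        if not isinstance(cfg.get(block), dict) or "class" not in cfg[block]:
            problems.append("missing %s block or its class" % block)
    if problems:
        return problems
    creds = cfg["authentication"].get("credentials", {})
    for user, value in creds.items():
        try:  # assumed layout: base64(SHA-256 hash), space, base64(salt)
            hashed, salt = (base64.b64decode(p, validate=True) for p in value.split(" "))
            if len(hashed) != 32 or not salt:
                raise ValueError
        except ValueError:  # also covers binascii.Error and a wrong field count
            problems.append("credential for %r is not '<hash> <salt>' in base64" % user)
    held = set()
    for user, roles in cfg["authorization"].get("user-role", {}).items():
        if user not in creds:
            problems.append("user %r has roles but no credentials" % user)
        held.update(as_list(roles))
    for perm in cfg["authorization"].get("permissions", []):
        for role in as_list(perm.get("role")):
            if role not in held:
                problems.append("permission %r needs role %r, which no user holds" % (perm.get("name"), role))
    return problems
```

The check only covers the file's contents; whether a running Solr node has actually loaded it from ZooKeeper still has to be confirmed against the node itself, as the thread shows.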
