lucene-solr-user mailing list archives

From Aziz Gaou <gaoua...@gmail.com>
Subject Re: Securing solr 5.2 basic auth permission rules
Date Fri, 18 Sep 2015 17:49:13 GMT
Hi,

Thank you Sanders for your quick reply,

I try now to follow the steps

2015-09-17 19:37 GMT+00:00 Sanders, Marshall (AT - Atlanta) <
Marshall.Sanders@autotrader.com>:

> So the issue is that when it's stated that solr runs on jetty 9 what it
> really means is that it runs on 5% of jetty9 and the other 95% has been
> stripped out.  (WHYYYY!  It's only ~13 MB)
>
> You'll need to download the appropriate version of jetty and before
> starting up do the following
>
> 1. Copy modules/jaas.mod to the unpacked solr directory server/modules
> 2. Copy etc/jetty-jaas.xml to server/etc
> 3. Copy the jetty-jaas-<version>.jar to server/lib
> 4. Call the following before starting solr: java -jar start.jar
> --add-to-startd=jaas
>
> Now when you start solr JAAS will be available and you should be able to
> configure it with all of the defaults that you would expect.
> http://www.eclipse.org/jetty/documentation/current/jaas-support.html
>
>
> I'll reiterate that I think it's a pretty bad decision to have stripped
> out the modules from the version of jetty shipped.  Especially since they
> won't be loaded into the classloader with the new jetty modules setup.
>
>
> Marshall Sanders
> Technical Lead – Software Engineer
> Autotrader.com
> 404-568-7130
>
> -----Original Message-----
> From: Sanders, Marshall (AT - Atlanta) [mailto:
> Marshall.Sanders@autotrader.com]
> Sent: Thursday, September 17, 2015 2:28 PM
> To: solr-user@lucene.apache.org
> Subject: RE: Securing solr 5.2 basic auth permission rules
>
> I'm actually trying to do something similar with 5.3
>
> We're in the process of upgrading from 4.10 and were previously using jaas
> to secure dih pages and a few others and had a config similar to what you
> described.
>
> The error I get is the following (might only be visible when you change the
> log4j startup log level, I didn't check what the default log level is):
>
> 2015-09-17 11:19:10,121 [main] WARN  xml.XmlConfiguration Config error at
> <Call name="addBean"><Arg>
>           <New class="org.eclipse.jetty.plus.jaas.JAASLoginService"><Set
> name="Name">SolrRealm</Set><Set
> name="LoginModuleName">multiloginmodule</Set></New>
>       </Arg></Call>
>
> From what I gather now with jetty 9 the modules have to be enabled
> individually:
> http://www.eclipse.org/jetty/documentation/current/startup-modules.html
>
> However: when I run
> java -jar start.jar --list-modules
>
> I only get a few modules as possibilities (server,http,https,ssl).  I
> tried adding the jetty-jaas jar for the version of jetty with 5.3 to /lib
> but I still am not able to figure out how to turn it on as it doesn't show
> up in the list.
>
> I'm much less familiar with jetty than I am with others so I'm still
> fumbling a bit here.  But it seems we need to:
>
> 1. Add the jetty-jaas.jar that's missing via an outside script  (Also note
>    that if you want ldap you'll have to use an additional jar)
> 2. Execute the following (java -jar start.jar --add-to-startd=jaas)
> 3. Start the server (either with your own script or the new ./solr scripts)
>
> I've got the jar added, but either it's not in the right place (I've got
> it in /lib maybe it needs to be in /lib/ext?) or jetty needs to be
> configured to recognize it.
>
> Not sure what the thinking was behind the decision that only people
> running solr cloud would want authentication, or even how solr made it to
> 5.2 before adding anything in at all!
>
> We had all this working great in jetty8 solr versions but with the new
> jetty9 modules/classloaders it's proving a challenge.
>
> Marshall Sanders
> Technical Lead – Software Engineer
> Autotrader.com
> 404-568-7130
>
> -----Original Message-----
> From: Aziz Gaou [mailto:gaouaziz@gmail.com]
> Sent: Thursday, September 17, 2015 5:55 AM
> To: solr-user@lucene.apache.org
> Subject: Re: Securing solr 5.2 basic auth permission rules
>
> thank you so much for your reply,
>
> Now, I try to protect Apache Solr 5 admin with jetty, when I change
>
> 1) sudo nano /opt/solr/server/etc/webdefault.xml
>
>
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <web-app ......>
>
> <!-- only the relevant addition is listed here -->
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Solr</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>search-role</role-name>
>   </auth-constraint>
> </security-constraint>
>
> <login-config>
>   <auth-method>BASIC</auth-method>
>   <realm-name>Solr Realm</realm-name>
> </login-config>
>
> </web-app>
>
> 2) I changed too "jetty.xml"
> <https://gist.github.com/jstrassburg/9777027#file-jetty-xml> and
> "realm.properties"
> <https://gist.github.com/jstrassburg/9777027#file-realm-properties>
>
> 3) the following message will appear on browser:
>
>  - http://localhost:8983/solr/
>
>
> HTTP ERROR: 503
>
> Problem accessing /solr/. Reason:
>
>     Service Unavailable
>
> ------------------------------
> *Powered by Jetty://*
>
>
> Thanks for your help
>
> 2015-09-16 18:58 GMT+00:00 Anshum Gupta <anshum@anshumgupta.net>:
>
> > Basic authentication (and the API support, that you're trying to use)
> > was only released with 5.3.0 so it wouldn't work with 5.2.
> > 5.2 only had the authentication and authorization frameworks, and
> > shipped with Kerberos authentication plugin out of the box.
> >
> > There are a few known issues with that though, and a 5.3.1 release is
> > just around the corner.
> >
> > On Wed, Sep 16, 2015 at 10:11 AM, Aziz Gaou <gaouaziz@gmail.com> wrote:
> >
> > > Hi,
> > >
> > > I try to follow:
> > >
> > >
> > > https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin
> > > ,
> > > to protect Solr 5.2 Admin with password, but I have not been able to
> > > secure.
> > >
> > > 1) When I run the following command:
> > >
> > > curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication \
> > >   -H 'Content-type:application/json' -d '{
> > >   "set-user": {"tom" : "TomIsCool" }}'
> > >
> > > no update on the file security.json
> > >
> > > 2) I launched the following 2 commands:
> > >
> > > curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization \
> > >   -H 'Content-type:application/json' -d '{"set-permission": {
> > > "name":"updates", "collection":"MyCollection", "role": "dev"}}'
> > >
> > > curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization \
> > >   -H 'Content-type:application/json' -d '{ "set-user-role":
> > >   {"tom":["dev"]}}'
> > >
> > > always MyCollection is not protected.
> > >
> > >
> > > thank you for your help.
> > >
> >
> >
> >
> > --
> > Anshum Gupta
> >
>
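
The four steps from Marshall Sanders's reply, as an added shell example that is not part of the original thread. It assumes a full Jetty distribution laid out as modules/jaas.mod, etc/jetty-jaas.xml and lib/jetty-jaas-<version>.jar, and that Solr's bundled Jetty version can be read from the jetty-server-<version>.jar name in server/lib; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: copy the JAAS pieces from a full Jetty distribution into
# Solr's trimmed-down server/ directory (steps 1-3), then enable the module
# (step 4). JETTY_HOME and SOLR_SERVER are paths supplied by the caller.

# Print the version of the Jetty bundled with Solr, taken from the
# jetty-server-<version>.jar file name in SOLR_SERVER/lib (assumed layout).
bundled_jetty_version() {
    local jar
    for jar in "$1"/lib/jetty-server-*.jar; do
        [ -e "$jar" ] || return 1          # glob matched nothing
        jar=${jar##*/jetty-server-}
        printf '%s\n' "${jar%.jar}"
        return 0
    done
}

# install_jaas JETTY_HOME SOLR_SERVER
install_jaas() {
    local jetty_home=$1 solr_server=$2 version f
    version=$(bundled_jetty_version "$solr_server") || {
        echo "no jetty-server jar under $solr_server/lib" >&2; return 1; }
    # Check everything first, so a jar from a different Jetty release than
    # the one Solr runs on is refused before any file is copied.
    for f in modules/jaas.mod etc/jetty-jaas.xml "lib/jetty-jaas-$version.jar"; do
        [ -f "$jetty_home/$f" ] || {
            echo "missing $jetty_home/$f (need Jetty $version)" >&2; return 1; }
    done
    mkdir -p "$solr_server/modules"
    cp "$jetty_home/modules/jaas.mod"            "$solr_server/modules/"
    cp "$jetty_home/etc/jetty-jaas.xml"          "$solr_server/etc/"
    cp "$jetty_home/lib/jetty-jaas-$version.jar" "$solr_server/lib/"
}

# enable_jaas SOLR_SERVER: step 4, then confirm the module is now listed.
enable_jaas() {
    (cd "$1" && java -jar start.jar --add-to-startd=jaas &&
        java -jar start.jar --list-modules | grep -qw jaas)
}

# Usage: script.sh /path/to/jetty-distribution /path/to/solr/server
if [ "$#" -eq 2 ]; then
    install_jaas "$1" "$2" && enable_jaas "$2"
fi
```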
