Date: Fri, 18 Sep 2015 17:49:13 +0000
Subject: Re: Securing solr 5.2 basic auth permission rules
From: Aziz Gaou
To: solr-user@lucene.apache.org

Hi,

Thank you Sanders for your quick reply, I try now to follow the steps

2015-09-17 19:37 GMT+00:00 Sanders, Marshall (AT - Atlanta) <Marshall.Sanders@autotrader.com>:

> So the issue is that when it's stated that solr runs on jetty 9 what it
> really means is that it runs on 5% of jetty9 and the other 95% has been
> stripped out. (WHYYYY! It's only ~13 MB)
>
> You'll need to download the appropriate version of jetty and before
> starting up do the following
>
> 1. Copy modules/jaas.mod to the unpacked solr directory server/modules
> 2. Copy etc/jetty-jaas.xml to server/etc
> 3. Copy the jetty-jaas-.jar to server/lib
> 4. Call the following before starting solr: java -jar start.jar --add-to-startd=jaas
>
> Now when you start solr JAAS will be available and you should be able to
> configure it with all of the defaults that you would expect.
> http://www.eclipse.org/jetty/documentation/current/jaas-support.html
>
> I'll reiterate that I think it's a pretty bad decision to have stripped
> out the modules from the version of jetty shipped. Especially since they
> won't be loaded into the classloader with the new jetty modules setup.
>
> Marshall Sanders
> Technical Lead – Software Engineer
> Autotrader.com
> 404-568-7130
>
> -----Original Message-----
> From: Sanders, Marshall (AT - Atlanta) [mailto:Marshall.Sanders@autotrader.com]
> Sent: Thursday, September 17, 2015 2:28 PM
> To: solr-user@lucene.apache.org
> Subject: RE: Securing solr 5.2 basic auth permission rules
>
> I'm actually trying to do something similar with 5.3
>
> We're in the process of upgrading from 4.10 and were previously using jaas
> to secure dih pages and a few others and had a config similar to what you
> described.
>
> The Error I get is the following (Might only be visible when you change the
> log4j startup log level, I didn't check what the default log level is):
>
> 2015-09-17 11:19:10,121 [main] WARN xml.XmlConfiguration Config error at
> name="Name">SolrRealm name="LoginModuleName">multiloginmodule
>
> From what I gather now with jetty 9 the modules have to be enabled
> individually:
> http://www.eclipse.org/jetty/documentation/current/startup-modules.html
>
> However: when I run
> java -jar start.jar --list-modules
>
> I only get a few modules as possibilities (server,http,https,ssl). I
> tried adding the jetty-jaas jar for the version of jetty with 5.3 to /lib
> but I still am not able to figure out how to turn it on as it doesn't show
> up in the list.
>
> I'm much less familiar with jetty than I am with others so I'm still
> fumbling a bit here. But it seems we need to:
>
> 1. Add the jetty-jaas.jar that's missing via an outside script (Also note
>    that if you want ldap you'll have to use an additional jar)
> 2. Execute the following (java -jar start.jar --add-to-startd=jaas)
> 3. Start the server (either with your own script or the new ./solr scripts)
>
> I've got the jar added, but either it's not in the right place (I've got
> it in /lib maybe it needs to be in /lib/ext?) or jetty needs to be
> configured to recognize it.
>
> Not sure what the thinking was behind the decision that only people
> running solr cloud would want authentication, or even how solr made it to
> 5.2 before adding anything in at all!
>
> We had all this working great in jetty8 solr versions but with the new
> jetty9 modules/classloaders it's proving a challenge.
>
> Marshall Sanders
> Technical Lead – Software Engineer
> Autotrader.com
> 404-568-7130
>
> -----Original Message-----
> From: Aziz Gaou [mailto:gaouaziz@gmail.com]
> Sent: Thursday, September 17, 2015 5:55 AM
> To: solr-user@lucene.apache.org
> Subject: Re: Securing solr 5.2 basic auth permission rules
>
> thank you so much for your reply,
>
> Now, I try to protect Apache Solr 5 admin with jetty, when I change
>
> 1) sudo nano /opt/solr/server/etc/webdefault.xml
>
> Solr
> /*
>
> search-role
>
> BASIC
> Solr Realm
>
> 2) I changed too "*jetty.xml*" and "*realm.properties*"
>
> 3) the following message will appear on browser:
>
> - http://localhost:8983/solr/
>
> HTTP ERROR: 503
>
> Problem accessing /solr/. Reason:
>
> Service Unavailable
>
> ------------------------------
> *Powered by Jetty://*
>
> Thanks for your help
>
> 2015-09-16 18:58 GMT+00:00 Anshum Gupta :
>
> > Basic authentication (and the API support, that you're trying to use)
> > was only released with 5.3.0 so it wouldn't work with 5.2.
> > 5.2 only had the authentication and authorization frameworks, and
> > shipped with Kerberos authentication plugin out of the box.
> >
> > There are a few known issues with that though, and a 5.3.1 release is
> > just around the corner.
> >
> > On Wed, Sep 16, 2015 at 10:11 AM, Aziz Gaou wrote:
> >
> > > Hi,
> > >
> > > I try to follow:
> > > https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin ,
> > > to protect Solr 5.2 Admin with password, but I have not been able to
> > > secure.
> > >
> > > 1) When I run the following command:
> > >
> > > curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication
> > > -H 'Content-type:application/json' -d '{
> > > "set-user": {"tom" : "TomIsCool" }}'
> > >
> > > no update on the file security.json
> > >
> > > 2) I launched the following 2 commands:
> > >
> > > curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization
> > > -H 'Content-type:application/json' -d '{"set-permission": {
> > > "name":"updates", "collection":"MyCollection", "role": "dev"}}'
> > >
> > > curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization
> > > -H 'Content-type:application/json' -d '{ "set-user-role":
> > > {"tom":["dev"]}}'
> > >
> > > always MyCollection is not protected.
> > >
> > > thank you for your help.
> >
> > --
> > Anshum Gupta
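
Added example, not part of the thread and not Solr's own code: an offline check of a `security.json` for the two symptoms reported in the original question (the file not being updated, and `MyCollection` staying unprotected). The layout follows the Basic Authentication Plugin page linked in the thread; `audit_security_json`, `as_list` and the sample document are constructed for illustration, and only permission rules that name the collection explicitly are examined.

```python
import json

# Constructed sample: the state the thread's three API calls aim for.
# Credential strings are placeholders, not real hashes.
SAMPLE = """{
  "authentication": {"class": "solr.BasicAuthPlugin",
    "credentials": {"solr": "HASH SALT", "tom": "HASH SALT"}},
  "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [{"name": "security-edit", "role": "admin"},
                    {"name": "updates", "collection": "MyCollection", "role": "dev"}],
    "user-role": {"solr": "admin", "tom": ["dev"]}}
}"""


def as_list(value):
    """Roles and collections may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_security_json(text, collection):
    """Return a list of findings; an empty list means every check passed."""
    doc = json.loads(text)
    authn = doc.get("authentication") or {}
    authz = doc.get("authorization") or {}
    findings = []
    if authn.get("class") != "solr.BasicAuthPlugin":
        findings.append("authentication.class is not solr.BasicAuthPlugin")
    if authz.get("class") != "solr.RuleBasedAuthorizationPlugin":
        findings.append("authorization.class is not solr.RuleBasedAuthorizationPlugin")
    users = set(authn.get("credentials") or {})
    user_roles = authz.get("user-role") or {}
    # Only rules that name the collection explicitly are considered here.
    rules = [p for p in authz.get("permissions") or []
             if collection in as_list(p.get("collection"))]
    if not rules:
        findings.append(f"no permission rule names collection {collection}")
    for rule in rules:
        wanted = set(as_list(rule.get("role")))
        holders = {u for u, r in user_roles.items() if wanted & set(as_list(r))}
        if not holders:
            findings.append(f"rule {rule.get('name')}: no user holds {sorted(wanted)}")
        for user in sorted(holders - users):
            findings.append(f"rule {rule.get('name')}: {user} has the role but no credentials")
    return findings


if __name__ == "__main__":
    print(audit_security_json(SAMPLE, "MyCollection"))  # fully configured
    print(audit_security_json("{}", "MyCollection"))    # file never updated
```

An empty `{}` document stands in for the Solr 5.2 case in the thread, where the API calls leave `security.json` unchanged.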