lucene-solr-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Oakley, Craig (NIH/NLM/NCBI) [C]" <>
Subject RE: BYOPW in security.json
Date Wed, 06 Apr 2016 13:10:49 GMT

I googled to look for examples of how to proceed, and notice that you opened SOLR-8951

Thanks again

-----Original Message-----
From: Jan Høydahl [] 
Sent: Wednesday, April 06, 2016 4:18 AM
Subject: Re: BYOPW in security.json


Note that storing the user names and passwords in security.json is just one implementation,
to easily get started. It uses the Sha256AuthenticationProvider class, which is pluggable.
That means that if you require Basic Auth with some form of self-service management, you could/should
add another AuthenticationProvider (implement interface BasicAuthPlugin.AuthenticationProvider
which e.g. pulls valid users and passwords from a database or some other source that you control.
Or perhaps your organization uses LDAP already, it would be convenient to create an LDAPAuthenticationProvider.

I would not recommend adding such complexity to the existing json backed user list, although
it has the benefit of beting 100% self contained.

Jan Høydahl, search solution architect
Cominvent AS -

> 18. mar. 2016 kl. 23.30 skrev Oakley, Craig (NIH/NLM/NCBI) [C] <>:
> When using security.json (in Solr 5.4.1 for instance), is there a recommended method
to allow users to change their own passwords? We certainly would not want to grant blanket
security-edit to all users; but requiring users to divulge their intended passwords (in Email
or by other means) to the administrators of the Solr installation is also arguably less than
optimal. It is unclear whether one could setup (for each individual user: "user1" in this
example) something like:
> "set-permission": {"name":"edit_pwd_user1",
> "path":"/admin/authentication",
> "params":{"command":[set-user],"login":[user1]},
> "role": "edit_pw_user1"}
> "set-user-role": {"user1": ["edit_pw_user1","other","roles","here"]}
> One point that is unclear would be whether "command" and "login" are the correct strings
in the third line of the example above: would they instead be "cmd" and "user"? "action" and
"username"? something else?
> Even if this worked when implemented for each individual login, it would be nice to be
able to say once and for all "every login can edit its own password".
> There could be ways to create a utility which would change the OS-ownership of its own
process in order to decrypt a file containing the Solr-admin-password, and to use that to
set the password of the Solr login which matched the OS login which initiated the process;
but before embarking on developing such a utility, I thought I would ask whether there were
other suggestions.

View raw message