[ 
https://issues.apache.org/jira/browse/SOLR-8408?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15056024#comment-15056024
 ] 

Kristine Jetzke commented on SOLR-8408:
---------------------------------------

Here is the output of all commands:

{code}
$ curl  http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{
> set-user : {scott : abc1234}}'
{
  "responseHeader":{
    "status":0,
    "QTime":12}}


$ curl  http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{
> set-user-role : {scott : admin},
> set-user-role: {solr: dev}}'
{
  "responseHeader":{
    "status":0,
    "QTime":7}}


$ curl  http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{
> set-permission : {name : security-edit , role: admin}}'
{
  "responseHeader":{
    "status":0,
    "QTime":6}}


$ curl http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{
> set-permission : {name : collection-admin-edit, role : admin}}'
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Error 401 Unauthorized request, Response code: 401</title>
</head>
<body><h2>HTTP ERROR 401</h2>
<p>Problem accessing /solr/admin/authorization. Reason:
<pre>    Unauthorized request, Response code: 401</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/>

</body>
</html>


$ curl --user scott:abc1234 http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{
> set-permission : {name : collection-admin-edit, role : admin}}'
{
  "responseHeader":{
    "status":0,
    "QTime":6}}


$ curl http://localhost:8983/solr/gettingstarted/select?q=*:*
<?xml version="1.0" encoding="UTF-8"?>
<response>
<lst name="responseHeader"><int name="status">0</int><int name="QTime">67</int><lst name="params"><str name="q">*:*</str></lst></lst><result name="response" numFound="0" start="0" maxScore="0.0"></result>
</response>


$ curl --user scott:abc1234 http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{
> set-permission : {name : read, role : dev}}'
{
  "responseHeader":{
    "status":0,
    "QTime":5}}


$ curl http://localhost:8983/solr/gettingstarted/select?q=*:*
<?xml version="1.0" encoding="UTF-8"?>
<response>
<lst name="responseHeader"><int name="status">0</int><int name="QTime">10</int><lst name="params"><str name="q">*:*</str></lst></lst><result name="response" numFound="0" start="0" maxScore="0.0"></result>
</response>
{code}

> Basic Auth Plugin doesn't require any credentials, doesn't enforce 
> authentication
> ---------------------------------------------------------------------------------
>
>                 Key: SOLR-8408
>                 URL: https://issues.apache.org/jira/browse/SOLR-8408
>             Project: Solr
>          Issue Type: Bug
>            Reporter: Hoss Man
>            Assignee: Noble Paul
>         Attachments: SOLR-8408.patch
>
>
> as noted on solr-user by Kristine Jetzke, and trivial to reproduce...
> {noformat}
> # interactively launch solr cloud
> $ bin/solr -e cloud
> #       ... for simplicity of test, pick a single node, 1 shard, 1 replica
> # now upload security.json from wiki page...
> # https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin
> $ server/scripts/cloud-scripts/zkcli.sh -zkhost localhost:9983 -cmd put /security.json '{
> "authentication":{
>    "class":"solr.BasicAuthPlugin",
>    "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
> },
> "authorization":{
>    "class":"solr.RuleBasedAuthorizationPlugin",
>    "permissions":[{"name":"security-edit",
>       "role":"admin"}],
>    "user-role":{"solr":"admin"}
> }}'
> # now stop & restart the single node we are using...
> $ bin/solr stop -all
> $ bin/solr restart -c -p 8983 -s example/cloud/node1/solr
> # valid credentials are accepted...
> $ curl -u 'solr:SolrRocks' 'http://localhost:8983/solr/gettingstarted/select?q=*%3A*&wt=json&indent=true'
> {
>   "responseHeader":{
>     "status":0,
>     "QTime":0,
>     "params":{
>       "q":"*:*",
>       "indent":"true",
>       "wt":"json"}},
>   "response":{"numFound":0,"start":0,"docs":[]
>   }}
> # invalid credentials are denied...
> $ curl -u 'solr:SolrBogus' 'http://localhost:8983/solr/gettingstarted/select?q=*%3A*&wt=json&indent=true'
>  
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
> <title>Error 401 Bad credentials</title>
> </head>
> <body><h2>HTTP ERROR 401</h2>
> <p>Problem accessing /solr/gettingstarted/select. Reason:
> <pre>    Bad credentials</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/>
> </body>
> </html>
> # requests w/o credentials are accepted even though they should be denied...
> $ curl 'http://localhost:8983/solr/gettingstarted/select?q=*%3A*&wt=json&indent=true'
> {
>   "responseHeader":{
>     "status":0,
>     "QTime":0,
>     "params":{
>       "q":"*:*",
>       "indent":"true",
>       "wt":"json"}},
>   "response":{"numFound":0,"start":0,"docs":[]
>   }}
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
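
The three probes from the quoted reproduction (no credentials, wrong password, valid credentials) as a repeatable check. This is an added example, not part of the original message or of Solr; `SOLR_URL`, `SOLR_USER`, `SOLR_PASS` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: does a Solr endpoint reject requests without credentials?
# SOLR_URL, SOLR_USER, SOLR_PASS and all function names are assumptions.

# Print only the HTTP status of a GET. Extra arguments (e.g. -u user:pass)
# go straight to curl; a failed connection prints 000.
http_code() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$@" || true
}

# Decide from three status codes, in the order used in the report:
#   $1 no credentials, $2 wrong password, $3 valid credentials.
# Returns 0 = enforced, 1 = not enforced, 2 = cannot tell.
classify_auth() {
  case "$3" in
    2??) ;;
    *) echo "INCONCLUSIVE: valid credentials returned $3"; return 2 ;;
  esac
  case "$2" in
    401) ;;
    *) echo "FAIL: wrong password returned $2, expected 401"; return 1 ;;
  esac
  case "$1" in
    401) echo "OK: anonymous request rejected" ;;
    2??) echo "FAIL: anonymous request accepted ($1)"; return 1 ;;
    *)   echo "INCONCLUSIVE: anonymous request returned $1"; return 2 ;;
  esac
}

# Run the three probes against one URL and classify the result.
audit_endpoint() {
  classify_auth \
    "$(http_code "$1")" \
    "$(http_code -u "$2:wrong-$3" "$1")" \
    "$(http_code -u "$2:$3" "$1")"
}

# Only touch the network when a target is configured.
if [ -n "${SOLR_URL:-}" ]; then
  audit_endpoint "$SOLR_URL" "${SOLR_USER:?}" "${SOLR_PASS:?}"
fi
```

Fed the outcomes of the quoted reproduction (accepted, 401, accepted), `classify_auth` reports the anonymous request as accepted and returns 1, which makes the script usable as a post-deployment gate.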
