Thanks for the clarification!
So is the wiki page incorrect at
https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin
which says that the admin ui will require authentication once the authorization
plugin is activated?
"An authorization plugin is also available to configure Solr with permissions
to perform various activities in the system. Once activated, access to the Solr
Admin UI and all requests will need to be authenticated and users will be
required to have the proper authorization for all requests, including using the
Admin UI and making any API calls."
If activating the authorization plugin doesn't protect the admin ui, how does
one protect access to it?
Also, the issue I'm having is not just at restart. According to the docs
security.json should be uploaded to Zookeeper before starting any of the Solr
instances. However, I tried to upload security.json before starting any of the
Solr instances, but it would not pick up the security config until after the
Solr instances are already running and then uploading the security.json again.
I can see in the logs at startup that the Solr instances don't see any plugin
enabled even though security.json is already in zookeeper and then after they
are started and the security.json is uploaded again I see it reconfigure to use
the plugin.
Thanks,
Kevin
> On Aug 31, 2015, at 11:22 PM, Noble Paul <noble.p...@gmail.com> wrote:
>
> Admin UI is not protected by any of these permissions. Only if you try
> to perform a protected operation , it asks for a password.
>
> I'll investigate the restart problem and report my findings
>
>> On Tue, Sep 1, 2015 at 3:10 AM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
>> Anyone else running into any issues trying to get the authentication and
>> authorization plugins in 5.3 working?
>>
>>> On Aug 29, 2015, at 2:30 AM, Kevin Lee <kgle...@yahoo.com.INVALID> wrote:
>>>
>>> Hi,
>>>
>>> I’m trying to use the new basic auth plugin for Solr 5.3 and it doesn’t
>>> seem to be working quite right. Not sure if I’m missing steps or there is
>>> a bug. I am able to get it to protect access to a URL under a collection,
>>> but am unable to get it to secure access to the Admin UI. In addition,
>>> after stopping the Solr and Zookeeper instances, the security.json is still
>>> in Zookeeper, however Solr is allowing access to everything again like the
>>> security configuration isn’t in place.
>>>
>>> Contents of security.json taken from wiki page, but edited to produce valid
>>> JSON. Had to move comma after 3rd from last “}” up to just after the last
>>> “]”.
>>>
>>> {
>>> "authentication":{
>>> "class":"solr.BasicAuthPlugin",
>>> "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
>>> Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
>>> },
>>> "authorization":{
>>> "class":"solr.RuleBasedAuthorizationPlugin",
>>> "permissions":[{"name":"security-edit",
>>> "role":"admin"}],
>>> "user-role":{"solr":"admin"}
>>> }}
>>>
>>> Here are the steps I followed:
>>>
>>> Upload security.json to zookeeper
>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile
>>> /security.json ~/solr/security.json
>>>
>>> Use zkCli.sh from Zookeeper to ensure the security.json is in Zookeeper at
>>> /security.json. It is there and looks like what was originally uploaded.
>>>
>>> Start Solr Instances
>>>
>>> Attempt to create a permission, however get the following error:
>>> {
>>> "responseHeader":{
>>> "status":400,
>>> "QTime":0},
>>> "error":{
>>> "msg":"No authorization plugin configured",
>>> "code":400}}
>>>
>>> Upload security.json again.
>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile
>>> /security.json ~/solr/security.json
>>>
>>> Issue the following to try to create the permission again and this time
>>> it’s successful.
>>> // Create a permission for mysearch endpoint
>>> curl --user solr:SolrRocks -H 'Content-type:application/json' -d
>>> '{"set-permission": {"name":"mycollection-search","collection":
>>> “mycollection","path":”/mysearch","role": "search-user"}}'
>>> http://localhost:8983/solr/admin/authorization
>>>
>>> {
>>> "responseHeader":{
>>> "status":0,
>>> "QTime":7}}
>>>
>>> Issue the following commands to add users
>>> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication
>>> -H 'Content-type:application/json' -d '{"set-user": {"admin" : “password"
>>> }}’
>>> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication
>>> -H 'Content-type:application/json' -d '{"set-user": {"user" : “password" }}'
>>>
>>> Issue the following command to add permission to users
>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{
>>> "set-user-role" : {"admin": ["search-user", "admin"]}}'
>>> http://localhost:8983/solr/admin/authorization
>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{
>>> "set-user-role" : {"user": ["search-user"]}}'
>>> http://localhost:8983/solr/admin/authorization
>>>
>>> After executing the above, access to /mysearch is protected until I restart
>>> the Solr and Zookeeper instances. However, the admin UI is never protected
>>> like the Wiki page says it should be once activated.
>>>
>>> https://cwiki.apache.org/confluence/display/solr/Rule-Based+Authorization+Plugin
>>>
>>> <https://cwiki.apache.org/confluence/display/solr/Rule-Based+Authorization+Plugin>
>>>
>>> Why does the authentication and authorization plugin not stay activated
>>> after restart and why is the Admin UI never protected? Am I missing any
>>> steps?
>>>
>>> Thanks,
>>> Kevin
>
>
>
> --
> -----------------------------------------------------
> Noble Paul
