I removed that statement

"If activating the authorization plugin doesn't protect the admin ui,
how does one protect access to it?"

One does not need to protect the admin UI. You only need to protect
the relevant API calls. I mean it's OK to not protect the CSS and
HTML stuff. But if you perform an action to create a core or do a
query through admin UI, it automatically will prompt you for
credentials (if those APIs are protected).

On Tue, Sep 1, 2015 at 12:41 PM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
> Thanks for the clarification!
>
> So is the wiki page incorrect at
> https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin 
> which says that the admin ui will require authentication once the 
> authorization plugin is activated?
>
> "An authorization plugin is also available to configure Solr with permissions 
> to perform various activities in the system. Once activated, access to the 
> Solr Admin UI and all requests will need to be authenticated and users will 
> be required to have the proper authorization for all requests, including 
> using the Admin UI and making any API calls."
>
> If activating the authorization plugin doesn't protect the admin ui, how does 
> one protect access to it?
>
> Also, the issue I'm having is not just at restart.  According to the docs 
> security.json should be uploaded to Zookeeper before starting any of the Solr 
> instances.  However, I tried to upload security.json before starting any of 
> the Solr instances, but it would not pick up the security config until after 
> the Solr instances are already running and then uploading the security.json 
> again.  I can see in the logs at startup that the Solr instances don't see 
> any plugin enabled even though security.json is already in zookeeper and then 
> after they are started and the security.json is uploaded again I see it 
> reconfigure to use the plugin.
>
> Thanks,
> Kevin
>
>> On Aug 31, 2015, at 11:22 PM, Noble Paul <noble.p...@gmail.com> wrote:
>>
>> Admin UI is not protected by any of these permissions. Only if you try
>> to perform a protected operation, it asks for a password.
>>
>> I'll investigate the restart problem and report my findings.
>>
>>> On Tue, Sep 1, 2015 at 3:10 AM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
>>> Anyone else running into any issues trying to get the authentication and 
>>> authorization plugins in 5.3 working?
>>>
>>>> On Aug 29, 2015, at 2:30 AM, Kevin Lee <kgle...@yahoo.com.INVALID> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I’m trying to use the new basic auth plugin for Solr 5.3 and it doesn’t 
>>>> seem to be working quite right.  Not sure if I’m missing steps or there is 
>>>> a bug.  I am able to get it to protect access to a URL under a collection, 
>>>> but am unable to get it to secure access to the Admin UI.  In addition, 
>>>> after stopping the Solr and Zookeeper instances, the security.json is 
>>>> still in Zookeeper, however Solr is allowing access to everything again 
>>>> like the security configuration isn’t in place.
>>>>
>>>> Contents of security.json taken from wiki page, but edited to produce 
>>>> valid JSON.  Had to move comma after 3rd from last “}” up to just after 
>>>> the last “]”.
>>>>
>>>> {
>>>> "authentication":{
>>>> "class":"solr.BasicAuthPlugin",
>>>> "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
>>>> },
>>>> "authorization":{
>>>> "class":"solr.RuleBasedAuthorizationPlugin",
>>>> "permissions":[{"name":"security-edit",
>>>>    "role":"admin"}],
>>>> "user-role":{"solr":"admin"}
>>>> }}
>>>>
>>>> Here are the steps I followed:
>>>>
>>>> Upload security.json to zookeeper
>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile \
>>>> /security.json ~/solr/security.json
>>>>
>>>> Use zkCli.sh from Zookeeper to ensure the security.json is in Zookeeper at 
>>>> /security.json.  It is there and looks like what was originally uploaded.
>>>>
>>>> Start Solr Instances
>>>>
>>>> Attempt to create a permission, however get the following error:
>>>> {
>>>> "responseHeader":{
>>>>  "status":400,
>>>>  "QTime":0},
>>>> "error":{
>>>>  "msg":"No authorization plugin configured",
>>>>  "code":400}}
>>>>
>>>> Upload security.json again.
>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile \
>>>> /security.json ~/solr/security.json
>>>>
>>>> Issue the following to try to create the permission again and this time 
>>>> it’s successful.
>>>> // Create a permission for mysearch endpoint
>>>>          curl --user solr:SolrRocks -H 'Content-type:application/json' -d \
>>>> '{"set-permission": {"name":"mycollection-search","collection":
>>>> "mycollection","path":"/mysearch","role": "search-user"}}' \
>>>> http://localhost:8983/solr/admin/authorization
>>>>
>>>>  {
>>>>    "responseHeader":{
>>>>      "status":0,
>>>>      "QTime":7}}
>>>>
>>>> Issue the following commands to add users
>>>> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication \
>>>> -H 'Content-type:application/json' -d '{"set-user": {"admin" : "password"
>>>> }}'
>>>> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication \
>>>> -H 'Content-type:application/json' -d '{"set-user": {"user" : "password"
>>>> }}'
>>>>
>>>> Issue the following command to add permission to users
>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{
>>>> "set-user-role" : {"admin": ["search-user", "admin"]}}' \
>>>> http://localhost:8983/solr/admin/authorization
>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{
>>>> "set-user-role" : {"user": ["search-user"]}}' \
>>>> http://localhost:8983/solr/admin/authorization
>>>>
>>>> After executing the above, access to /mysearch is protected until I 
>>>> restart the Solr and Zookeeper instances.  However, the admin UI is never 
>>>> protected like the Wiki page says it should be once activated.
>>>>
>>>> https://cwiki.apache.org/confluence/display/solr/Rule-Based+Authorization+Plugin
>>>>
>>>> Why does the authentication and authorization plugin not stay activated 
>>>> after restart and why is the Admin UI never protected?  Am I missing any 
>>>> steps?
>>>>
>>>> Thanks,
>>>> Kevin
>>
>>
>>
>> --
>> -----------------------------------------------------
>> Noble Paul



-- 
-----------------------------------------------------
Noble Paul
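
The thread turns on a hand-edited security.json (the wiki copy was not valid JSON), a "No authorization plugin configured" response, and permissions that only bite when a role is mapped to a user who can log in. The following offline lint for those three conditions is an added example, not code from either poster or from Solr; `lint_security_json`, `as_list` and the sample document are hypothetical, the credentials value is a placeholder, and the checks are assumptions about what is worth flagging rather than Solr's own validation.

```python
import json

# Constructed sample: the thread's config, placeholder credentials, no set-user for "user".
SAMPLE = """{
 "authentication": {
  "class": "solr.BasicAuthPlugin",
  "credentials": {"solr": "<hash> <salt>"}
 },
 "authorization": {
  "class": "solr.RuleBasedAuthorizationPlugin",
  "permissions": [
   {"name": "security-edit", "role": "admin"},
   {"name": "mycollection-search", "collection": "mycollection",
    "path": "/mysearch", "role": "search-user"}
  ],
  "user-role": {"solr": "admin", "user": ["search-user"]}
 }
}"""

def as_list(value):
    """Roles appear on the page both as a single string and as a list."""
    return value if isinstance(value, list) else [value]

def lint_security_json(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        conf = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"invalid JSON at line {e.lineno}, column {e.colno}: {e.msg}"]
    findings = []
    for section in ("authentication", "authorization"):
        if "class" not in conf.get(section, {}):
            findings.append(f"no {section} plugin configured")
    creds = conf.get("authentication", {}).get("credentials", {})
    authz = conf.get("authorization", {})
    roles = {u: set(as_list(r)) for u, r in authz.get("user-role", {}).items()}
    for user in sorted(set(roles) - set(creds)):
        findings.append(f"user '{user}' has roles but no credentials")
    # Roles held by at least one user who can actually authenticate.
    usable = set().union(*(r for u, r in roles.items() if u in creds))
    for perm in authz.get("permissions", []):
        for role in as_list(perm.get("role") or []):
            if role not in usable:
                findings.append(f"permission '{perm.get('name')}' needs role "
                                f"'{role}', held by no user with credentials")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_security_json(SAMPLE)) or "no findings")
```

Running it on the file before each `putfile` upload catches a misplaced comma or an unmapped role before Solr reads the node.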
