The restart issues aside, I’m trying to lock down usage of the Collections API, 
but that does not seem to be working either.

Here is my security.json.  I’m using the “collection-admin-edit” permission and 
assigning it to the “adminRole”.  However, after uploading the new 
security.json and restarting the web browser, it doesn’t seem to be requiring 
credentials when calling the RELOAD action on the Collections API.  The only 
thing that seems to work is the custom permission “browse” which is requiring 
authentication before allowing me to pull up the page.  Am I using the 
permissions correctly for the RuleBasedAuthorizationPlugin?

{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "admin": "<pass> <salt>",
      "user": "<pass> <salt>"
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {
        "name": "security-edit",
        "role": "adminRole"
      },
      {
        "name": "collection-admin-edit",
        "role": "adminRole"
      },
      {
        "name": "browse",
        "collection": "inventory",
        "path": "/browse",
        "role": "browseRole"
      }
    ],
    "user-role": {
      "admin": [
        "adminRole",
        "browseRole"
      ],
      "user": [
        "browseRole"
      ]
    }
  }
}

I also tried adding the permission using the Authorization API, but it had no 
effect; it still isn’t protecting the Collections API from being invoked without 
a username and password.  I do see in the Solr logs that it sees the updates because 
it outputs the messages “Updating /security.json …”, “Security node changed”, 
“Initializing authorization plugin: solr.RuleBasedAuthorizationPlugin” and 
“Authentication plugin class obtained from ZK: solr.BasicAuthPlugin”.

Thanks,
Kevin

> On Sep 1, 2015, at 12:31 AM, Noble Paul <noble.p...@gmail.com> wrote:
> 
> I'm investigating why restarts or first time start does not read the
> security.json
> 
> On Tue, Sep 1, 2015 at 1:00 PM, Noble Paul <noble.p...@gmail.com> wrote:
>> I removed that statement
>> 
>> "If activating the authorization plugin doesn't protect the admin ui,
>> how does one protect access to it?"
>> 
>> One does not need to protect the admin UI. You only need to protect
>> the relevant API calls. I mean it's OK to not protect the CSS and
>> HTML stuff.  But if you perform an action to create a core or do a
>> query through admin UI, it automatically will prompt you for
>> credentials (if those APIs are protected)
>> 
>> On Tue, Sep 1, 2015 at 12:41 PM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
>>> Thanks for the clarification!
>>> 
>>> So is the wiki page incorrect at
>>> https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin
>>>  which says that the admin ui will require authentication once the 
>>> authorization plugin is activated?
>>> 
>>> "An authorization plugin is also available to configure Solr with 
>>> permissions to perform various activities in the system. Once activated, 
>>> access to the Solr Admin UI and all requests will need to be authenticated 
>>> and users will be required to have the proper authorization for all 
>>> requests, including using the Admin UI and making any API calls."
>>> 
>>> If activating the authorization plugin doesn't protect the admin ui, how 
>>> does one protect access to it?
>>> 
>>> Also, the issue I'm having is not just at restart.  According to the docs 
>>> security.json should be uploaded to Zookeeper before starting any of the 
>>> Solr instances.  However, I tried to upload security.json before starting 
>>> any of the Solr instances, but it would not pick up the security config 
>>> until after the Solr instances are already running and then uploading the 
>>> security.json again.  I can see in the logs at startup that the Solr 
>>> instances don't see any plugin enabled even though security.json is already 
>>> in zookeeper and then after they are started and the security.json is 
>>> uploaded again I see it reconfigure to use the plugin.
>>> 
>>> Thanks,
>>> Kevin
>>> 
>>>> On Aug 31, 2015, at 11:22 PM, Noble Paul <noble.p...@gmail.com> wrote:
>>>> 
>>>> Admin UI is not protected by any of these permissions. Only if you try
>>>> to perform a protected operation, it asks for a password.
>>>> 
>>>> I'll investigate the restart problem and report my findings
>>>> 
>>>>> On Tue, Sep 1, 2015 at 3:10 AM, Kevin Lee <kgle...@yahoo.com.invalid> 
>>>>> wrote:
>>>>> Anyone else running into any issues trying to get the authentication and 
>>>>> authorization plugins in 5.3 working?
>>>>> 
>>>>>> On Aug 29, 2015, at 2:30 AM, Kevin Lee <kgle...@yahoo.com.INVALID> wrote:
>>>>>> 
>>>>>> Hi,
>>>>>> 
>>>>>> I’m trying to use the new basic auth plugin for Solr 5.3 and it doesn’t 
>>>>>> seem to be working quite right.  Not sure if I’m missing steps or there 
>>>>>> is a bug.  I am able to get it to protect access to a URL under a 
>>>>>> collection, but am unable to get it to secure access to the Admin UI.  
>>>>>> In addition, after stopping the Solr and Zookeeper instances, the 
>>>>>> security.json is still in Zookeeper, however Solr is allowing access to 
>>>>>> everything again like the security configuration isn’t in place.
>>>>>> 
>>>>>> Contents of security.json taken from wiki page, but edited to produce 
>>>>>> valid JSON.  Had to move comma after 3rd from last “}” up to just after 
>>>>>> the last “]”.
>>>>>> 
>>>>>> {
>>>>>> "authentication":{
>>>>>> "class":"solr.BasicAuthPlugin",
>>>>>> "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= 
>>>>>> Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
>>>>>> },
>>>>>> "authorization":{
>>>>>> "class":"solr.RuleBasedAuthorizationPlugin",
>>>>>> "permissions":[{"name":"security-edit",
>>>>>>   "role":"admin"}],
>>>>>> "user-role":{"solr":"admin"}
>>>>>> }}
>>>>>> 
>>>>>> Here are the steps I followed:
>>>>>> 
>>>>>> Upload security.json to zookeeper
>>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile 
>>>>>> /security.json ~/solr/security.json
>>>>>> 
>>>>>> Use zkCli.sh from Zookeeper to ensure the security.json is in Zookeeper 
>>>>>> at /security.json.  It is there and looks like what was originally 
>>>>>> uploaded.
>>>>>> 
>>>>>> Start Solr Instances
>>>>>> 
>>>>>> Attempt to create a permission, however get the following error:
>>>>>> {
>>>>>> "responseHeader":{
>>>>>> "status":400,
>>>>>> "QTime":0},
>>>>>> "error":{
>>>>>> "msg":"No authorization plugin configured",
>>>>>> "code":400}}
>>>>>> 
>>>>>> Upload security.json again.
>>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile 
>>>>>> /security.json ~/solr/security.json
>>>>>> 
>>>>>> Issue the following to try to create the permission again and this time 
>>>>>> it’s successful.
>>>>>> // Create a permission for mysearch endpoint
>>>>>> curl --user solr:SolrRocks -H 'Content-type:application/json' -d 
>>>>>> '{"set-permission": {"name":"mycollection-search","collection": 
>>>>>> "mycollection","path":"/mysearch","role": "search-user"}}' 
>>>>>> http://localhost:8983/solr/admin/authorization
>>>>>> 
>>>>>> {
>>>>>>   "responseHeader":{
>>>>>>     "status":0,
>>>>>>     "QTime":7}}
>>>>>> 
>>>>>> Issue the following commands to add users
>>>>>> curl --user solr:SolrRocks 
>>>>>> http://localhost:8983/solr/admin/authentication -H 
>>>>>> 'Content-type:application/json' -d '{"set-user": {"admin" : "password" 
>>>>>> }}'
>>>>>> curl --user solr:SolrRocks 
>>>>>> http://localhost:8983/solr/admin/authentication -H 
>>>>>> 'Content-type:application/json' -d '{"set-user": {"user" : "password" }}'
>>>>>> 
>>>>>> Issue the following command to add permission to users
>>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{ 
>>>>>> "set-user-role" : {"admin": ["search-user", "admin"]}}' 
>>>>>> http://localhost:8983/solr/admin/authorization
>>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{ 
>>>>>> "set-user-role" : {"user": ["search-user"]}}' 
>>>>>> http://localhost:8983/solr/admin/authorization
>>>>>> 
>>>>>> After executing the above, access to /mysearch is protected until I 
>>>>>> restart the Solr and Zookeeper instances.  However, the admin UI is 
>>>>>> never protected like the Wiki page says it should be once activated.
>>>>>> 
>>>>>> https://cwiki.apache.org/confluence/display/solr/Rule-Based+Authorization+Plugin
>>>>>> 
>>>>>> Why does the authentication and authorization plugin not stay activated 
>>>>>> after restart and why is the Admin UI never protected?  Am I missing any 
>>>>>> steps?
>>>>>> 
>>>>>> Thanks,
>>>>>> Kevin
>>>> 
>>>> 
>>>> 
>>>> --
>>>> -----------------------------------------------------
>>>> Noble Paul
>> 
>> 
>> 
>> --
>> -----------------------------------------------------
>> Noble Paul
> 
> 
> 
> -- 
> -----------------------------------------------------
> Noble Paul
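Two things go wrong repeatedly in this thread: the security.json pasted from a mail client carries curly quotes that make it invalid JSON, and a permission references a role that has to be granted under "user-role" before it protects anything. The following linter is an added example written for this page; it is not code from the thread or from the Solr project. It checks a security.json for those mistakes and for the "<base64 hash> <base64 salt>" credential format, and it can verify a password against a stored credential. The hashing scheme is an assumption stated in the code (sha256 applied twice over salt plus password, as in Solr's Sha256AuthenticationProvider as I know it), the list of predefined permission names is reproduced from the Solr 5.x reference guide rather than from the thread, and the sample file and password are constructed.

```python
"""Lint a Solr security.json for BasicAuthPlugin + RuleBasedAuthorizationPlugin.

Added example, not part of the thread or of Solr itself.
"""
import base64
import hashlib
import hmac
import json
import os
from typing import List, Optional

# Assumption: predefined permission names from the Solr 5.x reference guide.
PREDEFINED = {
    "security-edit", "security-read", "schema-edit", "schema-read",
    "config-edit", "config-read", "collection-admin-edit",
    "collection-admin-read", "update", "read",
}
# Curly quotes that mail clients substitute for ASCII quotes.
CURLY_TO_STRAIGHT = {0x201C: '"', 0x201D: '"', 0x2018: "'", 0x2019: "'"}


def make_credential(password: str, salt: Optional[bytes] = None) -> str:
    """Return '<base64 hash> <base64 salt>' as stored under "credentials".

    Assumed scheme: hash = sha256(sha256(salt || utf8(password))).
    """
    salt = salt if salt is not None else os.urandom(32)
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    outer = hashlib.sha256(inner).digest()
    return base64.b64encode(outer).decode() + " " + base64.b64encode(salt).decode()


def verify_credential(password: str, stored: str) -> bool:
    """True if `password` reproduces the hash half of a stored credential."""
    parts = stored.split(" ")
    if len(parts) != 2:
        return False
    try:
        salt = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return False
    recomputed = make_credential(password, salt).split(" ")[0]
    return hmac.compare_digest(recomputed, parts[0])


def _is_b64(value: str) -> bool:
    try:
        return len(base64.b64decode(value, validate=True)) > 0
    except ValueError:
        return False


def _as_list(value) -> list:
    # "role" may be a string, a list, or null (null means no role required).
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_security_json(text: str) -> List[str]:
    """Return a list of problems; an empty list means the file looks sane."""
    problems: List[str] = []
    if any(ord(ch) in CURLY_TO_STRAIGHT for ch in text):
        problems.append("curly quotes found; use straight ASCII quotes")
        text = text.translate(CURLY_TO_STRAIGHT)  # repair so later checks still run
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return problems + [f"not valid JSON: {exc}"]

    authn = cfg.get("authentication", {})
    if authn.get("class") != "solr.BasicAuthPlugin":
        problems.append("authentication.class is not solr.BasicAuthPlugin")
    for user, cred in authn.get("credentials", {}).items():
        parts = cred.split(" ")
        if len(parts) != 2 or not all(_is_b64(p) for p in parts):
            problems.append(f"credential for {user!r} is not '<base64 hash> <base64 salt>'")

    authz = cfg.get("authorization", {})
    if authz.get("class") != "solr.RuleBasedAuthorizationPlugin":
        problems.append("authorization.class is not solr.RuleBasedAuthorizationPlugin")
    granted = set()
    for roles in authz.get("user-role", {}).values():
        granted.update(_as_list(roles))
    for perm in authz.get("permissions", []):
        name = perm.get("name", "<unnamed>")
        # A custom permission only matches requests if it names a path.
        if name not in PREDEFINED and "path" not in perm:
            problems.append(f"permission {name!r} is not predefined and has no 'path'")
        for role in _as_list(perm.get("role")):
            if role not in granted:
                problems.append(f"permission {name!r} requires role {role!r}, which no user holds")
    return problems


# Constructed sample modelled on the thread's file: one curly quote and a
# role ("browseRole") that no entry under "user-role" grants.
SAMPLE = """{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {"admin": "%s"}
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "security-edit", "role": "adminRole"},
      {"name": "collection-admin-edit\u201d, "role": "adminRole"},
      {"name": "browse", "collection": "inventory", "path": "/browse", "role": "browseRole"}
    ],
    "user-role": {"admin": ["adminRole"]}
  }
}""" % make_credential("example-password")

if __name__ == "__main__":
    for problem in lint_security_json(SAMPLE):
        print("-", problem)
```

Run it over the real file before uploading it with zkcli.sh; the linter repairs curly quotes only in memory so that the remaining checks still run, and it reports the original file as invalid. A role that appears in "permissions" but in no "user-role" entry is reported because such a permission cannot be satisfied by any login.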
