" However, after uploading the new security.json and restarting the web browser,"
The browser remembers your login, so it is unlikely to prompt for the credentials again. Why don't you try the RELOAD operation using command line (curl)?

On Tue, Sep 1, 2015 at 10:31 PM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
> The restart issues aside, I’m trying to lock down usage of the Collections
> API, but that also does not seem to be working either.
>
> Here is my security.json. I’m using the “collection-admin-edit” permission
> and assigning it to the “adminRole”. However, after uploading the new
> security.json and restarting the web browser, it doesn’t seem to be requiring
> credentials when calling the RELOAD action on the Collections API. The only
> thing that seems to work is the custom permission “browse” which is requiring
> authentication before allowing me to pull up the page. Am I using the
> permissions correctly for the RuleBasedAuthorizationPlugin?
>
> {
>   "authentication":{
>     "class":"solr.BasicAuthPlugin",
>     "credentials": {
>       "admin":"<pass> <salt>",
>       "user": "<pass> <salt>"
>     }
>   },
>   "authorization":{
>     "class":"solr.RuleBasedAuthorizationPlugin",
>     "permissions": [
>       {
>         "name":"security-edit",
>         "role":"adminRole"
>       },
>       {
>         "name":"collection-admin-edit",
>         "role":"adminRole"
>       },
>       {
>         "name":"browse",
>         "collection": "inventory",
>         "path": "/browse",
>         "role":"browseRole"
>       }
>     ],
>     "user-role": {
>       "admin": [
>         "adminRole",
>         "browseRole"
>       ],
>       "user": [
>         "browseRole"
>       ]
>     }
>   }
> }
>
> Also tried adding the permission using the Authorization API, but no effect,
> still isn’t protecting the Collections API from being invoked without a
> username password. I do see in the Solr logs that it sees the updates
> because it outputs the messages “Updating /security.json …”, “Security node
> changed”, “Initializing authorization plugin:
> solr.RuleBasedAuthorizationPlugin” and “Authentication plugin class obtained
> from ZK: solr.BasicAuthPlugin”.
>
> Thanks,
> Kevin
>
>> On Sep 1, 2015, at 12:31 AM, Noble Paul <noble.p...@gmail.com> wrote:
>>
>> I'm investigating why restarts or first time start does not read the
>> security.json
>>
>> On Tue, Sep 1, 2015 at 1:00 PM, Noble Paul <noble.p...@gmail.com> wrote:
>>> I removed that statement
>>>
>>> "If activating the authorization plugin doesn't protect the admin ui,
>>> how does one protect access to it?"
>>>
>>> One does not need to protect the admin UI. You only need to protect
>>> the relevant API calls. I mean it's OK to not protect the CSS and
>>> HTML stuff. But if you perform an action to create a core or do a
>>> query through admin UI, it automatically will prompt you for
>>> credentials (if those APIs are protected)
>>>
>>> On Tue, Sep 1, 2015 at 12:41 PM, Kevin Lee <kgle...@yahoo.com.invalid>
>>> wrote:
>>>> Thanks for the clarification!
>>>>
>>>> So is the wiki page incorrect at
>>>> https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin
>>>> which says that the admin ui will require authentication once the
>>>> authorization plugin is activated?
>>>>
>>>> "An authorization plugin is also available to configure Solr with
>>>> permissions to perform various activities in the system. Once activated,
>>>> access to the Solr Admin UI and all requests will need to be authenticated
>>>> and users will be required to have the proper authorization for all
>>>> requests, including using the Admin UI and making any API calls."
>>>>
>>>> If activating the authorization plugin doesn't protect the admin ui, how
>>>> does one protect access to it?
>>>>
>>>> Also, the issue I'm having is not just at restart. According to the docs
>>>> security.json should be uploaded to Zookeeper before starting any of the
>>>> Solr instances.
>>>> However, I tried to upload security.json before starting
>>>> any of the Solr instances, but it would not pick up the security config
>>>> until after the Solr instances are already running and then uploading the
>>>> security.json again. I can see in the logs at startup that the Solr
>>>> instances don't see any plugin enabled even though security.json is
>>>> already in zookeeper and then after they are started and the security.json
>>>> is uploaded again I see it reconfigure to use the plugin.
>>>>
>>>> Thanks,
>>>> Kevin
>>>>
>>>>> On Aug 31, 2015, at 11:22 PM, Noble Paul <noble.p...@gmail.com> wrote:
>>>>>
>>>>> Admin UI is not protected by any of these permissions. Only if you try
>>>>> to perform a protected operation, it asks for a password.
>>>>>
>>>>> I'll investigate the restart problem and report my findings
>>>>>
>>>>>> On Tue, Sep 1, 2015 at 3:10 AM, Kevin Lee <kgle...@yahoo.com.invalid>
>>>>>> wrote:
>>>>>> Anyone else running into any issues trying to get the authentication and
>>>>>> authorization plugins in 5.3 working?
>>>>>>
>>>>>>> On Aug 29, 2015, at 2:30 AM, Kevin Lee <kgle...@yahoo.com.INVALID>
>>>>>>> wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I’m trying to use the new basic auth plugin for Solr 5.3 and it doesn’t
>>>>>>> seem to be working quite right. Not sure if I’m missing steps or there
>>>>>>> is a bug. I am able to get it to protect access to a URL under a
>>>>>>> collection, but am unable to get it to secure access to the Admin UI.
>>>>>>> In addition, after stopping the Solr and Zookeeper instances, the
>>>>>>> security.json is still in Zookeeper, however Solr is allowing access to
>>>>>>> everything again like the security configuration isn’t in place.
>>>>>>>
>>>>>>> Contents of security.json taken from wiki page, but edited to produce
>>>>>>> valid JSON. Had to move comma after 3rd from last “}” up to just after
>>>>>>> the last “]”.
>>>>>>>
>>>>>>> {
>>>>>>> "authentication":{
>>>>>>>    "class":"solr.BasicAuthPlugin",
>>>>>>>    "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
>>>>>>> },
>>>>>>> "authorization":{
>>>>>>>    "class":"solr.RuleBasedAuthorizationPlugin",
>>>>>>>    "permissions":[{"name":"security-edit",
>>>>>>>       "role":"admin"}],
>>>>>>>    "user-role":{"solr":"admin"}
>>>>>>> }}
>>>>>>>
>>>>>>> Here are the steps I followed:
>>>>>>>
>>>>>>> Upload security.json to zookeeper
>>>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile /security.json ~/solr/security.json
>>>>>>>
>>>>>>> Use zkCli.sh from Zookeeper to ensure the security.json is in Zookeeper
>>>>>>> at /security.json. It is there and looks like what was originally
>>>>>>> uploaded.
>>>>>>>
>>>>>>> Start Solr Instances
>>>>>>>
>>>>>>> Attempt to create a permission, however get the following error:
>>>>>>> {
>>>>>>>   "responseHeader":{
>>>>>>>     "status":400,
>>>>>>>     "QTime":0},
>>>>>>>   "error":{
>>>>>>>     "msg":"No authorization plugin configured",
>>>>>>>     "code":400}}
>>>>>>>
>>>>>>> Upload security.json again.
>>>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile /security.json ~/solr/security.json
>>>>>>>
>>>>>>> Issue the following to try to create the permission again and this time
>>>>>>> it’s successful.
>>>>>>> # Create a permission for mysearch endpoint
>>>>>>> curl --user solr:SolrRocks -H 'Content-type:application/json' \
>>>>>>>   -d '{"set-permission": {"name":"mycollection-search","collection": "mycollection","path":"/mysearch","role": "search-user"}}' \
>>>>>>>   http://localhost:8983/solr/admin/authorization
>>>>>>>
>>>>>>> {
>>>>>>>   "responseHeader":{
>>>>>>>     "status":0,
>>>>>>>     "QTime":7}}
>>>>>>>
>>>>>>> Issue the following commands to add users
>>>>>>> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication \
>>>>>>>   -H 'Content-type:application/json' -d '{"set-user": {"admin" : "password" }}'
>>>>>>> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication \
>>>>>>>   -H 'Content-type:application/json' -d '{"set-user": {"user" : "password" }}'
>>>>>>>
>>>>>>> Issue the following command to add permission to users
>>>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' \
>>>>>>>   -d '{"set-user-role" : {"admin": ["search-user", "admin"]}}' \
>>>>>>>   http://localhost:8983/solr/admin/authorization
>>>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' \
>>>>>>>   -d '{"set-user-role" : {"user": ["search-user"]}}' \
>>>>>>>   http://localhost:8983/solr/admin/authorization
>>>>>>>
>>>>>>> After executing the above, access to /mysearch is protected until I
>>>>>>> restart the Solr and Zookeeper instances. However, the admin UI is
>>>>>>> never protected like the Wiki page says it should be once activated.
>>>>>>>
>>>>>>> https://cwiki.apache.org/confluence/display/solr/Rule-Based+Authorization+Plugin
>>>>>>>
>>>>>>> Why does the authentication and authorization plugin not stay activated
>>>>>>> after restart and why is the Admin UI never protected? Am I missing
>>>>>>> any steps?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Kevin
>>>>>
>>>>> --
>>>>> -----------------------------------------------------
>>>>> Noble Paul
>>>
>>> --
>>> -----------------------------------------------------
>>> Noble Paul
>>
>> --
>> -----------------------------------------------------
>> Noble Paul
>

--
-----------------------------------------------------
Noble Paul
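
A pre-upload check for the kind of security.json discussed in this thread, as an added example that is not part of the original messages and is not Solr's own code. It reports JSON that fails to parse (pointing at lines that contain typographic quotes), roles named by a permission that no user holds, and users that have roles but no credentials entry; the function names and the sample document are assumptions constructed for illustration.

```python
import json

SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # curly double and single quotes

def as_list(value):
    """A role entry may be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def lint_security_json(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        findings = [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
        # Point at lines where an editor or mail client swapped in curly quotes.
        for n, line in enumerate(text.splitlines(), 1):
            if any(q in line for q in SMART_QUOTES):
                findings.append(f"line {n}: typographic quote character")
        return findings
    findings = []
    creds = doc.get("authentication", {}).get("credentials", {})
    authz = doc.get("authorization", {})
    user_roles = authz.get("user-role", {})
    assigned = {r for roles in user_roles.values() for r in as_list(roles)}
    for user in user_roles:
        if user not in creds:
            findings.append(f"user '{user}' has roles but no credentials")
    for perm in authz.get("permissions", []):
        for role in as_list(perm.get("role")):
            if role not in assigned:
                findings.append(
                    f"permission '{perm.get('name')}': role '{role}' "
                    "is not assigned to any user")
    return findings

# Constructed sample input (placeholders, not from a real deployment).
SAMPLE = '''{
  "authentication": {"class": "solr.BasicAuthPlugin",
                     "credentials": {"admin": "<pass> <salt>"}},
  "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [{"name": "security-edit", "role": "adminRole"},
                    {"name": "collection-admin-edit", "role": "opsRole"}],
    "user-role": {"admin": ["adminRole"], "guest": "browseRole"}}
}'''
# Same document with one closing quote replaced by a curly quote.
BAD_QUOTES = SAMPLE.replace('"collection-admin-edit"', '"collection-admin-edit\u201d')

if __name__ == "__main__":
    for finding in lint_security_json(SAMPLE) + lint_security_json(BAD_QUOTES):
        print(finding)
```
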