Both these are committed. If you could test with the latest 5.3 branch
it would be helpful.

On Wed, Sep 2, 2015 at 5:11 PM, Noble Paul <noble.p...@gmail.com> wrote:
> I opened a ticket for the same
>  https://issues.apache.org/jira/browse/SOLR-8004
>
> On Wed, Sep 2, 2015 at 1:36 PM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
>> I’ve found that completely exiting Chrome or Firefox and opening it back up 
>> re-prompts for credentials when they are required.  It was re-prompting with 
>> the /browse path where authentication was working each time I completely 
>> exited and started the browser again, however it won’t re-prompt unless you 
>> exit completely and close all running instances so I closed all instances 
>> each time to test.
>>
>> However, to make sure I ran it via the command line via curl as suggested 
>> and it still does not give any authentication error when trying to issue the 
>> command via curl.  I get a success response from all the Solr instances that 
>> the reload was successful.
>>
>> Not sure why the pre-canned permissions aren’t working, but the one to the 
>> request handler at the /browse path is.
>>
>>
>>> On Sep 1, 2015, at 11:03 PM, Noble Paul <noble.p...@gmail.com> wrote:
>>>
>>> " However, after uploading the new security.json and restarting the
>>> web browser,"
>>>
>>> The browser remembers your login, so it is unlikely to prompt for the
>>> credentials again.
>>>
>>> Why don't you try the RELOAD operation using command line (curl) ?
>>>
>>> On Tue, Sep 1, 2015 at 10:31 PM, Kevin Lee <kgle...@yahoo.com.invalid> 
>>> wrote:
>>>> The restart issues aside, I’m trying to lockdown usage of the Collections 
>>>> API, but that also does not seem to be working either.
>>>>
>>>> Here is my security.json.  I’m using the “collection-admin-edit” 
>>>> permission and assigning it to the “adminRole”.  However, after uploading 
>>>> the new security.json and restarting the web browser, it doesn’t seem to 
>>>> be requiring credentials when calling the RELOAD action on the Collections 
>>>> API.  The only thing that seems to work is the custom permission “browse” 
>>>> which is requiring authentication before allowing me to pull up the page.  
>>>> Am I using the permissions correctly for the RuleBasedAuthorizationPlugin?
>>>>
>>>> {
>>>>        "authentication":{
>>>>           "class":"solr.BasicAuthPlugin",
>>>>           "credentials": {
>>>>                        "admin":"<pass> <salt>",
>>>>                        "user": "<pass> <salt>"
>>>>                }
>>>>        },
>>>>        "authorization":{
>>>>           "class":"solr.RuleBasedAuthorizationPlugin",
>>>>           "permissions": [
>>>>                        {
>>>>                                "name":"security-edit",
>>>>                                "role":"adminRole"
>>>>                        },
>>>>                        {
>>>>                                "name":"collection-admin-edit",
>>>>                                "role":"adminRole"
>>>>                        },
>>>>                        {
>>>>                                "name":"browse",
>>>>                                "collection": "inventory",
>>>>                                "path": "/browse",
>>>>                                "role":"browseRole"
>>>>                        }
>>>>                ],
>>>>           "user-role": {
>>>>                        "admin": [
>>>>                                "adminRole",
>>>>                                "browseRole"
>>>>                        ],
>>>>                        "user": [
>>>>                                "browseRole"
>>>>                        ]
>>>>                }
>>>>        }
>>>> }
>>>>
>>>> Also tried adding the permission using the Authorization API, but no 
>>>> effect, still isn’t protecting the Collections API from being invoked 
>>>> without a username password.  I do see in the Solr logs that it sees the 
>>>> updates because it outputs the messages “Updating /security.json …”, 
>>>> “Security node changed”, “Initializing authorization plugin: 
>>>> solr.RuleBasedAuthorizationPlugin” and “Authentication plugin class 
>>>> obtained from ZK: solr.BasicAuthPlugin”.
>>>>
>>>> Thanks,
>>>> Kevin
>>>>
>>>>> On Sep 1, 2015, at 12:31 AM, Noble Paul <noble.p...@gmail.com> wrote:
>>>>>
>>>>> I'm investigating why restarts or first time start does not read the
>>>>> security.json
>>>>>
>>>>> On Tue, Sep 1, 2015 at 1:00 PM, Noble Paul <noble.p...@gmail.com> wrote:
>>>>>> I removed that statement
>>>>>>
>>>>>> "If activating the authorization plugin doesn't protect the admin ui,
>>>>>> how does one protect access to it?"
>>>>>>
>>>>>> One does not need to protect the admin UI. You only need to protect
>>>>>> the relevant API calls. I mean it's OK to not protect the CSS and
>>>>>> HTML stuff.  But if you perform an action to create a core or do a
>>>>>> query through admin UI, it automatically will prompt you for
>>>>>> credentials (if those APIs are protected)
>>>>>>
>>>>>> On Tue, Sep 1, 2015 at 12:41 PM, Kevin Lee <kgle...@yahoo.com.invalid> 
>>>>>> wrote:
>>>>>>> Thanks for the clarification!
>>>>>>>
>>>>>>> So is the wiki page incorrect at
>>>>>>> https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin
>>>>>>>  which says that the admin ui will require authentication once the 
>>>>>>> authorization plugin is activated?
>>>>>>>
>>>>>>> "An authorization plugin is also available to configure Solr with 
>>>>>>> permissions to perform various activities in the system. Once 
>>>>>>> activated, access to the Solr Admin UI and all requests will need to be 
>>>>>>> authenticated and users will be required to have the proper 
>>>>>>> authorization for all requests, including using the Admin UI and making 
>>>>>>> any API calls."
>>>>>>>
>>>>>>> If activating the authorization plugin doesn't protect the admin ui, 
>>>>>>> how does one protect access to it?
>>>>>>>
>>>>>>> Also, the issue I'm having is not just at restart.  According to the 
>>>>>>> docs security.json should be uploaded to Zookeeper before starting any 
>>>>>>> of the Solr instances.  However, I tried to upload security.json before 
>>>>>>> starting any of the Solr instances, but it would not pick up the 
>>>>>>> security config until after the Solr instances are already running and 
>>>>>>> then uploading the security.json again.  I can see in the logs at 
>>>>>>> startup that the Solr instances don't see any plugin enabled even 
>>>>>>> though security.json is already in zookeeper and then after they are 
>>>>>>> started and the security.json is uploaded again I see it reconfigure to 
>>>>>>> use the plugin.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Kevin
>>>>>>>
>>>>>>>> On Aug 31, 2015, at 11:22 PM, Noble Paul <noble.p...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> Admin UI is not protected by any of these permissions. Only if you try
>>>>>>>> to perform a protected operation, it asks for a password.
>>>>>>>>
>>>>>>>> I'll investigate the restart problem and report my findings
>>>>>>>>
>>>>>>>>> On Tue, Sep 1, 2015 at 3:10 AM, Kevin Lee <kgle...@yahoo.com.invalid> 
>>>>>>>>> wrote:
>>>>>>>>> Anyone else running into any issues trying to get the authentication 
>>>>>>>>> and authorization plugins in 5.3 working?
>>>>>>>>>
>>>>>>>>>> On Aug 29, 2015, at 2:30 AM, Kevin Lee <kgle...@yahoo.com.INVALID> 
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I’m trying to use the new basic auth plugin for Solr 5.3 and it 
>>>>>>>>>> doesn’t seem to be working quite right.  Not sure if I’m missing 
>>>>>>>>>> steps or there is a bug.  I am able to get it to protect access to a 
>>>>>>>>>> URL under a collection, but am unable to get it to secure access to 
>>>>>>>>>> the Admin UI.  In addition, after stopping the Solr and Zookeeper 
>>>>>>>>>> instances, the security.json is still in Zookeeper, however Solr is 
>>>>>>>>>> allowing access to everything again like the security configuration 
>>>>>>>>>> isn’t in place.
>>>>>>>>>>
>>>>>>>>>> Contents of security.json taken from wiki page, but edited to 
>>>>>>>>>> produce valid JSON.  Had to move comma after 3rd from last “}” up to 
>>>>>>>>>> just after the last “]”.
>>>>>>>>>>
>>>>>>>>>> {
>>>>>>>>>> "authentication":{
>>>>>>>>>> "class":"solr.BasicAuthPlugin",
>>>>>>>>>> "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= 
>>>>>>>>>> Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
>>>>>>>>>> },
>>>>>>>>>> "authorization":{
>>>>>>>>>> "class":"solr.RuleBasedAuthorizationPlugin",
>>>>>>>>>> "permissions":[{"name":"security-edit",
>>>>>>>>>>  "role":"admin"}],
>>>>>>>>>> "user-role":{"solr":"admin"}
>>>>>>>>>> }}
>>>>>>>>>>
>>>>>>>>>> Here are the steps I followed:
>>>>>>>>>>
>>>>>>>>>> Upload security.json to zookeeper
>>>>>>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd 
>>>>>>>>>> putfile /security.json ~/solr/security.json
>>>>>>>>>>
>>>>>>>>>> Use zkCli.sh from Zookeeper to ensure the security.json is in 
>>>>>>>>>> Zookeeper at /security.json.  It is there and looks like what was 
>>>>>>>>>> originally uploaded.
>>>>>>>>>>
>>>>>>>>>> Start Solr Instances
>>>>>>>>>>
>>>>>>>>>> Attempt to create a permission, however get the following error:
>>>>>>>>>> {
>>>>>>>>>> "responseHeader":{
>>>>>>>>>> "status":400,
>>>>>>>>>> "QTime":0},
>>>>>>>>>> "error":{
>>>>>>>>>> "msg":"No authorization plugin configured",
>>>>>>>>>> "code":400}}
>>>>>>>>>>
>>>>>>>>>> Upload security.json again.
>>>>>>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd 
>>>>>>>>>> putfile /security.json ~/solr/security.json
>>>>>>>>>>
>>>>>>>>>> Issue the following to try to create the permission again and this 
>>>>>>>>>> time it’s successful.
>>>>>>>>>> // Create a permission for mysearch endpoint
>>>>>>>>>>        curl --user solr:SolrRocks -H 'Content-type:application/json' 
>>>>>>>>>> -d '{"set-permission": {"name":"mycollection-search","collection": 
>>>>>>>>>> "mycollection","path":"/mysearch","role": "search-user"}}' 
>>>>>>>>>> http://localhost:8983/solr/admin/authorization
>>>>>>>>>>
>>>>>>>>>> {
>>>>>>>>>>  "responseHeader":{
>>>>>>>>>>    "status":0,
>>>>>>>>>>    "QTime":7}}
>>>>>>>>>>
>>>>>>>>>> Issue the following commands to add users
>>>>>>>>>> curl --user solr:SolrRocks 
>>>>>>>>>> http://localhost:8983/solr/admin/authentication -H 
>>>>>>>>>> 'Content-type:application/json' -d '{"set-user": {"admin" : 
>>>>>>>>>> "password" }}'
>>>>>>>>>> curl --user solr:SolrRocks 
>>>>>>>>>> http://localhost:8983/solr/admin/authentication -H 
>>>>>>>>>> 'Content-type:application/json' -d '{"set-user": {"user" : 
>>>>>>>>>> "password" }}'
>>>>>>>>>>
>>>>>>>>>> Issue the following command to add permission to users
>>>>>>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{ 
>>>>>>>>>> "set-user-role" : {"admin": ["search-user", "admin"]}}' 
>>>>>>>>>> http://localhost:8983/solr/admin/authorization
>>>>>>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{ 
>>>>>>>>>> "set-user-role" : {"user": ["search-user"]}}' 
>>>>>>>>>> http://localhost:8983/solr/admin/authorization
>>>>>>>>>>
>>>>>>>>>> After executing the above, access to /mysearch is protected until I 
>>>>>>>>>> restart the Solr and Zookeeper instances.  However, the admin UI is 
>>>>>>>>>> never protected like the Wiki page says it should be once activated.
>>>>>>>>>>
>>>>>>>>>> https://cwiki.apache.org/confluence/display/solr/Rule-Based+Authorization+Plugin
>>>>>>>>>>
>>>>>>>>>> Why does the authentication and authorization plugin not stay 
>>>>>>>>>> activated after restart and why is the Admin UI never protected?  Am 
>>>>>>>>>> I missing any steps?
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Kevin
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> -----------------------------------------------------
>>>>>>>> Noble Paul



-- 
-----------------------------------------------------
Noble Paul
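
A pre-upload check for the kind of security.json discussed in this thread, as an added example (not code from the thread or from Solr): it flags typographic quotes and invalid JSON, roles named in a permission that no user holds, and users with credentials but no role. The function name, the messages and the two sample documents are constructed for illustration, and the checks are this example's own, not Solr's validation.

```python
import json

# Typographic quotes that mail clients and wiki pages substitute for ASCII ones.
SMART_QUOTES = "\u201c\u201d\u2018\u2019"


def lint_security_json(text):
    """Return a list of problems found in a security.json document."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for ch in SMART_QUOTES:
            if ch in line:
                problems.append(f"line {lineno}: typographic quote U+{ord(ch):04X}")
    try:
        conf = json.loads(text)
    except json.JSONDecodeError as exc:
        problems.append(f"invalid JSON at line {exc.lineno}: {exc.msg}")
        return problems
    authz = conf.get("authorization", {})
    # A user-role value is either one role name or a list of role names.
    user_roles = {
        user: {roles} if isinstance(roles, str) else set(roles)
        for user, roles in authz.get("user-role", {}).items()
    }
    assigned = set().union(*user_roles.values())
    for perm in authz.get("permissions", []):
        role = perm.get("role")
        for r in [role] if isinstance(role, str) else (role or []):
            if r not in assigned:
                problems.append(f"permission {perm.get('name')}: role {r} has no user")
    for user in conf.get("authentication", {}).get("credentials", {}):
        if user not in user_roles:
            problems.append(f"user {user}: credentials but no role")
    return problems


# Constructed samples modelled on the files in the thread (not the poster's files).
BAD_QUOTE = '''{"authorization": {
  "class": "solr.RuleBasedAuthorizationPlugin",
  "permissions": [
    {"name": "collection-admin-edit\u201d, "role": "adminRole"}],
  "user-role": {"admin": ["adminRole"]}}}'''
BAD_ROLES = '''{
  "authentication": {"credentials": {"solr": "<pass> <salt>", "user": "<pass> <salt>"}},
  "authorization": {"permissions": [{"name": "security-edit", "role": "adminRole"}],
                    "user-role": {"solr": "admin"}}}'''

if __name__ == "__main__":
    print(lint_security_json(BAD_QUOTE), lint_security_json(BAD_ROLES), sep="\n")
```

Run it against the file before the zkcli putfile step; an empty list means none of these checks fired.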
