Thanks Dan! Please let us know what you find. I’m interested to know if this is an issue with anyone else’s setup or if I have an issue in my local configuration that is still preventing it from working on start/restart.
- Kevin

> On Sep 5, 2015, at 8:45 AM, Dan Davis <dansm...@gmail.com> wrote:
>
> Kevin & Noble,
>
> I'll take it on to test this. I've built from source before, and I've
> wanted this authorization capability for awhile.
>
> On Fri, Sep 4, 2015 at 9:59 AM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
>
>> Noble,
>>
>> Does SOLR-8000 need to be re-opened? Has anyone else been able to test
>> the restart fix?
>>
>> At startup, these are the log messages that say there is no security
>> configuration and the plugins aren’t being used even though security.json
>> is in Zookeeper:
>> 2015-09-04 08:06:21.205 INFO (main) [ ] o.a.s.c.CoreContainer Security conf doesn't exist. Skipping setup for authorization module.
>> 2015-09-04 08:06:21.205 INFO (main) [ ] o.a.s.c.CoreContainer No authentication plugin used.
>>
>> Thanks,
>> Kevin
>>
>>> On Sep 4, 2015, at 5:47 AM, Noble Paul <noble.p...@gmail.com> wrote:
>>>
>>> There are no download links for 5.3.x branch till we do a bug fix release
>>>
>>> If you wish to download the trunk nightly (which is not same as 5.3.0)
>>> check here
>>> https://builds.apache.org/job/Solr-Artifacts-trunk/lastSuccessfulBuild/artifact/solr/package/
>>>
>>> If you wish to get the binaries for 5.3 branch you will have to make it
>>> (you will need to install svn and ant)
>>>
>>> Here are the steps
>>>
>>> svn checkout http://svn.apache.org/repos/asf/lucene/dev/branches/lucene_solr_5_3/
>>> cd lucene_solr_5_3/solr
>>> ant server
>>>
>>> On Fri, Sep 4, 2015 at 4:11 PM, davidphilip cherian
>>> <davidphilipcher...@gmail.com> wrote:
>>>> Hi Kevin/Noble,
>>>>
>>>> What is the download link to take the latest? What are the steps to
>>>> compile it, test and use?
>>>> We also have a use case to have this feature in solr too. Therefore,
>>>> wanted to test and above info would help a lot to get started.
>>>>
>>>> Thanks.
>>>>
>>>> On Fri, Sep 4, 2015 at 1:45 PM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
>>>>
>>>>> Thanks, I downloaded the source and compiled it and replaced the jar
>>>>> file in the dist and solr-webapp’s WEB-INF/lib directory. It does seem
>>>>> to be protecting the Collections API reload command now as long as I
>>>>> upload the security.json after startup of the Solr instances. If I shut
>>>>> down and bring the instances back up, the security is no longer in place
>>>>> and I have to upload the security.json again for it to take effect.
>>>>>
>>>>> - Kevin
>>>>>
>>>>>> On Sep 3, 2015, at 10:29 PM, Noble Paul <noble.p...@gmail.com> wrote:
>>>>>>
>>>>>> Both these are committed. If you could test with the latest 5.3 branch
>>>>>> it would be helpful
>>>>>>
>>>>>> On Wed, Sep 2, 2015 at 5:11 PM, Noble Paul <noble.p...@gmail.com> wrote:
>>>>>>> I opened a ticket for the same
>>>>>>> https://issues.apache.org/jira/browse/SOLR-8004
>>>>>>>
>>>>>>> On Wed, Sep 2, 2015 at 1:36 PM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
>>>>>>>> I’ve found that completely exiting Chrome or Firefox and opening it
>>>>>>>> back up re-prompts for credentials when they are required. It was
>>>>>>>> re-prompting with the /browse path where authentication was working
>>>>>>>> each time I completely exited and started the browser again, however
>>>>>>>> it won’t re-prompt unless you exit completely and close all running
>>>>>>>> instances so I closed all instances each time to test.
>>>>>>>>
>>>>>>>> However, to make sure I ran it via the command line via curl as
>>>>>>>> suggested and it still does not give any authentication error when
>>>>>>>> trying to issue the command via curl. I get a success response from
>>>>>>>> all the Solr instances that the reload was successful.
>>>>>>>>
>>>>>>>> Not sure why the pre-canned permissions aren’t working, but the one
>>>>>>>> to the request handler at the /browse path is.
>>>>>>>>
>>>>>>>>> On Sep 1, 2015, at 11:03 PM, Noble Paul <noble.p...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> " However, after uploading the new security.json and restarting the
>>>>>>>>> web browser,"
>>>>>>>>>
>>>>>>>>> The browser remembers your login, so it is unlikely to prompt for
>>>>>>>>> the credentials again.
>>>>>>>>>
>>>>>>>>> Why don't you try the RELOAD operation using command line (curl)?
>>>>>>>>>
>>>>>>>>> On Tue, Sep 1, 2015 at 10:31 PM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
>>>>>>>>>> The restart issues aside, I’m trying to lockdown usage of the
>>>>>>>>>> Collections API, but that also does not seem to be working either.
>>>>>>>>>>
>>>>>>>>>> Here is my security.json. I’m using the “collection-admin-edit”
>>>>>>>>>> permission and assigning it to the “adminRole”. However, after
>>>>>>>>>> uploading the new security.json and restarting the web browser, it
>>>>>>>>>> doesn’t seem to be requiring credentials when calling the RELOAD
>>>>>>>>>> action on the Collections API. The only thing that seems to work is
>>>>>>>>>> the custom permission “browse” which is requiring authentication
>>>>>>>>>> before allowing me to pull up the page. Am I using the permissions
>>>>>>>>>> correctly for the RuleBasedAuthorizationPlugin?
>>>>>>>>>>
>>>>>>>>>> {
>>>>>>>>>>   "authentication":{
>>>>>>>>>>     "class":"solr.BasicAuthPlugin",
>>>>>>>>>>     "credentials": {
>>>>>>>>>>       "admin":"<pass> <salt>",
>>>>>>>>>>       "user": "<pass> <salt>"
>>>>>>>>>>     }
>>>>>>>>>>   },
>>>>>>>>>>   "authorization":{
>>>>>>>>>>     "class":"solr.RuleBasedAuthorizationPlugin",
>>>>>>>>>>     "permissions": [
>>>>>>>>>>       {
>>>>>>>>>>         "name":"security-edit",
>>>>>>>>>>         "role":"adminRole"
>>>>>>>>>>       },
>>>>>>>>>>       {
>>>>>>>>>>         "name":"collection-admin-edit",
>>>>>>>>>>         "role":"adminRole"
>>>>>>>>>>       },
>>>>>>>>>>       {
>>>>>>>>>>         "name":"browse",
>>>>>>>>>>         "collection": "inventory",
>>>>>>>>>>         "path": "/browse",
>>>>>>>>>>         "role":"browseRole"
>>>>>>>>>>       }
>>>>>>>>>>     ],
>>>>>>>>>>     "user-role": {
>>>>>>>>>>       "admin": [
>>>>>>>>>>         "adminRole",
>>>>>>>>>>         "browseRole"
>>>>>>>>>>       ],
>>>>>>>>>>       "user": [
>>>>>>>>>>         "browseRole"
>>>>>>>>>>       ]
>>>>>>>>>>     }
>>>>>>>>>>   }
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> Also tried adding the permission using the Authorization API, but
>>>>>>>>>> no effect, still isn’t protecting the Collections API from being
>>>>>>>>>> invoked without a username password. I do see in the Solr logs that
>>>>>>>>>> it sees the updates because it outputs the messages “Updating
>>>>>>>>>> /security.json …”, “Security node changed”, “Initializing
>>>>>>>>>> authorization plugin: solr.RuleBasedAuthorizationPlugin” and
>>>>>>>>>> “Authentication plugin class obtained from ZK: solr.BasicAuthPlugin”.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Kevin
>>>>>>>>>>
>>>>>>>>>>> On Sep 1, 2015, at 12:31 AM, Noble Paul <noble.p...@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> I'm investigating why restarts or first time start does not read
>>>>>>>>>>> the security.json
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Sep 1, 2015 at 1:00 PM, Noble Paul <noble.p...@gmail.com> wrote:
>>>>>>>>>>>> I removed that statement
>>>>>>>>>>>>
>>>>>>>>>>>> "If activating the authorization plugin doesn't protect the admin
>>>>>>>>>>>> ui, how does one protect access to it?"
>>>>>>>>>>>>
>>>>>>>>>>>> One does not need to protect the admin UI. You only need to
>>>>>>>>>>>> protect the relevant API calls. I mean it's OK to not protect the
>>>>>>>>>>>> CSS and HTML stuff. But if you perform an action to create a core
>>>>>>>>>>>> or do a query through admin UI, it automatically will prompt you
>>>>>>>>>>>> for credentials (if those APIs are protected)
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Sep 1, 2015 at 12:41 PM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
>>>>>>>>>>>>> Thanks for the clarification!
>>>>>>>>>>>>>
>>>>>>>>>>>>> So is the wiki page incorrect at
>>>>>>>>>>>>> https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin
>>>>>>>>>>>>> which says that the admin ui will require authentication once
>>>>>>>>>>>>> the authorization plugin is activated?
>>>>>>>>>>>>>
>>>>>>>>>>>>> "An authorization plugin is also available to configure Solr
>>>>>>>>>>>>> with permissions to perform various activities in the system.
>>>>>>>>>>>>> Once activated, access to the Solr Admin UI and all requests
>>>>>>>>>>>>> will need to be authenticated and users will be required to have
>>>>>>>>>>>>> the proper authorization for all requests, including using the
>>>>>>>>>>>>> Admin UI and making any API calls."
>>>>>>>>>>>>>
>>>>>>>>>>>>> If activating the authorization plugin doesn't protect the admin
>>>>>>>>>>>>> ui, how does one protect access to it?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Also, the issue I'm having is not just at restart. According to
>>>>>>>>>>>>> the docs security.json should be uploaded to Zookeeper before
>>>>>>>>>>>>> starting any of the Solr instances. However, I tried to upload
>>>>>>>>>>>>> security.json before starting any of the Solr instances, but it
>>>>>>>>>>>>> would not pick up the security config until after the Solr
>>>>>>>>>>>>> instances are already running and then uploading the
>>>>>>>>>>>>> security.json again.
>>>>>>>>>>>>> I can see in the logs at startup that the Solr instances don't
>>>>>>>>>>>>> see any plugin enabled even though security.json is already in
>>>>>>>>>>>>> zookeeper and then after they are started and the security.json
>>>>>>>>>>>>> is uploaded again I see it reconfigure to use the plugin.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>> Kevin
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Aug 31, 2015, at 11:22 PM, Noble Paul <noble.p...@gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Admin UI is not protected by any of these permissions. Only if
>>>>>>>>>>>>>> you try to perform a protected operation, it asks for a password.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'll investigate the restart problem and report my findings
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Tue, Sep 1, 2015 at 3:10 AM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
>>>>>>>>>>>>>>> Anyone else running into any issues trying to get the
>>>>>>>>>>>>>>> authentication and authorization plugins in 5.3 working?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Aug 29, 2015, at 2:30 AM, Kevin Lee <kgle...@yahoo.com.INVALID> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I’m trying to use the new basic auth plugin for Solr 5.3 and
>>>>>>>>>>>>>>>> it doesn’t seem to be working quite right. Not sure if I’m
>>>>>>>>>>>>>>>> missing steps or there is a bug. I am able to get it to
>>>>>>>>>>>>>>>> protect access to a URL under a collection, but am unable to
>>>>>>>>>>>>>>>> get it to secure access to the Admin UI. In addition, after
>>>>>>>>>>>>>>>> stopping the Solr and Zookeeper instances, the security.json
>>>>>>>>>>>>>>>> is still in Zookeeper, however Solr is allowing access to
>>>>>>>>>>>>>>>> everything again like the security configuration isn’t in
>>>>>>>>>>>>>>>> place.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Contents of security.json taken from wiki page, but edited to
>>>>>>>>>>>>>>>> produce valid JSON. Had to move comma after 3rd from last “}”
>>>>>>>>>>>>>>>> up to just after the last “]”.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> {
>>>>>>>>>>>>>>>> "authentication":{
>>>>>>>>>>>>>>>>   "class":"solr.BasicAuthPlugin",
>>>>>>>>>>>>>>>>   "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
>>>>>>>>>>>>>>>> },
>>>>>>>>>>>>>>>> "authorization":{
>>>>>>>>>>>>>>>>   "class":"solr.RuleBasedAuthorizationPlugin",
>>>>>>>>>>>>>>>>   "permissions":[{"name":"security-edit",
>>>>>>>>>>>>>>>>      "role":"admin"}],
>>>>>>>>>>>>>>>>   "user-role":{"solr":"admin"}
>>>>>>>>>>>>>>>> }}
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Here are the steps I followed:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Upload security.json to zookeeper
>>>>>>>>>>>>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile /security.json ~/solr/security.json
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Use zkCli.sh from Zookeeper to ensure the security.json is in
>>>>>>>>>>>>>>>> Zookeeper at /security.json. It is there and looks like what
>>>>>>>>>>>>>>>> was originally uploaded.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Start Solr Instances
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Attempt to create a permission, however get the following
>>>>>>>>>>>>>>>> error:
>>>>>>>>>>>>>>>> {
>>>>>>>>>>>>>>>>   "responseHeader":{
>>>>>>>>>>>>>>>>     "status":400,
>>>>>>>>>>>>>>>>     "QTime":0},
>>>>>>>>>>>>>>>>   "error":{
>>>>>>>>>>>>>>>>     "msg":"No authorization plugin configured",
>>>>>>>>>>>>>>>>     "code":400}}
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Upload security.json again.
>>>>>>>>>>>>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile /security.json ~/solr/security.json
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Issue the following to try to create the permission again and
>>>>>>>>>>>>>>>> this time it’s successful.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> // Create a permission for mysearch endpoint
>>>>>>>>>>>>>>>> curl --user solr:SolrRocks -H 'Content-type:application/json' -d '{"set-permission": {"name":"mycollection-search","collection": "mycollection","path":"/mysearch","role": "search-user"}}' http://localhost:8983/solr/admin/authorization
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> {
>>>>>>>>>>>>>>>>   "responseHeader":{
>>>>>>>>>>>>>>>>     "status":0,
>>>>>>>>>>>>>>>>     "QTime":7}}
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Issue the following commands to add users
>>>>>>>>>>>>>>>> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{"set-user": {"admin" : "password" }}'
>>>>>>>>>>>>>>>> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{"set-user": {"user" : "password" }}'
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Issue the following command to add permission to users
>>>>>>>>>>>>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{ "set-user-role" : {"admin": ["search-user", "admin"]}}' http://localhost:8983/solr/admin/authorization
>>>>>>>>>>>>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{ "set-user-role" : {"user": ["search-user"]}}' http://localhost:8983/solr/admin/authorization
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> After executing the above, access to /mysearch is protected
>>>>>>>>>>>>>>>> until I restart the Solr and Zookeeper instances. However,
>>>>>>>>>>>>>>>> the admin UI is never protected like the Wiki page says it
>>>>>>>>>>>>>>>> should be once activated.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> https://cwiki.apache.org/confluence/display/solr/Rule-Based+Authorization+Plugin <https://cwiki.apache.org/confluence/display/solr/Rule-Based+Authorization+Plugin>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Why does the authentication and authorization plugin not stay
>>>>>>>>>>>>>>>> activated after restart and why is the Admin UI never
>>>>>>>>>>>>>>>> protected? Am I missing any steps?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>> Kevin
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> -----------------------------------------------------
>>>>>>>>>>>>>> Noble Paul
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> -----------------------------------------------------
>>>>>>>>>>>> Noble Paul
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> -----------------------------------------------------
>>>>>>>>>>> Noble Paul
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> -----------------------------------------------------
>>>>>>>>> Noble Paul
>>>>>>>
>>>>>>> --
>>>>>>> -----------------------------------------------------
>>>>>>> Noble Paul
>>>>>>
>>>>>> --
>>>>>> -----------------------------------------------------
>>>>>> Noble Paul
>>>
>>> --
>>> -----------------------------------------------------
>>> Noble Paul