The authorization plugin is new in Solr 5.3.    It is hard to describe a secure 
Solr 5.2.1 environment simply - the basics are to protect /solr by placing it 
behind Apache httpd or nginx, and also a port-based firewall.   I am most 
familiar with Apache httpd and Linux/RedHat family.

Within the Apache httpd configuration, I have a single virtual host, but 
multiple locations defined, each with different security.

So, now we're past simple and on to specific and complicated.   Here's a sample 
fictionalized fragment of an Apache httpd.conf, perhaps something you would put 
in /etc/httpd/conf.d/solr.conf on CentOS or 
/etc/apache/conf.enabled.d/solr.conf on Ubuntu:

# Solr is admin and requires specific users to login with particular AuthType - basic is pretty basic
<Location /solr>
  AuthName "NLM Login"
  AuthType Basic
  Require user merlin

  ProxyPass http://127.0.0.1:8983/solr retry=0
  ProxyPassReverse http://127.0.0.1:8983/solr
</Location>

# Allow select on lrprod collection from 10.1.0.0/24 subnet
<Location /proxy/lrprod/select>
  ProxyPass http://127.0.0.1:8983/solr/lrprod/select
  ProxyPassReverse http://127.0.0.1:8983/solr/lrprod/select
  Options -MultiViews
  Order allow,deny
  Allow from 10.1.0.0/24 127.0.0.1
</Location>

# Allow update on lrprod collection from specific IPs in that subnet
<Location /proxy/lrprod/update>
  ProxyPass http://127.0.0.1:8983/solr/lrprod/update
  ProxyPassReverse http://127.0.0.1:8983/solr/lrprod/update
  Options -MultiViews
  Order allow,deny
  Allow from 10.1.0.17 10.1.0.18 127.0.0.1
</Location>

In addition, I open the following ports on my hosts to the other hosts using 
Linux iptables for the cluster

# allow other nodes to reach each other
ACCEPT     tcp  --  10.1.1.0/24            0.0.0.0/0           state NEW tcp dpt:8983
# zookeeper is running locally in my setup, so:
ACCEPT     tcp  --  10.1.1.0/24            0.0.0.0/0           state NEW tcp dpt:2181
ACCEPT     tcp  --  10.1.1.0/24            0.0.0.0/0           state NEW tcp dpt:2888
ACCEPT     tcp  --  10.1.1.0/24            0.0.0.0/0           state NEW tcp dpt:3888

I hope this too long post is not didn't read.

-----Original Message-----
From: Merlin Morgenstern [mailto:merlin.morgenst...@gmail.com] 
Sent: Friday, September 11, 2015 10:30 AM
To: solr-user@lucene.apache.org; noble.p...@gmail.com
Subject: Re: How to secure Admin UI with Basic Auth in Solr 5.3.x

Thank you for the info.

I have already downgraded to 5.2.x as this is a production setup.
Unfortunately I have the same trouble there ... Any suggestions how to fix 
this? What is the recommended procedure in securing the admin gui on prod 
setups?

2015-09-11 14:26 GMT+02:00 Noble Paul <noble.p...@gmail.com>:

> There were some bugs with the 5.3.0 release and 5.3.1 is in the 
> process of getting released.
>
> try out the option #2 with the RC here
>
>
> https://dist.apache.org/repos/dist/dev/lucene/lucene-solr-5.3.1-RC1-rev1702389/solr/
>
>
>
> On Fri, Sep 11, 2015 at 5:16 PM, Merlin Morgenstern 
> <merlin.morgenst...@gmail.com> wrote:
> > OK, I downgraded to solr 5.2.x
> >
> > Unfortunately still no luck. I followed 2 approaches:
> >
> > 1. Secure it the old fashioned way like described here:
> >
> > http://stackoverflow.com/questions/28043957/how-to-set-apache-solr-admin-password
> >
> > 2. Using the Basic Authentication Plugin like described here:
> > http://lucidworks.com/blog/securing-solr-basic-auth-permission-rules/
> >
> > Both approaches created unsolved problems.
> >
> > While following option 1, I was able to secure the Admin UI with 
> > basic authentication, but no longer able to access my application 
> > despite the fact that it was working on solr 3.x with the same type 
> > of authentication procedure and credentials.
> >
> > While following option 2, I was stuck right after uploading the 
> > security.json file to the zookeeper ensemble. The described 
> > behaviour to curl
> > http://localhost:8983/solr/admin/authentication responded with a 404 
> > not found and then solr could not connect to zookeeper. I had to 
> > remove that file from zookeeper and restart all solr nodes.
> >
> > Please could someone lead me the way on how to secure the Admin UI 
> > and password protect solr cloud? I have a perfectly running system 
> > with solr 3.x and one core and now taking it to solr cloud 5.2.x 
> > into production seems to be stopped by simple authorization problems.
> >
> > Thank you in advance for any help.
> >
> >
> >
> > 2015-09-10 20:42 GMT+02:00 Noble Paul <noble.p...@gmail.com>:
> >
> >> Check this https://cwiki.apache.org/confluence/display/solr/Securing+Solr
> >>
> >> There are a couple of bugs in 5.3.0 and a bug fix release is coming up 
> >> over the next few days.
> >>
> >> We don't provide any specific means to restrict access to admin UI 
> >> itself. However we let users specify fine grained ACLs on various 
> >> operations such as collection-admin-edit, read etc
> >>
> >> On Wed, Sep 9, 2015 at 2:35 PM, Merlin Morgenstern 
> >> <merlin.morgenst...@gmail.com> wrote:
> >> > I just installed solr cloud 5.3.x and found that the way to 
> >> > secure the admin
> >> > ui has changed. Apparently there is a new plugin which does role 
> >> > based authentication and all info on how to secure the admin UI 
> >> > found on the
> >> > net is outdated.
> >> >
> >> > I do not need role based authentication but just simply want to 
> >> > put basic
> >> > authentication to the Admin UI.
> >> >
> >> > How do I configure solr cloud 5.3.x in order to restrict access 
> >> > to the Admin UI via Basic Authentication?
> >> >
> >> > Thank you for any help
> >>
> >>
> >>
> >> --
> >> -----------------------------------------------------
> >> Noble Paul
> >>
>
>
>
> --
> -----------------------------------------------------
> Noble Paul
>

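The three locations from the httpd fragment at the top of this message, rewritten in Apache httpd 2.4 authorization syntax, as an added example that is not part of the original thread. `Require ip` replaces `Order`/`Allow from`, which 2.4 only honours through mod_access_compat; the file-based password provider and the htpasswd path are assumptions (the path is a placeholder), everything else is taken from that fragment.

```apache
# Admin UI and everything else under /solr: named users only.
<Location /solr>
  AuthType Basic
  AuthName "NLM Login"
  # Assumption: passwords live in an htpasswd file; placeholder path.
  AuthBasicProvider file
  AuthUserFile /path/to/solr.htpasswd
  Require user merlin

  ProxyPass http://127.0.0.1:8983/solr retry=0
  ProxyPassReverse http://127.0.0.1:8983/solr
</Location>

# Queries against lrprod: the 10.1.0.0/24 subnet and localhost, no login.
<Location /proxy/lrprod/select>
  ProxyPass http://127.0.0.1:8983/solr/lrprod/select
  ProxyPassReverse http://127.0.0.1:8983/solr/lrprod/select
  Options -MultiViews
  # 2.4 equivalent of "Order allow,deny" + "Allow from ..."
  Require ip 10.1.0.0/24 127.0.0.1
</Location>

# Updates to lrprod: two named indexing hosts and localhost only.
<Location /proxy/lrprod/update>
  ProxyPass http://127.0.0.1:8983/solr/lrprod/update
  ProxyPassReverse http://127.0.0.1:8983/solr/lrprod/update
  Options -MultiViews
  Require ip 10.1.0.17 10.1.0.18 127.0.0.1
</Location>
```

Basic credentials travel base64-encoded, so the virtual host carrying `/solr` should be served over TLS, and the iptables rules still have to keep port 8983 unreachable from anything but the cluster nodes, otherwise clients can bypass the proxy entirely.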