I switched solr from standalone to cloud and created the two collections (emails1 and emails2).
I was able to create a basic set of credentials via the curl-based API's. I could create users, and toggle the blockUnknown property status. However, the system refused to allow me to delete a user, or to set a permission. Here are the curl commands (with *terry:admin* as admin credentials) and results: *succeeded in setting blockUnknown property (verified by admin/authentication dump):* curl --user terry:admin http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{ "set-property": {"blockUnknown" : true}}' *succeeded in adding a user (verified by admin/authentication dump):* curl --user terry:admin http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{ > "set-user": {"lanny" : "hawaii"}}' *succeeded in changing lanny's password (verified by admin/authentication dump):* curl --user terry:admin http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{ "set-user": {"lanny" : "hawaii_five_o"}}' *failed to delete a user:* curl --user terry:admin http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{ "delete-user": {"lanny"}}' { "responseHeader":{ "status":500, "QTime":1}, "error":{ "msg":"Expected key,value separator ':': char=},position=26 BEFORE='{ \"delete-user\": {\"lanny\"}' AFTER='}'", [terry here: plus a very long stack trace} *failed to set a permission: * curl --user terry:admin http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{"set-permission" : {"name":"collection-admin-edit", "role":"admin"}}' { "responseHeader":{ "status":0, "QTime":2}, "errorMessages":[{ "set-permission":{ "name":"collection-admin-edit", "role":"admin"}, "errorMessages":["Unknown operation 'set-permission' "]}]} This really makes no sense at all (or, I'm really losing it - always a distinct possibility). It's almost as if half of the documented parameters must have been changed, though I can't find any references to any such changes. I confess I'm about to just give up and find some other route to go. Terry On 03/12/2018 11:15 PM, Shawn Heisey wrote: > On 3/12/2018 8:39 PM, Terry Steichen wrote: >> I'm increasingly of the view that Solr's authentication/authorization >> mechanism doesn't work correctly in a _standalone_ mode. It was present >> in the cloud mode for quite a few versions back, but as of 6.0.0 (or so) >> it was supposed to be available in standalone mode too. It seems to >> partly work (when using the built-in permissions), but does not seem to >> work with customized, core-specific permissions. > > I suspected based on your last message that the authorization feature > might only work correctly in SolrCloud. The entire authentication > feature was designed for SolrCloud. Version 6.5 brought the > security.json file to standalone mode. This was LONG after the > feature was introduced in 5.2 and had a LOT of bugs fixed in the three > 5.3.x releases. > > I just found the section in the documentation confirming what I > suspected. > > https://lucene.apache.org/solr/guide/7_2/authentication-and-authorization-plugins.html#authorization > > > There is a note here that says "The authorization plugin is only > supported in SolrCloud mode. Also, reloading the plugin isn’t yet > supported and requires a restart of the Solr installation (meaning, > the JVM should be restarted, not simply a core reload)." The 6.6 > documentation contains the same note that you can see here in the > latest docs. > > I have no idea how hard it would be to extend the authorization plugin > to support standalone cores as well as collections. I imagine that if > it were easy, it would have been done already. > > Thanks, > Shawn > >
