[
https://issues.apache.org/jira/browse/SOLR-8326?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15018581#comment-15018581
]
Anshum Gupta commented on SOLR-8326:
------------------------------------
Here is the list of steps that you'd need to run to see that things are fine
for you without the read permission:
* Untar and setup Solr, don't start it yet
* Start clean zookeeper
* Put the security.json in zk, without anything other than a security-edit
permission. Find the content of the file below. Upload it using your own zk
client or through the solr script:
> solr-5.3.1/server/scripts/cloud-scripts/zkcli.sh -zkhost localhost:2181 -cmd putfile /security.json ~/security.json
security.json:
{"authentication":{"class":"solr.BasicAuthPlugin","credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}},"authorization":{"class":"solr.RuleBasedAuthorizationPlugin","user-role":{"solr":["admin"]},"permissions":[{"name":"security-edit","role":"admin"}]}}
* Start solr:
> solr-5.3.1/bin/solr start -e cloud -z localhost:2181
You would need to key in a few things, e.g. #nodes and ports; leave them at the
default values of 2 nodes and 8983/7574, unless you want to run Solr on a
different port. Then let it create a default collection to just make sure that
everything works fine.
* Add the collection-admin-edit command:
> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{"set-permission" : {"name":"collection-admin-edit", "role":"admin"}}'
At this point, everything should be working fine. Restarting the nodes should
also work fine. You can try 2 things at this point:
1. Create a new collection with 1 shard and 1 replica and then try adding a
replica, here's how:
> curl --user solr:SolrRocks "http://localhost:8983/solr/admin/collections?action=CREATE&name=testcollection&collection.configName=gettingstarted&numShards=1"
> curl --user solr:SolrRocks "http://localhost:8983/solr/admin/collections?action=ADDREPLICA&collection=testcollection&shard=shard1"
This should work fine.
2. After this, try restarting the solr cluster. Here's how you can do so,
assuming you didn't change any of the defaults and you are running zk on
localhost:2181. If not, just change those values below:
> bin/solr stop -all
After this, check that Solr was actually stopped. I'd also suggest you tail the
logs on both nodes when they are coming up to see errors, if any. The logs
would be here: example/cloud/node1/logs/solr.log and
example/cloud/node2/logs/solr.log
> bin/solr start -c -p 8983 -s "example/cloud/node1/solr" -z localhost:2181
> bin/solr start -c -p 7574 -s "example/cloud/node2/solr" -z localhost:2181
If you get to this checkpoint fine, try adding a read permission.
Add a permission:
> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{"set-permission" : {"name":"read", "role":"read"}}'
Add a user:
> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{"set-user" : {"solrread":"solrRocks"}}'
Assign a role to the user:
> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{"set-user-role" : {"solrread":["read"]}}'
After this, you should start having issues with ADDREPLICA.
Also, as you would at this point have a collection with a shard that has a
replication factor > 1 (remember the ADDREPLICA we did earlier), you would have
issues when you restart the cluster again using the steps I mentioned above.
> Adding read restriction to BasicAuth + RuleBased authorization causes issue
> with replication
> --------------------------------------------------------------------------------------------
>
> Key: SOLR-8326
> URL: https://issues.apache.org/jira/browse/SOLR-8326
> Project: Solr
> Issue Type: Bug
> Affects Versions: 5.3, 5.3.1
> Reporter: Anshum Gupta
> Priority: Blocker
> Fix For: 5.4
>
>
> This was reported on the mailing list:
> https://www.mail-archive.com/[email protected]/msg115921.html
> I tested it out as follows to confirm that adding a 'read' rule causes
> replication to break.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
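A pre-flight check for the condition the steps above reproduce, as an added example that is not part of the original comment or of Solr itself: it models the `set-permission` and `set-user-role` edits locally (a simplification) and reports whether a security.json combines BasicAuthPlugin, RuleBasedAuthorizationPlugin and a role-restricted `read` permission on the versions the issue lists as affected. The function names and the placeholder credential value are assumptions.

```python
import copy
import json

# security.json from the steps above; the credential is a placeholder, not a real hash.
BASE = json.loads("""
{"authentication": {"class": "solr.BasicAuthPlugin",
                    "credentials": {"solr": "<hash> <salt>"}},
 "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
                   "user-role": {"solr": ["admin"]},
                   "permissions": [{"name": "security-edit", "role": "admin"}]}}
""")

AFFECTED = {"5.3", "5.3.1"}  # "Affects Versions" in the issue; "Fix For" is 5.4


def apply_edit(cfg, command):
    """Return a copy of cfg with one authorization edit applied.
    Simplified local model (assumption) of the two commands used in the steps."""
    cfg = copy.deepcopy(cfg)
    authz = cfg["authorization"]
    for op, body in command.items():
        if op == "set-permission":
            authz["permissions"].append(body)
        elif op == "set-user-role":
            authz["user-role"].update(body)
        else:
            raise ValueError("unsupported command: " + op)
    return cfg


def read_restriction(cfg, version):
    """Return the role that 'read' is restricted to when cfg matches the
    combination named in the issue on an affected version, else None."""
    if version not in AFFECTED:
        return None
    authn = cfg.get("authentication", {}).get("class")
    authz = cfg.get("authorization", {})
    if authn != "solr.BasicAuthPlugin":
        return None
    if authz.get("class") != "solr.RuleBasedAuthorizationPlugin":
        return None
    for perm in authz.get("permissions", []):
        if perm.get("name") == "read" and perm.get("role"):
            return perm["role"]
    return None
```

A non-None result on 5.3 or 5.3.1 means ADDREPLICA and a cluster restart with replicated shards are the operations to test before rolling the configuration out.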