[
https://issues.apache.org/jira/browse/SOLR-8440?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ishan Chattopadhyaya updated SOLR-8440:
---------------------------------------
Attachment: SOLR-8440.patch
WIP patch.
# Introduces the "auth" command, e.g. {{bin/solr auth -enable -type basic
-adminuser solr -adminpassword SolrRocks}}
# Support for optional blocksUnknown (false by default)
# TODO: Put the hash of the password. Currently hardcoded to hash of "SolrRocks"
# TODO: Introduce a separate file and put the admin username/password there for
use by the script. If user wants, the bin/solr.in.sh can be used to override
this user/pw.
# TODO: Do pre-checks before enabling; don't do anything if already enabled.
# Uploads the following security.json by default (apart from the user/password
hash variant.
{code}
{
"authentication":{
"blockUnknown": $blockUnknown
"class":"solr.BasicAuthPlugin",
"credentials":{"$user":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
},
"authorization":{
"class":"solr.RuleBasedAuthorizationPlugin",
"permissions":[
{"name":"security-edit", "role":"admin"},
{"name":"collection-admin-edit", "role":"admin"},
{"name":"core-admin-edit", "role":"admin"}
],
"user-role":{"$user":"admin"}
}
}
{code}
With just this in place (after fixing TODOs and nocommits), one can enable
basicauth with typical authz configuration. After this, the user can use the
REST API for authc/authz, or we can build further support for adding users,
roles etc. to the script.
> Script support for enabling basic auth
> --------------------------------------
>
> Key: SOLR-8440
> URL: https://issues.apache.org/jira/browse/SOLR-8440
> Project: Solr
> Issue Type: New Feature
> Components: scripts and tools
> Reporter: Jan Høydahl
> Assignee: Ishan Chattopadhyaya
> Labels: authentication, security
> Attachments: SOLR-8440.patch
>
>
> Now that BasicAuthPlugin will be able to work without an AuthorizationPlugin
> (SOLR-8429), it would be sweet to provide a super simple way to "Password
> protect Solr"™ right from the command line:
> {noformat}
> bin/solr basicAuth -adduser -user solr -pass SolrRocks
> {noformat}
> It would take the mystery out of enabling one single password across the
> board. The command would do something like this
> # Check if HTTPS is enabled, and if not, print a friendly warning
> # Check if {{/security.json}} already exists
> ## NO => create one with only plugin class defined
> ## YES => Abort if exists but plugin is not {{BasicAuthPlugin}}
> # Using security REST API, add the new user
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
