[
https://issues.apache.org/jira/browse/SOLR-8440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16007808#comment-16007808
]
Jan Høydahl commented on SOLR-8440:
-----------------------------------
bq. Isn't it the case that all of those instances will be part of the same
SolrCloud cluster, and hence they should have the same {{basicAuth.conf}}?
Normally, yes, but as you say it won't necessarily be true for standalone.
Question is, how many times should a cloud user need to run {{solr auth
-enable...}}? Say there are three servers, each with two Solr nodes, in total
six nodes in the cluster. To be able to run {{bin/solr}} commands from any of
the nodes without typing the password every time, the user would need to add
the {{basicAuth.conf}} file to all three servers, and to point
{{SOLR_AUTHENTICATION_OPTS}} to that file in each of the six {{solr.in.sh}}
files. He could do that manually or by running {{solr auth -enable}} six times,
once for each node... How do you plan to document this in refGuide? And each
command would re-upload the json to ZK :(
And what if the user changes his "admin" password through REST APIs, he should
also find some documentation on how to update all the {{basicAuth.conf}} files
on all nodes, either manually or through {{solr auth -changepass}} or something?
Perhaps it would be wiser to split the commands up in an {{-enable}}
(server-side) command and a {{-remember}} (client-side) command?
{noformat}
bin/solr auth -enable -credentials solr:SolrRocks # takes care of security.json
SOLR_INCLUDE=/etc/defaults/solr.in.sh bin/solr auth -remember -credentials solr:SolrRocks
SOLR_INCLUDE=/etc/defaults/solr2.in.sh bin/solr auth -remember -credentials solr:SolrRocks
SOLR_INCLUDE=/etc/defaults/solr3.in.sh bin/solr auth -remember -credentials solr:SolrRocks
{noformat}
*Another general comment*
The {{bin/solr}} sub tools, like {{bin/solr zk}} do not prefix the commands
with a {{-}}. I.e. you have {{bin/solr zk mkdir foo}}. Could we follow that
style here as well, i.e.
{noformat}
Usage: solr auth enable [-type basicAuth] -credentials user:pass [-blockUnknown]
       solr auth disable
{noformat}
> Script support for enabling basic auth
> --------------------------------------
>
> Key: SOLR-8440
> URL: https://issues.apache.org/jira/browse/SOLR-8440
> Project: Solr
> Issue Type: New Feature
> Components: scripts and tools
> Reporter: Jan Høydahl
> Assignee: Ishan Chattopadhyaya
> Labels: authentication, security
> Fix For: 6.6, master (7.0)
>
> Attachments: SOLR-8440-follow-up.patch, SOLR-8440.patch,
> SOLR-8440.patch, SOLR-8440.patch, SOLR-8440.patch, SOLR-8440.patch,
> SOLR-8440.patch, SOLR-8440.patch, SOLR-8440.patch
>
>
> Now that BasicAuthPlugin will be able to work without an AuthorizationPlugin
> (SOLR-8429), it would be sweet to provide a super simple way to "Password
> protect Solr"™ right from the command line:
> {noformat}
> bin/solr basicAuth -adduser -user solr -pass SolrRocks
> {noformat}
> It would take the mystery out of enabling one single password across the
> board. The command would do something like this
> # Check if HTTPS is enabled, and if not, print a friendly warning
> # Check if {{/security.json}} already exists
> ## NO => create one with only plugin class defined
> ## YES => Abort if exists but plugin is not {{BasicAuthPlugin}}
> # Using security REST API, add the new user
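The steps listed in the issue description above, written out as a decision function. This is an added example, not code from the SOLR-8440 patches; the function name {{plan_enable}}, the step labels, and the handling of an existing file that has no {{authentication}} section are assumptions, and the sample inputs are constructed.

```python
import json

# Step names are labels invented for this example.
WARN_NO_HTTPS = "warn-no-https"
CREATE_FILE = "create-security-json"
ADD_PLUGIN = "add-authentication-section"
ADD_USER = "add-user-via-rest"
ABORT = "abort"


def plan_enable(security_json, https_enabled):
    """Plan the steps from the issue description.

    security_json: text of /security.json, or None when it does not exist.
    Returns (proceed, steps); on abort, steps ends with ABORT and no
    write step is planned.
    """
    steps = []
    if not https_enabled:
        # Basic auth sends the password base64-encoded, not encrypted.
        steps.append(WARN_NO_HTTPS)
    if security_json is None:
        steps.append(CREATE_FILE)  # only the plugin class is defined
    else:
        try:
            doc = json.loads(security_json)
        except ValueError:
            return False, steps + [ABORT]  # never overwrite an unreadable file
        if not isinstance(doc, dict):
            return False, steps + [ABORT]
        auth = doc.get("authentication")
        if auth is None:
            # Assumption: a file without an authentication section is
            # treated like a missing one, keeping its other sections.
            steps.append(ADD_PLUGIN)
        else:
            cls = auth.get("class", "") if isinstance(auth, dict) else ""
            # Accept "solr.BasicAuthPlugin" and the fully qualified name.
            if not isinstance(cls, str) or cls.rsplit(".", 1)[-1] != "BasicAuthPlugin":
                return False, steps + [ABORT]
    steps.append(ADD_USER)
    return True, steps


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real cluster.
    for text in (None, "{}", '{"authentication":{"class":"solr.BasicAuthPlugin"}}',
                 '{"authentication":{"class":"solr.KerberosPlugin"}}', "{broken"):
        print(repr(text), plan_enable(text, https_enabled=False))
```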