[ https://issues.apache.org/jira/browse/SOLR-13480?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16885212#comment-16885212 ]

Ishan Chattopadhyaya commented on SOLR-13480:
---------------------------------------------

Hi [~moshebla], after I committed SOLR-13472 and SOLR-13619, I was able to 
successfully create the collection with the following change to the 
security.json:
{code:java}
{
"authentication":{
   "class":"org.apache.solr.security.KerberosPlugin"
},
"authorization":{
   "class":"solr.RuleBasedAuthorizationPlugin",
   "permissions":[
     {
       "name":"read",
       "role":"*"
     },
     {
       "name":"all",
       "role":"admin_user"
     }
   ],
   "user-role":{
     "admin_user@OUR_REALM":"admin_user",
     "HTTP/solr1@OUR_REALM":"admin_user",
     "HTTP/solr2@OUR_REALM":"admin_user",
     "HTTP/solr3@OUR_REALM":"admin_user"
   }
}}
{code}

Currently, internode communication with Kerberos requires all the Solr 
service principals to be added to the security.json as an admin user (with "all" 
permissions). That means every time a new Solr node is added, its principal 
should be added to the security.json.

Please feel free to re-open if this doesn't work for any other reason (custom 
autoscaling policies?).
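As an added check (not part of the comment above or of Solr itself): the comment says every node's Kerberos service principal must be mapped to a role holding the "all" permission, so this script audits a security.json against a list of node hostnames and reports the HTTP/<host>@<realm> principals that lack such a mapping. The hostnames, the realm and the sample security.json are constructed inputs in the shape used in this thread.

```python
import json

# Constructed sample in the shape of the security.json from this thread, with
# solr3's service principal deliberately left out of "user-role".
SAMPLE_SECURITY_JSON = """
{
 "authentication":{"class":"org.apache.solr.security.KerberosPlugin"},
 "authorization":{
   "class":"solr.RuleBasedAuthorizationPlugin",
   "permissions":[
     {"name":"read","role":"*"},
     {"name":"all","role":"admin_user"}
   ],
   "user-role":{
     "admin_user@OUR_REALM":"admin_user",
     "HTTP/solr1@OUR_REALM":"admin_user",
     "HTTP/solr2@OUR_REALM":["admin_user","search"]
   }
 }
}
"""

def _as_list(value):
    # Solr accepts a role as a single string or as a list of strings.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def roles_with_all_permission(security):
    """Roles granted the 'all' permission in the authorization section."""
    roles = set()
    for perm in security.get("authorization", {}).get("permissions", []):
        if perm.get("name") == "all":
            roles.update(_as_list(perm.get("role")))
    return roles

def missing_node_principals(security_json_text, node_hosts, realm):
    """Return the HTTP/<host>@<realm> principals that are not mapped to a role
    holding 'all'. node_hosts and realm are assumed inputs; a role of '*' on
    the 'all' permission is treated as covering every authenticated user."""
    security = json.loads(security_json_text)
    admin_roles = roles_with_all_permission(security)
    user_role = security.get("authorization", {}).get("user-role", {})
    missing = []
    for host in node_hosts:
        principal = f"HTTP/{host}@{realm}"
        roles = set(_as_list(user_role.get(principal)))
        if "*" not in admin_roles and not (roles & admin_roles):
            missing.append(principal)
    return missing
```

Run it whenever a node is added to the cluster so the missing principal is caught before collection creation fails with the autoscaling policy session error.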

> Collection creation failure when using Kerberos authentication combined with 
> rule-base authorization
> ----------------------------------------------------------------------------------------------------
>
>                 Key: SOLR-13480
>                 URL: https://issues.apache.org/jira/browse/SOLR-13480
>             Project: Solr
>          Issue Type: Bug
>          Components: Authorization, security
>    Affects Versions: 7.7.1
>            Reporter: mosh
>            Assignee: Ishan Chattopadhyaya
>            Priority: Major
>              Labels: kerberos
>
> Creation of collection with an authorized user fails with the following error:
> {code:java}
> org.apache.solr.common.SolrException: Error getting replica locations : 
> unable to get autoscaling policy session
> {code}
> At first it may seem like a duplicate of SOLR-13355, as we are using the "all" 
> permission, but the bug is specific to Kerberos (tested and found OK using basic 
> auth); plus, we verified the failure with a 7.7.2 snapshot that included the 
> relevant patch.
> +How to reproduce:+
> 1. Configure solr cloud with kerberos authentication and rule-based 
> authorization plugins using the following security.json file:
> {code:java}
> {
> "authentication":{
>    "class":"org.apache.solr.security.KerberosPlugin"
> },
> "authorization":{
>    "class":"solr.RuleBasedAuthorizationPlugin",
>    "permissions":[
>      {
>        "name":"read",
>        "role":"*"
>      },
>      {
>        "name":"all",
>        "role":"admin_user"
>      }
>    ],
>    "user-role":{
>      "admin_user@OUR_REALM":"admin_user"
>    }
> }}
> {code}
> 2. Create collection using an authorized user:
> {code:java}
> kinit admin_user@OUR_REALM
> curl --negotiate -u : "http://<HOST:PORT>/solr/admin/collections?action=CREATE&name=mycoll&numShards=1&collection.configName=_default"
> {code}
> {color:#d04437}==> request fails with the error written above.{color}
> 3. Disable authorization by removing the _authorization_ section from 
> security.json, so the file should be as follows:
> {code:java}
> {
>   "authentication":{
>     "class":"org.apache.solr.security.KerberosPlugin"
>   }
> }
> {code}
> 4. Create collection again as in step 2.
> {color:#14892c}==> request succeeds.{color}
> 5. Return authorization section to security.json (file from step 1) and make 
> sure authorization works as expected by inserting documents and executing 
> search queries with different users.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
