VitalijusDBentley commented on issue #719: URL: https://github.com/apache/solr-operator/issues/719#issuecomment-2504105636
Knowledge sharing, because the documentation does not disclose this
---

[source code](https://github.com/apache/solr/blob/main/solr/core/src/java/org/apache/solr/security/PublicKeyHandler.java#L33)

When enabling authentication you need to allow `/admin/info/key` public access, otherwise Solr will not be able to get keys from the incoming request node during the RequestForwarding process. Why are public keys not saved in ZooKeeper?

Also, it looks like Solr does not pass the JWT Principal with its full claims and it loses scopes/roles (looks like a bug). You need to add all your principals into the `Basic` authentication access matrix so RequestForwarding will work.

MultiAuthRuleBasedAuthorizationPlugin configuration that works for me
---

```json
{
  "authorization": {
    "class": "solr.MultiAuthRuleBasedAuthorizationPlugin",
    "permissions": [
      { "collection": null, "name": "inner-node-comm", "path": "/admin/info/key", "role": null },
      { "collection": null, "method": ["HEAD", "GET"], "name": "k8s-probe-0", "path": "/admin/info/system", "role": null },
      { "collection": null, "method": ["HEAD", "GET"], "name": "k8s-probe-1", "path": "/admin/info/health", "role": null },
      { "collection": null, "method": ["HEAD", "GET"], "name": "k8s-metrics", "path": "/admin/metrics", "role": null },
      { "collection": null, "method": ["HEAD", "GET"], "name": "k8s-zk", "path": "/admin/zookeeper/status", "role": null },
      { "collection": "*", "method": ["HEAD", "GET"], "name": "k8s-ping", "path": "/admin/ping", "role": null },
      { "collection": null, "method": ["HEAD", "GET"], "name": "k8s-collection", "params": { "action": ["LIST", "CLUSTERSTATUS"] }, "path": "/admin/collections", "role": null },
      { "name": "health", "role": null },
      { "name": "metrics-read", "role": null },
      { "name": "security-read", "role": ["admin", "k8s"] },
      { "name": "security-edit", "role": ["admin", "k8s"] },
      { "name": "schema-edit", "role": ["admin", "k8s"] },
      { "name": "schema-read", "role": ["admin", "k8s"] },
      { "name": "config-read", "role": ["admin", "k8s"] },
      { "name": "config-edit", "role": ["admin", "k8s"] },
      { "name": "core-admin-edit", "role": null },
      { "name": "core-admin-read", "role": null },
      { "name": "collection-admin-read", "role": ["admin", "k8s"] },
      { "name": "collection-admin-edit", "role": ["admin", "k8s"] },
      { "name": "update", "role": ["admin", "k8s"] },
      { "name": "read", "role": ["admin", "k8s"] },
      { "name": "zk-read", "role": ["admin", "k8s"] },
      { "name": "all", "role": ["admin", "k8s"] }
    ],
    "schemes": [
      { "class": "solr.ExternalRoleRuleBasedAuthorizationPlugin", "scheme": "Bearer" },
      {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "scheme": "Basic",
        "user-role": {
          "admin": ["admin", "k8s"],
          "k8s-oper": ["k8s"],
          "{{JWT.(clientId|name|email|...)}}": ["admin"]
        }
      }
    ]
  }
}
```

MultiAuthPlugin configuration
---

```json
{
  "authentication": {
    "class": "solr.MultiAuthPlugin",
    "schemes": [
      {
        "adminUiScope": "{{AdminScope}}",
        "blockUnknown": true,
        "class": "solr.JWTAuthPlugin",
        "issuers": [
          { "clientId": "{{UIClientId}}", "name": "admin-ui", "wellKnownUrl": "https://{{IDP.Url}}/.well-known/openid-configuration" },
          { "aud": "{{ApiAudience}}", "name": "api", "wellKnownUrl": "https://{{IDP.Url}}/.well-known/openid-configuration" }
        ],
        "principalClaim": "client_id",
        "redirectUris": "https://localhost:8983/solr/",
        "rolesClaim": "scope",
        "scheme": "Bearer",
        "scope": "{{Scopes that will act as roles}}"
      },
      {
        "blockUnknown": false,
        "class": "solr.BasicAuthPlugin",
        "credentials": { "admin": "...", "k8s-oper": "..." },
        "forwardCredentials": false,
        "realm": "Solr",
        "scheme": "Basic"
      }
    ]
  }
}
```

P.S. `"blockUnknown": false,` should be `true`, but the Prometheus Exporter does send basic authentication configured with the `basicauth` variable.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
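An audit of the unauthenticated surface such a `security.json` leaves open, as an added example that is not part of the comment above or of the solr-operator project. It assumes Solr's rule semantics that `"role": null` places no role restriction on a permission (so unauthenticated requests match it too); the allow-list of open paths is taken from the key and Kubernetes probe endpoints in the comment, and the sample document is a constructed, trimmed copy of that configuration.

```python
import json

# Constructed sample, trimmed from the security.json in the comment above.
SECURITY_JSON = """
{
  "authentication": {"class": "solr.MultiAuthPlugin", "schemes": [
    {"scheme": "Bearer", "class": "solr.JWTAuthPlugin", "blockUnknown": true},
    {"scheme": "Basic", "class": "solr.BasicAuthPlugin", "blockUnknown": false}
  ]},
  "authorization": {"class": "solr.MultiAuthRuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "inner-node-comm", "path": "/admin/info/key", "role": null},
      {"name": "k8s-probe-1", "method": ["HEAD", "GET"], "path": "/admin/info/health", "role": null},
      {"name": "core-admin-edit", "role": null},
      {"name": "security-edit", "role": ["admin", "k8s"]},
      {"name": "all", "role": ["admin", "k8s"]}
    ]}
}
"""

# Paths the comment leaves open on purpose (inter-node public key endpoint and
# the Kubernetes probe/metrics endpoints). Anything else open gets reported.
EXPECTED_OPEN_PATHS = {
    "/admin/info/key", "/admin/info/system", "/admin/info/health",
    "/admin/metrics", "/admin/zookeeper/status", "/admin/ping", "/admin/collections",
}


def audit_config(cfg):
    """Return (severity, subject) findings for one parsed security.json dict."""
    findings = []
    perms = cfg.get("authorization", {}).get("permissions", [])
    # Assumed Solr semantics: "role": null puts no role restriction on a rule,
    # so it also matches unauthenticated requests (what key fetching relies on).
    open_perms = [p for p in perms if p.get("role") is None]
    # 1. Request forwarding between nodes needs /admin/info/key reachable.
    if not any(p.get("path") == "/admin/info/key" for p in open_perms):
        findings.append(("MISSING", "/admin/info/key"))
    # 2. Every other open rule widens the unauthenticated surface; predefined
    #    permissions (name only, no path) cover whole API groups, so flag them.
    for p in open_perms:
        if p.get("path") not in EXPECTED_OPEN_PATHS:
            findings.append(("OPEN", p["name"]))
    # 3. blockUnknown=false lets requests carrying no credentials through.
    for s in cfg.get("authentication", {}).get("schemes", []):
        if s.get("blockUnknown") is False:
            findings.append(("WEAK", s["scheme"]))
    return findings


def audit(text):
    return audit_config(json.loads(text))
```

On the sample this reports the open `core-admin-edit` rule and the Basic scheme with `blockUnknown` false, while the key endpoint and probe paths pass.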