VitalijusDBentley commented on issue #719:
URL: https://github.com/apache/solr-operator/issues/719#issuecomment-2504105636

   Knowledge sharing, because documentation does not disclose this
   ---
   [source code](https://github.com/apache/solr/blob/main/solr/core/src/java/org/apache/solr/security/PublicKeyHandler.java#L33)
   When enabling authentication you need to allow public access to `/admin/info/key`, otherwise Solr will not be able to get the keys from the incoming request's node during the RequestForwarding process. Why are public keys not saved in ZooKeeper?
   
   Also, it looks like Solr does not pass the JWT Principal with its full claims, and it loses scopes/roles (looks like a bug).
   You need to add all your principals into the `Basic` authentication access matrix so that RequestForwarding will work.
   
   MultiAuthRuleBasedAuthorizationPlugin configuration that works for me
   ---
   ```json
   {
       "authorization": {
           "class": "solr.MultiAuthRuleBasedAuthorizationPlugin",
           "permissions": [{
                   "collection": null,
                   "name": "inner-node-comm",
                   "path": "/admin/info/key",
                   "role": null
               }, {
                   "collection": null,
                   "method": ["HEAD", "GET"],
                   "name": "k8s-probe-0",
                   "path": "/admin/info/system",
                   "role": null
               }, {
                   "collection": null,
                   "method": ["HEAD", "GET"],
                   "name": "k8s-probe-1",
                   "path": "/admin/info/health",
                   "role": null
               }, {
                   "collection": null,
                   "method": ["HEAD", "GET"],
                   "name": "k8s-metrics",
                   "path": "/admin/metrics",
                   "role": null
               }, {
                   "collection": null,
                   "method": ["HEAD", "GET"],
                   "name": "k8s-zk",
                   "path": "/admin/zookeeper/status",
                   "role": null
               }, {
                   "collection": "*",
                   "method": ["HEAD", "GET"],
                   "name": "k8s-ping",
                   "path": "/admin/ping",
                   "role": null
               }, {
                   "collection": null,
                   "method": ["HEAD", "GET"],
                   "name": "k8s-collection",
                   "params": {
                       "action": ["LIST", "CLUSTERSTATUS"]
                   },
                   "path": "/admin/collections",
                   "role": null
               }, {
                   "name": "health",
                   "role": null
               }, {
                   "name": "metrics-read",
                   "role": null
               }, {
                   "name": "security-read",
                   "role": ["admin", "k8s"]
               }, {
                   "name": "security-edit",
                   "role": ["admin", "k8s"]
               }, {
                   "name": "schema-edit",
                   "role": ["admin", "k8s"]
               }, {
                   "name": "schema-read",
                   "role": ["admin", "k8s"]
               }, {
                   "name": "config-read",
                   "role": ["admin", "k8s"]
               }, {
                   "name": "config-edit",
                   "role": ["admin", "k8s"]
               }, {
                   "name": "core-admin-edit",
                   "role": null
               }, {
                   "name": "core-admin-read",
                   "role": null
               }, {
                   "name": "collection-admin-read",
                   "role": ["admin", "k8s"]
               }, {
                   "name": "collection-admin-edit",
                   "role": ["admin", "k8s"]
               }, {
                   "name": "update",
                   "role": ["admin", "k8s"]
               }, {
                   "name": "read",
                   "role": ["admin", "k8s"]
               }, {
                   "name": "zk-read",
                   "role": ["admin", "k8s"]
               }, {
                   "name": "all",
                   "role": ["admin", "k8s"]
               }
           ],
           "schemes": [{
                   "class": "solr.ExternalRoleRuleBasedAuthorizationPlugin",
                   "scheme": "Bearer"
               }, {
                   "class": "solr.RuleBasedAuthorizationPlugin",
                   "scheme": "Basic",
                   "user-role": {
                       "admin": ["admin", "k8s"],
                       "k8s-oper": ["k8s"],
                       "{{JWT.(clientId|name|email|...)}}": ["admin"]
                   }
               }
           ]
       }
   }
   ```
   MultiAuthPlugin configuration
   ---
   ```json
   {
       "authentication": {
           "class": "solr.MultiAuthPlugin",
           "schemes": [{
                   "adminUiScope": "{{AdminScope}}",
                   "blockUnknown": true,
                   "class": "solr.JWTAuthPlugin",
                   "issuers": [{
                           "clientId": "{{UIClientId}}",
                           "name": "admin-ui",
                           "wellKnownUrl": "https://{{IDP.Url}}/.well-known/openid-configuration"
                       }, {
                           "aud": "{{ApiAudience}}",
                           "name": "api",
                           "wellKnownUrl": "https://{{IDP.Url}}/.well-known/openid-configuration"
                       }
                   ],
                   "principalClaim": "client_id",
                   "redirectUris": "https://localhost:8983/solr/",
                   "rolesClaim": "scope",
                   "scheme": "Bearer",
                   "scope": "{{Scopes that will act as roles}}"
               }, {
                   "blockUnknown": false,
                   "class": "solr.BasicAuthPlugin",
                   "credentials": {
                       "admin": "...",
                       "k8s-oper": "..."
                   },
                   "forwardCredentials": false,
                   "realm": "Solr",
                   "scheme": "Basic"
               }
           ]
       }
   }
   ```
   
   P.S. `"blockUnknown": false,` should be `true`, but the Prometheus Exporter does send basic authentication configured with the `basicauth` variable.
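As an added illustration (not part of the comment above and not Solr project code), the following Python script audits a `security.json` for the point the comment makes: the `/admin/info/key` permission must exist, must carry `"role": null`, and must not be shadowed by an earlier catch-all `all` rule, since Solr applies the first matching permission in list order. It also flags any authentication scheme with `blockUnknown` set to `false`. The embedded sample configuration is constructed for the example (a trimmed variant of the one shown above, with the e-mail wrapping artefacts removed); the finding messages and helper names are this example's own.

```python
"""Audit a Solr security.json for the inter-node PKI permission and blockUnknown."""
import json

# Constructed sample, trimmed from the configuration in the comment above.
SAMPLE_SECURITY_JSON = r'''
{
  "authentication": {
    "class": "solr.MultiAuthPlugin",
    "schemes": [
      {"scheme": "Bearer", "class": "solr.JWTAuthPlugin", "blockUnknown": true},
      {"scheme": "Basic", "class": "solr.BasicAuthPlugin", "blockUnknown": false}
    ]
  },
  "authorization": {
    "class": "solr.MultiAuthRuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "inner-node-comm", "path": "/admin/info/key", "role": null},
      {"name": "k8s-probe-0", "path": "/admin/info/system",
       "method": ["HEAD", "GET"], "role": null},
      {"name": "security-edit", "role": ["admin", "k8s"]},
      {"name": "all", "role": ["admin", "k8s"]}
    ]
  }
}
'''

# Path the PublicKeyHandler serves; other nodes fetch this node's public key here.
PKI_KEY_PATH = "/admin/info/key"


def load_security_json(text):
    """Strict parse: a stray ';' or trailing ',' from e-mail wrapping fails here."""
    return json.loads(text)


def find_permission_index(permissions, path):
    """Index of the first permission whose path matches, or -1."""
    for i, perm in enumerate(permissions):
        if perm.get("path") == path:
            return i
    return -1


def audit_authorization(security):
    """Return findings about the /admin/info/key permission (empty list if OK)."""
    findings = []
    perms = security.get("authorization", {}).get("permissions", [])
    idx = find_permission_index(perms, PKI_KEY_PATH)
    if idx < 0:
        findings.append(f"missing: no permission for {PKI_KEY_PATH}; "
                        "inter-node request forwarding cannot fetch keys")
        return findings
    if perms[idx].get("role") is not None:
        findings.append(f"role: {PKI_KEY_PATH} requires a role; "
                        "it must be open (role null) for other nodes")
    # Solr applies the first matching permission in list order, so a catch-all
    # "all" rule listed before the key rule shadows it.
    for earlier in perms[:idx]:
        if earlier.get("name") == "all":
            findings.append(f"shadowed: an 'all' rule precedes {PKI_KEY_PATH}")
    return findings


def audit_authentication(security):
    """Flag schemes that admit unauthenticated requests to the authorization layer."""
    findings = []
    for scheme in security.get("authentication", {}).get("schemes", []):
        if scheme.get("blockUnknown") is False:
            findings.append(f"scheme {scheme.get('scheme')}: blockUnknown is false")
    return findings


def audit(text):
    """Parse and run both audits over a security.json document."""
    security = load_security_json(text)
    return audit_authorization(security) + audit_authentication(security)


def drop_permission(security, path):
    """Deep copy with the permission for `path` removed (to show the failing case)."""
    copy = json.loads(json.dumps(security))
    perms = copy["authorization"]["permissions"]
    copy["authorization"]["permissions"] = [p for p in perms if p.get("path") != path]
    return copy


if __name__ == "__main__":
    for finding in audit(SAMPLE_SECURITY_JSON):
        print(finding)
```

Run it against the real file with `audit(open("security.json").read())`; an empty result means the key endpoint is reachable by peer nodes and no scheme admits unknown users, while a parse error points at exactly the kind of stray characters that mail clients introduce into pasted JSON.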


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
