Re: Basic auth on SolrCloud /admin/* calls

2014-08-27 Thread rulinma 
mark



--
View this message in context: 
http://lucene.472066.n3.nabble.com/Basic-auth-on-SolrCloud-admin-calls-tp4052266p4155521.html
Sent from the Solr - User mailing list archive at Nabble.com.

Re: Basic auth on SolrCloud /admin/* calls

2013-04-14 Thread adfel70 
Did anyone try blocking access to the ports in the firewall level, and
allowing all the solr servers in the cluster+given control-machines?
Assuming that search request to solr run though a proxy..





--
View this message in context: 
http://lucene.472066.n3.nabble.com/Basic-auth-on-SolrCloud-admin-calls-tp4052266p4055868.html
Sent from the Solr - User mailing list archive at Nabble.com.

Re: Basic auth on SolrCloud /admin/* calls

2013-04-14 Thread Tim Vaillancourt 
I've thought about this too, and have heard of some people running a 
lightweight http proxy upstream of Solr.


With the right network restrictions (only way for a client to reach solr 
is via a proxy + the nodes can still talk to each other), you could 
achieve the same thing SOLR-4470 is doing, with the drawback of 
additional proxy and firewall components to maintain, plus added 
overhead on HTTP calls.


A benefit though is a lightweight proxy ahead of Solr could implement 
HTTP caching, taking some load off of Solr.


In a perfect world, I'd say rolling out SOLR-4470 is the best solution, 
but again, it seems to be losing momentum (please Vote/support the 
discussion!). While proxies can achieve this, I think enough people have 
pondered about this to implement this as a feature in Solr.


Tim

On 14/04/13 12:32 AM, adfel70 wrote:

Did anyone try blocking access to the ports in the firewall level, and
allowing all the solr servers in the cluster+given control-machines?
Assuming that search request to solr run though a proxy..





--
View this message in context: 
http://lucene.472066.n3.nabble.com/Basic-auth-on-SolrCloud-admin-calls-tp4052266p4055868.html
Sent from the Solr - User mailing list archive at Nabble.com.

Re: Basic auth on SolrCloud /admin/* calls

2013-04-14 Thread Gopal Patwa 
I was looking too for this feature and it seems SOLR-4470 can work but I
haven't tried yet.

+1


On Sun, Apr 14, 2013 at 12:14 PM, Tim Vaillancourt t...@elementspace.comwrote:

 I've thought about this too, and have heard of some people running a
 lightweight http proxy upstream of Solr.

 With the right network restrictions (only way for a client to reach solr
 is via a proxy + the nodes can still talk to each other), you could achieve
 the same thing SOLR-4470 is doing, with the drawback of additional proxy
 and firewall components to maintain, plus added overhead on HTTP calls.

 A benefit though is a lightweight proxy ahead of Solr could implement HTTP
 caching, taking some load off of Solr.

 In a perfect world, I'd say rolling out SOLR-4470 is the best solution,
 but again, it seems to be losing momentum (please Vote/support the
 discussion!). While proxies can achieve this, I think enough people have
 pondered about this to implement this as a feature in Solr.

 Tim


 On 14/04/13 12:32 AM, adfel70 wrote:

 Did anyone try blocking access to the ports in the firewall level, and
 allowing all the solr servers in the cluster+given control-machines?
 Assuming that search request to solr run though a proxy..





 --
 View this message in context: http://lucene.472066.n3.**
 nabble.com/Basic-auth-on-**SolrCloud-admin-calls-**tp4052266p4055868.htmlhttp://lucene.472066.n3.nabble.com/Basic-auth-on-SolrCloud-admin-calls-tp4052266p4055868.html
 Sent from the Solr - User mailing list archive at Nabble.com.

Re: Basic auth on SolrCloud /admin/* calls

2013-04-13 Thread Tim Vaillancourt 

This JIRA covers a lot of what you're asking:

https://issues.apache.org/jira/browse/SOLR-4470

I am also trying to get this sort of solution in place, but it seems to 
be dying off a bit. Hopefully we can get some interest on this again, 
this question comes up every few weeks, it seems.


I can confirm the latest patch from this JIRA works as expected, 
although my primary concern is the credentials appear in the JVM 
command, and I'd like to move that to a file.


Cheers,

Tim

On 11/04/13 10:41 AM, Michael Della Bitta wrote:

It's fairly easy to lock down Solr behind basic auth using just the
servlet container it's running in, but the problem becomes letting
services that *should* be able to access Solr in. I've rolled with
basic auth in some setups, but certain deployments such as Solr Cloud
or sharded setups don't play well with auth because there's no good
way to configure them to use it.

Michael Della Bitta


Appinions
18 East 41st Street, 2nd Floor
New York, NY 10017-6271

www.appinions.com

Where Influence Isn’t a Game


On Thu, Apr 11, 2013 at 1:19 PM, Raymond Wikerrwi...@gmail.com  wrote:

On Apr 11, 2013, at 17:12 , adfel70adfe...@gmail.com  wrote:

Hi
I need to implement security in solr as follows:
1. prevent unauthorized users from accessing to solr admin pages.
2. prevent unauthorized users from performing solr operations - both /admin
and /update.


Is the conclusion of this thread is that this is not possible at the moment?


The obvious solution (to me, at least) would be to (1) restrict access to solr to 
localhost, and (2) use a reverse proxy (e.g, apache) on the same node to provide 
authenticated  restricted access to solr. I think I've seen recipes for (1), somewhere, 
and I've used (2) fairly extensively for similar purposes.

RE: Basic auth on SolrCloud /admin/* calls

2013-04-11 Thread adfel70 
Hi
I need to implement security in solr as follows:
1. prevent unauthorized users from accessing to solr admin pages.
2. prevent unauthorized users from performing solr operations - both /admin
and /update.


Is the conclusion of this thread is that this is not possible at the moment?




--
View this message in context: 
http://lucene.472066.n3.nabble.com/Basic-auth-on-SolrCloud-admin-calls-tp4052266p4055330.html
Sent from the Solr - User mailing list archive at Nabble.com.

Re: Basic auth on SolrCloud /admin/* calls

2013-04-11 Thread Raymond Wiker 
On Apr 11, 2013, at 17:12 , adfel70 adfe...@gmail.com wrote:
 Hi
 I need to implement security in solr as follows:
 1. prevent unauthorized users from accessing to solr admin pages.
 2. prevent unauthorized users from performing solr operations - both /admin
 and /update.
 
 
 Is the conclusion of this thread is that this is not possible at the moment?


The obvious solution (to me, at least) would be to (1) restrict access to 
solr to localhost, and (2) use a reverse proxy (e.g, apache) on the same node 
to provide authenticated  restricted access to solr. I think I've seen recipes 
for (1), somewhere, and I've used (2) fairly extensively for similar purposes.

Re: Basic auth on SolrCloud /admin/* calls

2013-04-11 Thread Michael Della Bitta 
It's fairly easy to lock down Solr behind basic auth using just the
servlet container it's running in, but the problem becomes letting
services that *should* be able to access Solr in. I've rolled with
basic auth in some setups, but certain deployments such as Solr Cloud
or sharded setups don't play well with auth because there's no good
way to configure them to use it.

Michael Della Bitta


Appinions
18 East 41st Street, 2nd Floor
New York, NY 10017-6271

www.appinions.com

Where Influence Isn’t a Game


On Thu, Apr 11, 2013 at 1:19 PM, Raymond Wiker rwi...@gmail.com wrote:
 On Apr 11, 2013, at 17:12 , adfel70 adfe...@gmail.com wrote:
 Hi
 I need to implement security in solr as follows:
 1. prevent unauthorized users from accessing to solr admin pages.
 2. prevent unauthorized users from performing solr operations - both /admin
 and /update.


 Is the conclusion of this thread is that this is not possible at the moment?


 The obvious solution (to me, at least) would be to (1) restrict access to 
 solr to localhost, and (2) use a reverse proxy (e.g, apache) on the same node 
 to provide authenticated  restricted access to solr. I think I've seen 
 recipes for (1), somewhere, and I've used (2) fairly extensively for similar 
 purposes.

Re: Basic auth on SolrCloud /admin/* calls

2013-03-29 Thread Isaac Hebsh 
Hi Tim,
Are you running Solr 4.2? (In 4.0 and 4.1, the Collections API didn't
return any failure message. see SOLR-4043 issue).

As far as I know, you can't tell Solr to use authentication credentials
when communicating other nodes. It's a bigger issue.. for example, if you
want to protect the /update requestHandler, so unauthorized users won't
delete your whole collection, it can interfere the replication process.

I think it's a necessary mechanism in production environment... I'm curious
how do people use SolrCloud in production w/o it.





On Fri, Mar 29, 2013 at 3:42 AM, Vaillancourt, Tim tvaillanco...@ea.comwrote:

 Hey guys,

 I've recently setup basic auth under Jetty 8 for all my Solr 4.x
 '/admin/*' calls, in order to protect my Collections and Cores API.

 Although the security constraint is working as expected ('/admin/*' calls
 require Basic Auth or return 401), when I use the Collections API to create
 a collection, I receive a 200 OK to the Collections API CREATE call, but
 the background Cores API calls that are ran on the Collection API's behalf
 fail on the Basic Auth on other nodes with a 401 code, as I should have
 foreseen, but didn't.

 Is there a way to tell SolrCloud to use authentication on internal Cores
 API calls that are spawned on Collections API's behalf, or is this a new
 feature request?

 To reproduce:

 1.   Implement basic auth on '/admin/*' URIs.

 2.   Perform a CREATE Collections API call to a node (which will
 return 200 OK).

 3.   Notice all Cores API calls fail (Collection isn't created). See
 stack trace below from the node that was issued the CREATE call.

 The stack trace I get is:

 org.apache.solr.common.SolrException: Server at http://HOST
 HERE:8983/solrhttp://%3cHOST%20HERE%3e:8983/solr returned non ok
 status:401, message:Unauthorized
 at
 org.apache.solr.client.solrj.impl.HttpSolrServer.request(HttpSolrServer.java:373)
 at
 org.apache.solr.client.solrj.impl.HttpSolrServer.request(HttpSolrServer.java:181)
 at
 org.apache.solr.handler.component.HttpShardHandler$1.call(HttpShardHandler.java:169)
 at
 org.apache.solr.handler.component.HttpShardHandler$1.call(HttpShardHandler.java:135)
 at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
 at java.util.concurrent.FutureTask.run(FutureTask.java:138)
 at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:439)
 at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
 at java.util.concurrent.FutureTask.run(FutureTask.java:138)
 at
 java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
 at
 java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
 at java.lang.Thread.run(Thread.java:662)

 Cheers!

 Tim

RE: Basic auth on SolrCloud /admin/* calls

2013-03-29 Thread Vaillancourt, Tim 
Yes, I should have mentioned this is under 4.2 Solr.

I sort of expected what I'm doing might be unsupported, but basically my 
concern is under the current SOLR design, any client with connectivity to 
SOLR's port can perform Admin-level API calls like create/drop Cores or 
Collections.

I'm only aiming for '/solr/admin/*' calls to separate Application access from 
the Administrative access logically, and not the non-admin calls like 
'/update', although you can cause damage with '/update', too.

I may try to patch the code to send Basic auth credentials on internal calls 
just for fun, but I'm thinking longer-term authentication should be 
implemented/added to the SOLR codebase (for at least admin calls) vs playing 
with security at the container level, and having the app inside the container 
aware of it.

On the upside, in short testing I was able to get a Collection online using 
Cores API only using curl calls w/basic auth. Only the Collections API is 
affected due to it calls itself which do not have auth.

Cheers,

Tim

-Original Message-
From: Isaac Hebsh [mailto:isaac.he...@gmail.com] 
Sent: Friday, March 29, 2013 12:37 AM
To: solr-user@lucene.apache.org
Subject: Re: Basic auth on SolrCloud /admin/* calls

Hi Tim,
Are you running Solr 4.2? (In 4.0 and 4.1, the Collections API didn't return 
any failure message. see SOLR-4043 issue).

As far as I know, you can't tell Solr to use authentication credentials when 
communicating other nodes. It's a bigger issue.. for example, if you want to 
protect the /update requestHandler, so unauthorized users won't delete your 
whole collection, it can interfere the replication process.

I think it's a necessary mechanism in production environment... I'm curious how 
do people use SolrCloud in production w/o it.





On Fri, Mar 29, 2013 at 3:42 AM, Vaillancourt, Tim tvaillanco...@ea.comwrote:

 Hey guys,

 I've recently setup basic auth under Jetty 8 for all my Solr 4.x 
 '/admin/*' calls, in order to protect my Collections and Cores API.

 Although the security constraint is working as expected ('/admin/*' 
 calls require Basic Auth or return 401), when I use the Collections 
 API to create a collection, I receive a 200 OK to the Collections API 
 CREATE call, but the background Cores API calls that are ran on the 
 Collection API's behalf fail on the Basic Auth on other nodes with a 
 401 code, as I should have foreseen, but didn't.

 Is there a way to tell SolrCloud to use authentication on internal 
 Cores API calls that are spawned on Collections API's behalf, or is 
 this a new feature request?

 To reproduce:

 1.   Implement basic auth on '/admin/*' URIs.

 2.   Perform a CREATE Collections API call to a node (which will
 return 200 OK).

 3.   Notice all Cores API calls fail (Collection isn't created). See
 stack trace below from the node that was issued the CREATE call.

 The stack trace I get is:

 org.apache.solr.common.SolrException: Server at http://HOST
 HERE:8983/solrhttp://%3cHOST%20HERE%3e:8983/solr returned non ok
 status:401, message:Unauthorized
 at
 org.apache.solr.client.solrj.impl.HttpSolrServer.request(HttpSolrServe
 r.java:373)
 at
 org.apache.solr.client.solrj.impl.HttpSolrServer.request(HttpSolrServe
 r.java:181)
 at
 org.apache.solr.handler.component.HttpShardHandler$1.call(HttpShardHan
 dler.java:169)
 at
 org.apache.solr.handler.component.HttpShardHandler$1.call(HttpShardHan
 dler.java:135) at 
 java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
 at java.util.concurrent.FutureTask.run(FutureTask.java:138)
 at 
 java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:439
 ) at 
 java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
 at java.util.concurrent.FutureTask.run(FutureTask.java:138)
 at
 java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecu
 tor.java:895)
 at
 java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.
 java:918) at java.lang.Thread.run(Thread.java:662)

 Cheers!

 Tim

Re: Basic auth on SolrCloud /admin/* calls

2013-03-29 Thread Mark Miller 
This has always been the case with Solr. Solr's security model is that clients 
should not have access to it - only trusted intermediaries should have access 
to it. Otherwise, it should be locked down at a higher level. That's been the 
case from day one and still is.

That said, someone did do some work on internode basic auth a while back, but 
it didn't raise a ton of interest yet.

- Mark

On Mar 29, 2013, at 2:09 PM, Vaillancourt, Tim tvaillanco...@ea.com wrote:

 Yes, I should have mentioned this is under 4.2 Solr.
 
 I sort of expected what I'm doing might be unsupported, but basically my 
 concern is under the current SOLR design, any client with connectivity to 
 SOLR's port can perform Admin-level API calls like create/drop Cores or 
 Collections.
 
 I'm only aiming for '/solr/admin/*' calls to separate Application access 
 from the Administrative access logically, and not the non-admin calls like 
 '/update', although you can cause damage with '/update', too.
 
 I may try to patch the code to send Basic auth credentials on internal calls 
 just for fun, but I'm thinking longer-term authentication should be 
 implemented/added to the SOLR codebase (for at least admin calls) vs playing 
 with security at the container level, and having the app inside the container 
 aware of it.
 
 On the upside, in short testing I was able to get a Collection online using 
 Cores API only using curl calls w/basic auth. Only the Collections API is 
 affected due to it calls itself which do not have auth.
 
 Cheers,
 
 Tim
 
 -Original Message-
 From: Isaac Hebsh [mailto:isaac.he...@gmail.com] 
 Sent: Friday, March 29, 2013 12:37 AM
 To: solr-user@lucene.apache.org
 Subject: Re: Basic auth on SolrCloud /admin/* calls
 
 Hi Tim,
 Are you running Solr 4.2? (In 4.0 and 4.1, the Collections API didn't return 
 any failure message. see SOLR-4043 issue).
 
 As far as I know, you can't tell Solr to use authentication credentials when 
 communicating other nodes. It's a bigger issue.. for example, if you want to 
 protect the /update requestHandler, so unauthorized users won't delete your 
 whole collection, it can interfere the replication process.
 
 I think it's a necessary mechanism in production environment... I'm curious 
 how do people use SolrCloud in production w/o it.
 
 
 
 
 
 On Fri, Mar 29, 2013 at 3:42 AM, Vaillancourt, Tim 
 tvaillanco...@ea.comwrote:
 
 Hey guys,
 
 I've recently setup basic auth under Jetty 8 for all my Solr 4.x 
 '/admin/*' calls, in order to protect my Collections and Cores API.
 
 Although the security constraint is working as expected ('/admin/*' 
 calls require Basic Auth or return 401), when I use the Collections 
 API to create a collection, I receive a 200 OK to the Collections API 
 CREATE call, but the background Cores API calls that are ran on the 
 Collection API's behalf fail on the Basic Auth on other nodes with a 
 401 code, as I should have foreseen, but didn't.
 
 Is there a way to tell SolrCloud to use authentication on internal 
 Cores API calls that are spawned on Collections API's behalf, or is 
 this a new feature request?
 
 To reproduce:
 
 1.   Implement basic auth on '/admin/*' URIs.
 
 2.   Perform a CREATE Collections API call to a node (which will
 return 200 OK).
 
 3.   Notice all Cores API calls fail (Collection isn't created). See
 stack trace below from the node that was issued the CREATE call.
 
 The stack trace I get is:
 
 org.apache.solr.common.SolrException: Server at http://HOST
 HERE:8983/solrhttp://%3cHOST%20HERE%3e:8983/solr returned non ok
 status:401, message:Unauthorized
 at
 org.apache.solr.client.solrj.impl.HttpSolrServer.request(HttpSolrServe
 r.java:373)
 at
 org.apache.solr.client.solrj.impl.HttpSolrServer.request(HttpSolrServe
 r.java:181)
 at
 org.apache.solr.handler.component.HttpShardHandler$1.call(HttpShardHan
 dler.java:169)
 at
 org.apache.solr.handler.component.HttpShardHandler$1.call(HttpShardHan
 dler.java:135) at 
 java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
 at java.util.concurrent.FutureTask.run(FutureTask.java:138)
 at 
 java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:439
 ) at 
 java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
 at java.util.concurrent.FutureTask.run(FutureTask.java:138)
 at
 java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecu
 tor.java:895)
 at
 java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.
 java:918) at java.lang.Thread.run(Thread.java:662)
 
 Cheers!
 
 Tim

RE: Basic auth on SolrCloud /admin/* calls

2013-03-29 Thread Vaillancourt, Tim 
Agreed, we don't have clients hitting Solr directly, it is used like a backend 
database in our usage by intermediaries, similar to say MySQL. Although 
restricting the access to Solr to fewer hosts is something, I still feel an 
application has no business being able to perform admin level calls, at least 
in my use case. This is being very nitpicky though.

We also open Solr's port to monitoring servers who shouldn't have access to 
admin calls and thinking paranoid a compromised app using a single collection 
could affect the entire cloud with admin call access.

Seeing the long term plan is to leave this feature at the container level 
(which is totally valid), I think I'll continue with the basic auth approach I 
attempted and see what I can dig up on past efforts. I'll be sure to share what 
I've done.

Thanks Mark!

Tim

-Original Message-
From: Mark Miller [mailto:markrmil...@gmail.com] 
Sent: Friday, March 29, 2013 1:04 PM
To: solr-user@lucene.apache.org
Subject: Re: Basic auth on SolrCloud /admin/* calls

This has always been the case with Solr. Solr's security model is that clients 
should not have access to it - only trusted intermediaries should have access 
to it. Otherwise, it should be locked down at a higher level. That's been the 
case from day one and still is.

That said, someone did do some work on internode basic auth a while back, but 
it didn't raise a ton of interest yet.

- Mark

On Mar 29, 2013, at 2:09 PM, Vaillancourt, Tim tvaillanco...@ea.com wrote:

 Yes, I should have mentioned this is under 4.2 Solr.
 
 I sort of expected what I'm doing might be unsupported, but basically my 
 concern is under the current SOLR design, any client with connectivity to 
 SOLR's port can perform Admin-level API calls like create/drop Cores or 
 Collections.
 
 I'm only aiming for '/solr/admin/*' calls to separate Application access 
 from the Administrative access logically, and not the non-admin calls like 
 '/update', although you can cause damage with '/update', too.
 
 I may try to patch the code to send Basic auth credentials on internal calls 
 just for fun, but I'm thinking longer-term authentication should be 
 implemented/added to the SOLR codebase (for at least admin calls) vs playing 
 with security at the container level, and having the app inside the container 
 aware of it.
 
 On the upside, in short testing I was able to get a Collection online using 
 Cores API only using curl calls w/basic auth. Only the Collections API is 
 affected due to it calls itself which do not have auth.
 
 Cheers,
 
 Tim
 
 -Original Message-
 From: Isaac Hebsh [mailto:isaac.he...@gmail.com]
 Sent: Friday, March 29, 2013 12:37 AM
 To: solr-user@lucene.apache.org
 Subject: Re: Basic auth on SolrCloud /admin/* calls
 
 Hi Tim,
 Are you running Solr 4.2? (In 4.0 and 4.1, the Collections API didn't return 
 any failure message. see SOLR-4043 issue).
 
 As far as I know, you can't tell Solr to use authentication credentials when 
 communicating other nodes. It's a bigger issue.. for example, if you want to 
 protect the /update requestHandler, so unauthorized users won't delete your 
 whole collection, it can interfere the replication process.
 
 I think it's a necessary mechanism in production environment... I'm curious 
 how do people use SolrCloud in production w/o it.
 
 
 
 
 
 On Fri, Mar 29, 2013 at 3:42 AM, Vaillancourt, Tim 
 tvaillanco...@ea.comwrote:
 
 Hey guys,
 
 I've recently setup basic auth under Jetty 8 for all my Solr 4.x 
 '/admin/*' calls, in order to protect my Collections and Cores API.
 
 Although the security constraint is working as expected ('/admin/*' 
 calls require Basic Auth or return 401), when I use the Collections 
 API to create a collection, I receive a 200 OK to the Collections API 
 CREATE call, but the background Cores API calls that are ran on the 
 Collection API's behalf fail on the Basic Auth on other nodes with a
 401 code, as I should have foreseen, but didn't.
 
 Is there a way to tell SolrCloud to use authentication on internal 
 Cores API calls that are spawned on Collections API's behalf, or is 
 this a new feature request?
 
 To reproduce:
 
 1.   Implement basic auth on '/admin/*' URIs.
 
 2.   Perform a CREATE Collections API call to a node (which will
 return 200 OK).
 
 3.   Notice all Cores API calls fail (Collection isn't created). See
 stack trace below from the node that was issued the CREATE call.
 
 The stack trace I get is:
 
 org.apache.solr.common.SolrException: Server at http://HOST
 HERE:8983/solrhttp://%3cHOST%20HERE%3e:8983/solr returned non ok
 status:401, message:Unauthorized
 at
 org.apache.solr.client.solrj.impl.HttpSolrServer.request(HttpSolrServ
 e
 r.java:373)
 at
 org.apache.solr.client.solrj.impl.HttpSolrServer.request(HttpSolrServ
 e
 r.java:181)
 at
 org.apache.solr.handler.component.HttpShardHandler$1.call(HttpShardHa
 n
 dler.java:169)
 at
 org.apache.solr.handler.component.HttpShardHandler$1.call

RE: Basic auth on SolrCloud /admin/* calls

2013-03-29 Thread Vaillancourt, Tim 
Here we go:

https://issues.apache.org/jira/browse/SOLR-4470

Tim

-Original Message-
From: Vaillancourt, Tim [mailto:tvaillanco...@ea.com] 
Sent: Friday, March 29, 2013 3:25 PM
To: solr-user@lucene.apache.org
Subject: RE: Basic auth on SolrCloud /admin/* calls

Agreed, we don't have clients hitting Solr directly, it is used like a backend 
database in our usage by intermediaries, similar to say MySQL. Although 
restricting the access to Solr to fewer hosts is something, I still feel an 
application has no business being able to perform admin level calls, at least 
in my use case. This is being very nitpicky though.

We also open Solr's port to monitoring servers who shouldn't have access to 
admin calls and thinking paranoid a compromised app using a single collection 
could affect the entire cloud with admin call access.

Seeing the long term plan is to leave this feature at the container level 
(which is totally valid), I think I'll continue with the basic auth approach I 
attempted and see what I can dig up on past efforts. I'll be sure to share what 
I've done.

Thanks Mark!

Tim

-Original Message-
From: Mark Miller [mailto:markrmil...@gmail.com]
Sent: Friday, March 29, 2013 1:04 PM
To: solr-user@lucene.apache.org
Subject: Re: Basic auth on SolrCloud /admin/* calls

This has always been the case with Solr. Solr's security model is that clients 
should not have access to it - only trusted intermediaries should have access 
to it. Otherwise, it should be locked down at a higher level. That's been the 
case from day one and still is.

That said, someone did do some work on internode basic auth a while back, but 
it didn't raise a ton of interest yet.

- Mark

On Mar 29, 2013, at 2:09 PM, Vaillancourt, Tim tvaillanco...@ea.com wrote:

 Yes, I should have mentioned this is under 4.2 Solr.
 
 I sort of expected what I'm doing might be unsupported, but basically my 
 concern is under the current SOLR design, any client with connectivity to 
 SOLR's port can perform Admin-level API calls like create/drop Cores or 
 Collections.
 
 I'm only aiming for '/solr/admin/*' calls to separate Application access 
 from the Administrative access logically, and not the non-admin calls like 
 '/update', although you can cause damage with '/update', too.
 
 I may try to patch the code to send Basic auth credentials on internal calls 
 just for fun, but I'm thinking longer-term authentication should be 
 implemented/added to the SOLR codebase (for at least admin calls) vs playing 
 with security at the container level, and having the app inside the container 
 aware of it.
 
 On the upside, in short testing I was able to get a Collection online using 
 Cores API only using curl calls w/basic auth. Only the Collections API is 
 affected due to it calls itself which do not have auth.
 
 Cheers,
 
 Tim
 
 -Original Message-
 From: Isaac Hebsh [mailto:isaac.he...@gmail.com]
 Sent: Friday, March 29, 2013 12:37 AM
 To: solr-user@lucene.apache.org
 Subject: Re: Basic auth on SolrCloud /admin/* calls
 
 Hi Tim,
 Are you running Solr 4.2? (In 4.0 and 4.1, the Collections API didn't return 
 any failure message. see SOLR-4043 issue).
 
 As far as I know, you can't tell Solr to use authentication credentials when 
 communicating other nodes. It's a bigger issue.. for example, if you want to 
 protect the /update requestHandler, so unauthorized users won't delete your 
 whole collection, it can interfere the replication process.
 
 I think it's a necessary mechanism in production environment... I'm curious 
 how do people use SolrCloud in production w/o it.
 
 
 
 
 
 On Fri, Mar 29, 2013 at 3:42 AM, Vaillancourt, Tim 
 tvaillanco...@ea.comwrote:
 
 Hey guys,
 
 I've recently setup basic auth under Jetty 8 for all my Solr 4.x 
 '/admin/*' calls, in order to protect my Collections and Cores API.
 
 Although the security constraint is working as expected ('/admin/*' 
 calls require Basic Auth or return 401), when I use the Collections 
 API to create a collection, I receive a 200 OK to the Collections API 
 CREATE call, but the background Cores API calls that are ran on the 
 Collection API's behalf fail on the Basic Auth on other nodes with a
 401 code, as I should have foreseen, but didn't.
 
 Is there a way to tell SolrCloud to use authentication on internal 
 Cores API calls that are spawned on Collections API's behalf, or is 
 this a new feature request?
 
 To reproduce:
 
 1.   Implement basic auth on '/admin/*' URIs.
 
 2.   Perform a CREATE Collections API call to a node (which will
 return 200 OK).
 
 3.   Notice all Cores API calls fail (Collection isn't created). See
 stack trace below from the node that was issued the CREATE call.
 
 The stack trace I get is:
 
 org.apache.solr.common.SolrException: Server at http://HOST
 HERE:8983/solrhttp://%3cHOST%20HERE%3e:8983/solr returned non ok
 status:401, message:Unauthorized
 at
 org.apache.solr.client.solrj.impl.HttpSolrServer.request