Hello,
If you enable authentication, this will work on your HTTP port. Solr won’t make
a difference on whether the request comes from the Web UI or Dovecot.
I guess the workaround could be to put the web UI behind a proxy like NGINX and
have authentication there?
But if anyone can have direct HTTP access to Solr, then it’s not really secure.
Best regards,
Radu
--
Sematext Cloud - Full Stack Observability - https://sematext.com
Solr and Elasticsearch Consulting, Training and Production Support
> On 12 Oct 2020, at 05:11, PGNet Dev wrote:
>
> I'm running,
>
> solr -version
> 8.6.3
>
> on
>
> uname -rm
> 5.8.13-200.fc32.x86_64 x86_64
>
> grep _NAME /etc/os-release
> PRETTY_NAME="Fedora 32 (Server Edition)"
> CPE_NAME="cpe:/o:fedoraproject:fedora:32"
>
> with
>
> java -version
> openjdk version "15" 2020-09-15
> OpenJDK Runtime Environment 20.9 (build 15+36)
> OpenJDK 64-Bit Server VM 20.9 (build 15+36, mixed mode, sharing)
>
> solr's configured for SSL usage. both client search connections and WebUI
> access work OK, with EC certs in use
>
> SOLR_SSL_KEY_STORE="/srv/ssl/solr.server.EC.pfx"
> SOLR_SSL_TRUST_STORE="/srv/ssl/solr.server.EC.pfx"
>
> If I enable BasicAuth, adding
>
> /security.json
> {
> "authentication":{
> "blockUnknown": true,
> "class":"solr.BasicAuthPlugin",
> "credentials":{
> "myuser":"jO... Fe..."
>
> },
> "realm":"Solr REALM",
> "forwardCredentials": false
> },
> "authorization":{
> "class":"solr.RuleBasedAuthorizationPlugin",
> "permissions":[{
> "name":"security-edit",
> "role":"admin"
> }],
> "user-role":{
> "solr":"admin"
> }
> }
> }
>
> as expected, WebUI requires/accepts valid credentials for access.
>
> BUT ... client connections, e.g. from a mail MUA using dovecot's fts solr
> plugin, immediately fail, returning "401 Unauthorized".
>
> How can solr authentication be configured to split method -- using BasicAuth
> for WebUI access ONLY, and still allowing the client connections?
>
> Eventually, I want those client connections to require solr-side SSL client
> auth.
> Atm, I'd just like to get it working -- _with_ the BasicAuth WebUI protection
> in place.
>