Re: how to config split authentication methods -- BasicAuth for WebUI, & none (or SSL client) for client connections?

2020-10-14 Thread Radu Gheorghe
Hello,

If you enable authentication, this will work on your HTTP port. Solr won’t make 
a difference on whether the request comes from the Web UI or Dovecot.

I guess the workaround could be to put the web UI behind a proxy like NGINX and 
have authentication there?

But if anyone can have direct HTTP access to Solr, then it’s not really secure.

Best regards,
Radu
--
Sematext Cloud - Full Stack Observability - https://sematext.com
Solr and Elasticsearch Consulting, Training and Production Support

> On 12 Oct 2020, at 05:11, PGNet Dev wrote:
> 
>  I'm running,
> 
>   solr -version
>   8.6.3
> 
> on
> 
>   uname -rm
>   5.8.13-200.fc32.x86_64 x86_64
> 
>   grep _NAME /etc/os-release
>   PRETTY_NAME="Fedora 32 (Server Edition)"
>   CPE_NAME="cpe:/o:fedoraproject:fedora:32"
> 
> with
> 
>   java -version
>   openjdk version "15" 2020-09-15
>   OpenJDK Runtime Environment 20.9 (build 15+36)
>   OpenJDK 64-Bit Server VM 20.9 (build 15+36, mixed mode, sharing)
> 
> solr's configured for SSL usage.  both client search connections and WebUI 
> access work OK, with EC certs in use
> 
>   SOLR_SSL_KEY_STORE="/srv/ssl/solr.server.EC.pfx"
>   SOLR_SSL_TRUST_STORE="/srv/ssl/solr.server.EC.pfx"
> 
> If I enable BasicAuth, adding
> 
>   /security.json
>   {
>     "authentication":{
>       "blockUnknown": true,
>       "class":"solr.BasicAuthPlugin",
>       "credentials":{
>         "myuser":"jO... Fe..."
>       },
>       "realm":"Solr REALM",
>       "forwardCredentials": false
>     },
>     "authorization":{
>       "class":"solr.RuleBasedAuthorizationPlugin",
>       "permissions":[{
>         "name":"security-edit",
>         "role":"admin"
>       }],
>       "user-role":{
>         "solr":"admin"
>       }
>     }
>   }
> 
> as expected, WebUI requires/accepts valid credentials for access.
> 
> BUT ... client connections, e.g. from a mail MUA using dovecot's fts solr 
> plugin, immediately fail, returning "401 Unauthorized".
> 
> How can solr authentication be configured to split method -- using BasicAuth 
> for WebUI access ONLY, and still allowing the client connections?
> 
> Eventually, I want those client connections to require solr-side SSL client 
> auth.
> Atm, I'd just like to get it working -- _with_ the BasicAuth WebUI protection 
> in place.
> 
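
A sketch of the proxy workaround suggested in the reply above, added as an example and not taken from the thread or from Solr's documentation. It assumes authentication is enforced at NGINX instead of in security.json, and that Solr accepts connections only from the proxy host, since direct access would bypass both checks; hostnames, ports, file paths and the core name "dovecot" are placeholders.

```nginx
# Constructed example: hostnames, ports, paths and the core name "dovecot"
# are placeholders. Assumes Solr listens with TLS on 127.0.0.1:8983 and is
# not reachable from the network except through this proxy.
# Both server blocks belong inside the http { } context.

# Listener 1: Web UI for people, protected by HTTP Basic auth at the proxy.
server {
    listen 8443 ssl;
    server_name solr.example.com;

    ssl_certificate     /etc/nginx/ssl/proxy.crt;
    ssl_certificate_key /etc/nginx/ssl/proxy.key;

    auth_basic           "Solr REALM";
    auth_basic_user_file /etc/nginx/solr.htpasswd;

    location / {
        proxy_pass https://127.0.0.1:8983;
        proxy_set_header Host $host;
    }
}

# Listener 2: machine clients, authenticated by TLS client certificate.
server {
    listen 8444 ssl;
    server_name solr.example.com;

    ssl_certificate     /etc/nginx/ssl/proxy.crt;
    ssl_certificate_key /etc/nginx/ssl/proxy.key;

    # Only certificates issued by this CA are accepted. With "on", a request
    # without a valid client certificate is rejected (HTTP 400) by NGINX.
    ssl_client_certificate /etc/nginx/ssl/clients-ca.pem;
    ssl_verify_client      on;

    # Expose only the one core the clients need, not the admin UI or APIs.
    location /solr/dovecot/ {
        proxy_pass https://127.0.0.1:8983;
        proxy_set_header Host $host;
    }
    location / {
        return 403;
    }
}
```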



how to config split authentication methods -- BasicAuth for WebUI, & none (or SSL client) for client connections?

2020-10-11 Thread PGNet Dev
 I'm running,

solr -version
8.6.3

on

uname -rm
5.8.13-200.fc32.x86_64 x86_64

grep _NAME /etc/os-release
PRETTY_NAME="Fedora 32 (Server Edition)"
CPE_NAME="cpe:/o:fedoraproject:fedora:32"

with

java -version
openjdk version "15" 2020-09-15
OpenJDK Runtime Environment 20.9 (build 15+36)
OpenJDK 64-Bit Server VM 20.9 (build 15+36, mixed mode, sharing)

solr's configured for SSL usage.  both client search connections and WebUI 
access work OK, with EC certs in use

SOLR_SSL_KEY_STORE="/srv/ssl/solr.server.EC.pfx"
SOLR_SSL_TRUST_STORE="/srv/ssl/solr.server.EC.pfx"

If I enable BasicAuth, adding

/security.json
{
  "authentication":{
    "blockUnknown": true,
    "class":"solr.BasicAuthPlugin",
    "credentials":{
      "myuser":"jO... Fe..."
    },
    "realm":"Solr REALM",
    "forwardCredentials": false
  },
  "authorization":{
    "class":"solr.RuleBasedAuthorizationPlugin",
    "permissions":[{
      "name":"security-edit",
      "role":"admin"
    }],
    "user-role":{
      "solr":"admin"
    }
  }
}

as expected, WebUI requires/accepts valid credentials for access.

BUT ... client connections, e.g. from a mail MUA using dovecot's fts solr 
plugin, immediately fail, returning "401 Unauthorized".

How can solr authentication be configured to split method -- using BasicAuth 
for WebUI access ONLY, and still allowing the client connections?

Eventually, I want those client connections to require solr-side SSL client 
auth.
Atm, I'd just like to get it working -- _with_ the BasicAuth WebUI protection 
in place.