Re: Authentication for all but selects

[Robert Douglas]

Thanks Craig!

I got the following to work.

{
  "authentication":{
"blockUnknown":false,
"class":"solr.BasicAuthPlugin",
"credentials":{"solr":"..."}},
  "authorization":{
"class":"solr.RuleBasedAuthorizationPlugin",
"user-role":{"solr":"admin"},
"permissions":[
  {
"name":"all",
"role":"admin",
"index":1},
  {
"name":"open_select",
"collection":"*",
"path":"/select",
"role":null,
"index":2}],
"":{"v":0}}}

On 2/5/21, 3:35 PM, "Oakley, Craig (NIH/NLM/NCBI) [C]" 
 wrote:

What works for us is having something like this at the bottom of 
security.json:
  {
"name":"open_select",
"path":"/select/*",
"role":null,
"index":9},
  {
"name":"catch-all-nocollection",
"collection":null,
"path":"/*",
"role":"allgen",
"index":10},
  {
"name":"catch-all-collection",
"path":"/*",
"role":"allgen",
"index":11}],
"":{"v":9}}}

The clause with the name open_select specifically allows selects to run 
without any role ("role":null)

The last two clauses say that anything else (with any collection and 
without any collection) requires allgen role: and that is a role that I grant 
to all users generally

Other permissions can go higher up in security.json (disallowing normal 
users from running DELETEREPLICA, and things like that); but these are the 
three clauses which I think should allow select without any login (and without 
any password), while everything else does require a login and password.

-Original Message-
From: Robert Douglas  
Sent: Friday, February 05, 2021 1:19 PM
To: solr-user@lucene.apache.org
Subject: Authentication for all but selects

Hello all,

We are working on some migrations and we want to be incorporating 
authentication more uniformly across all our installations of Solr, but we are 
getting stuck on allowing Select statements through without authentication 
while having authentication on with RBAP for everything else. For some of our 
apps the authentication for Selects isn’t an issue but for others, where we 
can’t really touch the code, it is.

Is there a way of doing this?

Cheers,
R

Robert Douglas
DevOps Engineer
Cornell University Library

RE: Authentication for all but selects

[Oakley, Craig (NIH/NLM/NCBI) [C]]

What works for us is having something like this at the bottom of security.json:
  {
"name":"open_select",
"path":"/select/*",
"role":null,
"index":9},
  {
"name":"catch-all-nocollection",
"collection":null,
"path":"/*",
"role":"allgen",
"index":10},
  {
"name":"catch-all-collection",
"path":"/*",
"role":"allgen",
"index":11}],
"":{"v":9}}}

The clause with the name open_select specifically allows selects to run without 
any role ("role":null)

The last two clauses say that anything else (with any collection and without 
any collection) requires allgen role: and that is a role that I grant to all 
users generally

Other permissions can go higher up in security.json (disallowing normal users 
from running DELETEREPLICA, and things like that); but these are the three 
clauses which I think should allow select without any login (and without any 
password), while everything else does require a login and password.

-Original Message-
From: Robert Douglas  
Sent: Friday, February 05, 2021 1:19 PM
To: solr-user@lucene.apache.org
Subject: Authentication for all but selects

Hello all,

We are working on some migrations and we want to be incorporating 
authentication more uniformly across all our installations of Solr, but we are 
getting stuck on allowing Select statements through without authentication 
while having authentication on with RBAP for everything else. For some of our 
apps the authentication for Selects isn’t an issue but for others, where we 
can’t really touch the code, it is.

Is there a way of doing this?

Cheers,
R

Robert Douglas
DevOps Engineer
Cornell University Library

Authentication for all but selects

[Robert Douglas]

Hello all,

We are working on some migrations and we want to be incorporating 
authentication more uniformly across all our installations of Solr, but we are 
getting stuck on allowing Select statements through without authentication 
while having authentication on with RBAP for everything else. For some of our 
apps the authentication for Selects isn’t an issue but for others, where we 
can’t really touch the code, it is.

Is there a way of doing this?

Cheers,
R

Robert Douglas
DevOps Engineer
Cornell University Library

Re: how to config split authentication methods -- BasicAuth for WebUI, & none (or SSL client) for client connections?

[Radu Gheorghe]

Hello,

If you enable authentication, this will work on your HTTP port. Solr won’t make 
a difference on whether the request comes from the Web UI or Dovecot.

I guess the workaround could be to put the web UI behind a proxy like NGINX and 
have authentication there?

But if anyone can have direct HTTP access to Solr, then it’s not really secure.

Best regards,
Radu
--
Sematext Cloud - Full Stack Observability - https://sematext.com
Solr and Elasticsearch Consulting, Training and Production Support

> On 12 Oct 2020, at 05:11, PGNet Dev  wrote:
> 
>  I'm running,
> 
>   solr -version
>   8.6.3
> 
> on
> 
>   uname -rm
>   5.8.13-200.fc32.x86_64 x86_64
> 
>   grep _NAME /etc/os-release
>   PRETTY_NAME="Fedora 32 (Server Edition)"
>   CPE_NAME="cpe:/o:fedoraproject:fedora:32"
> 
> with
> 
>   java -version
>   openjdk version "15" 2020-09-15
>   OpenJDK Runtime Environment 20.9 (build 15+36)
>   OpenJDK 64-Bit Server VM 20.9 (build 15+36, mixed mode, sharing)
> 
> solr's configured for SSL usage.  both client search connections and WebUI 
> access work OK, with EC certs in use
> 
>   SOLR_SSL_KEY_STORE="/srv/ssl/solr.server.EC.pfx"
>   SOLR_SSL_TRUST_STORE="/srv/ssl/solr.server.EC.pfx"
> 
> If I enable BasicAuth, adding
> 
>   /security.json
>   {
>   "authentication":{
>   "blockUnknown": true,
>   "class":"solr.BasicAuthPlugin",
>   "credentials":{
>   "myuser":"jO... Fe..."
> 
>   },
>   "realm":"Solr REALM",
>   "forwardCredentials": false
>   },
>   "authorization":{
>   "class":"solr.RuleBasedAuthorizationPlugin",
>   "permissions":[{
>   "name":"security-edit",
>   "role":"admin"
>   }],
>   "user-role":{
>   "solr":"admin"
>   }
>   }
>   }
> 
> as expected, WebUI requires/accepts valid credentials for access.
> 
> BUT ... client connections, e.g. from a mail MUA using dovecot's fts solr 
> plugin, immediately fail, returning "401 Unauthorized".
> 
> How can solr authentication be configured to split method -- using BasicAuth 
> for WebUI access ONLY, and still allowing the client connections?
> 
> Eventually, I want those client connections to require solr-side SSL client 
> auth.
> Atm, I'd just like to get it working -- _with_ the BasicAuth WebUI protection 
> in place.
> 

how to config split authentication methods -- BasicAuth for WebUI, & none (or SSL client) for client connections?

[PGNet Dev]

 I'm running,

solr -version
8.6.3

on

uname -rm
5.8.13-200.fc32.x86_64 x86_64

grep _NAME /etc/os-release
PRETTY_NAME="Fedora 32 (Server Edition)"
CPE_NAME="cpe:/o:fedoraproject:fedora:32"

with

java -version
openjdk version "15" 2020-09-15
OpenJDK Runtime Environment 20.9 (build 15+36)
OpenJDK 64-Bit Server VM 20.9 (build 15+36, mixed mode, sharing)

solr's configured for SSL usage.  both client search connections and WebUI 
access work OK, with EC certs in use

SOLR_SSL_KEY_STORE="/srv/ssl/solr.server.EC.pfx"
SOLR_SSL_TRUST_STORE="/srv/ssl/solr.server.EC.pfx"

If I enable BasicAuth, adding

/security.json
    {
"authentication":{
"blockUnknown": true,
"class":"solr.BasicAuthPlugin",
"credentials":{
"myuser":"jO... Fe..."

},
"realm":"Solr REALM",
"forwardCredentials": false
},
"authorization":{
"class":"solr.RuleBasedAuthorizationPlugin",
"permissions":[{
"name":"security-edit",
"role":"admin"
}],
"user-role":{
"solr":"admin"
    }
    }
}

as expected, WebUI requires/accepts valid credentials for access.

BUT ... client connections, e.g. from a mail MUA using dovecot's fts solr 
plugin, immediately fail, returning "401 Unauthorized".

How can solr authentication be configured to split method -- using BasicAuth 
for WebUI access ONLY, and still allowing the client connections?

Eventually, I want those client connections to require solr-side SSL client 
auth.
Atm, I'd just like to get it working -- _with_ the BasicAuth WebUI protection 
in place.

Re: Authentication for each collection

[Chris Hostetter]

https://lucene.apache.org/solr/guide/8_6/authentication-and-authorization-plugins.html

*Authentication* is global, but *Authorization* can be configured to use 
rules that restrict permissions on a per collection basis...

https://lucene.apache.org/solr/guide/8_6/rule-based-authorization-plugin.html#permissions-2

In concrete terms, the specific example you asked about is supported:

: Example ; user1:password1 for collection A
:  user2:password2 for collection B

what would *NOT* be supported is to have a distinct set of users for each 
collection, such that there could be two different "user1" instances, each 
with it's own password, where each "user1" had access to one collection.



: Date: Thu, 1 Oct 2020 13:45:14 -0700
: From: sambasivarao giddaluri 
: Reply-To: solr-user@lucene.apache.org
: To: solr-user@lucene.apache.org
: Subject: Authentication for each collection
: 
: Hi All,
: We have 2 collections and we are using  basic authentication against solr ,
: configured in security.json . Is it possible to configure in such a way
: that we have different credentials for each collection . Please advise if
: there is any other approach i can look into.
: 
: Example ; user1:password1 for collection A
:  user2:password2 for collection B
: 

-Hoss
http://www.lucidworks.com/

Authentication for each collection

[sambasivarao giddaluri]

Hi All,
We have 2 collections and we are using  basic authentication against solr ,
configured in security.json . Is it possible to configure in such a way
that we have different credentials for each collection . Please advise if
there is any other approach i can look into.

Example ; user1:password1 for collection A
 user2:password2 for collection B

Re: Addreplica throwing error when authentication is enabled

[yaswanth kumar]

Hi Ben

Thanks for looking.. but I am not understanding about the file encrypted stuff 
that you mentioned?? Which file are you saying encrypted ? Security.json??

Sent from my iPhone

> On Sep 1, 2020, at 10:56 PM, Ben  wrote:
> 
> It appears the issue is with the encrypted file. Are these files encrypted?
> If yes, you need to decrypt it first.
> 
> moreCaused by: javax.crypto.BadPaddingException: RSA private key operation
> failed
> 
> Best,
> Ben
> 
>> On Tue, Sep 1, 2020, 10:51 PM yaswanth kumar  wrote:
>> 
>> Can some one please help me on the below error??
>> 
>> Solr 8.2; zookeeper 3.4
>> 
>> Enabled authentication and authentication and make sure that the role gets
>> all access
>> 
>> Now just add a collection with single replica and once done .. now try to
>> add another replica with addreplica solr api and that’s throwing error ..
>> note: this is happening only when security.json was enabled with
>> authentication
>> 
>> Below is the error
>> Collection: test operation: restore
>> failed:org.apache.solr.common.SolrException: ADDREPLICA failed to create
>> replicaCollection: test operation: restore
>> failed:org.apache.solr.common.SolrException: ADDREPLICA failed to create
>> replica at
>> org.apache.solr.cloud.api.collections.OverseerCollectionMessageHandler$ShardRequestTracker.processResponses(OverseerCollectionMessageHandler.java:1030)
>> at
>> org.apache.solr.cloud.api.collections.OverseerCollectionMessageHandler$ShardRequestTracker.processResponses(OverseerCollectionMessageHandler.java:1013)
>> at
>> org.apache.solr.cloud.api.collections.AddReplicaCmd.lambda$addReplica$1(AddReplicaCmd.java:177)
>> at
>> org.apache.solr.cloud.api.collections.AddReplicaCmd$$Lambda$798/.run(Unknown
>> Source) at
>> org.apache.solr.cloud.api.collections.AddReplicaCmd.addReplica(AddReplicaCmd.java:199)
>> at
>> org.apache.solr.cloud.api.collections.OverseerCollectionMessageHandler.addReplica(OverseerCollectionMessageHandler.java:708)
>> at
>> org.apache.solr.cloud.api.collections.RestoreCmd.call(RestoreCmd.java:286)
>> at
>> org.apache.solr.cloud.api.collections.OverseerCollectionMessageHandler.processMessage(OverseerCollectionMessageHandler.java:264)
>> at
>> org.apache.solr.cloud.OverseerTaskProcessor$Runner.run(OverseerTaskProcessor.java:505)
>> at
>> org.apache.solr.common.util.ExecutorUtil$MDCAwareThreadPoolExecutor.lambda$execute$0(ExecutorUtil.java:209)
>> at
>> org.apache.solr.common.util.ExecutorUtil$MDCAwareThreadPoolExecutor$$Lambda$142/.run(Unknown
>> Source) at
>> java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>> at
>> java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>> at java.base/java.lang.Thread.run(Thread.java:834)Caused by:
>> org.apache.solr.common.SolrException: javax.crypto.BadPaddingException: RSA
>> private key operation failed at
>> org.apache.solr.util.CryptoKeys$RSAKeyPair.encrypt(CryptoKeys.java:325) at
>> org.apache.solr.security.PKIAuthenticationPlugin.generateToken(PKIAuthenticationPlugin.java:305)
>> at
>> org.apache.solr.security.PKIAuthenticationPlugin.access$200(PKIAuthenticationPlugin.java:61)
>> at
>> org.apache.solr.security.PKIAuthenticationPlugin$2.onQueued(PKIAuthenticationPlugin.java:239)
>> at
>> org.apache.solr.client.solrj.impl.Http2SolrClient.decorateRequest(Http2SolrClient.java:468)
>> at
>> org.apache.solr.client.solrj.impl.Http2SolrClient.makeRequest(Http2SolrClient.java:455)
>> at
>> org.apache.solr.client.solrj.impl.Http2SolrClient.request(Http2SolrClient.java:364)
>> at
>> org.apache.solr.client.solrj.impl.Http2SolrClient.request(Http2SolrClient.java:746)
>> at org.apache.solr.client.solrj.SolrClient.request(SolrClient.java:1274) at
>> org.apache.solr.handler.component.HttpShardHandler.request(HttpShardHandler.java:238)
>> at
>> org.apache.solr.handler.component.HttpShardHandler.lambda$submit$0(HttpShardHandler.java:199)
>> at
>> org.apache.solr.handler.component.HttpShardHandler$$Lambda$512/.call(Unknown
>> Source) at
>> java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) at
>> java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
>> at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) at
>> com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:181)
>> ... 5 moreCaused by: javax.crypto.BadPaddingException: RSA p

Re: Addreplica throwing error when authentication is enabled

[Ben]

It appears the issue is with the encrypted file. Are these files encrypted?
If yes, you need to decrypt it first.

moreCaused by: javax.crypto.BadPaddingException: RSA private key operation
failed

Best,
Ben

On Tue, Sep 1, 2020, 10:51 PM yaswanth kumar  wrote:

> Can some one please help me on the below error??
>
> Solr 8.2; zookeeper 3.4
>
> Enabled authentication and authentication and make sure that the role gets
> all access
>
> Now just add a collection with single replica and once done .. now try to
> add another replica with addreplica solr api and that’s throwing error ..
> note: this is happening only when security.json was enabled with
> authentication
>
> Below is the error
> Collection: test operation: restore
> failed:org.apache.solr.common.SolrException: ADDREPLICA failed to create
> replicaCollection: test operation: restore
> failed:org.apache.solr.common.SolrException: ADDREPLICA failed to create
> replica at
> org.apache.solr.cloud.api.collections.OverseerCollectionMessageHandler$ShardRequestTracker.processResponses(OverseerCollectionMessageHandler.java:1030)
> at
> org.apache.solr.cloud.api.collections.OverseerCollectionMessageHandler$ShardRequestTracker.processResponses(OverseerCollectionMessageHandler.java:1013)
> at
> org.apache.solr.cloud.api.collections.AddReplicaCmd.lambda$addReplica$1(AddReplicaCmd.java:177)
> at
> org.apache.solr.cloud.api.collections.AddReplicaCmd$$Lambda$798/.run(Unknown
> Source) at
> org.apache.solr.cloud.api.collections.AddReplicaCmd.addReplica(AddReplicaCmd.java:199)
> at
> org.apache.solr.cloud.api.collections.OverseerCollectionMessageHandler.addReplica(OverseerCollectionMessageHandler.java:708)
> at
> org.apache.solr.cloud.api.collections.RestoreCmd.call(RestoreCmd.java:286)
> at
> org.apache.solr.cloud.api.collections.OverseerCollectionMessageHandler.processMessage(OverseerCollectionMessageHandler.java:264)
> at
> org.apache.solr.cloud.OverseerTaskProcessor$Runner.run(OverseerTaskProcessor.java:505)
> at
> org.apache.solr.common.util.ExecutorUtil$MDCAwareThreadPoolExecutor.lambda$execute$0(ExecutorUtil.java:209)
> at
> org.apache.solr.common.util.ExecutorUtil$MDCAwareThreadPoolExecutor$$Lambda$142/.run(Unknown
> Source) at
> java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
> at
> java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
> at java.base/java.lang.Thread.run(Thread.java:834)Caused by:
> org.apache.solr.common.SolrException: javax.crypto.BadPaddingException: RSA
> private key operation failed at
> org.apache.solr.util.CryptoKeys$RSAKeyPair.encrypt(CryptoKeys.java:325) at
> org.apache.solr.security.PKIAuthenticationPlugin.generateToken(PKIAuthenticationPlugin.java:305)
> at
> org.apache.solr.security.PKIAuthenticationPlugin.access$200(PKIAuthenticationPlugin.java:61)
> at
> org.apache.solr.security.PKIAuthenticationPlugin$2.onQueued(PKIAuthenticationPlugin.java:239)
> at
> org.apache.solr.client.solrj.impl.Http2SolrClient.decorateRequest(Http2SolrClient.java:468)
> at
> org.apache.solr.client.solrj.impl.Http2SolrClient.makeRequest(Http2SolrClient.java:455)
> at
> org.apache.solr.client.solrj.impl.Http2SolrClient.request(Http2SolrClient.java:364)
> at
> org.apache.solr.client.solrj.impl.Http2SolrClient.request(Http2SolrClient.java:746)
> at org.apache.solr.client.solrj.SolrClient.request(SolrClient.java:1274) at
> org.apache.solr.handler.component.HttpShardHandler.request(HttpShardHandler.java:238)
> at
> org.apache.solr.handler.component.HttpShardHandler.lambda$submit$0(HttpShardHandler.java:199)
> at
> org.apache.solr.handler.component.HttpShardHandler$$Lambda$512/.call(Unknown
> Source) at
> java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) at
> java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
> at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) at
> com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:181)
> ... 5 moreCaused by: javax.crypto.BadPaddingException: RSA private key
> operation failed at
> java.base/sun.security.rsa.NativeRSACore.crtCrypt_Native(NativeRSACore.java:149)
> at java.base/sun.security.rsa.NativeRSACore.rsa(NativeRSACore.java:91) at
> java.base/sun.security.rsa.RSACore.rsa(RSACore.java:149) at
> java.base/com.sun.crypto.provider.RSACipher.doFinal(RSACipher.java:355) at
> java.base/com.sun.crypto.provider.RSACipher.engineDoFinal(RSACipher.java:392)
> at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2260) at
> org.apache.solr.util.CryptoKeys$RSAKeyPair.encrypt(CryptoKeys.java:323) ...
> 20 more
>
> That's the error stack trace I

Addreplica throwing error when authentication is enabled

[yaswanth kumar]

Can some one please help me on the below error??

Solr 8.2; zookeeper 3.4

Enabled authentication and authentication and make sure that the role gets all 
access 

Now just add a collection with single replica and once done .. now try to add 
another replica with addreplica solr api and that’s throwing error .. note: 
this is happening only when security.json was enabled with authentication 

Below is the error
Collection: test operation: restore 
failed:org.apache.solr.common.SolrException: ADDREPLICA failed to create 
replicaCollection: test operation: restore 
failed:org.apache.solr.common.SolrException: ADDREPLICA failed to create 
replica at 
org.apache.solr.cloud.api.collections.OverseerCollectionMessageHandler$ShardRequestTracker.processResponses(OverseerCollectionMessageHandler.java:1030)
 at 
org.apache.solr.cloud.api.collections.OverseerCollectionMessageHandler$ShardRequestTracker.processResponses(OverseerCollectionMessageHandler.java:1013)
 at 
org.apache.solr.cloud.api.collections.AddReplicaCmd.lambda$addReplica$1(AddReplicaCmd.java:177)
 at 
org.apache.solr.cloud.api.collections.AddReplicaCmd$$Lambda$798/.run(Unknown
 Source) at 
org.apache.solr.cloud.api.collections.AddReplicaCmd.addReplica(AddReplicaCmd.java:199)
 at 
org.apache.solr.cloud.api.collections.OverseerCollectionMessageHandler.addReplica(OverseerCollectionMessageHandler.java:708)
 at org.apache.solr.cloud.api.collections.RestoreCmd.call(RestoreCmd.java:286) 
at 
org.apache.solr.cloud.api.collections.OverseerCollectionMessageHandler.processMessage(OverseerCollectionMessageHandler.java:264)
 at 
org.apache.solr.cloud.OverseerTaskProcessor$Runner.run(OverseerTaskProcessor.java:505)
 at 
org.apache.solr.common.util.ExecutorUtil$MDCAwareThreadPoolExecutor.lambda$execute$0(ExecutorUtil.java:209)
 at 
org.apache.solr.common.util.ExecutorUtil$MDCAwareThreadPoolExecutor$$Lambda$142/.run(Unknown
 Source) at 
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
 at 
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
 at java.base/java.lang.Thread.run(Thread.java:834)Caused by: 
org.apache.solr.common.SolrException: javax.crypto.BadPaddingException: RSA 
private key operation failed at 
org.apache.solr.util.CryptoKeys$RSAKeyPair.encrypt(CryptoKeys.java:325) at 
org.apache.solr.security.PKIAuthenticationPlugin.generateToken(PKIAuthenticationPlugin.java:305)
 at 
org.apache.solr.security.PKIAuthenticationPlugin.access$200(PKIAuthenticationPlugin.java:61)
 at 
org.apache.solr.security.PKIAuthenticationPlugin$2.onQueued(PKIAuthenticationPlugin.java:239)
 at 
org.apache.solr.client.solrj.impl.Http2SolrClient.decorateRequest(Http2SolrClient.java:468)
 at 
org.apache.solr.client.solrj.impl.Http2SolrClient.makeRequest(Http2SolrClient.java:455)
 at 
org.apache.solr.client.solrj.impl.Http2SolrClient.request(Http2SolrClient.java:364)
 at 
org.apache.solr.client.solrj.impl.Http2SolrClient.request(Http2SolrClient.java:746)
 at org.apache.solr.client.solrj.SolrClient.request(SolrClient.java:1274) at 
org.apache.solr.handler.component.HttpShardHandler.request(HttpShardHandler.java:238)
 at 
org.apache.solr.handler.component.HttpShardHandler.lambda$submit$0(HttpShardHandler.java:199)
 at 
org.apache.solr.handler.component.HttpShardHandler$$Lambda$512/.call(Unknown
 Source) at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) 
at 
java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
 at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) at 
com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:181)
 ... 5 moreCaused by: javax.crypto.BadPaddingException: RSA private key 
operation failed at 
java.base/sun.security.rsa.NativeRSACore.crtCrypt_Native(NativeRSACore.java:149)
 at java.base/sun.security.rsa.NativeRSACore.rsa(NativeRSACore.java:91) at 
java.base/sun.security.rsa.RSACore.rsa(RSACore.java:149) at 
java.base/com.sun.crypto.provider.RSACipher.doFinal(RSACipher.java:355) at 
java.base/com.sun.crypto.provider.RSACipher.engineDoFinal(RSACipher.java:392) 
at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2260) at 
org.apache.solr.util.CryptoKeys$RSAKeyPair.encrypt(CryptoKeys.java:323) ... 20 
more
 
That's the error stack trace I am seeing, as soon as I call the restore API I 
am seeing the collection test with a single core on the cloud but its in down 
state.
 
No of nodes that I configured with solr cloud is : 2 
Testing on a single collection with 2 replicas
Here is my security.json looks like
{
"authentication":{
"class":"solr.BasicAuthPlugin",
"credentials":
{ "admin":"", "dev":""}
,
"":{"v":11},
"blockUnknown":true,
"forwardCredentials":true},
"authorization":{
"class&qu

Re: Online Solr password encryption tool for the Basic Authentication plugin

[Clemente Biondo]

Thank you Jan,
your solution is also super easy, I was not aware of that, thanks for
letting me know, it solves another use case for us.
Yes, we use the REST API, but since we use solr as a docker image I feel
unease to commit the initial password in the image.
We came out with the following solution:
1) in the security.json we have a placeholder instead of the hardcoded
password
2) we replace it  (sed) before starting solr with in an init script (inside
solr_init.d) by reading the real password from a vault.
Thanks for your feedback!

Clemente
https://www.linkedin.com/in/clemente-biondo




Il giorno ven 28 ago 2020 alle ore 10:43 Jan Høydahl 
ha scritto:

> Cool, it’s even easier than my old Java tool:
> https://github.com/cominvent/solr-tools <
> https://github.com/cominvent/solr-tools>
>
> Also, I can recommend using the authenitcation REST API to add users
> instead of hardcoding. The API takes care of the encoding for you!
>
> Jan
>
> > 27. aug. 2020 kl. 18:28 skrev Clemente Biondo  >:
> >
> > I was a little annoyed of the default "SolrRocks" password so I wrote a
> > little utility to generate solr passwords for the Basic Authentication
> > plugin and made it available online.
> > The password encoder is written in simple plain javascript, there is no
> > need to install or download anything, the process is entirely local and
> no
> > data is sent over the internet.
> > The utility is published under an MIT licence and you are welcome to use
> or
> > improve upon it.
> > Hope you like it!
> >
> > The source repository is here:
> > https://github.com/clemente-biondo/clemente-biondo.github.io
> > The online utility is here: https://clemente-biondo.github.io/
> >
> > Security was my main concern, I tried to address the best I coud, again
> any
> > feedback is welcome and appreciated.
> >
> > Cheers!
> > Clemente Biondo
>
>

Re: Online Solr password encryption tool for the Basic Authentication plugin

[Jan Høydahl]

Cool, it’s even easier than my old Java tool: 
https://github.com/cominvent/solr-tools 
<https://github.com/cominvent/solr-tools>

Also, I can recommend using the authenitcation REST API to add users instead of 
hardcoding. The API takes care of the encoding for you!

Jan

> 27. aug. 2020 kl. 18:28 skrev Clemente Biondo :
> 
> I was a little annoyed of the default "SolrRocks" password so I wrote a
> little utility to generate solr passwords for the Basic Authentication
> plugin and made it available online.
> The password encoder is written in simple plain javascript, there is no
> need to install or download anything, the process is entirely local and no
> data is sent over the internet.
> The utility is published under an MIT licence and you are welcome to use or
> improve upon it.
> Hope you like it!
> 
> The source repository is here:
> https://github.com/clemente-biondo/clemente-biondo.github.io
> The online utility is here: https://clemente-biondo.github.io/
> 
> Security was my main concern, I tried to address the best I coud, again any
> feedback is welcome and appreciated.
> 
> Cheers!
> Clemente Biondo

Online Solr password encryption tool for the Basic Authentication plugin

[Clemente Biondo]

I was a little annoyed of the default "SolrRocks" password so I wrote a
little utility to generate solr passwords for the Basic Authentication
plugin and made it available online.
The password encoder is written in simple plain javascript, there is no
need to install or download anything, the process is entirely local and no
data is sent over the internet.
The utility is published under an MIT licence and you are welcome to use or
improve upon it.
Hope you like it!

The source repository is here:
https://github.com/clemente-biondo/clemente-biondo.github.io
The online utility is here: https://clemente-biondo.github.io/

Security was my main concern, I tried to address the best I coud, again any
feedback is welcome and appreciated.

Cheers!
Clemente Biondo

Basic Authentication Plugin + Http2SolrClient

[Tiago Barros]

Hello, everyone. I hope you are all well and safe.

I am trying to enable authentication to our Solr 8.3.1 servers. I followed
the instructions on this page:
https://lucene.apache.org/solr/guide/8_3/basic-authentication-plugin.html
and used the "Global (JVM) Basic Auth Credentials" with the
solr.httpclient.config system property.
This setup works if I use HttpSolrClient to connect to Solr, but it does
not work with Http2SolrClient (it gives me HTTP ERROR 401 - require
authentication).

I found and read the issue SOLR-13510, but that seems to be fixed on 8.3.1.

Any help will be appreciated.

-- 
Tiago Barros

Re: Solr basic authentication and authorization Document

[Jan Høydahl]

Hi,

There is little context in your question. We don’t know how you deploy Solr 
(via solr-operator <https://github.com/bloomberg/solr-operator> or manually),
we don’t know if you deploy in Zookeeper or standalone mode, we don’t know if 
you tried enabling basic auth
already using the documentation at 
https://lucene.apache.org/solr/guide/8_5/basic-authentication-plugin.html 
<https://lucene.apache.org/solr/guide/8_5/basic-authentication-plugin.html>
and if that failed, what error messages are you seeing.

If you give some more context I’m sure there are many who can help.

Jan

> 26. jun. 2020 kl. 08:03 skrev Roshan Naik :
> 
> Hello Team ,
> 
> We are deploying the solr cluster on GCP kubernetes .
> We are not getting a clear idea in the documents for how we can
> implement the solr basic authentication and authorization in kubernetes
> cluster.
> 
> 
> Could you please provide the documents for the same?
> 
> 
> 
> -- 
> Thanks & Regards,
> Roshan Naik
> Cloud Engineer
> Email : rosh...@mactores.com
> Contact : +91 22 61123015
> 
> -- 
> This email and any files transmitted with it are confidential and intended 
> solely for the use of the individual or entity to whom they are addressed. 
> If you have received this email in error please notify the system manager. 
> This message contains confidential information and is intended only for the 
> individual named. If you are not the named addressee you should not 
> disseminate, distribute or copy this e-mail. Please notify the sender 
> immediately by e-mail if you have received this e-mail by mistake and 
> delete this e-mail from your system. If you are not the intended recipient 
> you are notified that disclosing, copying, distributing or taking any 
> action in reliance on the contents of this information is strictly 
> prohibited. WARNING!! : Computer viruses can be transmitted via email. The 
> recipient should check this email and any attachments for the presence of 
> viruses. The company accepts no liability for any damage caused by any 
> virus transmitted by this email. E-mail transmission cannot be guaranteed 
> to be secure or error-free as information could be intercepted, corrupted, 
> lost, destroyed, arrive late or incomplete, or contain viruses. The sender 
> therefore does not accept liability for any errors or omissions in the 
> contents of this message, which arise as a result of e-mail transmission. 
> Warning!!: Although the company has taken reasonable precautions to ensure 
> no viruses are present in this email, the company cannot accept 
> responsibility for any loss or damage arising from the use of this email or 
> attachments. Negligent misstatement: Our company accepts no liability for 
> the content of this email, or for the consequences of any actions taken on 
> the basis of the information provided, unless that information is 
> subsequently confirmed in writing. If you are not the intended recipient 
> you are notified that disclosing, copying, distributing or taking any 
> action in reliance on the contents of this information is strictly 
> prohibited.

Solr basic authentication and authorization Document

[Roshan Naik]

Hello Team ,

We are deploying the solr cluster on GCP kubernetes .
We are not getting a clear idea in the documents for how we can
implement the solr basic authentication and authorization in kubernetes
cluster.


Could you please provide the documents for the same?



-- 
Thanks & Regards,
Roshan Naik
Cloud Engineer
Email : rosh...@mactores.com
Contact : +91 22 61123015

-- 
This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify the system manager. 
This message contains confidential information and is intended only for the 
individual named. If you are not the named addressee you should not 
disseminate, distribute or copy this e-mail. Please notify the sender 
immediately by e-mail if you have received this e-mail by mistake and 
delete this e-mail from your system. If you are not the intended recipient 
you are notified that disclosing, copying, distributing or taking any 
action in reliance on the contents of this information is strictly 
prohibited. WARNING!! : Computer viruses can be transmitted via email. The 
recipient should check this email and any attachments for the presence of 
viruses. The company accepts no liability for any damage caused by any 
virus transmitted by this email. E-mail transmission cannot be guaranteed 
to be secure or error-free as information could be intercepted, corrupted, 
lost, destroyed, arrive late or incomplete, or contain viruses. The sender 
therefore does not accept liability for any errors or omissions in the 
contents of this message, which arise as a result of e-mail transmission. 
Warning!!: Although the company has taken reasonable precautions to ensure 
no viruses are present in this email, the company cannot accept 
responsibility for any loss or damage arising from the use of this email or 
attachments. Negligent misstatement: Our company accepts no liability for 
the content of this email, or for the consequences of any actions taken on 
the basis of the information provided, unless that information is 
subsequently confirmed in writing. If you are not the intended recipient 
you are notified that disclosing, copying, distributing or taking any 
action in reliance on the contents of this information is strictly 
prohibited.

Re: Solr 8.1.5 Postlogs - Basic Authentication Error

[Joel Bernstein]

Right now this is not, but this would be fairly easy to add. I'll see if I
can get that in for the next release.


Joel Bernstein
http://joelsolr.blogspot.com/


On Mon, May 11, 2020 at 5:03 PM Waheed, Imran 
wrote:

> Is there a way to use bin/postllogs with basic authentication on? I am
> getting error if do not give username/password
>
> bin/postlogs http://localhost:8983/solr/logs server/logs/<
> http://localhost:8983/solr/logs%20server/logs/> server/logs
>
> Exception in thread "main"
> org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error
> from server at http://localhost:8983/solr/logs: Expected mime type
> application/octet-stream but got text/html. 
> 
> 
> Error 401 require authentication
> 
> HTTP ERROR 401 require authentication
> 
> URI:/solr/logs/update
> STATUS:401
> MESSAGE:require authentication
> SERVLET:default
> 
>
> I get a different error if I try
> bin/postlogs -u user:@password http://localhost:8983/solr/logs
> server/logs/
>
>
> SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
> SLF4J: Defaulting to no-operation (NOP) logger implementation
> SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further
> details.
> Exception in thread "main" java.lang.NullPointerException
> at
> org.apache.solr.util.SolrLogPostTool.gatherFiles(SolrLogPostTool.java:127)
> at
> org.apache.solr.util.SolrLogPostTool.main(SolrLogPostTool.java:65)
>
> thank you,
> Imran
>
>
> The information in this e-mail is intended only for the person to whom it
> is
> addressed. If you believe this e-mail was sent to you in error and the
> e-mail
> contains patient information, please contact the Partners Compliance
> HelpLine at
> http://www.partners.org/complianceline . If the e-mail was sent to you in
> error
> but does not contain patient information, please contact the sender and
> properly
> dispose of the e-mail.
>

Re: Solr 8.1.5 Postlogs - Basic Authentication Error

[ART GALLERY]

check out the videos on this website TROO.TUBE don't be such a
sheep/zombie/loser/NPC. Much love!
https://troo.tube/videos/watch/aaa64864-52ee-4201-922f-41300032f219

On Mon, May 11, 2020 at 4:03 PM Waheed, Imran
 wrote:
>
> Is there a way to use bin/postllogs with basic authentication on? I am 
> getting error if do not give username/password
>
> bin/postlogs http://localhost:8983/solr/logs 
> server/logs/<http://localhost:8983/solr/logs%20server/logs/> server/logs
>
> Exception in thread "main" 
> org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error 
> from server at http://localhost:8983/solr/logs: Expected mime type 
> application/octet-stream but got text/html. 
> 
> 
> Error 401 require authentication
> 
> HTTP ERROR 401 require authentication
> 
> URI:/solr/logs/update
> STATUS:401
> MESSAGE:require authentication
> SERVLET:default
> 
>
> I get a different error if I try
> bin/postlogs -u user:@password http://localhost:8983/solr/logs server/logs/
>
>
> SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
> SLF4J: Defaulting to no-operation (NOP) logger implementation
> SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further 
> details.
> Exception in thread "main" java.lang.NullPointerException
> at 
> org.apache.solr.util.SolrLogPostTool.gatherFiles(SolrLogPostTool.java:127)
> at 
> org.apache.solr.util.SolrLogPostTool.main(SolrLogPostTool.java:65)
>
> thank you,
> Imran
>
>
> The information in this e-mail is intended only for the person to whom it is
> addressed. If you believe this e-mail was sent to you in error and the e-mail
> contains patient information, please contact the Partners Compliance HelpLine 
> at
> http://www.partners.org/complianceline . If the e-mail was sent to you in 
> error
> but does not contain patient information, please contact the sender and 
> properly
> dispose of the e-mail.

Solr 8.1.5 Postlogs - Basic Authentication Error

[Waheed, Imran]

Is there a way to use bin/postllogs with basic authentication on? I am getting 
error if do not give username/password

bin/postlogs http://localhost:8983/solr/logs 
server/logs/<http://localhost:8983/solr/logs%20server/logs/> server/logs

Exception in thread "main" 
org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error 
from server at http://localhost:8983/solr/logs: Expected mime type 
application/octet-stream but got text/html. 


Error 401 require authentication

HTTP ERROR 401 require authentication

URI:/solr/logs/update
STATUS:401
MESSAGE:require authentication
SERVLET:default


I get a different error if I try
bin/postlogs -u user:@password http://localhost:8983/solr/logs server/logs/


SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further 
details.
Exception in thread "main" java.lang.NullPointerException
at 
org.apache.solr.util.SolrLogPostTool.gatherFiles(SolrLogPostTool.java:127)
at 
org.apache.solr.util.SolrLogPostTool.main(SolrLogPostTool.java:65)

thank you,
Imran


The information in this e-mail is intended only for the person to whom it is
addressed. If you believe this e-mail was sent to you in error and the e-mail
contains patient information, please contact the Partners Compliance HelpLine at
http://www.partners.org/complianceline . If the e-mail was sent to you in error
but does not contain patient information, please contact the sender and properly
dispose of the e-mail.

Re: Apache Solr 8.4.1 Basic Authentication

[Mike Phillips]

The line webResource = client.resource(resourceUrl); defines what action 
I am performing example 
"https://localhost:8985/solr/CoreName/select?q=*%3A*;
Are you setting up your URL correctly. My snippet was outlining the 
additional Authorization header that needs to also be part of the 
request but assuming you were already going to a valid URL.


On 3/26/2020 3:59 PM, Altamirano, Emmanuel wrote:


Thank you so much for replying my email Mike.

I did use now the base64 to encode user and password but now Solr 
doesn’t undertint the credentials:


{Accept=[application/json], Content-Type=[application/json], 
*Authorization*=[Basic c29scjpTb2xyUm9ja3M=]}>] 
ERROR[org.springframework.web.client.HttpClientErrorException: 404 Not 
Found]


Before I got:

{Accept=[application/json], Content-Type=[application/json], 
*Authorization*=[Basic solr:SolrRocks]}>] 
ERROR[org.springframework.web.client.HttpClientErrorException: 401 
Invalid authentication token]


Is there something else that I need to configure?

*Emmanuel Altamirano,*

Consultant- Global Technology

International Operations

*Telephone:*312-985-3149

*Mobile:*312-860-3774

*cid:image001.png@01D02A68.19FA64F0*

555 W. Adams 5^th Floor

Chicago, IL 60661

_transunion.com <http://www.transunion.com/>___

This email including, without limitation, the attachments, if any, 
accompanying this email, may contain information which is confidential 
or privileged and exempt from disclosure under applicable law. The 
information is for the use of the intended recipient. If you are not 
the intended recipient, be aware that any disclosure, copying, 
distribution, review or use of the contents of this email, and/or its 
attachments, is without authorization and is prohibited. If you have 
received this email in error, please notify us by reply email 
immediately and destroy all copies of this email and its attachments.


*From:* Mike Phillips 
*Sent:* Thursday, March 26, 2020 3:10 PM
*To:* Altamirano, Emmanuel 
*Subject:* Re: Apache Solr 8.4.1 Basic Authentication

*EXTERNAL SENDER:* Exercise caution with links and attachments.

I use Jersey to talk to solr. Here is a code snippet. You seem to be 
on the right track but you need to base64 encode the username/password 
bytes.


    String combined = username + ":" + password;
    String  encoded = base64.encode(combined.getBytes());
    String  authHeader = "Basic " + encoded;

    // Setup need to encode the query
    webResource = client.resource(resourceUrl);
    webResource.accept("*.*");

    // Perform request
    response = webResource.header("Content-Type", "application/json")
    .header("Authorization", authHeader)
    .get(ClientResponse.class);
    respStatus = response.getStatus();

On 3/26/2020 12:27 PM, Altamirano, Emmanuel wrote:

Hello everyone,

We recently enable Solr Basic Authentication in our Dev
environment and we are testing Solr security. We followed the
instructions provided in the Apache Solr website and it is working
using curl command.

If you could provide us any advice of how do we need to send the
credentials in the HTTP headers in a Java program? It is very
appreciate it.

HttpHeaders headers= *new*HttpHeaders();

headers.setAccept(Arrays./asList/(MediaType.*/APPLICATION_JSON/*));

headers.setContentType(MediaType.*/APPLICATION_JSON/*);

headers.add("Authorization", "Basic "+ "solr:SolrRocks");

Thanks,

*Emmanuel Altamirano,*

Consultant- Global Technology

International Operations

*Telephone:*312-985-3149

*Mobile:*312-860-3774

*cid:image001.png@01D02A68.19FA64F0*

555 W. Adams 5^th Floor

Chicago, IL 60661

_transunion.com <http://www.transunion.com/>_

This email including, without limitation, the attachments, if any,
accompanying this email, may contain information which is
confidential or privileged and exempt from disclosure under
applicable law. The information is for the use of the intended
recipient. If you are not the intended recipient, be aware that
any disclosure, copying, distribution, review or use of the
contents of this email, and/or its attachments, is without
authorization and is prohibited. If you have received this email
in error, please notify us by reply email immediately and destroy
all copies of this email and its attachments.

Re: Apache Solr 8.4.1 Basic Authentication

[lstusr 5u93n4]

Hey Emmanuel,

If you're using Java, I'd highly suggest using solrj, it'll do the work
that you need it to do:

SolrRequest req ;//create a new request object
req.setBasicAuthCredentials(userName, password);
solrClient.request(req);


If that doesn't work for you for some reason, you need to base64 encode the
username:password combo for basic http auth:

String auth =
Base64.getEncoder().encodeToString("solr:SolrRocks".getBytes());

headers.add("Authorization", "Basic " +  auth );

Also, I'm not sure if java.net.HttpClient has basic auth built in, but
apache HttpClient sure does...

Kyle

On Thu, 26 Mar 2020 at 15:27, Altamirano, Emmanuel <
emmanuel.altamir...@transunion.com> wrote:

> Hello everyone,
>
>
>
> We recently enable Solr Basic Authentication in our Dev environment and we
> are testing Solr security. We followed the instructions provided in the
> Apache Solr website and it is working using curl command.
>
>
>
> If you could provide us any advice of how do we need to send the
> credentials in the HTTP headers in a Java program? It is very appreciate it.
>
>
>
> HttpHeaders headers = *new* HttpHeaders();
>
> headers.setAccept(Arrays.*asList*(MediaType.*APPLICATION_JSON*));
>
> headers.setContentType(MediaType.*APPLICATION_JSON*);
>
> headers.add("Authorization", "Basic " + "solr:SolrRocks");
>
>
>
> Thanks,
>
>
>
> *Emmanuel Altamirano,*
>
> Consultant - Global Technology
>
> International Operations
>
>
>
> *Telephone:* 312-985-3149
>
> *Mobile:* 312-860-3774
>
>
>
> *[image: cid:image001.png@01D02A68.19FA64F0]*
>
>
>
> 555 W. Adams 5th Floor
>
> Chicago, IL 60661
>
> *transunion.com <http://www.transunion.com/>*
>
>
>
> This email including, without limitation, the attachments, if any,
> accompanying this email, may contain information which is confidential or
> privileged and exempt from disclosure under applicable law. The information
> is for the use of the intended recipient. If you are not the intended
> recipient, be aware that any disclosure, copying, distribution, review or
> use of the contents of this email, and/or its attachments, is without
> authorization and is prohibited. If you have received this email in error,
> please notify us by reply email immediately and destroy all copies of this
> email and its attachments.
>
>
>

Apache Solr 8.4.1 Basic Authentication

[Altamirano, Emmanuel]

Hello everyone,

We recently enable Solr Basic Authentication in our Dev environment and we are 
testing Solr security. We followed the instructions provided in the Apache Solr 
website and it is working using curl command.

If you could provide us any advice of how do we need to send the credentials in 
the HTTP headers in a Java program? It is very appreciate it.

HttpHeaders headers = new HttpHeaders();
headers.setAccept(Arrays.asList(MediaType.APPLICATION_JSON));
headers.setContentType(MediaType.APPLICATION_JSON);
headers.add("Authorization", "Basic " + "solr:SolrRocks");

Thanks,

Emmanuel Altamirano,
Consultant - Global Technology
International Operations

Telephone: 312-985-3149
Mobile: 312-860-3774

[cid:image001.png@01D02A68.19FA64F0]

555 W. Adams 5th Floor
Chicago, IL 60661
transunion.com<http://www.transunion.com/>

This email including, without limitation, the attachments, if any, accompanying 
this email, may contain information which is confidential or privileged and 
exempt from disclosure under applicable law. The information is for the use of 
the intended recipient. If you are not the intended recipient, be aware that 
any disclosure, copying, distribution, review or use of the contents of this 
email, and/or its attachments, is without authorization and is prohibited. If 
you have received this email in error, please notify us by reply email 
immediately and destroy all copies of this email and its attachments.

Re: Facing jwt authentication problem using solr 8.1.1

[Jan Høydahl]

As I said, I don’t think you will be successful with a public OAuth provider 
like google or GitHub.
I know little about how or whether they issue access tokens at all. I think 
they just deal with ID tokens?

Jan

> 3. jan. 2020 kl. 08:07 skrev lakshgupta29 :
> 
> Hi Jan,
> 
> I've used Auth2.0 provider for admin UI Dashboard authentication. I've
> passed IdP endpoint and client id as per the provider details. It's logging
> in my dashboard successfully, not able to authenticate API, 
> getting below exception. 
> 
> o.a.s.s.SolrLogAuditLoggerPlugin type="REJECTED" message="Rejected"
> method="GET" status="401" requestType="UNKNOWN" username="null"
> resource="/solr" queryString="_=1578034784015=json" collections=null
> 
> As above exception, username is "null". 
> 
> Could you please help out? 
> 
> Please find the screenshot after provider authentication.
> <https://lucene.472066.n3.nabble.com/file/t495331/solr-authentication.png> 
> 
> 
> 
> 
> --
> Sent from: https://lucene.472066.n3.nabble.com/Solr-User-f472068.html

Re: Facing jwt authentication problem using solr 8.1.1

[lakshgupta29]

Hi Jan,

I've used Auth2.0 provider for admin UI Dashboard authentication. I've
passed IdP endpoint and client id as per the provider details. It's logging
in my dashboard successfully, not able to authenticate API, 
getting below exception. 

o.a.s.s.SolrLogAuditLoggerPlugin type="REJECTED" message="Rejected"
method="GET" status="401" requestType="UNKNOWN" username="null"
resource="/solr" queryString="_=1578034784015=json" collections=null

As above exception, username is "null". 

Could you please help out? 

Please find the screenshot after provider authentication.
<https://lucene.472066.n3.nabble.com/file/t495331/solr-authentication.png> 




--
Sent from: https://lucene.472066.n3.nabble.com/Solr-User-f472068.html

Re: Facing jwt authentication problem using solr 8.1.1

[Jan Høydahl]

Don’t think so - you need to register Solr as a client with your IdP according 
to the docs.

Jan

> 2. jan. 2020 kl. 13:01 skrev lakshgupta29 :
> 
> Can i use GitHub Provider authentication for admin UI support.
> 
> 
> 
> --
> Sent from: https://lucene.472066.n3.nabble.com/Solr-User-f472068.html

Re: Facing jwt authentication problem using solr 8.1.1

[lakshgupta29]

Can i use GitHub Provider authentication for admin UI support.



--
Sent from: https://lucene.472066.n3.nabble.com/Solr-User-f472068.html

Re: Facing jwt authentication problem using solr 8.1.1

[Jan Høydahl]

Hi

Explaining what OpenID or Idenity servers are is a bit outside the scope here :)
Encourage you to read up on the subject[1] and try out one of the free IdP 
providers online[2]
to test things out, then decide whether you want to install your own IdP 
in-house.

[1] https://en.wikipedia.org/wiki/OpenID_Connect 
 
[2] https://auth0.com , https://www.okta.com 
 and many others

Jan

> 30. des. 2019 kl. 13:03 skrev lakshgupta29 :
> 
> Currently, I am seeing the below image 
> 
>  
> 
> Jan, Could you please provide steps to create own IdP server or any
> reference on the internet. I'd really appreciate that. 
> 
> Thanks!
> 
> 
> 
> --
> Sent from: https://lucene.472066.n3.nabble.com/Solr-User-f472068.html

Re: Facing jwt authentication problem using solr 8.1.1

[lakshgupta29]

Currently, I am seeing the below image 

 

Jan, Could you please provide steps to create own IdP server or any
reference on the internet. I'd really appreciate that. 

Thanks!



--
Sent from: https://lucene.472066.n3.nabble.com/Solr-User-f472068.html

Re: Facing jwt authentication problem using solr 8.1.1

[Jan Høydahl]

There is support for OpenID connect login from Admin. Just point it to your 
IDP’s endpoint and Solr will redirect you to your IdP for logging in. The IdP 
will pass the JWT token to your browser.

If you manually generate your JWT tokens and do not have an IdP server it’s not 
that easy. What do you currently see in the login screen?

Jan Høydahl

> 29. des. 2019 kl. 11:44 skrev lakshgupta29 :
> 
> Thanks for your quick response. 
> 
> Is there any way to secure my Admin UI Dashboard as well as API's using JWT
> token machanism.
> 
> Thanks
> 
> 
> 
> --
> Sent from: https://lucene.472066.n3.nabble.com/Solr-User-f472068.html

Re: Facing jwt authentication problem using solr 8.1.1

[lakshgupta29]

Thanks for your quick response. 

Is there any way to secure my Admin UI Dashboard as well as API's using JWT
token machanism.

Thanks



--
Sent from: https://lucene.472066.n3.nabble.com/Solr-User-f472068.html

Re: Facing jwt authentication problem using solr 8.1.1

[lakshgupta29]

Hi Jan,

Thanks for your quick response. The above issue has resolved now API's are
secured with JWT token with set authorized permissions. 
Unfortunately , I'm stuck in solr admin UI dashboard. 

My API's are secured by using JWT authentication, When i'm trying to access
admin dashboard few functionalities are not accessible like querying, admin
etc. 

because, all /select, /admin API's required authentication in respect of
that. 

How can i secured admin UI dashboard as well as solr API's. Can you provide
your inputs? 

Thanks!
Lakhan Gupta 



--
Sent from: https://lucene.472066.n3.nabble.com/Solr-User-f472068.html

Re: Facing jwt authentication problem using solr 8.1.1

[Jason Gerlowski]

Oh, ok.

>From the user's error message it looked to me like bin/solr was making
an admin/info/system call from bash, but it must be something else.

On Fri, Dec 20, 2019 at 6:28 AM Jan Høydahl  wrote:
>
> No, I doubt that bin/solr support would do more than just wire in a simple 
> initial JWT config, with some default Rule-based config.
>
> Jan
>
> > 17. des. 2019 kl. 16:42 skrev Jason Gerlowski :
> >
> > Hey Jan,
> >
> > Is this a case of something that'd be fixed by
> > https://issues.apache.org/jira/browse/SOLR-13071 ?
> >
> > Just wondering
> >
> > Best,
> > Jason
> >
> > On Thu, Dec 12, 2019 at 5:43 PM Jan Høydahl  wrote:
> >>
> >> Try something like this 
> >> https://gist.github.com/b330e1bea7842bcdc1e5fa3940b4a4f7 
> >> <https://gist.github.com/b330e1bea7842bcdc1e5fa3940b4a4f7>
> >>
> >> The trick is to «whitelist» certain paths that will not require auth, but 
> >> then further down add rules to block all other paths either as admin role 
> >> or with special role *»* which means «any authenticated user».
> >>
> >> Jan
> >>
> >>> 12. des. 2019 kl. 07:47 skrev Lakhan Gupta 
> >>> :
> >>>
> >>> Hi,
> >>>
> >>> Using solr 8.1.1 version and facing problem while enabling jwt 
> >>> authentication in solr. Jwt authentication is working fine after 
> >>> configuring security.json file. Below is the configuration I am using for 
> >>> enabling jwt authentication.
> >>>
> >>> Security.json
> >>>
> >>> {
> >>> "authentication":{
> >>>  "blockUnknown": false,
> >>>   "class":"solr.JWTAuthPlugin",
> >>>  "jwk":{
> >>> "kty":"oct",
> >>> "use":"sig",
> >>> "kid":"k1",
> >>> 
> >>> "k":"7A02618BE6943C22FD81CAB9F6FCF063B6E1732C3614BC3ACA6032B6B3215CAF0D28A34FD423423CA3AC34BEA27D3F79",
> >>> "alg":"HS256"},
> >>>   "aud":"solr"},
> >>>  "authorization":{
> >>> "class":"solr.RuleBasedAuthorizationPlugin",
> >>> "permissions":[
> >>> {
> >>>   "name":"all",
> >>>    "path":"/*",
> >>>   "role":"admin"
> >>>}
> >>> ],
> >>> "user-role":{
> >>>    "solr":"admin"
> >>> }
> >>>  }
> >>> }
> >>>
> >>> Using secret key
> >>> 7A02618BE6943C22FD81CAB9F6FCF063B6E1732C3614BC3ACA6032B6B3215CAF0D28A34FD423423CA3AC34BEA27D3F79
> >>>
> >>> Jwt token is generated:
> >>> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZCIsImF1ZCI6InNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9.M4PksJTJ9gFjOlvvFmG1eDSyXDtKIRSGIYicIW9hwT4
> >>>
> >>> Below header and payload I'm using for generate jwt token :
> >>>
> >>> The header is
> >>> {
> >>> "alg": "HS256",
> >>> "typ": "JWT"
> >>> }
> >>>
> >>> and the payload is
> >>>
> >>> {
> >>> "sub": "admin",
> >>> "aud": "Solr",
> >>> "exp": 9916239022
> >>> }
> >>>
> >>> With above configuration my jwt authentication is working fine. But there 
> >>> is a problem when request is sent without authentication in header the 
> >>> api still retrieving data. I want to prevent it when request come without 
> >>> authentication header.
> >>>
> >>> For that, I've enabled blockUnknown parameter in security.json file. That 
> >>> works fine and authentication request is required. But, after enabling 
> >>> blockunknown  parameter I am facing below exception while starting solr 
> >>> using solr start command.
> >>>
> >>>
> >>> ERROR: Solr requires authentication for 
> >>> http://localhost:8983/solr/admin/info/system. Please supply valid 
> >>> credentials. HTTP code=401
> >>>
> >>> I've googled a lot and find out
> >>>
> >>> solr/admin/info/system endpoint required authentication.
> >>>
> >>> How to authenticate solr/admin/info/system endpoint while startup solr?
> >>>
> >>> Need urgent help. I'd appreciate if someone can help me.
> >>>
> >>> Thanks
> >>> Lakhan Gupta
> >>>
> >>>
> >>>
> >>> The information in this email is confidential and may be legally 
> >>> privileged. It is intended solely for the addressee and access to it by 
> >>> anyone else is unauthorized. If you are not the intended recipient, any 
> >>> disclosure, copying, distribution or any action taken or omitted to be 
> >>> taken based on it, is strictly prohibited and may be unlawful.
> >>
>

Re: Facing jwt authentication problem using solr 8.1.1

[Jan Høydahl]

No, I doubt that bin/solr support would do more than just wire in a simple 
initial JWT config, with some default Rule-based config.

Jan

> 17. des. 2019 kl. 16:42 skrev Jason Gerlowski :
> 
> Hey Jan,
> 
> Is this a case of something that'd be fixed by
> https://issues.apache.org/jira/browse/SOLR-13071 ?
> 
> Just wondering
> 
> Best,
> Jason
> 
> On Thu, Dec 12, 2019 at 5:43 PM Jan Høydahl  wrote:
>> 
>> Try something like this 
>> https://gist.github.com/b330e1bea7842bcdc1e5fa3940b4a4f7 
>> <https://gist.github.com/b330e1bea7842bcdc1e5fa3940b4a4f7>
>> 
>> The trick is to «whitelist» certain paths that will not require auth, but 
>> then further down add rules to block all other paths either as admin role or 
>> with special role *»* which means «any authenticated user».
>> 
>> Jan
>> 
>>> 12. des. 2019 kl. 07:47 skrev Lakhan Gupta 
>>> :
>>> 
>>> Hi,
>>> 
>>> Using solr 8.1.1 version and facing problem while enabling jwt 
>>> authentication in solr. Jwt authentication is working fine after 
>>> configuring security.json file. Below is the configuration I am using for 
>>> enabling jwt authentication.
>>> 
>>> Security.json
>>> 
>>> {
>>> "authentication":{
>>>  "blockUnknown": false,
>>>   "class":"solr.JWTAuthPlugin",
>>>  "jwk":{
>>> "kty":"oct",
>>> "use":"sig",
>>> "kid":"k1",
>>> 
>>> "k":"7A02618BE6943C22FD81CAB9F6FCF063B6E1732C3614BC3ACA6032B6B3215CAF0D28A34FD423423CA3AC34BEA27D3F79",
>>> "alg":"HS256"},
>>>   "aud":"solr"},
>>>  "authorization":{
>>> "class":"solr.RuleBasedAuthorizationPlugin",
>>> "permissions":[
>>> {
>>>   "name":"all",
>>>"path":"/*",
>>>   "role":"admin"
>>>}
>>> ],
>>> "user-role":{
>>>"solr":"admin"
>>> }
>>>  }
>>> }
>>> 
>>> Using secret key
>>> 7A02618BE6943C22FD81CAB9F6FCF063B6E1732C3614BC3ACA6032B6B3215CAF0D28A34FD423423CA3AC34BEA27D3F79
>>> 
>>> Jwt token is generated:
>>> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZCIsImF1ZCI6InNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9.M4PksJTJ9gFjOlvvFmG1eDSyXDtKIRSGIYicIW9hwT4
>>> 
>>> Below header and payload I'm using for generate jwt token :
>>> 
>>> The header is
>>> {
>>> "alg": "HS256",
>>> "typ": "JWT"
>>> }
>>> 
>>> and the payload is
>>> 
>>> {
>>> "sub": "admin",
>>> "aud": "Solr",
>>> "exp": 9916239022
>>> }
>>> 
>>> With above configuration my jwt authentication is working fine. But there 
>>> is a problem when request is sent without authentication in header the api 
>>> still retrieving data. I want to prevent it when request come without 
>>> authentication header.
>>> 
>>> For that, I've enabled blockUnknown parameter in security.json file. That 
>>> works fine and authentication request is required. But, after enabling 
>>> blockunknown  parameter I am facing below exception while starting solr 
>>> using solr start command.
>>> 
>>> 
>>> ERROR: Solr requires authentication for 
>>> http://localhost:8983/solr/admin/info/system. Please supply valid 
>>> credentials. HTTP code=401
>>> 
>>> I've googled a lot and find out
>>> 
>>> solr/admin/info/system endpoint required authentication.
>>> 
>>> How to authenticate solr/admin/info/system endpoint while startup solr?
>>> 
>>> Need urgent help. I'd appreciate if someone can help me.
>>> 
>>> Thanks
>>> Lakhan Gupta
>>> 
>>> 
>>> 
>>> The information in this email is confidential and may be legally 
>>> privileged. It is intended solely for the addressee and access to it by 
>>> anyone else is unauthorized. If you are not the intended recipient, any 
>>> disclosure, copying, distribution or any action taken or omitted to be 
>>> taken based on it, is strictly prohibited and may be unlawful.
>> 

Re: Facing jwt authentication problem using solr 8.1.1

[Jason Gerlowski]

Hey Jan,

Is this a case of something that'd be fixed by
https://issues.apache.org/jira/browse/SOLR-13071 ?

Just wondering

Best,
Jason

On Thu, Dec 12, 2019 at 5:43 PM Jan Høydahl  wrote:
>
> Try something like this 
> https://gist.github.com/b330e1bea7842bcdc1e5fa3940b4a4f7 
> <https://gist.github.com/b330e1bea7842bcdc1e5fa3940b4a4f7>
>
> The trick is to «whitelist» certain paths that will not require auth, but 
> then further down add rules to block all other paths either as admin role or 
> with special role *»* which means «any authenticated user».
>
> Jan
>
> > 12. des. 2019 kl. 07:47 skrev Lakhan Gupta 
> > :
> >
> > Hi,
> >
> > Using solr 8.1.1 version and facing problem while enabling jwt 
> > authentication in solr. Jwt authentication is working fine after 
> > configuring security.json file. Below is the configuration I am using for 
> > enabling jwt authentication.
> >
> > Security.json
> >
> > {
> >  "authentication":{
> >   "blockUnknown": false,
> >"class":"solr.JWTAuthPlugin",
> >   "jwk":{
> >  "kty":"oct",
> >  "use":"sig",
> >  "kid":"k1",
> >  
> > "k":"7A02618BE6943C22FD81CAB9F6FCF063B6E1732C3614BC3ACA6032B6B3215CAF0D28A34FD423423CA3AC34BEA27D3F79",
> >  "alg":"HS256"},
> >"aud":"solr"},
> >   "authorization":{
> >  "class":"solr.RuleBasedAuthorizationPlugin",
> >  "permissions":[
> >  {
> >"name":"all",
> > "path":"/*",
> >"role":"admin"
> > }
> >  ],
> >  "user-role":{
> > "solr":"admin"
> >  }
> >   }
> > }
> >
> > Using secret key
> > 7A02618BE6943C22FD81CAB9F6FCF063B6E1732C3614BC3ACA6032B6B3215CAF0D28A34FD423423CA3AC34BEA27D3F79
> >
> > Jwt token is generated:
> > eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZCIsImF1ZCI6InNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9.M4PksJTJ9gFjOlvvFmG1eDSyXDtKIRSGIYicIW9hwT4
> >
> > Below header and payload I'm using for generate jwt token :
> >
> > The header is
> > {
> >  "alg": "HS256",
> >  "typ": "JWT"
> > }
> >
> > and the payload is
> >
> > {
> >  "sub": "admin",
> >  "aud": "Solr",
> >  "exp": 9916239022
> > }
> >
> > With above configuration my jwt authentication is working fine. But there 
> > is a problem when request is sent without authentication in header the api 
> > still retrieving data. I want to prevent it when request come without 
> > authentication header.
> >
> > For that, I've enabled blockUnknown parameter in security.json file. That 
> > works fine and authentication request is required. But, after enabling 
> > blockunknown  parameter I am facing below exception while starting solr 
> > using solr start command.
> >
> >
> > ERROR: Solr requires authentication for 
> > http://localhost:8983/solr/admin/info/system. Please supply valid 
> > credentials. HTTP code=401
> >
> > I've googled a lot and find out
> >
> > solr/admin/info/system endpoint required authentication.
> >
> > How to authenticate solr/admin/info/system endpoint while startup solr?
> >
> > Need urgent help. I'd appreciate if someone can help me.
> >
> > Thanks
> > Lakhan Gupta
> >
> >
> >
> > The information in this email is confidential and may be legally 
> > privileged. It is intended solely for the addressee and access to it by 
> > anyone else is unauthorized. If you are not the intended recipient, any 
> > disclosure, copying, distribution or any action taken or omitted to be 
> > taken based on it, is strictly prohibited and may be unlawful.
>

Re: Facing jwt authentication problem using solr 8.1.1

[Jan Høydahl]

Try something like this 
https://gist.github.com/b330e1bea7842bcdc1e5fa3940b4a4f7 
<https://gist.github.com/b330e1bea7842bcdc1e5fa3940b4a4f7>

The trick is to «whitelist» certain paths that will not require auth, but then 
further down add rules to block all other paths either as admin role or with 
special role *»* which means «any authenticated user».

Jan

> 12. des. 2019 kl. 07:47 skrev Lakhan Gupta 
> :
> 
> Hi,
> 
> Using solr 8.1.1 version and facing problem while enabling jwt authentication 
> in solr. Jwt authentication is working fine after configuring security.json 
> file. Below is the configuration I am using for enabling jwt authentication.
> 
> Security.json
> 
> {
>  "authentication":{
>   "blockUnknown": false,
>"class":"solr.JWTAuthPlugin",
>   "jwk":{
>  "kty":"oct",
>  "use":"sig",
>  "kid":"k1",
>  
> "k":"7A02618BE6943C22FD81CAB9F6FCF063B6E1732C3614BC3ACA6032B6B3215CAF0D28A34FD423423CA3AC34BEA27D3F79",
>  "alg":"HS256"},
>"aud":"solr"},
>   "authorization":{
>  "class":"solr.RuleBasedAuthorizationPlugin",
>  "permissions":[
>  {
>"name":"all",
> "path":"/*",
>"role":"admin"
> }
>  ],
>  "user-role":{
> "solr":"admin"
>  }
>   }
> }
> 
> Using secret key
> 7A02618BE6943C22FD81CAB9F6FCF063B6E1732C3614BC3ACA6032B6B3215CAF0D28A34FD423423CA3AC34BEA27D3F79
> 
> Jwt token is generated:
> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZCIsImF1ZCI6InNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9.M4PksJTJ9gFjOlvvFmG1eDSyXDtKIRSGIYicIW9hwT4
> 
> Below header and payload I'm using for generate jwt token :
> 
> The header is
> {
>  "alg": "HS256",
>  "typ": "JWT"
> }
> 
> and the payload is
> 
> {
>  "sub": "admin",
>  "aud": "Solr",
>  "exp": 9916239022
> }
> 
> With above configuration my jwt authentication is working fine. But there is 
> a problem when request is sent without authentication in header the api still 
> retrieving data. I want to prevent it when request come without 
> authentication header.
> 
> For that, I've enabled blockUnknown parameter in security.json file. That 
> works fine and authentication request is required. But, after enabling 
> blockunknown  parameter I am facing below exception while starting solr using 
> solr start command.
> 
> 
> ERROR: Solr requires authentication for 
> http://localhost:8983/solr/admin/info/system. Please supply valid 
> credentials. HTTP code=401
> 
> I've googled a lot and find out
> 
> solr/admin/info/system endpoint required authentication.
> 
> How to authenticate solr/admin/info/system endpoint while startup solr?
> 
> Need urgent help. I'd appreciate if someone can help me.
> 
> Thanks
> Lakhan Gupta
> 
> 
> 
> The information in this email is confidential and may be legally privileged. 
> It is intended solely for the addressee and access to it by anyone else is 
> unauthorized. If you are not the intended recipient, any disclosure, copying, 
> distribution or any action taken or omitted to be taken based on it, is 
> strictly prohibited and may be unlawful.

Facing jwt authentication problem using solr 8.1.1

[Lakhan Gupta]

Hi,

Using solr 8.1.1 version and facing problem while enabling jwt authentication 
in solr. Jwt authentication is working fine after configuring security.json 
file. Below is the configuration I am using for enabling jwt authentication.

Security.json

{
  "authentication":{
   "blockUnknown": false,
"class":"solr.JWTAuthPlugin",
   "jwk":{
  "kty":"oct",
  "use":"sig",
  "kid":"k1",
  
"k":"7A02618BE6943C22FD81CAB9F6FCF063B6E1732C3614BC3ACA6032B6B3215CAF0D28A34FD423423CA3AC34BEA27D3F79",
  "alg":"HS256"},
"aud":"solr"},
   "authorization":{
  "class":"solr.RuleBasedAuthorizationPlugin",
  "permissions":[
  {
"name":"all",
 "path":"/*",
"role":"admin"
 }
  ],
  "user-role":{
 "solr":"admin"
  }
   }
}

Using secret key
7A02618BE6943C22FD81CAB9F6FCF063B6E1732C3614BC3ACA6032B6B3215CAF0D28A34FD423423CA3AC34BEA27D3F79

Jwt token is generated:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZCIsImF1ZCI6InNvbHIiLCJleHAiOjk5MTYyMzkwMjJ9.M4PksJTJ9gFjOlvvFmG1eDSyXDtKIRSGIYicIW9hwT4

Below header and payload I'm using for generate jwt token :

The header is
{
  "alg": "HS256",
  "typ": "JWT"
}

and the payload is

{
  "sub": "admin",
  "aud": "Solr",
  "exp": 9916239022
}

With above configuration my jwt authentication is working fine. But there is a 
problem when request is sent without authentication in header the api still 
retrieving data. I want to prevent it when request come without authentication 
header.

For that, I've enabled blockUnknown parameter in security.json file. That works 
fine and authentication request is required. But, after enabling blockunknown  
parameter I am facing below exception while starting solr using solr start 
command.


ERROR: Solr requires authentication for 
http://localhost:8983/solr/admin/info/system. Please supply valid credentials. 
HTTP code=401

I've googled a lot and find out

solr/admin/info/system endpoint required authentication.

How to authenticate solr/admin/info/system endpoint while startup solr?

Need urgent help. I'd appreciate if someone can help me.

Thanks
Lakhan Gupta



The information in this email is confidential and may be legally privileged. It 
is intended solely for the addressee and access to it by anyone else is 
unauthorized. If you are not the intended recipient, any disclosure, copying, 
distribution or any action taken or omitted to be taken based on it, is 
strictly prohibited and may be unlawful.

RE: Basic Authentication problem

[Oakley, Craig (NIH/NLM/NCBI) [C]]

Was I correct in my description yesterday (which I am pasting in below)? That 
you are using a hash based on the "solr" account name and expecting that to 
work if you change the account name but not the hash?

Am I correct in assuming that everything other than security-edit functions 
currently works for you with any account and any password, including without 
any login-and-password at all?


-Original Message-
From: Oakley, Craig (NIH/NLM/NCBI) [C] 
Sent: Thursday, August 01, 2019 10:58 AM
To: solr-user@lucene.apache.org
Subject: RE: Basic Authentication problem

The hash value 
"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="
 is based on both the plain text password AND the plain test login. Since 
"solr" is not the same string as "solr-admin", the password will not work. If 
the only authorization in security.json is restricting security-edit, then you 
can do anything else with any password, or with no password.

What you can do is setup the security.json file as specified in the Reference 
Guide (whence you got the hash of the login and password), then use the default 
solr login to run your set-user (to add the solr-admin user alongside the 
existing solr login), then use the default solr login to run 
{"set-user-role":{"solr-admin":["security-edit"]}}, and then (when you are sure 
things are correctly setup for solr-admin) drop the default solr login


-Original Message-
From: Zheng Lin Edwin Yeo  
Sent: Friday, August 02, 2019 2:59 AM
To: solr-user@lucene.apache.org
Subject: Re: Basic Authentication problem

From what I see, you are trying to change your own user's password. If I
remembered correctly this might not be allowed, which is why you are
getting the "Unauthorized request" error.

You can try to create another user with admin role as well, and to change
your existing user's password from the new user.

Regards,
Edwin

On Fri, 2 Aug 2019 at 13:32, Salmaan Rashid Syed 
wrote:

> My curl command works fine for querying, updating etc.
>
> I don't think it is the fault of curl command.
>
> I get the following error message when I tried to change the password of
> solr-admin,
>
>
> 
>
> 
>
> 
>
> Error 403 Unauthorized request, Response code: 403
>
> 
>
> HTTP ERROR 403
>
> Problem accessing /solr/admin/authentication. Reason:
>
> Unauthorized request, Response code: 403
>
> 
>
> 
>
>
> And if I give incorrect username and password, it states bad credentials
> entered. So, I think the curl command is fine. There is some issue with
> basic authentication.
>
>
> Okay, One way around is to figure out how to convert my password into a
> SHA256 (password + salt) and enter it in security.json file. But, I have no
> idea how to generate the SHA256 equivalent of my password.
>
>
> Any suggestions?
>
>
>
> On Fri, Aug 2, 2019 at 10:55 AM Zheng Lin Edwin Yeo 
> wrote:
>
> > Hi Salmaan,
> >
> > Does your curl command works for other curl commands like normal
> querying?
> > Or is it just not working when updating password and adding new users?
> >
> > Regards,
> > Edwin
> >
> >
> >
> > On Fri, 2 Aug 2019 at 13:03, Salmaan Rashid Syed <
> > salmaan.ras...@mroads.com>
> > wrote:
> >
> > > Hi Zheng,
> > >
> > > I tried and it works. But, when I use the curl command to update
> password
> > > or add new users it doesn't work.
> > >
> > > I don't know what is going wrong with curl command!
> > >
> > > Regards,
> > > Salmaan
> > >
> > >
> > > On Fri, Aug 2, 2019 at 8:26 AM Zheng Lin Edwin Yeo <
> edwinye...@gmail.com
> > >
> > > wrote:
> > >
> > > > Have you tried to access the Solr Admin UI with your created user
> name
> > > and
> > > > password to see if it works?
> > > >
> > > > Regards,
> > > > Edwin
> > > >
> > > > On Thu, 1 Aug 2019 at 19:51, Salmaan Rashid Syed <
> > > > salmaan.ras...@mroads.com>
> > > > wrote:
> > > >
> > > > > Hi Solr User,
> > > > >
> > > > > Please help me with my issue.
> > > > >
> > > > > I have enabled Solr basic authentication as shown in Solr
> > > documentations.
> > > > >
> > > > > I have changed username from solr to solr-admin as follow
> > > > >
> > > > > {
> > > > > "authentication":{
> > > > >"blockUnknown": true,
>

Re: Basic Authentication problem

[Zheng Lin Edwin Yeo]

>From what I see, you are trying to change your own user's password. If I
remembered correctly this might not be allowed, which is why you are
getting the "Unauthorized request" error.

You can try to create another user with admin role as well, and to change
your existing user's password from the new user.

Regards,
Edwin

On Fri, 2 Aug 2019 at 13:32, Salmaan Rashid Syed 
wrote:

> My curl command works fine for querying, updating etc.
>
> I don't think it is the fault of curl command.
>
> I get the following error message when I tried to change the password of
> solr-admin,
>
>
> 
>
> 
>
> 
>
> Error 403 Unauthorized request, Response code: 403
>
> 
>
> HTTP ERROR 403
>
> Problem accessing /solr/admin/authentication. Reason:
>
> Unauthorized request, Response code: 403
>
> 
>
> 
>
>
> And if I give incorrect username and password, it states bad credentials
> entered. So, I think the curl command is fine. There is some issue with
> basic authentication.
>
>
> Okay, One way around is to figure out how to convert my password into a
> SHA256 (password + salt) and enter it in security.json file. But, I have no
> idea how to generate the SHA256 equivalent of my password.
>
>
> Any suggestions?
>
>
>
> On Fri, Aug 2, 2019 at 10:55 AM Zheng Lin Edwin Yeo 
> wrote:
>
> > Hi Salmaan,
> >
> > Does your curl command works for other curl commands like normal
> querying?
> > Or is it just not working when updating password and adding new users?
> >
> > Regards,
> > Edwin
> >
> >
> >
> > On Fri, 2 Aug 2019 at 13:03, Salmaan Rashid Syed <
> > salmaan.ras...@mroads.com>
> > wrote:
> >
> > > Hi Zheng,
> > >
> > > I tried and it works. But, when I use the curl command to update
> password
> > > or add new users it doesn't work.
> > >
> > > I don't know what is going wrong with curl command!
> > >
> > > Regards,
> > > Salmaan
> > >
> > >
> > > On Fri, Aug 2, 2019 at 8:26 AM Zheng Lin Edwin Yeo <
> edwinye...@gmail.com
> > >
> > > wrote:
> > >
> > > > Have you tried to access the Solr Admin UI with your created user
> name
> > > and
> > > > password to see if it works?
> > > >
> > > > Regards,
> > > > Edwin
> > > >
> > > > On Thu, 1 Aug 2019 at 19:51, Salmaan Rashid Syed <
> > > > salmaan.ras...@mroads.com>
> > > > wrote:
> > > >
> > > > > Hi Solr User,
> > > > >
> > > > > Please help me with my issue.
> > > > >
> > > > > I have enabled Solr basic authentication as shown in Solr
> > > documentations.
> > > > >
> > > > > I have changed username from solr to solr-admin as follow
> > > > >
> > > > > {
> > > > > "authentication":{
> > > > >"blockUnknown": true,
> > > > >"class":"solr.BasicAuthPlugin",
> > > > >
> > > > >
> > > >
> > "credentials":{"solr-admin":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
> > > > > Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
> > > > > },
> > > > > "authorization":{
> > > > >"class":"solr.RuleBasedAuthorizationPlugin",
> > > > >"permissions":[{"name":"security-edit",
> > > > >   "role":"admin"}],
> > > > >"user-role":{"solr-admin":"admin"}
> > > > > }}
> > > > >
> > > > > I am able to login to the page using the credentials
> > > > solr-admin:SolrRocks.
> > > > >
> > > > > But, when I try to change the default password using the curl
> command
> > > as
> > > > > follows,
> > > > >
> > > > > curl --user solr-admin:SolrRocks
> > > > > http://localhost:8983/solr/admin/authentication -H
> > > > > 'Content-type:application/json' -d
> > > '{"set-user":{"solr-admin":"s2019"}}'
> > > > >
> > > > >
> > > > > I get the following error message,
> > > > >
> > > > >
> > > > > 
> > > > >
> > > > > 
> > > > >

Re: Basic Authentication problem

[Salmaan Rashid Syed]

My curl command works fine for querying, updating etc.

I don't think it is the fault of curl command.

I get the following error message when I tried to change the password of
solr-admin,








Error 403 Unauthorized request, Response code: 403



HTTP ERROR 403

Problem accessing /solr/admin/authentication. Reason:

Unauthorized request, Response code: 403






And if I give incorrect username and password, it states bad credentials
entered. So, I think the curl command is fine. There is some issue with
basic authentication.


Okay, One way around is to figure out how to convert my password into a
SHA256 (password + salt) and enter it in security.json file. But, I have no
idea how to generate the SHA256 equivalent of my password.


Any suggestions?



On Fri, Aug 2, 2019 at 10:55 AM Zheng Lin Edwin Yeo 
wrote:

> Hi Salmaan,
>
> Does your curl command works for other curl commands like normal querying?
> Or is it just not working when updating password and adding new users?
>
> Regards,
> Edwin
>
>
>
> On Fri, 2 Aug 2019 at 13:03, Salmaan Rashid Syed <
> salmaan.ras...@mroads.com>
> wrote:
>
> > Hi Zheng,
> >
> > I tried and it works. But, when I use the curl command to update password
> > or add new users it doesn't work.
> >
> > I don't know what is going wrong with curl command!
> >
> > Regards,
> > Salmaan
> >
> >
> > On Fri, Aug 2, 2019 at 8:26 AM Zheng Lin Edwin Yeo  >
> > wrote:
> >
> > > Have you tried to access the Solr Admin UI with your created user name
> > and
> > > password to see if it works?
> > >
> > > Regards,
> > > Edwin
> > >
> > > On Thu, 1 Aug 2019 at 19:51, Salmaan Rashid Syed <
> > > salmaan.ras...@mroads.com>
> > > wrote:
> > >
> > > > Hi Solr User,
> > > >
> > > > Please help me with my issue.
> > > >
> > > > I have enabled Solr basic authentication as shown in Solr
> > documentations.
> > > >
> > > > I have changed username from solr to solr-admin as follow
> > > >
> > > > {
> > > > "authentication":{
> > > >"blockUnknown": true,
> > > >"class":"solr.BasicAuthPlugin",
> > > >
> > > >
> > >
> "credentials":{"solr-admin":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
> > > > Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
> > > > },
> > > > "authorization":{
> > > >"class":"solr.RuleBasedAuthorizationPlugin",
> > > >"permissions":[{"name":"security-edit",
> > > >   "role":"admin"}],
> > > >"user-role":{"solr-admin":"admin"}
> > > > }}
> > > >
> > > > I am able to login to the page using the credentials
> > > solr-admin:SolrRocks.
> > > >
> > > > But, when I try to change the default password using the curl command
> > as
> > > > follows,
> > > >
> > > > curl --user solr-admin:SolrRocks
> > > > http://localhost:8983/solr/admin/authentication -H
> > > > 'Content-type:application/json' -d
> > '{"set-user":{"solr-admin":"s2019"}}'
> > > >
> > > >
> > > > I get the following error message,
> > > >
> > > >
> > > > 
> > > >
> > > > 
> > > >
> > > > 
> > > >
> > > > Error 403 Unauthorized request, Response code: 403
> > > >
> > > > 
> > > >
> > > > HTTP ERROR 403
> > > >
> > > > Problem accessing /solr/admin/authentication. Reason:
> > > >
> > > > Unauthorized request, Response code: 403
> > > >
> > > > 
> > > >
> > > > 
> > > >
> > > >
> > > > Please help.
> > > >
> > > > Regards,
> > > > Salmaan
> > > >
> > > >
> > > > On Thu, Aug 1, 2019 at 1:51 PM Salmaan Rashid Syed <
> > > > salmaan.ras...@mroads.com> wrote:
> > > >
> > > > > Small correction in the user-name. It is solr-admin everywhere.
> > > > >
> > > > > Hi Solr Users,
> > > > >
> > > > > I have enabled Solr basic authentication as shown

Re: Basic Authentication problem

[Zheng Lin Edwin Yeo]

Hi Salmaan,

Does your curl command works for other curl commands like normal querying?
Or is it just not working when updating password and adding new users?

Regards,
Edwin



On Fri, 2 Aug 2019 at 13:03, Salmaan Rashid Syed 
wrote:

> Hi Zheng,
>
> I tried and it works. But, when I use the curl command to update password
> or add new users it doesn't work.
>
> I don't know what is going wrong with curl command!
>
> Regards,
> Salmaan
>
>
> On Fri, Aug 2, 2019 at 8:26 AM Zheng Lin Edwin Yeo 
> wrote:
>
> > Have you tried to access the Solr Admin UI with your created user name
> and
> > password to see if it works?
> >
> > Regards,
> > Edwin
> >
> > On Thu, 1 Aug 2019 at 19:51, Salmaan Rashid Syed <
> > salmaan.ras...@mroads.com>
> > wrote:
> >
> > > Hi Solr User,
> > >
> > > Please help me with my issue.
> > >
> > > I have enabled Solr basic authentication as shown in Solr
> documentations.
> > >
> > > I have changed username from solr to solr-admin as follow
> > >
> > > {
> > > "authentication":{
> > >"blockUnknown": true,
> > >"class":"solr.BasicAuthPlugin",
> > >
> > >
> > "credentials":{"solr-admin":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
> > > Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
> > > },
> > > "authorization":{
> > >"class":"solr.RuleBasedAuthorizationPlugin",
> > >"permissions":[{"name":"security-edit",
> > >   "role":"admin"}],
> > >"user-role":{"solr-admin":"admin"}
> > > }}
> > >
> > > I am able to login to the page using the credentials
> > solr-admin:SolrRocks.
> > >
> > > But, when I try to change the default password using the curl command
> as
> > > follows,
> > >
> > > curl --user solr-admin:SolrRocks
> > > http://localhost:8983/solr/admin/authentication -H
> > > 'Content-type:application/json' -d
> '{"set-user":{"solr-admin":"s2019"}}'
> > >
> > >
> > > I get the following error message,
> > >
> > >
> > > 
> > >
> > > 
> > >
> > > 
> > >
> > > Error 403 Unauthorized request, Response code: 403
> > >
> > > 
> > >
> > > HTTP ERROR 403
> > >
> > > Problem accessing /solr/admin/authentication. Reason:
> > >
> > > Unauthorized request, Response code: 403
> > >
> > > 
> > >
> > > 
> > >
> > >
> > > Please help.
> > >
> > > Regards,
> > > Salmaan
> > >
> > >
> > > On Thu, Aug 1, 2019 at 1:51 PM Salmaan Rashid Syed <
> > > salmaan.ras...@mroads.com> wrote:
> > >
> > > > Small correction in the user-name. It is solr-admin everywhere.
> > > >
> > > > Hi Solr Users,
> > > >
> > > > I have enabled Solr basic authentication as shown in Solr
> > documentations.
> > > >
> > > > I have changed username from solr to solr-admin as follow
> > > >
> > > > {
> > > > "authentication":{
> > > >"blockUnknown": true,
> > > >"class":"solr.BasicAuthPlugin",
> > > >
> > > >
> > >
> "credentials":{"solr-admin":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
> > > > Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
> > > > },
> > > > "authorization":{
> > > >"class":"solr.RuleBasedAuthorizationPlugin",
> > > >"permissions":[{"name":"security-edit",
> > > >   "role":"admin"}],
> > > >"user-role":{"solr-admin":"admin"}
> > > > }}
> > > >
> > > > I am able to login to the page using the credentials
> > > > mroads-solr-admin:SolrRocks.
> > > >
> > > > But, when I try to change the default password using the curl command
> > as
> > > > follows,
> > > >
> > > > curl --user solr-admin:SolrRocks
> > > > http://localhost:8983/solr/admin/authentication -H
> &

Re: Basic Authentication problem

[Salmaan Rashid Syed]

Hi Zheng,

I tried and it works. But, when I use the curl command to update password
or add new users it doesn't work.

I don't know what is going wrong with curl command!

Regards,
Salmaan


On Fri, Aug 2, 2019 at 8:26 AM Zheng Lin Edwin Yeo 
wrote:

> Have you tried to access the Solr Admin UI with your created user name and
> password to see if it works?
>
> Regards,
> Edwin
>
> On Thu, 1 Aug 2019 at 19:51, Salmaan Rashid Syed <
> salmaan.ras...@mroads.com>
> wrote:
>
> > Hi Solr User,
> >
> > Please help me with my issue.
> >
> > I have enabled Solr basic authentication as shown in Solr documentations.
> >
> > I have changed username from solr to solr-admin as follow
> >
> > {
> > "authentication":{
> >"blockUnknown": true,
> >"class":"solr.BasicAuthPlugin",
> >
> >
> "credentials":{"solr-admin":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
> > Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
> > },
> > "authorization":{
> >"class":"solr.RuleBasedAuthorizationPlugin",
> >"permissions":[{"name":"security-edit",
> >   "role":"admin"}],
> >    "user-role":{"solr-admin":"admin"}
> > }}
> >
> > I am able to login to the page using the credentials
> solr-admin:SolrRocks.
> >
> > But, when I try to change the default password using the curl command as
> > follows,
> >
> > curl --user solr-admin:SolrRocks
> > http://localhost:8983/solr/admin/authentication -H
> > 'Content-type:application/json' -d '{"set-user":{"solr-admin":"s2019"}}'
> >
> >
> > I get the following error message,
> >
> >
> > 
> >
> > 
> >
> > 
> >
> > Error 403 Unauthorized request, Response code: 403
> >
> > 
> >
> > HTTP ERROR 403
> >
> > Problem accessing /solr/admin/authentication. Reason:
> >
> > Unauthorized request, Response code: 403
> >
> > 
> >
> > 
> >
> >
> > Please help.
> >
> > Regards,
> > Salmaan
> >
> >
> > On Thu, Aug 1, 2019 at 1:51 PM Salmaan Rashid Syed <
> > salmaan.ras...@mroads.com> wrote:
> >
> > > Small correction in the user-name. It is solr-admin everywhere.
> > >
> > > Hi Solr Users,
> > >
> > > I have enabled Solr basic authentication as shown in Solr
> documentations.
> > >
> > > I have changed username from solr to solr-admin as follow
> > >
> > > {
> > > "authentication":{
> > >"blockUnknown": true,
> > >"class":"solr.BasicAuthPlugin",
> > >
> > >
> > "credentials":{"solr-admin":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
> > > Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
> > > },
> > > "authorization":{
> > >"class":"solr.RuleBasedAuthorizationPlugin",
> > >"permissions":[{"name":"security-edit",
> > >   "role":"admin"}],
> > >"user-role":{"solr-admin":"admin"}
> > > }}
> > >
> > > I am able to login to the page using the credentials
> > > mroads-solr-admin:SolrRocks.
> > >
> > > But, when I try to change the default password using the curl command
> as
> > > follows,
> > >
> > > curl --user solr-admin:SolrRocks
> > > http://localhost:8983/solr/admin/authentication -H
> > > 'Content-type:application/json' -d
> '{"set-user":{"solr-admin":"s2019"}}'
> > >
> > >
> > >
> > > I get the following error message,
> > >
> > >
> > > 
> > >
> > > 
> > >
> > > 
> > >
> > > Error 403 Unauthorized request, Response code: 403
> > >
> > > 
> > >
> > > HTTP ERROR 403
> > >
> > > Problem accessing /solr/admin/authentication. Reason:
> > >
> > > Unauthorized request, Response code: 403
> > >
> > > 
> > >
> > > 
> > >
> > >
> > > Please help.
> > >
> > >
> > > *Thanks and Regards,*
> > >

Re: Basic Authentication problem

[Zheng Lin Edwin Yeo]

Have you tried to access the Solr Admin UI with your created user name and
password to see if it works?

Regards,
Edwin

On Thu, 1 Aug 2019 at 19:51, Salmaan Rashid Syed 
wrote:

> Hi Solr User,
>
> Please help me with my issue.
>
> I have enabled Solr basic authentication as shown in Solr documentations.
>
> I have changed username from solr to solr-admin as follow
>
> {
> "authentication":{
>"blockUnknown": true,
>"class":"solr.BasicAuthPlugin",
>
>  "credentials":{"solr-admin":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
> Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
> },
> "authorization":{
>"class":"solr.RuleBasedAuthorizationPlugin",
>"permissions":[{"name":"security-edit",
>   "role":"admin"}],
>"user-role":{"solr-admin":"admin"}
> }}
>
> I am able to login to the page using the credentials solr-admin:SolrRocks.
>
> But, when I try to change the default password using the curl command as
> follows,
>
> curl --user solr-admin:SolrRocks
> http://localhost:8983/solr/admin/authentication -H
> 'Content-type:application/json' -d '{"set-user":{"solr-admin":"s2019"}}'
>
>
> I get the following error message,
>
>
> 
>
> 
>
> 
>
> Error 403 Unauthorized request, Response code: 403
>
> 
>
> HTTP ERROR 403
>
> Problem accessing /solr/admin/authentication. Reason:
>
> Unauthorized request, Response code: 403
>
> 
>
> 
>
>
> Please help.
>
> Regards,
> Salmaan
>
>
> On Thu, Aug 1, 2019 at 1:51 PM Salmaan Rashid Syed <
> salmaan.ras...@mroads.com> wrote:
>
> > Small correction in the user-name. It is solr-admin everywhere.
> >
> > Hi Solr Users,
> >
> > I have enabled Solr basic authentication as shown in Solr documentations.
> >
> > I have changed username from solr to solr-admin as follow
> >
> > {
> > "authentication":{
> >"blockUnknown": true,
> >"class":"solr.BasicAuthPlugin",
> >
> >
> "credentials":{"solr-admin":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
> > Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
> > },
> > "authorization":{
> >"class":"solr.RuleBasedAuthorizationPlugin",
> >"permissions":[{"name":"security-edit",
> >   "role":"admin"}],
> >"user-role":{"solr-admin":"admin"}
> > }}
> >
> > I am able to login to the page using the credentials
> > mroads-solr-admin:SolrRocks.
> >
> > But, when I try to change the default password using the curl command as
> > follows,
> >
> > curl --user solr-admin:SolrRocks
> > http://localhost:8983/solr/admin/authentication -H
> > 'Content-type:application/json' -d '{"set-user":{"solr-admin":"s2019"}}'
> >
> >
> >
> > I get the following error message,
> >
> >
> > 
> >
> > 
> >
> > 
> >
> > Error 403 Unauthorized request, Response code: 403
> >
> > 
> >
> > HTTP ERROR 403
> >
> > Problem accessing /solr/admin/authentication. Reason:
> >
> > Unauthorized request, Response code: 403
> >
> > 
> >
> > 
> >
> >
> > Please help.
> >
> >
> > *Thanks and Regards,*
> > Salmaan Rashid Syed
> > +91 8978353445 | www.panna.ai |
> > 5550 Granite Pkwy, Suite #225, Plano TX-75024.
> > Cyber Gateways, Hi-tech City, Hyderabad, Telangana, India.
> >
> >
> >
> > On Thu, Aug 1, 2019 at 1:48 PM Salmaan Rashid Syed <
> > salmaan.ras...@mroads.com> wrote:
> >
> >> Hi Solr Users,
> >>
> >> I have enabled Solr basic authentication as shown in Solr
> documentations.
> >>
> >> I have changed username from solr to solr-admin as follow
> >>
> >> {
> >> "authentication":{
> >>"blockUnknown": true,
> >>"class":"solr.BasicAuthPlugin",
> >>
> >>
> "credentials":{"solr-admin":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
> >> Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
> >> },
> >> "authorization":{
> >>"class":"solr.RuleBasedAuthorizationPlugin",
> >>"permissions":[{"name":"security-edit",
> >>   "role":"admin"}],
> >>"user-role":{"solr-admin":"admin"}
> >> }}
> >>
> >> I am able to login to the page using the credentials
> >> mroads-solr-admin:SolrRocks.
> >>
> >> But, when I try to change the default password using the curl command as
> >> follows,
> >>
> >> curl --user mroads-solr-admin:SolrRocks
> >> http://localhost:8983/solr/admin/authentication -H
> >> 'Content-type:application/json' -d
> '{"set-user":{"mroads-solr":"Mroads@2019
> >> #"}}'
> >>
> >>
> >>
> >> I get the following error message,
> >>
> >>
> >> 
> >>
> >> 
> >>
> >> 
> >>
> >> Error 403 Unauthorized request, Response code: 403
> >>
> >> 
> >>
> >> HTTP ERROR 403
> >>
> >> Problem accessing /solr/admin/authentication. Reason:
> >>
> >> Unauthorized request, Response code: 403
> >>
> >> 
> >>
> >> 
> >>
> >>
> >> Please help.
> >>
> >>
> >>
> >> *Thanks and Regards,*
> >> Salmaan Rashid Syed
> >> +91 8978353445 | www.panna.ai |
> >> 5550 Granite Pkwy, Suite #225, Plano TX-75024.
> >> Cyber Gateways, Hi-tech City, Hyderabad, Telangana, India.
> >>
> >>
> >
>

RE: Basic Authentication problem

[Oakley, Craig (NIH/NLM/NCBI) [C]]

The hash value 
"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="
 is based on both the plain text password AND the plain test login. Since 
"solr" is not the same string as "solr-admin", the password will not work. If 
the only authorization in security.json is restricting security-edit, then you 
can do anything else with any password, or with no password.

What you can do is setup the security.json file as specified in the Reference 
Guide (whence you got the hash of the login and password), then use the default 
solr login to run your set-user (to add the solr-admin user alongside the 
existing solr login), then use the default solr login to run 
{"set-user-role":{"solr-admin":["security-edit"]}}, and then (when you are sure 
things are correctly setup for solr-admin) drop the default solr login

-Original Message-
From: Salmaan Rashid Syed  
Sent: Thursday, August 01, 2019 7:51 AM
To: solr-user@lucene.apache.org
Subject: Re: Basic Authentication problem

Hi Solr User,

Please help me with my issue.

I have enabled Solr basic authentication as shown in Solr documentations.

I have changed username from solr to solr-admin as follow

{
"authentication":{
   "blockUnknown": true,
   "class":"solr.BasicAuthPlugin",

 "credentials":{"solr-admin":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
},
"authorization":{
   "class":"solr.RuleBasedAuthorizationPlugin",
   "permissions":[{"name":"security-edit",
  "role":"admin"}],
   "user-role":{"solr-admin":"admin"}
}}

I am able to login to the page using the credentials solr-admin:SolrRocks.

But, when I try to change the default password using the curl command as
follows,

curl --user solr-admin:SolrRocks
http://localhost:8983/solr/admin/authentication -H
'Content-type:application/json' -d '{"set-user":{"solr-admin":"s2019"}}'


I get the following error message,








Error 403 Unauthorized request, Response code: 403



HTTP ERROR 403

Problem accessing /solr/admin/authentication. Reason:

Unauthorized request, Response code: 403






Please help.

Regards,
Salmaan


On Thu, Aug 1, 2019 at 1:51 PM Salmaan Rashid Syed <
salmaan.ras...@mroads.com> wrote:

> Small correction in the user-name. It is solr-admin everywhere.
>
> Hi Solr Users,
>
> I have enabled Solr basic authentication as shown in Solr documentations.
>
> I have changed username from solr to solr-admin as follow
>
> {
> "authentication":{
>"blockUnknown": true,
>"class":"solr.BasicAuthPlugin",
>
>  "credentials":{"solr-admin":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
> Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
> },
> "authorization":{
>    "class":"solr.RuleBasedAuthorizationPlugin",
>"permissions":[{"name":"security-edit",
>   "role":"admin"}],
>"user-role":{"solr-admin":"admin"}
> }}
>
> I am able to login to the page using the credentials
> mroads-solr-admin:SolrRocks.
>
> But, when I try to change the default password using the curl command as
> follows,
>
> curl --user solr-admin:SolrRocks
> http://localhost:8983/solr/admin/authentication -H
> 'Content-type:application/json' -d '{"set-user":{"solr-admin":"s2019"}}'
>
>
>
> I get the following error message,
>
>
> 
>
> 
>
> 
>
> Error 403 Unauthorized request, Response code: 403
>
> 
>
> HTTP ERROR 403
>
> Problem accessing /solr/admin/authentication. Reason:
>
> Unauthorized request, Response code: 403
>
> 
>
> 
>
>
> Please help.
>
>
> *Thanks and Regards,*
> Salmaan Rashid Syed
> +91 8978353445 | www.panna.ai |
> 5550 Granite Pkwy, Suite #225, Plano TX-75024.
> Cyber Gateways, Hi-tech City, Hyderabad, Telangana, India.
>
>
>
> On Thu, Aug 1, 2019 at 1:48 PM Salmaan Rashid Syed <
> salmaan.ras...@mroads.com> wrote:
>
>> Hi Solr Users,
>>
>> I have enabled Solr basic authentication as shown in Solr documentations.
>>
>> I have changed username from solr to solr-admin as follow
>>
>> {
>> "authentication":{
>>"blockUnknown": true,
>>"class":"solr.BasicAuthPlugin",
>>
>>  "credentials":{"solr-admin":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
>> Ndd7LKv

Re: Basic Authentication problem

[Salmaan Rashid Syed]

Hi Solr User,

Please help me with my issue.

I have enabled Solr basic authentication as shown in Solr documentations.

I have changed username from solr to solr-admin as follow

{
"authentication":{
   "blockUnknown": true,
   "class":"solr.BasicAuthPlugin",

 "credentials":{"solr-admin":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
},
"authorization":{
   "class":"solr.RuleBasedAuthorizationPlugin",
   "permissions":[{"name":"security-edit",
  "role":"admin"}],
   "user-role":{"solr-admin":"admin"}
}}

I am able to login to the page using the credentials solr-admin:SolrRocks.

But, when I try to change the default password using the curl command as
follows,

curl --user solr-admin:SolrRocks
http://localhost:8983/solr/admin/authentication -H
'Content-type:application/json' -d '{"set-user":{"solr-admin":"s2019"}}'


I get the following error message,








Error 403 Unauthorized request, Response code: 403



HTTP ERROR 403

Problem accessing /solr/admin/authentication. Reason:

Unauthorized request, Response code: 403






Please help.

Regards,
Salmaan


On Thu, Aug 1, 2019 at 1:51 PM Salmaan Rashid Syed <
salmaan.ras...@mroads.com> wrote:

> Small correction in the user-name. It is solr-admin everywhere.
>
> Hi Solr Users,
>
> I have enabled Solr basic authentication as shown in Solr documentations.
>
> I have changed username from solr to solr-admin as follow
>
> {
> "authentication":{
>"blockUnknown": true,
>"class":"solr.BasicAuthPlugin",
>
>  "credentials":{"solr-admin":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
> Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
> },
> "authorization":{
>"class":"solr.RuleBasedAuthorizationPlugin",
>"permissions":[{"name":"security-edit",
>   "role":"admin"}],
>"user-role":{"solr-admin":"admin"}
> }}
>
> I am able to login to the page using the credentials
> mroads-solr-admin:SolrRocks.
>
> But, when I try to change the default password using the curl command as
> follows,
>
> curl --user solr-admin:SolrRocks
> http://localhost:8983/solr/admin/authentication -H
> 'Content-type:application/json' -d '{"set-user":{"solr-admin":"s2019"}}'
>
>
>
> I get the following error message,
>
>
> 
>
> 
>
> 
>
> Error 403 Unauthorized request, Response code: 403
>
> 
>
> HTTP ERROR 403
>
> Problem accessing /solr/admin/authentication. Reason:
>
> Unauthorized request, Response code: 403
>
> 
>
> 
>
>
> Please help.
>
>
> *Thanks and Regards,*
> Salmaan Rashid Syed
> +91 8978353445 | www.panna.ai |
> 5550 Granite Pkwy, Suite #225, Plano TX-75024.
> Cyber Gateways, Hi-tech City, Hyderabad, Telangana, India.
>
>
>
> On Thu, Aug 1, 2019 at 1:48 PM Salmaan Rashid Syed <
> salmaan.ras...@mroads.com> wrote:
>
>> Hi Solr Users,
>>
>> I have enabled Solr basic authentication as shown in Solr documentations.
>>
>> I have changed username from solr to solr-admin as follow
>>
>> {
>> "authentication":{
>>"blockUnknown": true,
>>"class":"solr.BasicAuthPlugin",
>>
>>  "credentials":{"solr-admin":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
>> Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
>> },
>> "authorization":{
>>"class":"solr.RuleBasedAuthorizationPlugin",
>>"permissions":[{"name":"security-edit",
>>   "role":"admin"}],
>>"user-role":{"solr-admin":"admin"}
>> }}
>>
>> I am able to login to the page using the credentials
>> mroads-solr-admin:SolrRocks.
>>
>> But, when I try to change the default password using the curl command as
>> follows,
>>
>> curl --user mroads-solr-admin:SolrRocks
>> http://localhost:8983/solr/admin/authentication -H
>> 'Content-type:application/json' -d '{"set-user":{"mroads-solr":"Mroads@2019
>> #"}}'
>>
>>
>>
>> I get the following error message,
>>
>>
>> 
>>
>> 
>>
>> 
>>
>> Error 403 Unauthorized request, Response code: 403
>>
>> 
>>
>> HTTP ERROR 403
>>
>> Problem accessing /solr/admin/authentication. Reason:
>>
>> Unauthorized request, Response code: 403
>>
>> 
>>
>> 
>>
>>
>> Please help.
>>
>>
>>
>> *Thanks and Regards,*
>> Salmaan Rashid Syed
>> +91 8978353445 | www.panna.ai |
>> 5550 Granite Pkwy, Suite #225, Plano TX-75024.
>> Cyber Gateways, Hi-tech City, Hyderabad, Telangana, India.
>>
>>
>

Re: Basic Authentication problem

[Salmaan Rashid Syed]

Small correction in the user-name. It is solr-admin everywhere.

Hi Solr Users,

I have enabled Solr basic authentication as shown in Solr documentations.

I have changed username from solr to solr-admin as follow

{
"authentication":{
   "blockUnknown": true,
   "class":"solr.BasicAuthPlugin",

 "credentials":{"solr-admin":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
},
"authorization":{
   "class":"solr.RuleBasedAuthorizationPlugin",
   "permissions":[{"name":"security-edit",
  "role":"admin"}],
   "user-role":{"solr-admin":"admin"}
}}

I am able to login to the page using the credentials
mroads-solr-admin:SolrRocks.

But, when I try to change the default password using the curl command as
follows,

curl --user solr-admin:SolrRocks
http://localhost:8983/solr/admin/authentication -H
'Content-type:application/json' -d '{"set-user":{"solr-admin":"s2019"}}'



I get the following error message,








Error 403 Unauthorized request, Response code: 403



HTTP ERROR 403

Problem accessing /solr/admin/authentication. Reason:

Unauthorized request, Response code: 403






Please help.


*Thanks and Regards,*
Salmaan Rashid Syed
+91 8978353445 | www.panna.ai |
5550 Granite Pkwy, Suite #225, Plano TX-75024.
Cyber Gateways, Hi-tech City, Hyderabad, Telangana, India.



On Thu, Aug 1, 2019 at 1:48 PM Salmaan Rashid Syed <
salmaan.ras...@mroads.com> wrote:

> Hi Solr Users,
>
> I have enabled Solr basic authentication as shown in Solr documentations.
>
> I have changed username from solr to solr-admin as follow
>
> {
> "authentication":{
>"blockUnknown": true,
>"class":"solr.BasicAuthPlugin",
>
>  "credentials":{"solr-admin":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
> Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
> },
> "authorization":{
>"class":"solr.RuleBasedAuthorizationPlugin",
>    "permissions":[{"name":"security-edit",
>   "role":"admin"}],
>"user-role":{"solr-admin":"admin"}
> }}
>
> I am able to login to the page using the credentials
> mroads-solr-admin:SolrRocks.
>
> But, when I try to change the default password using the curl command as
> follows,
>
> curl --user mroads-solr-admin:SolrRocks
> http://localhost:8983/solr/admin/authentication -H
> 'Content-type:application/json' -d '{"set-user":{"mroads-solr":"Mroads@2019
> #"}}'
>
>
>
> I get the following error message,
>
>
> 
>
> 
>
> 
>
> Error 403 Unauthorized request, Response code: 403
>
> 
>
> HTTP ERROR 403
>
> Problem accessing /solr/admin/authentication. Reason:
>
> Unauthorized request, Response code: 403
>
> 
>
> 
>
>
> Please help.
>
>
>
> *Thanks and Regards,*
> Salmaan Rashid Syed
> +91 8978353445 | www.panna.ai |
> 5550 Granite Pkwy, Suite #225, Plano TX-75024.
> Cyber Gateways, Hi-tech City, Hyderabad, Telangana, India.
>
>

Basic Authentication problem

[Salmaan Rashid Syed]

Hi Solr Users,

I have enabled Solr basic authentication as shown in Solr documentations.

I have changed username from solr to solr-admin as follow

{
"authentication":{
   "blockUnknown": true,
   "class":"solr.BasicAuthPlugin",

 "credentials":{"solr-admin":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
},
"authorization":{
   "class":"solr.RuleBasedAuthorizationPlugin",
   "permissions":[{"name":"security-edit",
  "role":"admin"}],
   "user-role":{"solr-admin":"admin"}
}}

I am able to login to the page using the credentials
mroads-solr-admin:SolrRocks.

But, when I try to change the default password using the curl command as
follows,

curl --user mroads-solr-admin:SolrRocks
http://localhost:8983/solr/admin/authentication -H
'Content-type:application/json' -d '{"set-user":{"mroads-solr":"Mroads@2019
#"}}'



I get the following error message,








Error 403 Unauthorized request, Response code: 403



HTTP ERROR 403

Problem accessing /solr/admin/authentication. Reason:

Unauthorized request, Response code: 403






Please help.



*Thanks and Regards,*
Salmaan Rashid Syed
+91 8978353445 | www.panna.ai |
5550 Granite Pkwy, Suite #225, Plano TX-75024.
Cyber Gateways, Hi-tech City, Hyderabad, Telangana, India.

Re: REINDEXCOLLECTION does not work with (basic) authentication

[Colvin Cowie]

Patch available for review on
https://issues.apache.org/jira/browse/SOLR-13566

On Thu, 20 Jun 2019 at 10:02, Colvin Cowie 
wrote:

> I've raised SOLR-13566
>
> On Thu, 20 Jun 2019 at 09:14, Jan Høydahl  wrote:
>
>> I think this may be a case where the (background) job should use PKI
>> auth. Can you file a JIRA issue?
>>
>> --
>> Jan Høydahl, search solution architect
>> Cominvent AS - www.cominvent.com
>>
>> > 19. jun. 2019 kl. 20:50 skrev Colvin Cowie > >:
>> >
>> > Hello
>> >
>> > I'm on the Solr 8.1 branch off commit
>> > f26388d034fe5eadca7416aa63b509b8db2c7688 so I have the authentication
>> fixes
>> > from SOLR-13510 (intermittent 401s for internode requests)
>> >
>> > When trying to use the new REINDEXCOLLECTION command with basic auth
>> > enabled, the daemon stream fails with repeated 401s when trying to
>> access
>> > the target collection.
>> >
>> > This might be the same problem as SOLR-13472, except it applies even
>> with a
>> > single node, and this doesn't require role based configuration.
>> >
>> > Repro: I added a reindex request in BasicAuthIntegrationTest and it is
>> > reproducible in there... I don't know what effect it should have on the
>> > auth metrics, if it were working correctly, so I don't know how to
>> update
>> > the test properly. But you can add the request towards the end of
>> > org.apache.solr.security.BasicAuthIntegrationTest.testBasicAuth()
>> >
>> >
>> >
>> > *  CollectionAdminRequest.ReindexCollection reindexReq =
>> > CollectionAdminRequest.reindexCollection(COLLECTION);
>> > reindexReq.setBasicAuthCredentials("harry", "HarryIsUberCool");
>> > cluster.getSolrClient().request(reindexReq, COLLECTION);*
>> >
>> > Manual Repro:
>> > run bin/solr -e cloud
>> > Choose 1 node / 1 shard / 1 replica
>> > In browser GET
>> >
>> http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION=gettingstarted
>> > will succeed
>> > Enable security: server\scripts\cloud-scripts\zkcli -zkhost
>> localhost:9983
>> > -cmd putfile /security.json 
>> >
>> > {
>> >"authentication": {
>> >"blockUnknown": true,
>> >"class": "solr.BasicAuthPlugin",
>> >"credentials": {
>> >"solradmin": "fskh17INKrOTSRCJ8HkamA0L6Uiq1dSMgn4OVy8htME=
>> > /Q4VgOkwVlP6AMVY+ML+IuodbfV81WEfZ3lFb390bws="
>> >}
>> >}
>> > }
>> >
>> > In browser authenticate (as solradmin : solradmin) and GET
>> >
>> http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION=gettingstarted
>> > will time out after 180 seconds
>> >
>> > The solr log will show repeated 401s
>> >
>> > Setting "forwardCredentials" : true in the security.json does not
>> appear to
>> > change the outcome.
>> >
>> >
>> > responses.txt
>> > <
>> https://drive.google.com/file/d/1h_vQCrf5KyZAK6TIG6fPzMNxBL1Rx1bT/view?usp=drive_web
>> >
>> >
>> > solr.log
>> > <
>> https://drive.google.com/file/d/10oYL3AtECxmei7cVOKAM5JPKEt8lFh67/view?usp=drive_web
>> >
>> >
>> > security.json
>> > <
>> https://drive.google.com/file/d/1xVbXcDEq2btbTycBdXLe3Evz5zIYxm9o/view?usp=drive_web
>> >
>>
>>

Re: REINDEXCOLLECTION does not work with (basic) authentication

[Colvin Cowie]

I've raised SOLR-13566

On Thu, 20 Jun 2019 at 09:14, Jan Høydahl  wrote:

> I think this may be a case where the (background) job should use PKI auth.
> Can you file a JIRA issue?
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.cominvent.com
>
> > 19. jun. 2019 kl. 20:50 skrev Colvin Cowie :
> >
> > Hello
> >
> > I'm on the Solr 8.1 branch off commit
> > f26388d034fe5eadca7416aa63b509b8db2c7688 so I have the authentication
> fixes
> > from SOLR-13510 (intermittent 401s for internode requests)
> >
> > When trying to use the new REINDEXCOLLECTION command with basic auth
> > enabled, the daemon stream fails with repeated 401s when trying to access
> > the target collection.
> >
> > This might be the same problem as SOLR-13472, except it applies even
> with a
> > single node, and this doesn't require role based configuration.
> >
> > Repro: I added a reindex request in BasicAuthIntegrationTest and it is
> > reproducible in there... I don't know what effect it should have on the
> > auth metrics, if it were working correctly, so I don't know how to update
> > the test properly. But you can add the request towards the end of
> > org.apache.solr.security.BasicAuthIntegrationTest.testBasicAuth()
> >
> >
> >
> > *  CollectionAdminRequest.ReindexCollection reindexReq =
> > CollectionAdminRequest.reindexCollection(COLLECTION);
> > reindexReq.setBasicAuthCredentials("harry", "HarryIsUberCool");
> > cluster.getSolrClient().request(reindexReq, COLLECTION);*
> >
> > Manual Repro:
> > run bin/solr -e cloud
> > Choose 1 node / 1 shard / 1 replica
> > In browser GET
> >
> http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION=gettingstarted
> > will succeed
> > Enable security: server\scripts\cloud-scripts\zkcli -zkhost
> localhost:9983
> > -cmd putfile /security.json 
> >
> > {
> >"authentication": {
> >"blockUnknown": true,
> >"class": "solr.BasicAuthPlugin",
> >"credentials": {
> >"solradmin": "fskh17INKrOTSRCJ8HkamA0L6Uiq1dSMgn4OVy8htME=
> > /Q4VgOkwVlP6AMVY+ML+IuodbfV81WEfZ3lFb390bws="
> >}
> >}
> > }
> >
> > In browser authenticate (as solradmin : solradmin) and GET
> >
> http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION=gettingstarted
> > will time out after 180 seconds
> >
> > The solr log will show repeated 401s
> >
> > Setting "forwardCredentials" : true in the security.json does not appear
> to
> > change the outcome.
> >
> >
> > responses.txt
> > <
> https://drive.google.com/file/d/1h_vQCrf5KyZAK6TIG6fPzMNxBL1Rx1bT/view?usp=drive_web
> >
> >
> > solr.log
> > <
> https://drive.google.com/file/d/10oYL3AtECxmei7cVOKAM5JPKEt8lFh67/view?usp=drive_web
> >
> >
> > security.json
> > <
> https://drive.google.com/file/d/1xVbXcDEq2btbTycBdXLe3Evz5zIYxm9o/view?usp=drive_web
> >
>
>

Re: REINDEXCOLLECTION does not work with (basic) authentication

[Jan Høydahl]

I think this may be a case where the (background) job should use PKI auth. Can 
you file a JIRA issue?

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

> 19. jun. 2019 kl. 20:50 skrev Colvin Cowie :
> 
> Hello
> 
> I'm on the Solr 8.1 branch off commit
> f26388d034fe5eadca7416aa63b509b8db2c7688 so I have the authentication fixes
> from SOLR-13510 (intermittent 401s for internode requests)
> 
> When trying to use the new REINDEXCOLLECTION command with basic auth
> enabled, the daemon stream fails with repeated 401s when trying to access
> the target collection.
> 
> This might be the same problem as SOLR-13472, except it applies even with a
> single node, and this doesn't require role based configuration.
> 
> Repro: I added a reindex request in BasicAuthIntegrationTest and it is
> reproducible in there... I don't know what effect it should have on the
> auth metrics, if it were working correctly, so I don't know how to update
> the test properly. But you can add the request towards the end of
> org.apache.solr.security.BasicAuthIntegrationTest.testBasicAuth()
> 
> 
> 
> *  CollectionAdminRequest.ReindexCollection reindexReq =
> CollectionAdminRequest.reindexCollection(COLLECTION);
> reindexReq.setBasicAuthCredentials("harry", "HarryIsUberCool");
> cluster.getSolrClient().request(reindexReq, COLLECTION);*
> 
> Manual Repro:
> run bin/solr -e cloud
> Choose 1 node / 1 shard / 1 replica
> In browser GET
> http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION=gettingstarted
> will succeed
> Enable security: server\scripts\cloud-scripts\zkcli -zkhost localhost:9983
> -cmd putfile /security.json 
> 
> {
>"authentication": {
>"blockUnknown": true,
>"class": "solr.BasicAuthPlugin",
>"credentials": {
>"solradmin": "fskh17INKrOTSRCJ8HkamA0L6Uiq1dSMgn4OVy8htME=
> /Q4VgOkwVlP6AMVY+ML+IuodbfV81WEfZ3lFb390bws="
>}
>}
> }
> 
> In browser authenticate (as solradmin : solradmin) and GET
> http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION=gettingstarted
> will time out after 180 seconds
> 
> The solr log will show repeated 401s
> 
> Setting "forwardCredentials" : true in the security.json does not appear to
> change the outcome.
> 
> 
> responses.txt
> <https://drive.google.com/file/d/1h_vQCrf5KyZAK6TIG6fPzMNxBL1Rx1bT/view?usp=drive_web>
> 
> solr.log
> <https://drive.google.com/file/d/10oYL3AtECxmei7cVOKAM5JPKEt8lFh67/view?usp=drive_web>
> 
> security.json
> <https://drive.google.com/file/d/1xVbXcDEq2btbTycBdXLe3Evz5zIYxm9o/view?usp=drive_web>

REINDEXCOLLECTION does not work with (basic) authentication

[Colvin Cowie]

Hello

I'm on the Solr 8.1 branch off commit
f26388d034fe5eadca7416aa63b509b8db2c7688 so I have the authentication fixes
from SOLR-13510 (intermittent 401s for internode requests)

When trying to use the new REINDEXCOLLECTION command with basic auth
enabled, the daemon stream fails with repeated 401s when trying to access
the target collection.

This might be the same problem as SOLR-13472, except it applies even with a
single node, and this doesn't require role based configuration.

Repro: I added a reindex request in BasicAuthIntegrationTest and it is
reproducible in there... I don't know what effect it should have on the
auth metrics, if it were working correctly, so I don't know how to update
the test properly. But you can add the request towards the end of
org.apache.solr.security.BasicAuthIntegrationTest.testBasicAuth()



*  CollectionAdminRequest.ReindexCollection reindexReq =
CollectionAdminRequest.reindexCollection(COLLECTION);
reindexReq.setBasicAuthCredentials("harry", "HarryIsUberCool");
cluster.getSolrClient().request(reindexReq, COLLECTION);*

Manual Repro:
run bin/solr -e cloud
Choose 1 node / 1 shard / 1 replica
In browser GET
http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION=gettingstarted
will succeed
Enable security: server\scripts\cloud-scripts\zkcli -zkhost localhost:9983
-cmd putfile /security.json 

{
"authentication": {
"blockUnknown": true,
"class": "solr.BasicAuthPlugin",
"credentials": {
"solradmin": "fskh17INKrOTSRCJ8HkamA0L6Uiq1dSMgn4OVy8htME=
/Q4VgOkwVlP6AMVY+ML+IuodbfV81WEfZ3lFb390bws="
}
}
}

In browser authenticate (as solradmin : solradmin) and GET
http://localhost:8983/solr/admin/collections?action=REINDEXCOLLECTION=gettingstarted
will time out after 180 seconds

The solr log will show repeated 401s

Setting "forwardCredentials" : true in the security.json does not appear to
change the outcome.


 responses.txt
<https://drive.google.com/file/d/1h_vQCrf5KyZAK6TIG6fPzMNxBL1Rx1bT/view?usp=drive_web>

 solr.log
<https://drive.google.com/file/d/10oYL3AtECxmei7cVOKAM5JPKEt8lFh67/view?usp=drive_web>

 security.json
<https://drive.google.com/file/d/1xVbXcDEq2btbTycBdXLe3Evz5zIYxm9o/view?usp=drive_web>

Re: Basic Authentication in Standalone Configuration ?

[Colvin Cowie]

Hello,

You need to use the *set *command in windows cmd files to set values. The
example solr.in.cmd has commented out examples, e.g.





*REM Settings for authenticationREM Please configure only one of
SOLR_AUTHENTICATION_CLIENT_BUILDER or SOLR_AUTH_TYPE parametersREM set
SOLR_AUTHENTICATION_CLIENT_BUILDER=org.apache.solr.client.solrj.impl.PreemptiveBasicAuthClientBuilderFactoryREM
set SOLR_AUTH_TYPE=basicREM set
SOLR_AUTHENTICATION_OPTS="-Dbasicauth=solr:SolrRocks"*

So that would be


*set SOLR_AUTH_TYPE=basicset
SOLR_AUTHENTICATION_OPTS="-Dbasicauth=solr:SolrRocks"*

Hope that helps

On Mon, 10 Jun 2019 at 13:01, Paul  wrote:

> Hi,
>
> I am not sure if Basic Authentication is possible in SOLR standalone
> configuration (version 7.6). I have a working SOLR installation using SSL.
> When following the docs I add options into solr.in.cmd, as in:
>
> SOLR_AUTH_TYPE="basic"
> SOLR_AUTHENTICATION_OPTS="-Dbasicauth=solr:SolrRocks"
>
> When I go to start SOLR I get:
>
> 'SOLR_AUTH_TYPE' is not recognized as an internal or external command,
> operable program or batch file.
> 'SOLR_AUTHENTICATION_OPTS' is not recognized as an internal or external
> command, operable program or batch file.
>
> This is as per
> https://www.apache.si/lucene/solr/ref-guide/apache-solr-ref-guide-7.7.pdf
> and in there it refers to '*If you are using SolrCloud*, you must upload
> security.json to ZooKeeper. You can use this example command, ensuring that
> the ZooKeeper port is correct '.
>
> I am not using SolrCloud 
>
>
>
>
>
>
>
>
> --
> Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html
>

Basic Authentication in Standalone Configuration ?

[Paul]

Hi,

I am not sure if Basic Authentication is possible in SOLR standalone
configuration (version 7.6). I have a working SOLR installation using SSL.
When following the docs I add options into solr.in.cmd, as in:

SOLR_AUTH_TYPE="basic"
SOLR_AUTHENTICATION_OPTS="-Dbasicauth=solr:SolrRocks"

When I go to start SOLR I get:

'SOLR_AUTH_TYPE' is not recognized as an internal or external command,
operable program or batch file.
'SOLR_AUTHENTICATION_OPTS' is not recognized as an internal or external
command, operable program or batch file.

This is as per
https://www.apache.si/lucene/solr/ref-guide/apache-solr-ref-guide-7.7.pdf
and in there it refers to '*If you are using SolrCloud*, you must upload
security.json to ZooKeeper. You can use this example command, ensuring that
the ZooKeeper port is correct '.

I am not using SolrCloud   








--
Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html

Exclude update & read from authentication.

[Mannar mannan]

Hi Team,

Iam setting up basic authentication and authorization in Solr 7.7.1. Need
to exclude read & update (predefined permission) from authentication.

In solr 7.7.1 created a user to access console & another user for
dataimport purpose, with basicauth plugin. Have to access(update, read) the
index without authentiaction. Kindly check my security.json file.

{
  "authentication":{"blockUnknown":true, "class":"solr.BasicAuthPlugin",
"credentials":{
  "solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=",
  "testuser":"Z9MhKDHQvGqugG57RRpLdvguQrDXHKKJUnsyyw1909k=
LvXPDZMr4ePt6QWKK+MFoQyxrAM3EXSUWosSseqyFhU=",
  "testuser1":"qx3kJ+XdXdMVEf1Kn9lw1ZU8VpSkf2jc7KZWrYyqLbc=
vmr3o5L+zVprh8G+9+6/vFpd08z6VpPoOVgsMPMHEAQ="},
"":{"v":42}},
  "authorization":{
"class":"solr.RuleBasedAuthorizationPlugin",
"permissions":[{"name":"security-edit", "role":"admin", "index":1},
{"name":"schema-read", "role":["admin", "prod", "guest"], "index":2},
{"name":"config-read", "role":["admin", "prod", "guest"], "index":3},
{"name":"collection-admin-edit", "role":["admin", "prod"], "index":4},
{"name":"system-coll-import", "collection":"*", "path":"/dataimport/*",
"role":["admin", "prod"], "index":5}],
"user-role":{"admin":"admin", "testuser":"guest", "testuser1":"prod"},
"":{"v":46}}}

Have to update the index and select from index without authentication.
Kindly let me know the possible way.

Re: SolrJ, CloudSolrClient and basic authentication

[Kevin Risden]

Chris - not sure if what you are seeing is related to basic auth
credentials not being sent until a 401. There was report of this behavior
with Apache Knox in front of Solr.

https://issues.apache.org/jira/browse/KNOX-1066

The jira above has an example of how to preemptively send basic auth
instead of waiting for the 401 from the server.

Kevin Risden


On Fri, May 31, 2019 at 4:28 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Dimitris,
>
> On 6/1/18 02:46, Dimitris Kardarakos wrote:
> > Thanks a lot Shawn. I had tried with the documented approach, but
> > since I use SolrClient.add to add documents to the index, I could
> > not "port" the documented approach to my case (probably I do miss
> > something).
> >
> > The custom HttpClient suggestion worked as expected!
>
> Can you please explain how you did this?
>
> I'm facing a problem where the simplest possible solution is giving
> the error "org.apache.http.client.NonRepeatableRequestException:
> Cannot retry request with a non-repeatable request entity.".
>
> It seems that SolrClient is using something like BasicHttpEntity which
> isn't "repeatable" when using HTTP Basic auth (where the server is
> supposed to challenge the client and the client only then sends the
> credentials). I need to either make the client data repeatable (which
> is in SolrClient, which I'd prefer to avoid) or I need to make
> HttpClient use an "expectant" credential-sending technique, or I need
> to just stuff things into a header manually.
>
> What did you do to solve this problem? It seems like this should
> really probably come up more often than it does. Maybe nobody bothers
> to lock-down their Solr instances?
>
> Thanks,
> - -chris
>
> > On 31/05/2018 06:16 μμ, Shawn Heisey wrote:
> >> On 5/31/2018 8:03 AM, Dimitris Kardarakos wrote:
> >>> Following the feedback in the "Index protected zip" thread, I
> >>> am trying to add documents to the index using SolrJ API.
> >>>
> >>> The server is in SolrCloud mode with BasicAuthPlugin for
> >>> authentication.
> >>>
> >>> I have not managed to figure out how to pass username/password
> >>> to my client.
> >> There are two ways to approach this.
> >>
> >> One approach is to build a custom HttpClient object that uses
> >> credentials by default, and then use that custom HttpClient
> >> object to build your CloudSolrClient.  Exactly how to correctly
> >> build the HttpClient object will depend on exactly which
> >> HttpClient version you've included into your program.  If you go
> >> with SolrJ dependency defaults, then the HttpClient version will
> >> depend on the SolrJ version.
> >>
> >> The other approach is the method described in the documentation,
> >> where credentials are added to each request object:
> >>
> >> https://lucene.apache.org/solr/guide/6_6/basic-authentication-plugin.
> html#BasicAuthenticationPlugin-UsingBasicAuthwithSolrJ
> <https://lucene.apache.org/solr/guide/6_6/basic-authentication-plugin.html#BasicAuthenticationPlugin-UsingBasicAuthwithSolrJ>
> >>
> >>
> >>
> >>
> There are several different kinds of request objects.  A few examples:
> >> UpdateRequest, QueryRequest, CollectionAdminRequest.
> >>
> >> Thanks, Shawn
> >>
> >
> -BEGIN PGP SIGNATURE-
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlzxjlEACgkQHPApP6U8
> pFhoeQ/7BzlhjGGE8tnMcrdmruP+N2rgvawfLcTdzDg3U4cQFNUVRoCclZcM8LiA
> iuZf+cAewTTQTjLpQuSv2WoknQgO/YRgaqTlo+b3hv9zR2awY8Mob/m5RYcYAwmn
> i+2SJrG7+u+qhpfDQGSjwppUKpm2WrfvGXL3lcRF48UXQ+z7J95o2g88SnP44FKH
> 87/X/iYX+xMsj0bkIEOkyppuXENQQwUZ7QWhgfAxSItJr2A0Ma6zkuuNPf4FvBJ1
> JQM/c33WWbAXK3B7tI5iQsstVi5CMOhRF0Z336/vZgq6aF9uEZvIOWEVAlM+E8Qp
> mYlZz7tERzUMs+QbcBcSdDIb8VSPwYy5kvKiJ9eEpjFGXmPBLOqiJ4M+4SOeGFq7
> BA5sbm6k4gwHc33MiKvnHE1K+k3r1OBPngjxvelsyIaqSnX3zpKPTFhkU2dvWMPt
> XPo/ICuiliGowD8xh5EhB6w0BuYZhK3dW7AKMCLbyoANwk7SLfHxC6O+rdmYyDQF
> UwiR65+3ImmeKJOZt7lFoR43BXoFuz6L1SILU8XRcclS5KwXHg3moBElU7jM9iKV
> 9vMwWkuPGUA2gq5K0oV4XFEOShxUxFiCL4FXjd/P7x9Evhio+itvaUlHzP8FGblh
> YyK+l2YqjKBnTJ0G4XE8UnJcmH8C23jJ05gwMgq92pXBQy5ly6s=
> =6kab
> -END PGP SIGNATURE-
>

Re: SolrJ, CloudSolrClient and basic authentication

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Dimitris,

On 6/1/18 02:46, Dimitris Kardarakos wrote:
> Thanks a lot Shawn. I had tried with the documented approach, but
> since I use SolrClient.add to add documents to the index, I could
> not "port" the documented approach to my case (probably I do miss
> something).
> 
> The custom HttpClient suggestion worked as expected!

Can you please explain how you did this?

I'm facing a problem where the simplest possible solution is giving
the error "org.apache.http.client.NonRepeatableRequestException:
Cannot retry request with a non-repeatable request entity.".

It seems that SolrClient is using something like BasicHttpEntity which
isn't "repeatable" when using HTTP Basic auth (where the server is
supposed to challenge the client and the client only then sends the
credentials). I need to either make the client data repeatable (which
is in SolrClient, which I'd prefer to avoid) or I need to make
HttpClient use an "expectant" credential-sending technique, or I need
to just stuff things into a header manually.

What did you do to solve this problem? It seems like this should
really probably come up more often than it does. Maybe nobody bothers
to lock-down their Solr instances?

Thanks,
- -chris

> On 31/05/2018 06:16 μμ, Shawn Heisey wrote:
>> On 5/31/2018 8:03 AM, Dimitris Kardarakos wrote:
>>> Following the feedback in the "Index protected zip" thread, I
>>> am trying to add documents to the index using SolrJ API.
>>> 
>>> The server is in SolrCloud mode with BasicAuthPlugin for
>>> authentication.
>>> 
>>> I have not managed to figure out how to pass username/password
>>> to my client.
>> There are two ways to approach this.
>> 
>> One approach is to build a custom HttpClient object that uses 
>> credentials by default, and then use that custom HttpClient
>> object to build your CloudSolrClient.  Exactly how to correctly
>> build the HttpClient object will depend on exactly which
>> HttpClient version you've included into your program.  If you go
>> with SolrJ dependency defaults, then the HttpClient version will
>> depend on the SolrJ version.
>> 
>> The other approach is the method described in the documentation,
>> where credentials are added to each request object:
>> 
>> https://lucene.apache.org/solr/guide/6_6/basic-authentication-plugin.
html#BasicAuthenticationPlugin-UsingBasicAuthwithSolrJ
>>
>>
>>
>> 
There are several different kinds of request objects.  A few examples:
>> UpdateRequest, QueryRequest, CollectionAdminRequest.
>> 
>> Thanks, Shawn
>> 
> 
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlzxjlEACgkQHPApP6U8
pFhoeQ/7BzlhjGGE8tnMcrdmruP+N2rgvawfLcTdzDg3U4cQFNUVRoCclZcM8LiA
iuZf+cAewTTQTjLpQuSv2WoknQgO/YRgaqTlo+b3hv9zR2awY8Mob/m5RYcYAwmn
i+2SJrG7+u+qhpfDQGSjwppUKpm2WrfvGXL3lcRF48UXQ+z7J95o2g88SnP44FKH
87/X/iYX+xMsj0bkIEOkyppuXENQQwUZ7QWhgfAxSItJr2A0Ma6zkuuNPf4FvBJ1
JQM/c33WWbAXK3B7tI5iQsstVi5CMOhRF0Z336/vZgq6aF9uEZvIOWEVAlM+E8Qp
mYlZz7tERzUMs+QbcBcSdDIb8VSPwYy5kvKiJ9eEpjFGXmPBLOqiJ4M+4SOeGFq7
BA5sbm6k4gwHc33MiKvnHE1K+k3r1OBPngjxvelsyIaqSnX3zpKPTFhkU2dvWMPt
XPo/ICuiliGowD8xh5EhB6w0BuYZhK3dW7AKMCLbyoANwk7SLfHxC6O+rdmYyDQF
UwiR65+3ImmeKJOZt7lFoR43BXoFuz6L1SILU8XRcclS5KwXHg3moBElU7jM9iKV
9vMwWkuPGUA2gq5K0oV4XFEOShxUxFiCL4FXjd/P7x9Evhio+itvaUlHzP8FGblh
YyK+l2YqjKBnTJ0G4XE8UnJcmH8C23jJ05gwMgq92pXBQy5ly6s=
=6kab
-END PGP SIGNATURE-

Zookeeper restart on solr basic authentication password change

[Schaum Mallik]

I recently updated the password on our 3 node solr cloud. We have 3
zookeeper ensemble serving it.  I have one question. Do I need to restart
the zookeeper ensemble after password change?

Thank you

Re: Solr Authentication Error - Error trying to proxy request for url

[Zheng Lin Edwin Yeo]

Hi,

When you generate the SSL certificate, did you put the IP address to the
the IP address of your system?

Regards,
Edwin

On Tue, 15 Jan 2019 at 01:31, Ganesh Sethuraman 
wrote:

> We are using Solr 7.2.1 in Solr Cloud mode, with embedded Zookeeper for
> test purposes. We enabled SSL and Authentication, and we are able to see
> the admin working fine with authentication. But queries through the UI or
> otherwise is failing with the following error. Request your help to resolve
> the same. Is this related to authentication or SSL? If you can throw some
> light on it, it will be of great help to us.
>
> https://solr-node-1:8080/solr//select?q=*:*
>
> Error:
> {
>   "error":{
> "metadata":[
>   "error-class","org.apache.solr.common.SolrException",
>
>
>  
> "root-error-class","sun.security.provider.certpath.SunCertPathBuilderException"],
> "msg":"Error trying to proxy request for url:
> https://doaminsolr/ba_test/select <https://domain/solr/ba_test/select>",
> "trace":"org.apache.solr.common.SolrException: Error trying to proxy
> request for url: https://domain/solr/ba_test/select\n\tat
>
> org.apache.solr.servlet.HttpSolrCall.remoteQuery(HttpSolrCall.java:646)\n\tat
>

Solr Authentication Error - Error trying to proxy request for url

[Ganesh Sethuraman]

We are using Solr 7.2.1 in Solr Cloud mode, with embedded Zookeeper for
test purposes. We enabled SSL and Authentication, and we are able to see
the admin working fine with authentication. But queries through the UI or
otherwise is failing with the following error. Request your help to resolve
the same. Is this related to authentication or SSL? If you can throw some
light on it, it will be of great help to us.

https://solr-node-1:8080/solr//select?q=*:*

Error:
{
  "error":{
"metadata":[
  "error-class","org.apache.solr.common.SolrException",

 
"root-error-class","sun.security.provider.certpath.SunCertPathBuilderException"],
"msg":"Error trying to proxy request for url:
https://doaminsolr/ba_test/select <https://domain/solr/ba_test/select>",
"trace":"org.apache.solr.common.SolrException: Error trying to proxy
request for url: https://domain/solr/ba_test/select\n\tat
org.apache.solr.servlet.HttpSolrCall.remoteQuery(HttpSolrCall.java:646)\n\tat

Re: Adding authentication

[Noble Paul]

This is a Solr problem and not ZK problem.

This is something we have encountered before.
Which version of java are you using?



On Sat, Dec 8, 2018 at 1:42 AM Adam Blank  wrote:
>
> Hi,
>
> I'm not sure if this would be more of a Zookeeper or Solr question, but I'm
> hoping you can help me.  I'm trying to add user authentication to my
> SolrCloud configuration (to secure my Solr admin consoles).  I have 3
> Zookeeper servers and 2 Solr nodes running.  Zookeeper version 3.4.6 and
> Solr version 5.5.0 on AIX.  I have uploaded a security.json file to
> Zookeeper using Solr's zkcli.sh script, and now I am prompted for a
> username/password when logging into the Solr admin console as expected.
> However, I am receiving the following error in my Solr log after rebooting:
>
>  2018-11-30 19:02:55.105 ERROR
> (recoveryExecutor-3-thread-2-processing-n::8983_solr
> x:formdoc_shard1_replica1 s:shard1 c:formdoc r:core_node1) [c:formdoc
> s:shard1 r:core_node1 x:formdoc_shard1
> _replica1] o.a.s.c.RecoveryStrategy Error while trying to recover.
> core=formdoc_shard1_replica1:java.util.concurrent.ExecutionException:
> org.apache.solr.common.SolrException: java.security.InvalidKeyExcep
> tion: Invalid RSA key for encrypting; n (1024) < 2048
> at java.util.concurrent.FutureTask.report(FutureTask.java:133)
> at java.util.concurrent.FutureTask.get(FutureTask.java:203)
> at
> org.apache.solr.cloud.RecoveryStrategy.sendPrepRecoveryCmd(RecoveryStrategy.java:596)
> at
> org.apache.solr.cloud.RecoveryStrategy.doRecovery(RecoveryStrategy.java:353)
> at
> org.apache.solr.cloud.RecoveryStrategy.run(RecoveryStrategy.java:224)
> at
> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
> at java.util.concurrent.FutureTask.run(FutureTask.java:277)
> at
> org.apache.solr.common.util.ExecutorUtil$MDCAwareThreadPoolExecutor$1.run(ExecutorUtil.java:231)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
> at java.lang.Thread.run(Thread.java:785)
> Caused by: org.apache.solr.common.SolrException:
> java.security.InvalidKeyException: Invalid RSA key for encrypting; n (1024)
> < 2048
> at
> org.apache.solr.util.CryptoKeys$RSAKeyPair.encrypt(CryptoKeys$RSAKeyPair.java:67)
> at
> org.apache.solr.security.PKIAuthenticationPlugin.setHeader(PKIAuthenticationPlugin.java:287)
> at
> org.apache.solr.security.PKIAuthenticationPlugin$HttpHeaderClientConfigurer.process(PKIAuthenticationPlugin.java:257)
> at
> org.apache.http.protocol.ImmutableHttpProcessor.process(ImmutableHttpProcessor.java:132)
> at
> org.apache.http.protocol.HttpRequestExecutor.preProcess(HttpRequestExecutor.java:166)
> at
> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:485)
> at
> org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
> at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
> at
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
> at
> org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:481)
> at
> org.apache.solr.client.solrj.impl.HttpSolrClient$1.call(HttpSolrClient.java:284)
> at
> org.apache.solr.client.solrj.impl.HttpSolrClient$1.call(HttpSolrClient.java:280)
> ... 5 more
> Caused by: java.security.InvalidKeyException: Invalid RSA key for
> encrypting; n (1024) < 2048
> at com.rsa.cryptoj.o.fy.engineInit(Unknown Source)
> at com.rsa.cryptoj.o.fy.engineInit(Unknown Source)
> at javax.crypto.Cipher.a(Unknown Source)
> at javax.crypto.Cipher.a(Unknown Source)
> at javax.crypto.Cipher.init(Unknown Source)
> at javax.crypto.Cipher.init(Unknown Source)
> at
> org.apache.solr.util.CryptoKeys$RSAKeyPair.encrypt(CryptoKeys$RSAKeyPair.java:62)
> ... 17 more
>
> I tried updating the Java class
> org/apache/solr/util/CryptoKeys$RSAKeyPair.class
> in ./server/solr-webapp/webapp/WEB-INF/lib/solr-core-5.5.0.jar to change
> the hardcoded value of 1024 to 2048, however then I received the following
> error:
>
>  2018-11-30 19:11:17.387 ERROR
> (recoveryExecutor-3-thread-1-processing-n::8983_solr
> x:formdoc_shard2_replica1 s:shard2 c:formdoc r:core_node2) [c:formdoc
> s:shard2 r:core_node2 x:formdoc_shard2
> _replica1] o.a.s.c.Recover

Adding authentication

[Adam Blank]

Hi,

I'm not sure if this would be more of a Zookeeper or Solr question, but I'm
hoping you can help me.  I'm trying to add user authentication to my
SolrCloud configuration (to secure my Solr admin consoles).  I have 3
Zookeeper servers and 2 Solr nodes running.  Zookeeper version 3.4.6 and
Solr version 5.5.0 on AIX.  I have uploaded a security.json file to
Zookeeper using Solr's zkcli.sh script, and now I am prompted for a
username/password when logging into the Solr admin console as expected.
However, I am receiving the following error in my Solr log after rebooting:

 2018-11-30 19:02:55.105 ERROR
(recoveryExecutor-3-thread-2-processing-n::8983_solr
x:formdoc_shard1_replica1 s:shard1 c:formdoc r:core_node1) [c:formdoc
s:shard1 r:core_node1 x:formdoc_shard1
_replica1] o.a.s.c.RecoveryStrategy Error while trying to recover.
core=formdoc_shard1_replica1:java.util.concurrent.ExecutionException:
org.apache.solr.common.SolrException: java.security.InvalidKeyExcep
tion: Invalid RSA key for encrypting; n (1024) < 2048
at java.util.concurrent.FutureTask.report(FutureTask.java:133)
at java.util.concurrent.FutureTask.get(FutureTask.java:203)
at
org.apache.solr.cloud.RecoveryStrategy.sendPrepRecoveryCmd(RecoveryStrategy.java:596)
at
org.apache.solr.cloud.RecoveryStrategy.doRecovery(RecoveryStrategy.java:353)
at
org.apache.solr.cloud.RecoveryStrategy.run(RecoveryStrategy.java:224)
at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
at java.util.concurrent.FutureTask.run(FutureTask.java:277)
at
org.apache.solr.common.util.ExecutorUtil$MDCAwareThreadPoolExecutor$1.run(ExecutorUtil.java:231)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.lang.Thread.run(Thread.java:785)
Caused by: org.apache.solr.common.SolrException:
java.security.InvalidKeyException: Invalid RSA key for encrypting; n (1024)
< 2048
at
org.apache.solr.util.CryptoKeys$RSAKeyPair.encrypt(CryptoKeys$RSAKeyPair.java:67)
at
org.apache.solr.security.PKIAuthenticationPlugin.setHeader(PKIAuthenticationPlugin.java:287)
at
org.apache.solr.security.PKIAuthenticationPlugin$HttpHeaderClientConfigurer.process(PKIAuthenticationPlugin.java:257)
at
org.apache.http.protocol.ImmutableHttpProcessor.process(ImmutableHttpProcessor.java:132)
at
org.apache.http.protocol.HttpRequestExecutor.preProcess(HttpRequestExecutor.java:166)
at
org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:485)
at
org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
at
org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:481)
at
org.apache.solr.client.solrj.impl.HttpSolrClient$1.call(HttpSolrClient.java:284)
at
org.apache.solr.client.solrj.impl.HttpSolrClient$1.call(HttpSolrClient.java:280)
... 5 more
Caused by: java.security.InvalidKeyException: Invalid RSA key for
encrypting; n (1024) < 2048
at com.rsa.cryptoj.o.fy.engineInit(Unknown Source)
at com.rsa.cryptoj.o.fy.engineInit(Unknown Source)
at javax.crypto.Cipher.a(Unknown Source)
at javax.crypto.Cipher.a(Unknown Source)
at javax.crypto.Cipher.init(Unknown Source)
at javax.crypto.Cipher.init(Unknown Source)
at
org.apache.solr.util.CryptoKeys$RSAKeyPair.encrypt(CryptoKeys$RSAKeyPair.java:62)
... 17 more

I tried updating the Java class
org/apache/solr/util/CryptoKeys$RSAKeyPair.class
in ./server/solr-webapp/webapp/WEB-INF/lib/solr-core-5.5.0.jar to change
the hardcoded value of 1024 to 2048, however then I received the following
error:

 2018-11-30 19:11:17.387 ERROR
(recoveryExecutor-3-thread-1-processing-n::8983_solr
x:formdoc_shard2_replica1 s:shard2 c:formdoc r:core_node2) [c:formdoc
s:shard2 r:core_node2 x:formdoc_shard2
_replica1] o.a.s.c.RecoveryStrategy Error while trying to recover.
core=formdoc_shard2_replica1:java.util.concurrent.ExecutionException:
org.apache.solr.common.SolrException: javax.crypto.IllegalBlockSize
Exception: Invalid input.
at java.util.concurrent.FutureTask.report(FutureTask.java:133)
at java.util.concurrent.FutureTask.get(FutureTask.java:203)
at
org.apache.solr.cloud.RecoveryStrategy.sendPrepRecoveryCmd(RecoveryStrategy.java:596)
at
org.apache.solr.cloud.RecoveryStrategy.doRecovery(RecoveryStrategy.java:353)
at
org.apache.solr.cloud.RecoveryStrategy.run(RecoveryStrategy

Re: Authentication between solr-exporter and solrcloud

[Dwane Hall]

Hi Sushant,

I had the same issue and unfortunately the exporter does not appear to support 
a secure cluster.  I raised a JIRA feature request so please upvote it as this 
will increase the chances of it being included in a future release.

https://issues.apache.org/jira/browse/SOLR-12584<https://issues.apache.org/jira/browse/SOLR-12584?filter=-2>

Thanks

From: Sushant Vengurlekar 
Sent: Wednesday, 15 August 2018 10:39 PM
To: solr-user@lucene.apache.org
Subject: Authentication between solr-exporter and solrcloud

I have followed this guide for monitoring the solrcloud
https://lucene.apache.org/solr/guide/7_3/monitoring-solr-with-prometheus-and-grafana.html

I have basic authentication enabled for the solrcloud. How do I configure
the solr-exporter to authenticate with the set username and password.

Thank you

Authentication between solr-exporter and solrcloud

[Sushant Vengurlekar]

I have followed this guide for monitoring the solrcloud
https://lucene.apache.org/solr/guide/7_3/monitoring-solr-with-prometheus-and-grafana.html

I have basic authentication enabled for the solrcloud. How do I configure
the solr-exporter to authenticate with the set username and password.

Thank you

Re: Solr Kerberos Authentication

[Greenhorn Techie]

Hi,

Any thoughts on this please?

Thanks


On 5 July 2018 at 15:06:26, Greenhorn Techie (greenhorntec...@gmail.com)
wrote:

Hi,

In the solr documentation, it is mentioned that blockUnknown property for
Authentication plugin has the default value of false, which means any
authenticated users will be allowed to use Solr. However, wondering whether
this parameter only makes sense for Basic Authentication only or does it
impact Kerberos authentication as well?

I couldn’t find any Kerberos plugin example in the documentation where the
blockUnknown parameter has been set or defined. Hence my question.

Thanks

Solr Kerberos Authentication

[Greenhorn Techie]

Hi,

In the solr documentation, it is mentioned that blockUnknown property for
Authentication plugin has the default value of false, which means any
authenticated users will be allowed to use Solr. However, wondering whether
this parameter only makes sense for Basic Authentication only or does it
impact Kerberos authentication as well?

I couldn’t find any Kerberos plugin example in the documentation where the
blockUnknown parameter has been set or defined. Hence my question.

Thanks

Re: solr basic authentication

[Dinesh Sundaram]

Thanks Chris for your help. I tried to find that solution but nothing is
working out. it is not accepting the credentils, may be i'm trying with
wrong base 64 algorithm.

On Thu, Jun 21, 2018 at 12:25 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Dinesh,
>
> On 6/21/18 11:40 AM, Dinesh Sundaram wrote:
> > is there any way to disable basic authentication for particular domain. i
> > have proxy pass from a domain to solr which is always asking credentials
> so
> > wanted to disable basic auth only for that domain. is there any way?
>
> I wouldn't recommend this, in general, because it's not really all that
> secure, but since you have a reverse-proxy in between the client and
> Solr, why not have the proxy provide the HTTP BASIC authentication
> information to Solr?
>
> That may be a more straightforward solution.
>
> -chris
>
>

Re: solr basic authentication

[Christopher Schultz]

Dinesh,

On 6/21/18 11:40 AM, Dinesh Sundaram wrote:
> is there any way to disable basic authentication for particular domain. i
> have proxy pass from a domain to solr which is always asking credentials so
> wanted to disable basic auth only for that domain. is there any way?

I wouldn't recommend this, in general, because it's not really all that
secure, but since you have a reverse-proxy in between the client and
Solr, why not have the proxy provide the HTTP BASIC authentication
information to Solr?

That may be a more straightforward solution.

-chris



signature.asc
Description: OpenPGP digital signature

solr basic authentication

[Dinesh Sundaram]

Hi,

is there any way to disable basic authentication for particular domain. i
have proxy pass from a domain to solr which is always asking credentials so
wanted to disable basic auth only for that domain. is there any way?


Thanks,
Dinesh Sundaram.

Re: Solr failed to start after configuring Kerberos authentication

[Jason Gerlowski]

Hi,

Sorry to reply to this so late.  Hopefully you've long since figured out
the issue.  But if not...

1. Just to clarify, are you seeing the error message above when Solr tries
to talk to ZooKeeper?  Or does that error message appear in your ZK logs,
or from a ZK-client you're using to test connections to your
kerberized-ZK?  You may have done this already, but I would recommend
making sure that ZooKeeper is fully kerberized before introducing Solr into
the mix.

2. To me, the key piece of that error message is: "Server not found in
Kerberos database".  That makes is sound like the hostname (or IP) one of
your machines is using doesn't match anything the KDC knows about.
Normally this is a DNS issue.  Or if you used raw IPs when setting up your
configuration, some of them might have changed.  You can find a little more
information here:
https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/sections/errors.html.
(I can't recommend that guide enough btw.  It doesn't cover Solr
explicitly, but is great for an overview on Kerberos setup and debugging.)

3. For anyone on the list to help you much beyond that, you might have to
add more information.  What do the logs tell you when you enable Kerberos
debug logging (-Dsun.security.krb5.debug=true)?  What startup parameters
are you using with Solr?  Have you tested the Zookeeper Kerberization in
isolation from Solr (i.e. with zkCli.sh)?  What do your JAAS config files
look like?

As I said above, hopefully you've long since found your problem and this
might be helpful for someone else down the road.  But if you're still
working on this, feel free to attach more information and maybe we can
figure it out.

Best,

Jason

On Thu, May 24, 2018 at 2:44 PM, adfel70  wrote:

> Hi,
> We are trying to configure Kerberos auth for Solr 6.5.1.
> We went over the steps as described through Sorl’s ref guide, but after
> restart we are getting the following error:
>
> org.apache.zookeeper.client.ZookeeperSaslClient; An error:
> (java.security.PrivilegedActionException: javax.security.sasl.
> SaslException:
> GSS initiate failed [Caused by GSSException: No valid credentials provided
> (Mechanism level: Server not found in Kerberos database (7))] occurred when
> evaluating Zookeeper Quorum Member’s received SASL token. Zookeeper Client
> will go to AUTH_FAILED state.
>
> We tested both of our keytab files (Zookeeper’s and Solr’s) using kinit and
> everything looks fine.
>
> Our Zookeeper does not configured with Kerberos yet and ‘ruok’ command
> response with ‘imok’ as expected.
>
> When examing Zokeeper’s logs we see the following:
> Successfully logged in.
> TGT refresh thread started.
> TGT valid starting at:  Thu May 21:39:10 ...
> TGT expires:   Fri May 25 07:39:44 ...
> TGT refresh sleeping until: Fri May 25 05:55:44 ...
>
> Any idea what we can do?
> Thanks.
>
>
>
> --
> Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html
>

Re: SolrJ, CloudSolrClient and basic authentication

[Dimitris Kardarakos]

Thanks a lot Shawn. I had tried with the documented approach, but since 
I use SolrClient.add to add documents to the index, I could not "port" 
the documented approach to my case (probably I do miss something).


The custom HttpClient suggestion worked as expected!


On 31/05/2018 06:16 μμ, Shawn Heisey wrote:

On 5/31/2018 8:03 AM, Dimitris Kardarakos wrote:

Following the feedback in the "Index protected zip" thread, I am
trying to add documents to the index using SolrJ API.

The server is in SolrCloud mode with BasicAuthPlugin for authentication.

I have not managed to figure out how to pass username/password to my
client.

There are two ways to approach this.

One approach is to build a custom HttpClient object that uses
credentials by default, and then use that custom HttpClient object to
build your CloudSolrClient.  Exactly how to correctly build the
HttpClient object will depend on exactly which HttpClient version you've
included into your program.  If you go with SolrJ dependency defaults,
then the HttpClient version will depend on the SolrJ version.

The other approach is the method described in the documentation, where
credentials are added to each request object:

https://lucene.apache.org/solr/guide/6_6/basic-authentication-plugin.html#BasicAuthenticationPlugin-UsingBasicAuthwithSolrJ

There are several different kinds of request objects.  A few examples:
UpdateRequest, QueryRequest, CollectionAdminRequest.

Thanks,
Shawn



--
Dimitris Kardarakos

Re: SolrJ, CloudSolrClient and basic authentication

[Shawn Heisey]

On 5/31/2018 8:03 AM, Dimitris Kardarakos wrote:
> Following the feedback in the "Index protected zip" thread, I am
> trying to add documents to the index using SolrJ API.
>
> The server is in SolrCloud mode with BasicAuthPlugin for authentication.
>
> I have not managed to figure out how to pass username/password to my
> client.

There are two ways to approach this.

One approach is to build a custom HttpClient object that uses
credentials by default, and then use that custom HttpClient object to
build your CloudSolrClient.  Exactly how to correctly build the
HttpClient object will depend on exactly which HttpClient version you've
included into your program.  If you go with SolrJ dependency defaults,
then the HttpClient version will depend on the SolrJ version.

The other approach is the method described in the documentation, where
credentials are added to each request object:

https://lucene.apache.org/solr/guide/6_6/basic-authentication-plugin.html#BasicAuthenticationPlugin-UsingBasicAuthwithSolrJ

There are several different kinds of request objects.  A few examples:
UpdateRequest, QueryRequest, CollectionAdminRequest.

Thanks,
Shawn

SolrJ, CloudSolrClient and basic authentication

[Dimitris Kardarakos]

Hi.

Following the feedback in the "Index protected zip" thread, I am trying 
to add documents to the index using SolrJ API.


The server is in SolrCloud mode with BasicAuthPlugin for authentication.

I have not managed to figure out how to pass username/password to my client.

Thanks,

--
Dimitris Kardarakos

Solr failed to start after configuring Kerberos authentication

[adfel70]

Hi,
We are trying to configure Kerberos auth for Solr 6.5.1.
We went over the steps as described through Sorl’s ref guide, but after
restart we are getting the following error:

org.apache.zookeeper.client.ZookeeperSaslClient; An error:
(java.security.PrivilegedActionException: javax.security.sasl.SaslException:
GSS initiate failed [Caused by GSSException: No valid credentials provided
(Mechanism level: Server not found in Kerberos database (7))] occurred when
evaluating Zookeeper Quorum Member’s received SASL token. Zookeeper Client
will go to AUTH_FAILED state.

We tested both of our keytab files (Zookeeper’s and Solr’s) using kinit and
everything looks fine.

Our Zookeeper does not configured with Kerberos yet and ‘ruok’ command
response with ‘imok’ as expected.

When examing Zokeeper’s logs we see the following:
Successfully logged in.
TGT refresh thread started.
TGT valid starting at:  Thu May 21:39:10 ...
TGT expires:   Fri May 25 07:39:44 ...
TGT refresh sleeping until: Fri May 25 05:55:44 ...

Any idea what we can do?
Thanks.



--
Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html

Issue in Authentication in solr 7.3

[Prashant Thorat]

*security.json*

{
"authentication":{
   "class":"solr.BasicAuthPlugin",
   "blockUnknown": true,
   "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
},
"authorization":{
   "class":"solr.RuleBasedAuthorizationPlugin",
   "permissions":[{
"name": "all",
"role": "admin"
},
{
"name": "security-edit",
"role": "admin"
},
{
"name": "read",
"role": "admin"
},
{
"name": "update",
"role": "admin"
},
{
"name": "collection-admin-read",
"role": "admin"
},
{
"name": "config-read",
"role": "admin"
}],
   "user-role":{"solr":"admin"}
}}

And uploaded to zookeper

d /opt/solr-7.3.0/server/scripts/cloud-scripts
sudo ./zkcli.sh -zkhost 192.168.1.120:2181,192.168.1.100:2181,
192.168.1.105:2181 -cmd putfile /security.json
/home/pc2/Desktop/security.json

Authentication is enabled by but it looks like inter node communication
issue.
3 nodes are running and in * logging it shows error*


*HTTP ERROR 401 Problem accessing
/solr/locationList_shard1_replica_n4/update. Reason:  Unauthorized
request, Response code: 401  *

Re: Resetting Authentication/Authorization

[Shawn Heisey]

On 3/30/2018 7:18 AM, Terry Steichen wrote:

The output resembles the contents of security.json, except that there's
only one authenticated user, which is the one whose credentials are
supplied.  And there are only two permissions.


I was actually wanting to SEE it.  Redact things like the encrypted 
passwords and the usernames if you like.  There should be stuff in the 
output OTHER than the json itself.



That's the essence of my question: yes, I think it should logically do
what you say, but I don't know if or how it does that.  I don't think it
loads security.json because I have to start from scratch no matter
what's in security.json, and no matter where I place that file.  I would
be happy if it did that because I could prepare a fine-tuned set of
authentications and permissions and reuse it each time.  I simply don't
know how to do that (or even if it can be done).


When you're running SolrCloud, security.json (and most other config 
files) are NOT on your disk.  They're in zookeeper. An exception is 
sometimes solr.xml ... but you can put that in zookeeper too.  Any 
versions of config files that you put on disk are completely ignored.


Unless you're doing something that creates a brand new ZK database every 
time you restart Solr, which is a very bad idea, the security settings 
should be surviving restarts.


Thanks,
Shawn

Re: Resetting Authentication/Authorization

[Terry Steichen]

On 03/29/2018 11:07 PM, Shawn Heisey wrote:
> On 3/29/2018 8:28 PM, Terry Steichen wrote:
>> When I set up the initial authentications and authorizations (I'm using
>> 6.6.0 and running in cloud mode.), I call "bin/solr auth enable
>> -credentials xxx:yyy".
>
> What does this command output?  There should definitely be something
> output when that command is run.  I don't know if it will be a lot of
> output or a little bit, but whatever it is, can you provide it?
*The output resembles the contents of security.json, except that there's
only one authenticated user, which is the one whose credentials are
supplied.  And there are only two permissions.*
>
>> I then use a series of additional API calls ( to
>> create additional users and permissions).  This creates my desired
>> security environment (and, BTW, it seems to function as it should).
>
> Can you elaborate on exactly what you did when you say "a series of
> additional API calls"?
*I issued the well-documented curl-based commands to create a user and
to create a permission.  Multiple times as needed.*
>
>> If I restart solr, it appears I must reactivate it with the same
>> 'bin/solr auth enable -credentials xxx:yyy' command.  But, it seems that
>> when solr is restarted this way, only the authorizations are retained
>> persistently.  But the authentications have to be created again from
>> scratch.
>
> Enabling the authentication when running in cloud mode should upload a
> "security.json" file to zookeeper.  It should also write some
> variables to your solr.in.sh file, so that future usage of the
> bin/solr tool can provide the authentication that is required.
*That's the essence of my question: yes, I think it should logically do
what you say, but I don't know if or how it does that.  I don't think it
loads security.json because I have to start from scratch no matter
what's in security.json, and no matter where I place that file.  I would
be happy if it did that because I could prepare a fine-tuned set of
authentications and permissions and reuse it each time.  I simply don't
know how to do that (or even if it can be done).*
>
> Thanks,
> Shawn
>
>

Re: Resetting Authentication/Authorization

[Shawn Heisey]

On 3/29/2018 8:28 PM, Terry Steichen wrote:

When I set up the initial authentications and authorizations (I'm using
6.6.0 and running in cloud mode.), I call "bin/solr auth enable
-credentials xxx:yyy".


What does this command output?  There should definitely be something 
output when that command is run.  I don't know if it will be a lot of 
output or a little bit, but whatever it is, can you provide it?



I then use a series of additional API calls ( to
create additional users and permissions).  This creates my desired
security environment (and, BTW, it seems to function as it should).


Can you elaborate on exactly what you did when you say "a series of 
additional API calls"?



If I restart solr, it appears I must reactivate it with the same
'bin/solr auth enable -credentials xxx:yyy' command.  But, it seems that
when solr is restarted this way, only the authorizations are retained
persistently.  But the authentications have to be created again from
scratch.


Enabling the authentication when running in cloud mode should upload a 
"security.json" file to zookeeper.  It should also write some variables 
to your solr.in.sh file, so that future usage of the bin/solr tool can 
provide the authentication that is required.


Thanks,
Shawn

Resetting Authentication/Authorization

[Terry Steichen]

When I set up the initial authentications and authorizations (I'm using
6.6.0 and running in cloud mode.), I call "bin/solr auth enable
-credentials xxx:yyy".  I then use a series of additional API calls ( to
create additional users and permissions).  This creates my desired
security environment (and, BTW, it seems to function as it should).

If I restart solr, it appears I must reactivate it with the same
'bin/solr auth enable -credentials xxx:yyy' command.  But, it seems that
when solr is restarted this way, only the authorizations are retained
persistently.  But the authentications have to be created again from
scratch.

I would like to (somehow) capture the authentication/authorization
information (probably in a security.json file?) and then (somehow)
reload it when there's a restart. 

Can that be done?

Re: Master Slave Replication of Solr with Basic Authentication

[Shawn Heisey]

On 3/25/2018 1:56 AM, Basheeruddin Ahmed (syedbahm) wrote:

Seems even when we use Secuirty.json with BasicAuthentication Plugin as 
documented here -- 
https://lucene.apache.org/solr/guide/7_2/basic-authentication-plugin.html
, which nicely encrypts the user password using SHA256 encryption,  when it 
comes to configuring



Please let me know how I can use the same encrypted password as in 
Security.json when setting up Master/Slave Replication for Solr.


At the moment, the cleartext password is the only way it can be configured.

It is not possible to use the same string that goes in security.json for 
a feature like replication.  That string is a one-way hash of the 
password, so it cannot be decrypted.  The replication handler must be 
able to obtain the cleartext password.


The DIH feature offers password encryption for database passwords.  
Scroll down a little bit on the following page to the description 
numbered "2":


https://lucene.apache.org/solr/guide/6_6/uploading-structured-data-store-data-with-the-data-import-handler.html#configuring-the-dih-configuration-file

The replication handler CAN be enhanced to use a the same kind of 
encryption.  Note that this is merely security through obscurity.  If 
whoever is looking at the configuration also has access to the key file, 
then they will be able to decrypt the password.


Can you file an enhancement issue in Jira to add this capability to 
other handlers like replication?


https://issues.apache.org/jira/browse/SOLR

You'll need an account to create an issue.  Anyone can create an account.

Thanks,
Shawn

Master Slave Replication of Solr with Basic Authentication

[Basheeruddin Ahmed (syedbahm)]

Hello,
Seems even when we use Secuirty.json with BasicAuthentication Plugin as 
documented here -- 
https://lucene.apache.org/solr/guide/7_2/basic-authentication-plugin.html
, which nicely encrypts the user password using SHA256 encryption,  when it 
comes to configuring the slave in a Master/Slave Index Replication Strategy, 
the slave config requires to give the
BasicAuthentication password in plain text?  Is it something I got wrong?  But 
in my setup of HA with Master/Slave replication it works in this manner.

https://lucene.apache.org/solr/guide/7_2/index-replication.html  this also 
indicates the config is in plain text.



username
password


Please let me know how I can use the same encrypted password as in 
Security.json when setting up Master/Slave Replication for Solr.

Thx
-Syed Ahmed.

Re: Setting Up Solr Authentication/Authorization

[Shawn Heisey]

On 3/9/2018 9:27 AM, Terry Steichen wrote:
> I'm trying to set up basic authentication/authorization with solr 6.6.0.
>
> The documentation says to create a security.json file and describes the
> content as:
>
> {
> "authentication":{
>"class":"solr.BasicAuthPlugin",
>"credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= 
> Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
> },
> "authorization":{
>"class":"solr.RuleBasedAuthorizationPlugin",
>"permissions":[{"name":"security-edit",
>   "role":"admin"}]
>"user-role":{"solr":"admin"}
> }}
>
> Does that mean to literally use exactly the above as the security.json 
> content, or customize it (in some fashion)?

Initial disclaimer: I have never used the authentication plugins
myself.  But I have seen what people on this mailing list get told when
they ask about it.

If you can figure out how to customize that file from the documentation
to do something that you need, then feel free to customize it.  But see
info below about passwords.

> The documentation  also mentions that the initial admin person is a user 
> named "solr" with a password: "SolrRocks"  What's unclear is whether that's 
> the password on which the hash (in security.json) was created or what?
>
> What I can't figure out is whether the password hash is fixed, or whether it 
> should be generated, and if so, how?

Last I checked, the Solr documentation does NOT explain how to create a
hash in security.json from a password.  It does list the *type* of hash,
which is sha256, password+salt.

With a little bit of research and a lot of trial and error, it is
possible to figure out how to create a valid hash with a tool like openssl.

What some people have done to customize user/password is use that
'solr/SolrRocks' login to *create* another login using the
authentication API, then once they're sure everything's working, access
the API again with the new user to delete the well-documented user.

http://lucene.apache.org/solr/guide/7_2/basic-authentication-plugin.html#editing-authentication-plugin-configuration

> Also, some people on the web recommend altering the jetty xml files to do 
> this - is it necessary too?

The servlet container (almost always Jetty if you're running version 5.0
or later) is capable of doing authentication, completely independently
of whatever software is running inside it.  But configuring that
authentication involves customization of software that is completely
separate from Solr.  The security.json method is a configuration for
Solr, which then programmatically configures the vanilla Jetty install
to do authentication.

Thanks,
Shawn

Setting Up Solr Authentication/Authorization

[Terry Steichen]

I'm trying to set up basic authentication/authorization with solr 6.6.0.

The documentation says to create a security.json file and describes the
content as:

{
"authentication":{
   "class":"solr.BasicAuthPlugin",
   "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= 
Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
},
"authorization":{
   "class":"solr.RuleBasedAuthorizationPlugin",
   "permissions":[{"name":"security-edit",
  "role":"admin"}]
   "user-role":{"solr":"admin"}
}}

Does that mean to literally use exactly the above as the security.json content, 
or customize it (in some fashion)?

The documentation  also mentions that the initial admin person is a user named 
"solr" with a password: "SolrRocks"  What's unclear is whether that's the 
password on which the hash (in security.json) was created or what?

What I can't figure out is whether the password hash is fixed, or whether it 
should be generated, and if so, how?

Also, some people on the web recommend altering the jetty xml files to do this 
- is it necessary too?

I'm certain this is fairly simple once I can get started - but I'm having 
trouble getting past step 1, and any help would be appreciated.

Terry

Re: Solr CDCR doesn't work if the authentication is enabled

[Amrit Sarkar]

Nice. Can you please post the details on the JIRA too if possible:
https://issues.apache.org/jira/browse/SOLR-11959 and we can probably put up
a small patch of adding this bit of information in official documentation.

Amrit Sarkar
Search Engineer
Lucidworks, Inc.
415-589-9269
www.lucidworks.com
Twitter http://twitter.com/lucidworks
LinkedIn: https://www.linkedin.com/in/sarkaramrit2
Medium: https://medium.com/@sarkaramrit2

On Mon, Mar 5, 2018 at 8:11 PM, dimaf <friz...@gmail.com> wrote:

> To resolve the issue, I added names of Source node to /live_nodes of
> Target.
> https://stackoverflow.com/questions/48790621/solr-cdcr-doesnt-work-if-the-
> authentication-is-enabled
> <https://stackoverflow.com/questions/48790621/solr-cdcr-
> doesnt-work-if-the-authentication-is-enabled>
>
>
>
> --
> Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html
>

Re: Solr CDCR doesn't work if the authentication is enabled

[dimaf]

To resolve the issue, I added names of Source node to /live_nodes of Target.
https://stackoverflow.com/questions/48790621/solr-cdcr-doesnt-work-if-the-authentication-is-enabled
<https://stackoverflow.com/questions/48790621/solr-cdcr-doesnt-work-if-the-authentication-is-enabled>
  



--
Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html

Authentication and distributed search in 7.2.1

[Peter Sturge]

Hi,
In 7.2.1 there's the authentication module and associated security.json
file, which works well for single cores. (Note: standalone mode, no
SolrCloud)
It doesn't appear to work with distributed searches, including multi-shard
local searches .
  e.g. shards=localhost:8983/solr/core1,localhost:8983/solr/core2

Even when shards is just a single core  - shards=localhost:8983/solr/core1,
if the base search is to a different core (e.g.
http://localhost:8983/solr/somecore/select?
shards=localhost:8983/solr/core1.. , no error and no results are returned
status=0 numfound=0.

Can anyone please confirm if Solr 7 authentication does/doesn't support
distributed/sharded searches?

Many thanks,
Peter

Re: security authentication API via solrj?

[Peter Sturge]

Hi,

Thanks for your response.
I've done this using the 'raw' rest style, as I'm not familiar enough with
the new solrj client.
It would be quite nice to have a native solrj class for handling security
mgt operations (add/delete users, roles etc.)..kind of like the
CoreAdmin/CollectionAdmin/Configset etc.

Thanks,
Peter



On Mon, Feb 26, 2018 at 1:13 AM, Shawn Heisey <elyog...@elyograg.org> wrote:

> On 2/25/2018 1:28 PM, Peter Sturge wrote:
>
>> I was wondering if 7.2.1 solrj had native support for the
>> security/authentication endpoint? I couldn't find anything in the docs
>> about it, but maybe someone has some experience with it?
>> Note: This is about adding/deleting users on a solr instance using solrj,
>> not authenticating (that is well documented).
>>
>
> At first I was looking for how to use authentication with SolrJ. I came up
> with this:
>
> 
> Looks like this is not available when using the sugar objects like
> SolrQuery.  To use authentication, it seems you have to create the request
> objects yourself.
>
> https://lucene.apache.org/solr/guide/7_2/basic-authenticatio
> n-plugin.html#using-basic-auth-with-solrj
> 
>
> Then I noticed you were talking about the actual security endpoint --
> adding users.
>
> I have been looking over the objects available in SolrJ, and I do not see
> anything useful.  It looks like you might need a new request object class,
> implemented similar to DirectXMLRequest, but using JSON and not XML.  It
> might be possible to make it an implicitly defined class rather than
> creating a whole class file.
>
> A proper sugar class for handling the security endpoint should be
> created.  I would do it, but I'm not sure how.
>
> Thanks,
> Shawn
>
>

Re: security authentication API via solrj?

[Shawn Heisey]

On 2/25/2018 1:28 PM, Peter Sturge wrote:

I was wondering if 7.2.1 solrj had native support for the
security/authentication endpoint? I couldn't find anything in the docs
about it, but maybe someone has some experience with it?
Note: This is about adding/deleting users on a solr instance using solrj,
not authenticating (that is well documented).


At first I was looking for how to use authentication with SolrJ. I came 
up with this:



Looks like this is not available when using the sugar objects like 
SolrQuery.  To use authentication, it seems you have to create the 
request objects yourself.


https://lucene.apache.org/solr/guide/7_2/basic-authentication-plugin.html#using-basic-auth-with-solrj


Then I noticed you were talking about the actual security endpoint -- 
adding users.


I have been looking over the objects available in SolrJ, and I do not 
see anything useful.  It looks like you might need a new request object 
class, implemented similar to DirectXMLRequest, but using JSON and not 
XML.  It might be possible to make it an implicitly defined class rather 
than creating a whole class file.


A proper sugar class for handling the security endpoint should be 
created.  I would do it, but I'm not sure how.


Thanks,
Shawn

security authentication API via solrj?

[Peter Sturge]

Hi,
I was wondering if 7.2.1 solrj had native support for the
security/authentication endpoint? I couldn't find anything in the docs
about it, but maybe someone has some experience with it?
Note: This is about adding/deleting users on a solr instance using solrj,
not authenticating (that is well documented).
Thanks,
Peter

Re: Solr Basic Authentication setup issue (password SolrRocks not accepted) on Solr6.1.0/Zkp3.4.6

[Atita Arora]

Hi,

I tried the same on version 7.0.1 and it works with the same json.
However , I remember setting this up for another client who used the same
version and they reported similar issues.
They later planned an upgrade to resolve this.

I would also advice you to look into SOLR-9188
<https://issues.apache.org/jira/browse/SOLR-9188> &  SOLR-9640
<https://issues.apache.org/jira/browse/SOLR-9640>.
The internode communication is a buggy feature as far as I believe in
BasicAuth Solr V6.1 which eventually got fixed in later versions.

Thanks,
Atita


On Fri, Feb 23, 2018 at 1:25 PM, Tarjono, C. A. <c.a.tarj...@accenture.com>
wrote:

> Dear All,
>
>
>
> We are trying to implement basic authentication in our solrcloud
> implementation. We followed the PDF (for version 6.1.0) as below:
>
>1. Start Solr
>2. Created security.json
>
> {
>
> "authentication":{
>
> "blockUnknown": true,
>
> "class":"solr.BasicAuthPlugin",
>
> "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+
> z1oBbnQdiVC3otuq0=Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
>
> },
>
> "authorization":{
>
> "class":"solr.RuleBasedAuthorizationPlugin",
>
> "permissions":[{"name":"security-edit",
> "role":"admin"}],
>
> "user-role":{"solr":"admin"}
>
> }
>
> }
>
>1. Uploaded the new security.json with below command
>
> # ./zkcli.sh -zkhost localhost:2181 -cmd putfile /security.json
> /u02/solr/setup/security.json
>
>1. Open up the solr admin page and prompted with authentication
>2. We try inputting username “solr” and password “SolrRocks” but it
>will not authenticate.
>
>
>
>
>
> From what I understand, that username/password combination is the default
> that will have to be changed later. Any ideas why it is not working?
>
> We tried to check for special characters in the encrypted password, there
> was none. For now we are removing the flag “blockUnknown” as a workaround.
>
>
>
> We are using SolrCloud 6.1.0 and Zookeeper 3.4.6 (ensamble) in our setup.
> Appreciate the input.
>
>
>
>
>
> Best Regards,
>
>
>
> Christopher Tarjono
>
> *Accenture Pte Ltd*
>
>
>
> +65 9347 2484
>
> c.a.tarj...@accenture.com
>
>
>
> --
>
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise confidential information. If you have
> received it in error, please notify the sender immediately and delete the
> original. Any other use of the e-mail by you is prohibited. Where allowed
> by local law, electronic communications with Accenture and its affiliates,
> including e-mail and instant messaging (including content), may be scanned
> by our systems for the purposes of information security and assessment of
> internal compliance with Accenture policy.
> 
> __
>
> www.accenture.com
>

Solr Basic Authentication setup issue (password SolrRocks not accepted) on Solr6.1.0/Zkp3.4.6

[Tarjono, C. A.]

Dear All,

We are trying to implement basic authentication in our solrcloud 
implementation. We followed the PDF (for version 6.1.0) as below:

  1.  Start Solr
  2.  Created security.json
{
"authentication":{
"blockUnknown": true,
"class":"solr.BasicAuthPlugin",

"credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
},
"authorization":{
"class":"solr.RuleBasedAuthorizationPlugin",
"permissions":[{"name":"security-edit", 
"role":"admin"}],
"user-role":{"solr":"admin"}
}
}


  1.  Uploaded the new security.json with below command

# ./zkcli.sh -zkhost localhost:2181 -cmd putfile /security.json 
/u02/solr/setup/security.json

  1.  Open up the solr admin page and prompted with authentication
  2.  We try inputting username "solr" and password "SolrRocks" but it will not 
authenticate.




>From what I understand, that username/password combination is the default that 
>will have to be changed later. Any ideas why it is not working?
We tried to check for special characters in the encrypted password, there was 
none. For now we are removing the flag "blockUnknown" as a workaround.

We are using SolrCloud 6.1.0 and Zookeeper 3.4.6 (ensamble) in our setup. 
Appreciate the input.


Best Regards,

Christopher Tarjono
Accenture Pte Ltd

+65 9347 2484
c.a.tarj...@accenture.com
[cid:image003.jpg@01D3ACBE.B7B3BD50]




This message is for the designated recipient only and may contain privileged, 
proprietary, or otherwise confidential information. If you have received it in 
error, please notify the sender immediately and delete the original. Any other 
use of the e-mail by you is prohibited. Where allowed by local law, electronic 
communications with Accenture and its affiliates, including e-mail and instant 
messaging (including content), may be scanned by our systems for the purposes 
of information security and assessment of internal compliance with Accenture 
policy.
__

www.accenture.com

Solr CDCR doesn't work if the authentication is enabled

[dimaf]

I set up CDCR in my test environment and it worked perfectly until I uploaded
security.json files to Zookeeper clusters of a Target and a Source
SolrClouds. security.json files are identical for both Clouds as well as
collections name.
The Source has the next errors:

org.apache.solr.client.solrj.impl.CloudSolrClient$RouteException: Error from
server at http://target_node:port/solr/col01_shard1_replica1: Expected mime
type application/octet-stream but got text/html. 
...
Error 401 Unauthorized request, Response code: 401

Any idea how should I fix it?
Thanks!




--
Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html

Re: Using SolrJ for digest authentication

[ddramireddy]

It's running only once. When request went from client from tomcat first-time,
tomcat sent response with "WWW-Authenticate" header with nonce value, asking
to complete the challenge. This challenge is processed. But apache http
client library is checking whether request is "repeatable" or not. This
validation is getting failed and following error is thrown.

"org.apache.http.client.NonRepeatableRequestException: Cannot retry request
with a non-repeatable request entity."

I am able to make POST call by directly calling apache http client library
with the following code. But, when I used solrj, I am getting this error.
"org.apache.http.client.NonRepeatableRequestException: Cannot retry request
with a non-repeatable request entity.". I can see solrj is setting
"isrepeatable" to false in httpsolrclient.java

Working code - When called directly using apache http library:

HttpHost target = HttpHost.create("localhost:9000");
CredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(
new AuthScope(target.getHostName(), target.getPort()),
new UsernamePasswordCredentials("solr", "testpassword"));
CloseableHttpClient httpclient = HttpClients.custom()
.setDefaultCredentialsProvider(credsProvider)
.build();
try {

AuthCache authCache = new BasicAuthCache();
DigestScheme digestAuth = new DigestScheme();
digestAuth.overrideParamter("realm", "Solr");
authCache.put(target, digestAuth);

// Add AuthCache to the execution context
HttpClientContext localContext = HttpClientContext.create();
localContext.setAuthCache(authCache);


HttpPost httpPost = new
HttpPost("http://localhost:9000/solr/account/update?commit=true;);
httpPost.setHeader("Content-type", "text/xml");
StringEntity stringEntity = new
StringEntity("*:*");
httpPost.getRequestLine();
httpPost.setEntity(stringEntity);
System.out.println("Executing request " +
httpPost.getRequestLine() + " to target " + target);
for (int i = 0; i < 3; i++) {
CloseableHttpResponse response =
httpclient.execute(httpPost, localContext);
try {
   
System.out.println("");
System.out.println(response.getStatusLine());
   
System.out.println(EntityUtils.toString(response.getEntity()));
} finally {
response.close();
}
}

} finally {
httpclient.close();
} 


Failing code:


public class TestSolrWithDigest {
public static void main(String[] args) {
try {
HttpSolrClient solrClient = initialiseSOLRClient();
try {

solrClient.deleteByQuery("account", "*:*");
UpdateResponse updateResponse =
solrClient.commit("account");
System.out.println(updateResponse.getStatus());
System.out.println("completed");
final ModifiableSolrParams pStatus = new
ModifiableSolrParams();
pStatus.add("qt", "/dataimport");

final QueryResponse resp = solrClient.query("account",
pStatus, SolrRequest.METHOD.GET);
System.out.println("status:" + resp.getStatus());

} catch (final SolrServerException | IOException exn) {

throw new IllegalStateException(exn);
}

} catch (Exception e) {
e.printStackTrace(System.err);
}


}

private static HttpSolrClient initialiseSOLRClient() {
URL solrURL = null;
try {
solrURL = new URL("http://localhost:9000/solr;);
} catch (MalformedURLException e) {
System.out.println("Cannot parse the SOLR URL!!" +
"http://localhost:9000/solr;);

}
String host = solrURL.getHost();
int port = solrURL.getPort();

AuthScope authScope = new AuthScope(host, port, "Solr", "Digest");

UsernamePasswordCredentials creds = new
UsernamePasswordCredentials("solr", "testpassword");

CredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(
authScope,
creds);

HttpClientBuilder builder = create();
builder.addInterceptorFirst(new PreemptiveAuthInterceptor());
builder.setDefaultCredentialsProvider(credsProvider);
CloseableHttpClient httpClient = builder.build();

return new HttpSolrClient.Builder()
.withBaseSolrUrl("http://localhost:9000/solr;)
.withHttpClient(httpClient)
.build();
}

static class PreemptiveAuthInterceptor implements HttpRequestInterceptor
{

public void process(final 

Re: Using SolrJ for digest authentication

[Rick Leir]

Eddy
Maybe your request is getting through twice. Check your logs to see.
Cheers -- Rick

On January 31, 2018 5:59:53 AM EST, ddramireddy <ddramire...@gmail.com> wrote:
>We are currently deploying Solr in war mode(Yes, recommendation is not
>war.
>But this is something I can't change now. Planned for future). I am
>setting
>authentication for solr. As Solr provided basic authentication is not
>working in Solr 6.4.2, I am setting up digest authentication in tomcat
>for
>Solr. I am able to login into Solr admin application using credentials.
>
>Now from my Java application, when I try to run a query, which will
>delete
>documents in a core, it's throwing following error.
>
>org.apache.http.client.NonRepeatableRequestException: Cannot retry
>request
>with a non-repeatable request entity
>
>I can see in HttpSolrClient, we are setting only basic authentication.
>But,
>I am using Digest auth. Did anyone faced this error before??
>
>This is my code:
>
>public static void main(String[] args) throws ClassNotFoundException,
>SQLException, InterruptedException, IOException, SolrServerException {
>HttpSolrClient solrClient = getSolrHttpClient("solr",
>"testpassword");
>
>try {
>solrClient.deleteByQuery("account", "*:*");
>solrClient.commit("account");
>} catch (final SolrServerException | IOException exn) {
>throw new IllegalStateException(exn);
>}
>}
>
>private static HttpSolrClient getSolrHttpClient(final String userName,
>final
>String password) {
>
>final HttpSolrClient solrClient = new HttpSolrClient.Builder()
>  .withBaseSolrUrl("http://localhost:9000/solr/index.html;)
>.withHttpClient(getHttpClientWithSolrAuth(userName,
>password))
>.build();
>
>return solrClient;
>}
>
>private static HttpClient getHttpClientWithSolrAuth(final String
>userName, final String password) {
>   final CredentialsProvider provider = new BasicCredentialsProvider();
>final UsernamePasswordCredentials credentials
>= new UsernamePasswordCredentials(userName, password);
>provider.setCredentials(AuthScope.ANY, credentials);
>
>
>return HttpClientBuilder.create()
>.addInterceptorFirst(new PreemptiveAuthInterceptor())
>.setDefaultCredentialsProvider(provider)
>.build();
>
>}
>
>
>static class PreemptiveAuthInterceptor implements
>HttpRequestInterceptor
>{
>
>DigestScheme digestAuth = new DigestScheme();
>
>PreemptiveAuthInterceptor() {
>
>}
>
>@Override
>   public void process(final HttpRequest request, final HttpContext
>context)
>throws HttpException, IOException {
>final AuthState authState = (AuthState)
>context.getAttribute(HttpClientContext.TARGET_AUTH_STATE);
>
>  if (authState != null && authState.getAuthScheme() == null) {
>final CredentialsProvider credsProvider =
>(CredentialsProvider)
>context.getAttribute(HttpClientContext.CREDS_PROVIDER);
>final HttpHost targetHost = (HttpHost)
>context.getAttribute(HttpCoreContext.HTTP_TARGET_HOST);
> final Credentials creds = credsProvider.getCredentials(new
>AuthScope(targetHost.getHostName(), targetHost.getPort(), "Solr",
>"DIGEST"));
>if (creds == null) {
>System.out.println("No credentials for preemptive
>authentication");
>}
>digestAuth.overrideParamter("realm", "Solr");
>digestAuth.overrideParamter("nonce", Long.toString(new
>Random().nextLong(), 36));
>AuthCache authCache = new BasicAuthCache();
>    authCache.put(targetHost, digestAuth);
>
>// Add AuthCache to the execution context
>   HttpClientContext localContext = HttpClientContext.create();
>localContext.setAuthCache(authCache);
>
>  request.addHeader(digestAuth.authenticate(creds, request,
>localContext));
>} else {
>System.out.println("authState is null. No preemptive
>authentication.");
>}
>}
>}
>
>
>
>--
>Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html

-- 
Sorry for being brief. Alternate email is rickleir at yahoo dot com 

Using SolrJ for digest authentication

[ddramireddy]

We are currently deploying Solr in war mode(Yes, recommendation is not war.
But this is something I can't change now. Planned for future). I am setting
authentication for solr. As Solr provided basic authentication is not
working in Solr 6.4.2, I am setting up digest authentication in tomcat for
Solr. I am able to login into Solr admin application using credentials.

Now from my Java application, when I try to run a query, which will delete
documents in a core, it's throwing following error.

org.apache.http.client.NonRepeatableRequestException: Cannot retry request
with a non-repeatable request entity

I can see in HttpSolrClient, we are setting only basic authentication. But,
I am using Digest auth. Did anyone faced this error before??

This is my code:

public static void main(String[] args) throws ClassNotFoundException,
SQLException, InterruptedException, IOException, SolrServerException {
HttpSolrClient solrClient = getSolrHttpClient("solr",
"testpassword");

try {
solrClient.deleteByQuery("account", "*:*");
solrClient.commit("account");
} catch (final SolrServerException | IOException exn) {
throw new IllegalStateException(exn);
}
}

private static HttpSolrClient getSolrHttpClient(final String userName, final
String password) {

final HttpSolrClient solrClient = new HttpSolrClient.Builder()
.withBaseSolrUrl("http://localhost:9000/solr/index.html;)
.withHttpClient(getHttpClientWithSolrAuth(userName,
password))
.build();

return solrClient;
}

private static HttpClient getHttpClientWithSolrAuth(final String
userName, final String password) {
final CredentialsProvider provider = new BasicCredentialsProvider();
final UsernamePasswordCredentials credentials
= new UsernamePasswordCredentials(userName, password);
provider.setCredentials(AuthScope.ANY, credentials);


return HttpClientBuilder.create()
.addInterceptorFirst(new PreemptiveAuthInterceptor())
.setDefaultCredentialsProvider(provider)
.build();

}


static class PreemptiveAuthInterceptor implements HttpRequestInterceptor
{

DigestScheme digestAuth = new DigestScheme();

PreemptiveAuthInterceptor() {

}

@Override
public void process(final HttpRequest request, final HttpContext
context)
throws HttpException, IOException {
final AuthState authState = (AuthState)
context.getAttribute(HttpClientContext.TARGET_AUTH_STATE);

if (authState != null && authState.getAuthScheme() == null) {
final CredentialsProvider credsProvider =
(CredentialsProvider)
context.getAttribute(HttpClientContext.CREDS_PROVIDER);
final HttpHost targetHost = (HttpHost)
context.getAttribute(HttpCoreContext.HTTP_TARGET_HOST);
final Credentials creds = credsProvider.getCredentials(new
AuthScope(targetHost.getHostName(), targetHost.getPort(), "Solr",
"DIGEST"));
if (creds == null) {
    System.out.println("No credentials for preemptive
authentication");
}
digestAuth.overrideParamter("realm", "Solr");
digestAuth.overrideParamter("nonce", Long.toString(new
Random().nextLong(), 36));
AuthCache authCache = new BasicAuthCache();
authCache.put(targetHost, digestAuth);

// Add AuthCache to the execution context
HttpClientContext localContext = HttpClientContext.create();
localContext.setAuthCache(authCache);

request.addHeader(digestAuth.authenticate(creds, request,
localContext));
} else {
System.out.println("authState is null. No preemptive
authentication.");
}
}
}



--
Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html

configuring zookeeper authentication and authorization

[suresh pendap]

Hi,
I am following the Solr documentation to configure ZK authentication and
ACLS from here
https://lucene.apache.org/solr/guide/6_6/zookeeper-access-control.html

I am planning to go with MD5 Digest authentication mechanism

I am assuming that you still have to enable authentication on the Zookeeper
server side.

Is that correct?


The zookeeper documentation for configuring authentication is not very easy
to follow.

I am trying to follow this document
https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication

The above page seem to mix the instructions for SASL and DIGEST
authentication schemes and it is very hard to follow.

Is there a better resource or documentation that I can follow?



-suresh

Re: Authentication for Solr 6.4.2 , when deployed as WAR in tomcat

[Shawn Heisey]

On 1/22/2018 6:27 AM, D Dasaradha Rami Reddy wrote:
> We have solr 6.4.2 currently deployed as war in tomcat. It doesn't have 
> authentication now. I want to setup the authentication for solr. When it 
> deployed as war in tomcat, The process specified in below page is not 
> working, Even after adding security.json in solr home directory, curl request 
> of authentication says it’s not configured.
>
> https://lucene.apache.org/solr/guide/6_6/authentication-and-authorization-plugins.html#AuthenticationandAuthorizationPlugins-EnablePluginswithsecurity.json
>
> Did anyone did this before? If so, please guide me.

This isn't working because a minimum version of 6.5.0 is required to
support security.json in standalone mode.  Prior to that version, it
only worked in SolrCloud mode -- security.json was read from ZooKeeper.

https://issues.apache.org/jira/browse/SOLR-9481

You should also know that by running in Tomcat, you're running an
unsupported configuration.  Solr hasn't shipped with a war file since
version 5.3.0, and the "war" build target didn't exist in 6.4.2, so I'm
curious how you could have a war file at all.

https://wiki.apache.org/solr/WhyNoWar

Thanks,
Shawn

Authentication for Solr 6.4.2 , when deployed as WAR in tomcat

[D Dasaradha Rami Reddy]

Hi All,

We have solr 6.4.2 currently deployed as war in tomcat. It doesn't have 
authentication now. I want to setup the authentication for solr. When it 
deployed as war in tomcat, The process specified in below page is not working, 
Even after adding security.json in solr home directory, curl request of 
authentication says it’s not configured.

https://lucene.apache.org/solr/guide/6_6/authentication-and-authorization-plugins.html#AuthenticationandAuthorizationPlugins-EnablePluginswithsecurity.json

Did anyone did this before? If so, please guide me.

Thanks

Rami Reddy

Authentication Plugin

[Chris Ulicny]

Hi all,

We've got a solrcloud cluster set up on 6.3.0 with the BasicAuthentication
plugin enabled. All of the hosts are time synchronized using ntp and are on
the same network switch.

We're periodically experiencing issues where follower replicas are put into
down states by the leader in the case of requests that failed due to
invalid timestamps. To minimize the issue we've increased the pkiauth.ttl
value to 1, and that seems to have taken care of most of the
occurrences.

As vague as the question is, is there anything specific with solr that we
could look into that would affect the requests having invalid keys?

We are working on tracking ntp's performance in case there was some sort of
lapse, but everything we've seen puts the hosts within around 20
milliseconds of each other at worst.

Possibly related but only noticed yesterday. A request for recovery was
sent from a leader to a follower replica and it didn't seem to have an
authorization header, and the wrong user was chosen.

2017-12-19 23:10:44.764 INFO  (qtp759156157-8224123) [   ]
o.a.s.s.RuleBasedAuthorizationPlugin This resource is configured to have a
permission {
  "name":"core-admin-edit",
  "role":"admin"}, The principal [principal: solrwriter] does not have the
right role
2017-12-19 23:10:44.765 INFO  (qtp759156157-8224123) [   ]
o.a.s.s.HttpSolrCall USER_REQUIRED auth header null context :
userPrincipal: [[principal: solrwriter]] type: [ADMIN], collections: [],
Path: [/admin/cores] path : /admin/cores params
:core=Feeds_shard11_replica2=REQUESTRECOVERY=javabin=2

How does solr determine what user/authentication to use for inter-node
requests? Are there any of the predefined permissions that we shouldn't
have assigned to a user that are causing this?

Thanks,
Chris

Selective Solr + Zookeeper Authentication on Admin Console

[Moe Kamal]

Need feedback/help enabling authentication on my Solr admin console without
it also breaking integration (401 response) with another app (Adobe AEM).
I'm running Solr with Zookeeper and enabled admin UI Authentication via
security.json as described here:
Https://lucene.apache.org/solr/guide/6_6/authentication-and-authorization-plugins.html


Using "blockUnknown":true," in the JSON works great for authentication on
the admin console, but how do I go about having it authenticate ONLY on the
console, allowing Http requests from my app to pass through without
authentication.

Any feedback would be most appreciated. Thank You.

Re: authentication

[Jason Gerlowski]

Hey Arkadi,

Your "nagios" user is under "role_monitoring", which has "config-read"
permissions.  The default config-read gets you access to the Config
API and Request Parameters API, but not the /admin/mbeans API (afaik).

See 
https://lucene.apache.org/solr/guide/6_6/rule-based-authorization-plugin.html#Rule-BasedAuthorizationPlugin-PredefinedPermissions
for a bit more explanation.

I think you'll need to update the configured permissions to allow
access to /admin/mbeans.  (The linked page above is a good reference
for that as well).

Best,

Jason

On Thu, Nov 16, 2017 at 8:06 AM, Arkadi Colson <ark...@smartbit.be> wrote:
> Hi
>
> I'm having trouble with setting up authentication. My security.json looks
> like this:
>
> {
> "authentication":{
> "class":"solr.BasicAuthPlugin",
> "blockUnknown": false,
> "credentials":{
> "admin":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
> Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=",
> "nagios":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
> Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=",
> "smsc":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
> Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="
> }
> },
> "authorization":{
> "class":"solr.RuleBasedAuthorizationPlugin",
> "user-role":{
> "admin":"role_admin",
> "nagios":"role_monitoring",
> "smsc":"role_smsc"
> },
> "permissions":[
> {
> "name":"all",
> "role":"role_admin"
> },
> {
> "name":"config-read",
> "role":"role_monitoring"
> },
> {
> "name":"read",
> "role":"role_smsc"
> },
> {
> "name":"update",
> "role":"role_smsc"
> }
> ]
> }
> }
>
> When trying to login with for example check_solr_metrics.pl and the nagios
> user the output is "CRITICAL: 403 Unauthorized request, Response code: 403".
> Solr logging is showing these lines:
>
> DEBUG - 2017-11-16 13:42:51.785; [c:smsc_lvs s:shard2 r:core_node1
> x:smsc_lvs_shard2_replica1] org.apache.solr.servlet.SolrDispatchFilter;
> Request to authenticate: Request(GET
> //solr01:8983/solr/mydoc/admin/mbeans?stats=true=UPDATE=%2Fupdate=off=json=0=3)@2722dc57,
> domain: 10.1.1.42, port: 8983
> DEBUG - 2017-11-16 13:42:51.786; [c:smsc_lvs s:shard2 r:core_node1
> x:smsc_lvs_shard2_replica1] org.apache.solr.servlet.SolrDispatchFilter; User
> principal: [principal: nagios]
> DEBUG - 2017-11-16 13:42:51.786; [c:smsc_mydoc s:shard1 r:core_node2
> x:smsc_mydoc_shard1_replica1] org.apache.solr.servlet.HttpSolrCall;
> PkiAuthenticationPlugin says authorization required : true
> DEBUG - 2017-11-16 13:42:51.786; [c:smsc_mydoc s:shard1 r:core_node2
> x:smsc_mydoc_shard1_replica1] org.apache.solr.servlet.HttpSolrCall;
> AuthorizationContext : userPrincipal: [[principal: nagios]] type: [UNKNOWN],
> collections: [smsc_mydoc, smsc_mydoc,], Path: [/admin/mbeans] path :
> /admin/mbeans params
> :stats=true=off=UPDATE=0=3=json=/update=smsc_mydoc
> INFO  - 2017-11-16 13:42:51.786; [c:smsc_mydoc s:shard1 r:core_node2
> x:smsc_mydoc_shard1_replica1]
> org.apache.solr.security.RuleBasedAuthorizationPlugin; This resource is
> configured to have a permission {
>   "name":"all",
>   "role":"role_admin"}, The principal [principal: nagios] does not have the
> right role
> INFO  - 2017-11-16 13:42:51.787; [c:smsc_mydoc s:shard1 r:core_node2
> x:smsc_mydoc_shard1_replica1] org.apache.solr.servlet.HttpSolrCall;
> USER_REQUIRED auth header Basic bmFnaW9zOlNvbHJSb2Nrcw== context :
> userPrincipal: [[principal: nagios]] type: [UNKNOWN], collections:
> [smsc_mydoc, smsc_mydoc,], Path: [/admin/mbeans] path : /admin/mbeans params
> :stats=true=off=UPDATE=0=3=json=/update=smsc_mydoc
> DEBUG - 2017-11-16 13:42:51.787; [c:smsc_mydoc s:shard1 r:core_node2
> x:smsc_mydoc_shard1_replica1] org.apache.solr.servlet.HttpSolrCall; Closing
> out SolrRequest:
> {stats=true=off=UPDATE=0=3=json=/update=smsc_mydoc}
>
> Anybody an idea what I'm doing wrong here?
>
> Thx!
> Arkadi

authentication

[Arkadi Colson]

Hi

I'm having trouble with setting up authentication. My security.json 
looks like this:


{
    "authentication":{
    "class":"solr.BasicAuthPlugin",
    "blockUnknown": false,
    "credentials":{
"admin":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= 
Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=",
"nagios":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= 
Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=",
"smsc":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= 
Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="

    }
    },
    "authorization":{
    "class":"solr.RuleBasedAuthorizationPlugin",
    "user-role":{
    "admin":"role_admin",
    "nagios":"role_monitoring",
    "smsc":"role_smsc"
    },
    "permissions":[
    {
    "name":"all",
    "role":"role_admin"
    },
    {
    "name":"config-read",
    "role":"role_monitoring"
    },
    {
    "name":"read",
    "role":"role_smsc"
    },
    {
    "name":"update",
    "role":"role_smsc"
    }
    ]
    }
}

When trying to login with for example check_solr_metrics.pl and the 
nagios user the output is "CRITICAL: 403 Unauthorized request, Response 
code: 403". Solr logging is showing these lines:


DEBUG - 2017-11-16 13:42:51.785; [c:smsc_lvs s:shard2 r:core_node1 
x:smsc_lvs_shard2_replica1] org.apache.solr.servlet.SolrDispatchFilter; 
Request to authenticate: Request(GET 
//solr01:8983/solr/mydoc/admin/mbeans?stats=true=UPDATE=%2Fupdate=off=json=0=3)@2722dc57, 
domain: 10.1.1.42, port: 8983
DEBUG - 2017-11-16 13:42:51.786; [c:smsc_lvs s:shard2 r:core_node1 
x:smsc_lvs_shard2_replica1] org.apache.solr.servlet.SolrDispatchFilter; 
User principal: [principal: nagios]
DEBUG - 2017-11-16 13:42:51.786; [c:smsc_mydoc s:shard1 r:core_node2 
x:smsc_mydoc_shard1_replica1] org.apache.solr.servlet.HttpSolrCall; 
PkiAuthenticationPlugin says authorization required : true
DEBUG - 2017-11-16 13:42:51.786; [c:smsc_mydoc s:shard1 r:core_node2 
x:smsc_mydoc_shard1_replica1] org.apache.solr.servlet.HttpSolrCall; 
AuthorizationContext : userPrincipal: [[principal: nagios]] type: 
[UNKNOWN], collections: [smsc_mydoc, smsc_mydoc,], Path: [/admin/mbeans] 
path : /admin/mbeans params 
:stats=true=off=UPDATE=0=3=json=/update=smsc_mydoc
INFO  - 2017-11-16 13:42:51.786; [c:smsc_mydoc s:shard1 r:core_node2 
x:smsc_mydoc_shard1_replica1] 
org.apache.solr.security.RuleBasedAuthorizationPlugin; This resource is 
configured to have a permission {

  "name":"all",
  "role":"role_admin"}, The principal [principal: nagios] does not have 
the right role
INFO  - 2017-11-16 13:42:51.787; [c:smsc_mydoc s:shard1 r:core_node2 
x:smsc_mydoc_shard1_replica1] org.apache.solr.servlet.HttpSolrCall; 
USER_REQUIRED auth header Basic bmFnaW9zOlNvbHJSb2Nrcw== context : 
userPrincipal: [[principal: nagios]] type: [UNKNOWN], collections: 
[smsc_mydoc, smsc_mydoc,], Path: [/admin/mbeans] path : /admin/mbeans 
params 
:stats=true=off=UPDATE=0=3=json=/update=smsc_mydoc 

DEBUG - 2017-11-16 13:42:51.787; [c:smsc_mydoc s:shard1 r:core_node2 
x:smsc_mydoc_shard1_replica1] org.apache.solr.servlet.HttpSolrCall; 
Closing out SolrRequest: 
{stats=true=off=UPDATE=0=3=json=/update=smsc_mydoc}


Anybody an idea what I'm doing wrong here?

Thx!
Arkadi