"However, after uploading the new security.json and restarting the
web browser,"

The browser remembers your login, so it is unlikely to prompt for the
credentials again.

Why don't you try the RELOAD operation using the command line (curl)?

On Tue, Sep 1, 2015 at 10:31 PM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
> The restart issues aside, I’m trying to lockdown usage of the Collections 
> API, but that also does not seem to be working either.
>
> Here is my security.json.  I’m using the “collection-admin-edit” permission 
> and assigning it to the “adminRole”.  However, after uploading the new 
> security.json and restarting the web browser, it doesn’t seem to be requiring 
> credentials when calling the RELOAD action on the Collections API.  The only 
> thing that seems to work is the custom permission “browse” which is requiring 
> authentication before allowing me to pull up the page.  Am I using the 
> permissions correctly for the RuleBasedAuthorizationPlugin?
>
> {
>         "authentication":{
>            "class":"solr.BasicAuthPlugin",
>            "credentials": {
>                         "admin":"<pass> <salt>",
>                         "user": "<pass> <salt>"
>                 }
>         },
>         "authorization":{
>            "class":"solr.RuleBasedAuthorizationPlugin",
>            "permissions": [
>                         {
>                                 "name":"security-edit",
>                                 "role":"adminRole"
>                         },
>                         {
>                                 "name":"collection-admin-edit",
>                                 "role":"adminRole"
>                         },
>                         {
>                                 "name":"browse",
>                                 "collection": "inventory",
>                                 "path": "/browse",
>                                 "role":"browseRole"
>                         }
>                 ],
>            "user-role": {
>                         "admin": [
>                                 "adminRole",
>                                 "browseRole"
>                         ],
>                         "user": [
>                                 "browseRole"
>                         ]
>                 }
>         }
> }
>
> Also tried adding the permission using the Authorization API, but no effect, 
> still isn’t protecting the Collections API from being invoked without a 
> username password.  I do see in the Solr logs that it sees the updates 
> because it outputs the messages “Updating /security.json …”, “Security node 
> changed”, “Initializing authorization plugin: 
> solr.RuleBasedAuthorizationPlugin” and “Authentication plugin class obtained 
> from ZK: solr.BasicAuthPlugin”.
>
> Thanks,
> Kevin
>
>> On Sep 1, 2015, at 12:31 AM, Noble Paul <noble.p...@gmail.com> wrote:
>>
>> I'm investigating why restarts or first time start does not read the
>> security.json
>>
>> On Tue, Sep 1, 2015 at 1:00 PM, Noble Paul <noble.p...@gmail.com> wrote:
>>> I removed that statement
>>>
>>> "If activating the authorization plugin doesn't protect the admin ui,
>>> how does one protect access to it?"
>>>
>>> One does not need to protect the admin UI. You only need to protect
>>> the relevant API calls. I mean it's OK to not protect the CSS and
>>> HTML stuff.  But if you perform an action to create a core or do a
>>> query through the admin UI, it automatically will prompt you for
>>> credentials (if those APIs are protected)
>>>
>>> On Tue, Sep 1, 2015 at 12:41 PM, Kevin Lee <kgle...@yahoo.com.invalid> 
>>> wrote:
>>>> Thanks for the clarification!
>>>>
>>>> So is the wiki page incorrect at
>>>> https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin
>>>>  which says that the admin ui will require authentication once the 
>>>> authorization plugin is activated?
>>>>
>>>> "An authorization plugin is also available to configure Solr with 
>>>> permissions to perform various activities in the system. Once activated, 
>>>> access to the Solr Admin UI and all requests will need to be authenticated 
>>>> and users will be required to have the proper authorization for all 
>>>> requests, including using the Admin UI and making any API calls."
>>>>
>>>> If activating the authorization plugin doesn't protect the admin ui, how 
>>>> does one protect access to it?
>>>>
>>>> Also, the issue I'm having is not just at restart.  According to the docs 
>>>> security.json should be uploaded to Zookeeper before starting any of the 
>>>> Solr instances.  However, I tried to upload security.json before starting 
>>>> any of the Solr instances, but it would not pick up the security config 
>>>> until after the Solr instances are already running and then uploading the 
>>>> security.json again.  I can see in the logs at startup that the Solr 
>>>> instances don't see any plugin enabled even though security.json is 
>>>> already in zookeeper and then after they are started and the security.json 
>>>> is uploaded again I see it reconfigure to use the plugin.
>>>>
>>>> Thanks,
>>>> Kevin
>>>>
>>>>> On Aug 31, 2015, at 11:22 PM, Noble Paul <noble.p...@gmail.com> wrote:
>>>>>
>>>>> Admin UI is not protected by any of these permissions. Only if you try
>>>>> to perform a protected operation, it asks for a password.
>>>>>
>>>>> I'll investigate the restart problem and report my findings
>>>>>
>>>>>> On Tue, Sep 1, 2015 at 3:10 AM, Kevin Lee <kgle...@yahoo.com.invalid> 
>>>>>> wrote:
>>>>>> Anyone else running into any issues trying to get the authentication and 
>>>>>> authorization plugins in 5.3 working?
>>>>>>
>>>>>>> On Aug 29, 2015, at 2:30 AM, Kevin Lee <kgle...@yahoo.com.INVALID> 
>>>>>>> wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I’m trying to use the new basic auth plugin for Solr 5.3 and it doesn’t 
>>>>>>> seem to be working quite right.  Not sure if I’m missing steps or there 
>>>>>>> is a bug.  I am able to get it to protect access to a URL under a 
>>>>>>> collection, but am unable to get it to secure access to the Admin UI.  
>>>>>>> In addition, after stopping the Solr and Zookeeper instances, the 
>>>>>>> security.json is still in Zookeeper, however Solr is allowing access to 
>>>>>>> everything again like the security configuration isn’t in place.
>>>>>>>
>>>>>>> Contents of security.json taken from wiki page, but edited to produce 
>>>>>>> valid JSON.  Had to move comma after 3rd from last “}” up to just after 
>>>>>>> the last “]”.
>>>>>>>
>>>>>>> {
>>>>>>> "authentication":{
>>>>>>> "class":"solr.BasicAuthPlugin",
>>>>>>> "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
>>>>>>> },
>>>>>>> "authorization":{
>>>>>>> "class":"solr.RuleBasedAuthorizationPlugin",
>>>>>>> "permissions":[{"name":"security-edit",
>>>>>>>   "role":"admin"}],
>>>>>>> "user-role":{"solr":"admin"}
>>>>>>> }}
>>>>>>>
>>>>>>> Here are the steps I followed:
>>>>>>>
>>>>>>> Upload security.json to zookeeper
>>>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile 
>>>>>>> /security.json ~/solr/security.json
>>>>>>>
>>>>>>> Use zkCli.sh from Zookeeper to ensure the security.json is in Zookeeper 
>>>>>>> at /security.json.  It is there and looks like what was originally 
>>>>>>> uploaded.
>>>>>>>
>>>>>>> Start Solr Instances
>>>>>>>
>>>>>>> Attempt to create a permission, however get the following error:
>>>>>>> {
>>>>>>> "responseHeader":{
>>>>>>> "status":400,
>>>>>>> "QTime":0},
>>>>>>> "error":{
>>>>>>> "msg":"No authorization plugin configured",
>>>>>>> "code":400}}
>>>>>>>
>>>>>>> Upload security.json again.
>>>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile 
>>>>>>> /security.json ~/solr/security.json
>>>>>>>
>>>>>>> Issue the following to try to create the permission again and this time 
>>>>>>> it’s successful.
>>>>>>> // Create a permission for mysearch endpoint
>>>>>>> curl --user solr:SolrRocks -H 'Content-type:application/json' 
>>>>>>> -d '{"set-permission": {"name":"mycollection-search","collection": 
>>>>>>> "mycollection","path":"/mysearch","role": "search-user"}}' 
>>>>>>> http://localhost:8983/solr/admin/authorization
>>>>>>>
>>>>>>> {
>>>>>>>   "responseHeader":{
>>>>>>>     "status":0,
>>>>>>>     "QTime":7}}
>>>>>>>
>>>>>>> Issue the following commands to add users
>>>>>>> curl --user solr:SolrRocks 
>>>>>>> http://localhost:8983/solr/admin/authentication -H 
>>>>>>> 'Content-type:application/json' -d '{"set-user": {"admin" : "password" 
>>>>>>> }}'
>>>>>>> curl --user solr:SolrRocks 
>>>>>>> http://localhost:8983/solr/admin/authentication -H 
>>>>>>> 'Content-type:application/json' -d '{"set-user": {"user" : "password" 
>>>>>>> }}'
>>>>>>>
>>>>>>> Issue the following command to add permission to users
>>>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{ 
>>>>>>> "set-user-role" : {"admin": ["search-user", "admin"]}}' 
>>>>>>> http://localhost:8983/solr/admin/authorization
>>>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{ 
>>>>>>> "set-user-role" : {"user": ["search-user"]}}' 
>>>>>>> http://localhost:8983/solr/admin/authorization
>>>>>>>
>>>>>>> After executing the above, access to /mysearch is protected until I 
>>>>>>> restart the Solr and Zookeeper instances.  However, the admin UI is 
>>>>>>> never protected like the Wiki page says it should be once activated.
>>>>>>>
>>>>>>> https://cwiki.apache.org/confluence/display/solr/Rule-Based+Authorization+Plugin
>>>>>>>
>>>>>>> Why does the authentication and authorization plugin not stay activated 
>>>>>>> after restart and why is the Admin UI never protected?  Am I missing 
>>>>>>> any steps?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Kevin
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> -----------------------------------------------------
>>>>> Noble Paul



-- 
-----------------------------------------------------
Noble Paul
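An added example (mine, not code from this thread or from Solr) that checks a security.json before it goes into ZooKeeper, the way both of Kevin's pastes would have needed: it repairs the typographic quotes that the mail client put into the JSON, verifies that every credential is two base64 fields with a 32-byte hash, and cross-checks that every role a permission requires is actually held by some user in "user-role". The credential format it assumes (hash = sha256(sha256(salt || password)), stored as "base64(hash) base64(salt)") is my reading of Solr's Sha256AuthenticationProvider, not something the thread states, so confirm it against your Solr version before relying on check_password(); the passwords admin-pw and user-pw are placeholders, and SAMPLE is a constructed copy of the second security.json from the thread.

```python
"""Lint a Solr 5.3 security.json before uploading it with zkcli.sh putfile.

Added example; not code from the thread or from Solr. The credential check
assumes BasicAuthPlugin stores "base64(hash) base64(salt)" with
hash = sha256(sha256(salt || password)) (my reading of Sha256AuthenticationProvider).
"""
import base64
import binascii
import hashlib
import hmac
import json
import os

# Typographic quotes that mail clients and wikis insert; json.loads rejects them.
SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}


def normalize_quotes(text):
    for bad, good in SMART_QUOTES.items():
        text = text.replace(bad, good)
    return text


def load_security_json(text):
    """Strict parse. Returns (config, had_smart_quotes)."""
    repaired = normalize_quotes(text)
    return json.loads(repaired), repaired != text


def make_credential(password, salt=None):
    """Build a '<hash> <salt>' credentials value (format assumed, see docstring)."""
    salt = os.urandom(32) if salt is None else salt
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    outer = hashlib.sha256(inner).digest()
    return base64.b64encode(outer).decode() + " " + base64.b64encode(salt).decode()


def check_password(password, credential):
    """Constant-time comparison of a password against a stored credential."""
    _, salt_b64 = credential.split(" ")
    recomputed = make_credential(password, base64.b64decode(salt_b64))
    return hmac.compare_digest(recomputed.encode(), credential.encode())


def _as_set(value):
    # "role" and "user-role" values may be a single string or a list.
    if value is None:
        return set()
    return {value} if isinstance(value, str) else set(value)


def lint(config):
    """Return a list of problems; an empty list means the file is self-consistent."""
    problems = []
    auth = config.get("authentication", {})
    authz = config.get("authorization", {})
    if auth.get("class") != "solr.BasicAuthPlugin":
        problems.append("authentication.class is not solr.BasicAuthPlugin")
    if authz.get("class") != "solr.RuleBasedAuthorizationPlugin":
        problems.append("authorization.class is not solr.RuleBasedAuthorizationPlugin")

    creds = auth.get("credentials", {})
    for user, value in creds.items():
        parts = value.split(" ")
        try:
            decoded = [base64.b64decode(p, validate=True) for p in parts]
        except (binascii.Error, ValueError):
            decoded = []
        if len(parts) != 2 or len(decoded) != 2 or len(decoded[0]) != 32:
            problems.append("credential for %r is not 'base64(sha256) base64(salt)'" % user)

    held = set()  # every role that some user actually holds
    for user, roles in authz.get("user-role", {}).items():
        if user not in creds:
            problems.append("user-role lists %r, which has no credentials" % user)
        held |= _as_set(roles)

    for perm in authz.get("permissions", []):
        name = perm.get("name")
        if not name:
            problems.append("permission without a name: %r" % (perm,))
            continue
        for role in _as_set(perm.get("role")):
            if role not in held:
                problems.append("permission %r needs role %r, which no user holds" % (name, role))
    return problems


def report(text):
    """Parse and lint one security.json; returns (had_smart_quotes, problems)."""
    config, fixed = load_security_json(text)
    return fixed, lint(config)


# Constructed sample: the second security.json from the thread, smart quotes
# and all, with the <pass> <salt> placeholders filled in by make_credential().
SAMPLE = """{"authentication": {"class": "solr.BasicAuthPlugin",
    "credentials": {"admin\u201d: \u201d__ADMIN__", "user": \u201d__USER__"}},
  "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [{"name": "security-edit", "role": "adminRole"},
      {"name": "collection-admin-edit\u201d, "role": "adminRole"},
      {"name": "browse", "collection": "inventory", "path": "/browse", "role": "browseRole"}],
    "user-role": {"admin": ["adminRole", "browseRole"], "user": ["browseRole"]}}}
""".replace("__ADMIN__", make_credential("admin-pw")).replace("__USER__", make_credential("user-pw"))

if __name__ == "__main__":
    print(report(SAMPLE))
```

Run it as `python lint_security_json.py` to see the sample pass; point report() at your own file before `zkcli.sh -cmd putfile /security.json`. A non-empty problem list, or had_smart_quotes being True, is worth fixing before the upload, since a file with curly quotes is not valid JSON and will not configure any plugin.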