Thanks, I downloaded the source and compiled it and replaced the jar file in 
the dist and solr-webapp’s WEB-INF/lib directory.  It does seem to be 
protecting the Collections API reload command now as long as I upload the 
security.json after startup of the Solr instances.  If I shut down and bring the 
instances back up, the security is no longer in place and I have to upload the 
security.json again for it to take effect.

- Kevin

> On Sep 3, 2015, at 10:29 PM, Noble Paul <noble.p...@gmail.com> wrote:
> 
> Both these are committed. If you could test with the latest 5.3 branch
> it would be helpful
> 
> On Wed, Sep 2, 2015 at 5:11 PM, Noble Paul <noble.p...@gmail.com> wrote:
>> I opened a ticket for the same
>> https://issues.apache.org/jira/browse/SOLR-8004
>> 
>> On Wed, Sep 2, 2015 at 1:36 PM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
>>> I’ve found that completely exiting Chrome or Firefox and opening it back up 
>>> re-prompts for credentials when they are required.  It was re-prompting 
>>> with the /browse path where authentication was working each time I 
>>> completely exited and started the browser again, however it won’t re-prompt 
>>> unless you exit completely and close all running instances so I closed all 
>>> instances each time to test.
>>> 
>>> However, to make sure I ran it via the command line via curl as suggested 
>>> and it still does not give any authentication error when trying to issue 
>>> the command via curl.  I get a success response from all the Solr instances 
>>> that the reload was successful.
>>> 
>>> Not sure why the pre-canned permissions aren’t working, but the one to the 
>>> request handler at the /browse path is.
>>> 
>>> 
>>>> On Sep 1, 2015, at 11:03 PM, Noble Paul <noble.p...@gmail.com> wrote:
>>>> 
>>>> " However, after uploading the new security.json and restarting the
>>>> web browser,"
>>>> 
>>>> The browser remembers your login, so it is unlikely to prompt for the
>>>> credentials again.
>>>> 
>>>> Why don't you try the RELOAD operation using command line (curl)?
>>>> 
>>>> On Tue, Sep 1, 2015 at 10:31 PM, Kevin Lee <kgle...@yahoo.com.invalid> 
>>>> wrote:
>>>>> The restart issues aside, I’m trying to lock down usage of the Collections 
>>>>> API, but that also does not seem to be working either.
>>>>> 
>>>>> Here is my security.json.  I’m using the “collection-admin-edit” 
>>>>> permission and assigning it to the “adminRole”.  However, after uploading 
>>>>> the new security.json and restarting the web browser, it doesn’t seem to 
>>>>> be requiring credentials when calling the RELOAD action on the 
>>>>> Collections API.  The only thing that seems to work is the custom 
>>>>> permission “browse” which is requiring authentication before allowing me 
>>>>> to pull up the page.  Am I using the permissions correctly for the 
>>>>> RuleBasedAuthorizationPlugin?
>>>>> 
>>>>> {
>>>>>       "authentication":{
>>>>>          "class":"solr.BasicAuthPlugin",
>>>>>          "credentials": {
>>>>>                       "admin":"<pass> <salt>",
>>>>>                       "user": "<pass> <salt>"
>>>>>               }
>>>>>       },
>>>>>       "authorization":{
>>>>>          "class":"solr.RuleBasedAuthorizationPlugin",
>>>>>          "permissions": [
>>>>>                       {
>>>>>                               "name":"security-edit",
>>>>>                               "role":"adminRole"
>>>>>                       },
>>>>>                       {
>>>>>                               "name":"collection-admin-edit",
>>>>>                               "role":"adminRole"
>>>>>                       },
>>>>>                       {
>>>>>                               "name":"browse",
>>>>>                               "collection": "inventory",
>>>>>                               "path": "/browse",
>>>>>                               "role":"browseRole"
>>>>>                       }
>>>>>               ],
>>>>>          "user-role": {
>>>>>                       "admin": [
>>>>>                               "adminRole",
>>>>>                               "browseRole"
>>>>>                       ],
>>>>>                       "user": [
>>>>>                               "browseRole"
>>>>>                       ]
>>>>>               }
>>>>>       }
>>>>> }
>>>>> 
>>>>> Also tried adding the permission using the Authorization API, but no 
>>>>> effect, still isn’t protecting the Collections API from being invoked 
>>>>> without a username password.  I do see in the Solr logs that it sees the 
>>>>> updates because it outputs the messages “Updating /security.json …”, 
>>>>> “Security node changed”, “Initializing authorization plugin: 
>>>>> solr.RuleBasedAuthorizationPlugin” and “Authentication plugin class 
>>>>> obtained from ZK: solr.BasicAuthPlugin”.
>>>>> 
>>>>> Thanks,
>>>>> Kevin
>>>>> 
>>>>>> On Sep 1, 2015, at 12:31 AM, Noble Paul <noble.p...@gmail.com> wrote:
>>>>>> 
>>>>>> I'm investigating why restarts or first time start does not read the
>>>>>> security.json
>>>>>> 
>>>>>> On Tue, Sep 1, 2015 at 1:00 PM, Noble Paul <noble.p...@gmail.com> wrote:
>>>>>>> I removed that statement
>>>>>>> 
>>>>>>> "If activating the authorization plugin doesn't protect the admin ui,
>>>>>>> how does one protect access to it?"
>>>>>>> 
>>>>>>> One does not need to protect the admin UI. You only need to protect
>>>>>>> the relevant API calls. I mean it's OK to not protect the CSS and
>>>>>>> HTML stuff.  But if you perform an action to create a core or do a
>>>>>>> query through admin UI, it automatically will prompt you for
>>>>>>> credentials (if those APIs are protected)
>>>>>>> 
>>>>>>> On Tue, Sep 1, 2015 at 12:41 PM, Kevin Lee <kgle...@yahoo.com.invalid> 
>>>>>>> wrote:
>>>>>>>> Thanks for the clarification!
>>>>>>>> 
>>>>>>>> So is the wiki page incorrect at
>>>>>>>> https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin
>>>>>>>>  which says that the admin ui will require authentication once the 
>>>>>>>> authorization plugin is activated?
>>>>>>>> 
>>>>>>>> "An authorization plugin is also available to configure Solr with 
>>>>>>>> permissions to perform various activities in the system. Once 
>>>>>>>> activated, access to the Solr Admin UI and all requests will need to 
>>>>>>>> be authenticated and users will be required to have the proper 
>>>>>>>> authorization for all requests, including using the Admin UI and 
>>>>>>>> making any API calls."
>>>>>>>> 
>>>>>>>> If activating the authorization plugin doesn't protect the admin ui, 
>>>>>>>> how does one protect access to it?
>>>>>>>> 
>>>>>>>> Also, the issue I'm having is not just at restart.  According to the 
>>>>>>>> docs security.json should be uploaded to Zookeeper before starting any 
>>>>>>>> of the Solr instances.  However, I tried to upload security.json 
>>>>>>>> before starting any of the Solr instances, but it would not pick up 
>>>>>>>> the security config until after the Solr instances are already running 
>>>>>>>> and then uploading the security.json again.  I can see in the logs at 
>>>>>>>> startup that the Solr instances don't see any plugin enabled even 
>>>>>>>> though security.json is already in zookeeper and then after they are 
>>>>>>>> started and the security.json is uploaded again I see it reconfigure 
>>>>>>>> to use the plugin.
>>>>>>>> 
>>>>>>>> Thanks,
>>>>>>>> Kevin
>>>>>>>> 
>>>>>>>>> On Aug 31, 2015, at 11:22 PM, Noble Paul <noble.p...@gmail.com> wrote:
>>>>>>>>> 
>>>>>>>>> Admin UI is not protected by any of these permissions. Only if you try
>>>>>>>>> to perform a protected operation, it asks for a password.
>>>>>>>>> 
>>>>>>>>> I'll investigate the restart problem and report my findings
>>>>>>>>> 
>>>>>>>>>> On Tue, Sep 1, 2015 at 3:10 AM, Kevin Lee 
>>>>>>>>>> <kgle...@yahoo.com.invalid> wrote:
>>>>>>>>>> Anyone else running into any issues trying to get the authentication 
>>>>>>>>>> and authorization plugins in 5.3 working?
>>>>>>>>>> 
>>>>>>>>>>> On Aug 29, 2015, at 2:30 AM, Kevin Lee <kgle...@yahoo.com.INVALID> 
>>>>>>>>>>> wrote:
>>>>>>>>>>> 
>>>>>>>>>>> Hi,
>>>>>>>>>>> 
>>>>>>>>>>> I’m trying to use the new basic auth plugin for Solr 5.3 and it 
>>>>>>>>>>> doesn’t seem to be working quite right.  Not sure if I’m missing 
>>>>>>>>>>> steps or there is a bug.  I am able to get it to protect access to 
>>>>>>>>>>> a URL under a collection, but am unable to get it to secure access 
>>>>>>>>>>> to the Admin UI.  In addition, after stopping the Solr and 
>>>>>>>>>>> Zookeeper instances, the security.json is still in Zookeeper, 
>>>>>>>>>>> however Solr is allowing access to everything again like the 
>>>>>>>>>>> security configuration isn’t in place.
>>>>>>>>>>> 
>>>>>>>>>>> Contents of security.json taken from wiki page, but edited to 
>>>>>>>>>>> produce valid JSON.  Had to move comma after 3rd from last “}” up 
>>>>>>>>>>> to just after the last “]”.
>>>>>>>>>>> 
>>>>>>>>>>> {
>>>>>>>>>>> "authentication":{
>>>>>>>>>>> "class":"solr.BasicAuthPlugin",
>>>>>>>>>>> "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= 
>>>>>>>>>>> Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
>>>>>>>>>>> },
>>>>>>>>>>> "authorization":{
>>>>>>>>>>> "class":"solr.RuleBasedAuthorizationPlugin",
>>>>>>>>>>> "permissions":[{"name":"security-edit",
>>>>>>>>>>> "role":"admin"}],
>>>>>>>>>>> "user-role":{"solr":"admin"}
>>>>>>>>>>> }}
>>>>>>>>>>> 
>>>>>>>>>>> Here are the steps I followed:
>>>>>>>>>>> 
>>>>>>>>>>> Upload security.json to zookeeper
>>>>>>>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd 
>>>>>>>>>>> putfile /security.json ~/solr/security.json
>>>>>>>>>>> 
>>>>>>>>>>> Use zkCli.sh from Zookeeper to ensure the security.json is in 
>>>>>>>>>>> Zookeeper at /security.json.  It is there and looks like what was 
>>>>>>>>>>> originally uploaded.
>>>>>>>>>>> 
>>>>>>>>>>> Start Solr Instances
>>>>>>>>>>> 
>>>>>>>>>>> Attempt to create a permission, however get the following error:
>>>>>>>>>>> {
>>>>>>>>>>> "responseHeader":{
>>>>>>>>>>> "status":400,
>>>>>>>>>>> "QTime":0},
>>>>>>>>>>> "error":{
>>>>>>>>>>> "msg":"No authorization plugin configured",
>>>>>>>>>>> "code":400}}
>>>>>>>>>>> 
>>>>>>>>>>> Upload security.json again.
>>>>>>>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd 
>>>>>>>>>>> putfile /security.json ~/solr/security.json
>>>>>>>>>>> 
>>>>>>>>>>> Issue the following to try to create the permission again and this 
>>>>>>>>>>> time it’s successful.
>>>>>>>>>>> // Create a permission for mysearch endpoint
>>>>>>>>>>>       curl --user solr:SolrRocks -H 'Content-type:application/json' 
>>>>>>>>>>> -d '{"set-permission": {"name":"mycollection-search","collection": 
>>>>>>>>>>> "mycollection","path":"/mysearch","role": "search-user"}}' 
>>>>>>>>>>> http://localhost:8983/solr/admin/authorization
>>>>>>>>>>> 
>>>>>>>>>>> {
>>>>>>>>>>> "responseHeader":{
>>>>>>>>>>>   "status":0,
>>>>>>>>>>>   "QTime":7}}
>>>>>>>>>>> 
>>>>>>>>>>> Issue the following commands to add users
>>>>>>>>>>> curl --user solr:SolrRocks 
>>>>>>>>>>> http://localhost:8983/solr/admin/authentication -H 
>>>>>>>>>>> 'Content-type:application/json' -d '{"set-user": {"admin" : 
>>>>>>>>>>> "password" }}'
>>>>>>>>>>> curl --user solr:SolrRocks 
>>>>>>>>>>> http://localhost:8983/solr/admin/authentication -H 
>>>>>>>>>>> 'Content-type:application/json' -d '{"set-user": {"user" : 
>>>>>>>>>>> "password" }}'
>>>>>>>>>>> 
>>>>>>>>>>> Issue the following command to add permission to users
>>>>>>>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{ 
>>>>>>>>>>> "set-user-role" : {"admin": ["search-user", "admin"]}}' 
>>>>>>>>>>> http://localhost:8983/solr/admin/authorization
>>>>>>>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{ 
>>>>>>>>>>> "set-user-role" : {"user": ["search-user"]}}' 
>>>>>>>>>>> http://localhost:8983/solr/admin/authorization
>>>>>>>>>>> 
>>>>>>>>>>> After executing the above, access to /mysearch is protected until I 
>>>>>>>>>>> restart the Solr and Zookeeper instances.  However, the admin UI is 
>>>>>>>>>>> never protected like the Wiki page says it should be once activated.
>>>>>>>>>>> 
>>>>>>>>>>> https://cwiki.apache.org/confluence/display/solr/Rule-Based+Authorization+Plugin
>>>>>>>>>>> 
>>>>>>>>>>> Why does the authentication and authorization plugin not stay 
>>>>>>>>>>> activated after restart and why is the Admin UI never protected?  
>>>>>>>>>>> Am I missing any steps?
>>>>>>>>>>> 
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Kevin
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> --
>>>>>>>>> -----------------------------------------------------
>>>>>>>>> Noble Paul

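A pre-upload check for the security.json files discussed in this thread, added here as an example (not code from the thread or from Solr): it flags typographic quotes, invalid JSON, permission roles that no user holds, and users with roles but no credentials. The function names and the sample documents are constructed for illustration.

```python
import json

TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"  # curly quotes pasted from mail or a wiki

def as_list(value):
    # In this thread a user-role value is written both as a string and as a list.
    return [value] if isinstance(value, str) else list(value or [])

def lint_security_json(text):
    """Return findings for a security.json document; an empty list means clean."""
    findings = [f"line {n}: typographic quote character"
                for n, line in enumerate(text.splitlines(), 1)
                if any(q in line for q in TYPOGRAPHIC_QUOTES)]
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return findings + [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    authn = doc.get("authentication", {})
    authz = doc.get("authorization", {})
    for section, block in (("authentication", authn), ("authorization", authz)):
        if "class" not in block:
            findings.append(f"{section}: no plugin class configured")
    user_role = authz.get("user-role", {})
    granted = {role for roles in user_role.values() for role in as_list(roles)}
    for perm in authz.get("permissions", []):
        for role in as_list(perm.get("role")):
            if role not in granted:
                findings.append(f"permission {perm.get('name')!r}: no user holds role {role!r}")
    for user in user_role:
        if user not in authn.get("credentials", {}):
            findings.append(f"user-role: {user!r} has roles but no credentials")
    return findings

# Constructed sample: the second security.json from the thread, placeholders kept.
GOOD = """{
 "authentication": {"class": "solr.BasicAuthPlugin",
   "credentials": {"admin": "<pass> <salt>", "user": "<pass> <salt>"}},
 "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
   "permissions": [{"name": "security-edit", "role": "adminRole"},
                   {"name": "collection-admin-edit", "role": "adminRole"},
                   {"name": "browse", "collection": "inventory",
                    "path": "/browse", "role": "browseRole"}],
   "user-role": {"admin": ["adminRole", "browseRole"], "user": ["browseRole"]}}
}"""
# Constructed variants: one curly quote, and adminRole assigned to nobody.
CURLY = GOOD.replace('"collection-admin-edit"', '"collection-admin-edit\u201d')
ORPHAN = GOOD.replace('["adminRole", "browseRole"]', '"browseRole"')
if __name__ == "__main__":
    print(lint_security_json(CURLY), lint_security_json(ORPHAN))
```

A clean result only says the file is internally consistent; whether the running nodes enforce it still has to be confirmed with an unauthenticated request, as done with curl in the thread.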