Hi Kevin/Noble,

What is the download link to get the latest? What are the steps to compile,
test and use it?
We also have a use case for this feature in Solr. Therefore, we wanted
to test it, and the above info would help a lot to get started.

Thanks.


On Fri, Sep 4, 2015 at 1:45 PM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:

> Thanks, I downloaded the source and compiled it and replaced the jar file
> in the dist and solr-webapp’s WEB-INF/lib directory.  It does seem to be
> protecting the Collections API reload command now as long as I upload the
> security.json after startup of the Solr instances.  If I shutdown and bring
> the instances back up, the security is no longer in place and I have to
> upload the security.json again for it to take effect.
>
> - Kevin
>
> > On Sep 3, 2015, at 10:29 PM, Noble Paul <noble.p...@gmail.com> wrote:
> >
> > Both these are committed. If you could test with the latest 5.3 branch
> > it would be helpful
> >
> > On Wed, Sep 2, 2015 at 5:11 PM, Noble Paul <noble.p...@gmail.com> wrote:
> >> I opened a ticket for the same
> >> https://issues.apache.org/jira/browse/SOLR-8004
> >>
> >> On Wed, Sep 2, 2015 at 1:36 PM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
> >>> I’ve found that completely exiting Chrome or Firefox and opening it back up re-prompts for credentials when they are required.  It was re-prompting with the /browse path where authentication was working each time I completely exited and started the browser again, however it won’t re-prompt unless you exit completely and close all running instances so I closed all instances each time to test.
> >>>
> >>> However, to make sure I ran it via the command line via curl as suggested and it still does not give any authentication error when trying to issue the command via curl.  I get a success response from all the Solr instances that the reload was successful.
> >>>
> >>> Not sure why the pre-canned permissions aren’t working, but the one to the request handler at the /browse path is.
> >>>
> >>>
> >>>> On Sep 1, 2015, at 11:03 PM, Noble Paul <noble.p...@gmail.com> wrote:
> >>>>
> >>>> " However, after uploading the new security.json and restarting the
> >>>> web browser,"
> >>>>
> >>>> The browser remembers your login, so it is unlikely to prompt for the
> >>>> credentials again.
> >>>>
> >>>> Why don't you try the RELOAD operation using command line (curl)?
> >>>>
> >>>> On Tue, Sep 1, 2015 at 10:31 PM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
> >>>>> The restart issues aside, I’m trying to lock down usage of the Collections API, but that also does not seem to be working either.
> >>>>>
> >>>>> Here is my security.json.  I’m using the “collection-admin-edit” permission and assigning it to the “adminRole”.  However, after uploading the new security.json and restarting the web browser, it doesn’t seem to be requiring credentials when calling the RELOAD action on the Collections API.  The only thing that seems to work is the custom permission “browse” which is requiring authentication before allowing me to pull up the page.  Am I using the permissions correctly for the RuleBasedAuthorizationPlugin?
> >>>>>
> >>>>> {
> >>>>>       "authentication":{
> >>>>>          "class":"solr.BasicAuthPlugin",
> >>>>>          "credentials": {
> >>>>>                       "admin":"<pass> <salt>",
> >>>>>                       "user": "<pass> <salt>"
> >>>>>               }
> >>>>>       },
> >>>>>       "authorization":{
> >>>>>          "class":"solr.RuleBasedAuthorizationPlugin",
> >>>>>          "permissions": [
> >>>>>                       {
> >>>>>                               "name":"security-edit",
> >>>>>                               "role":"adminRole"
> >>>>>                       },
> >>>>>                       {
> >>>>>                               "name":"collection-admin-edit",
> >>>>>                               "role":"adminRole"
> >>>>>                       },
> >>>>>                       {
> >>>>>                               "name":"browse",
> >>>>>                               "collection": "inventory",
> >>>>>                               "path": "/browse",
> >>>>>                               "role":"browseRole"
> >>>>>                       }
> >>>>>               ],
> >>>>>          "user-role": {
> >>>>>                       "admin": [
> >>>>>                               "adminRole",
> >>>>>                               "browseRole"
> >>>>>                       ],
> >>>>>                       "user": [
> >>>>>                               "browseRole"
> >>>>>                       ]
> >>>>>               }
> >>>>>       }
> >>>>> }
> >>>>>
> >>>>> Also tried adding the permission using the Authorization API, but no effect, still isn’t protecting the Collections API from being invoked without a username password.  I do see in the Solr logs that it sees the updates because it outputs the messages “Updating /security.json …”, “Security node changed”, “Initializing authorization plugin: solr.RuleBasedAuthorizationPlugin” and “Authentication plugin class obtained from ZK: solr.BasicAuthPlugin”.
> >>>>>
> >>>>> Thanks,
> >>>>> Kevin
> >>>>>
> >>>>>> On Sep 1, 2015, at 12:31 AM, Noble Paul <noble.p...@gmail.com> wrote:
> >>>>>>
> >>>>>> I'm investigating why restarts or first time start does not read the
> >>>>>> security.json
> >>>>>>
> >>>>>> On Tue, Sep 1, 2015 at 1:00 PM, Noble Paul <noble.p...@gmail.com> wrote:
> >>>>>>> I removed that statement
> >>>>>>>
> >>>>>>> "If activating the authorization plugin doesn't protect the admin ui,
> >>>>>>> how does one protect access to it?"
> >>>>>>>
> >>>>>>> One does not need to protect the admin UI. You only need to protect
> >>>>>>> the relevant API calls. I mean it's OK to not protect the CSS and
> >>>>>>> HTML stuff.  But if you perform an action to create a core or do a
> >>>>>>> query through admin UI, it automatically will prompt you for
> >>>>>>> credentials (if those APIs are protected)
> >>>>>>>
> >>>>>>> On Tue, Sep 1, 2015 at 12:41 PM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
> >>>>>>>> Thanks for the clarification!
> >>>>>>>>
> >>>>>>>> So is the wiki page incorrect at https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin which says that the admin ui will require authentication once the authorization plugin is activated?
> >>>>>>>>
> >>>>>>>> "An authorization plugin is also available to configure Solr with permissions to perform various activities in the system. Once activated, access to the Solr Admin UI and all requests will need to be authenticated and users will be required to have the proper authorization for all requests, including using the Admin UI and making any API calls."
> >>>>>>>>
> >>>>>>>> If activating the authorization plugin doesn't protect the admin ui, how does one protect access to it?
> >>>>>>>>
> >>>>>>>> Also, the issue I'm having is not just at restart.  According to the docs security.json should be uploaded to Zookeeper before starting any of the Solr instances.  However, I tried to upload security.json before starting any of the Solr instances, but it would not pick up the security config until after the Solr instances are already running and then uploading the security.json again.  I can see in the logs at startup that the Solr instances don't see any plugin enabled even though security.json is already in zookeeper and then after they are started and the security.json is uploaded again I see it reconfigure to use the plugin.
> >>>>>>>>
> >>>>>>>> Thanks,
> >>>>>>>> Kevin
> >>>>>>>>
> >>>>>>>>> On Aug 31, 2015, at 11:22 PM, Noble Paul <noble.p...@gmail.com> wrote:
> >>>>>>>>>
> >>>>>>>>> Admin UI is not protected by any of these permissions. Only if you try
> >>>>>>>>> to perform a protected operation, it asks for a password.
> >>>>>>>>>
> >>>>>>>>> I'll investigate the restart problem and report my findings
> >>>>>>>>>
> >>>>>>>>>> On Tue, Sep 1, 2015 at 3:10 AM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
> >>>>>>>>>> Anyone else running into any issues trying to get the authentication and authorization plugins in 5.3 working?
> >>>>>>>>>>
> >>>>>>>>>>> On Aug 29, 2015, at 2:30 AM, Kevin Lee <kgle...@yahoo.com.INVALID> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>> Hi,
> >>>>>>>>>>>
> >>>>>>>>>>> I’m trying to use the new basic auth plugin for Solr 5.3 and it doesn’t seem to be working quite right.  Not sure if I’m missing steps or there is a bug.  I am able to get it to protect access to a URL under a collection, but am unable to get it to secure access to the Admin UI.  In addition, after stopping the Solr and Zookeeper instances, the security.json is still in Zookeeper, however Solr is allowing access to everything again like the security configuration isn’t in place.
> >>>>>>>>>>>
> >>>>>>>>>>> Contents of security.json taken from wiki page, but edited to produce valid JSON.  Had to move comma after 3rd from last “}” up to just after the last “]”.
> >>>>>>>>>>>
> >>>>>>>>>>> {
> >>>>>>>>>>> "authentication":{
> >>>>>>>>>>> "class":"solr.BasicAuthPlugin",
> >>>>>>>>>>> "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
> >>>>>>>>>>> },
> >>>>>>>>>>> "authorization":{
> >>>>>>>>>>> "class":"solr.RuleBasedAuthorizationPlugin",
> >>>>>>>>>>> "permissions":[{"name":"security-edit",
> >>>>>>>>>>> "role":"admin"}],
> >>>>>>>>>>> "user-role":{"solr":"admin"}
> >>>>>>>>>>> }}
> >>>>>>>>>>>
> >>>>>>>>>>> Here are the steps I followed:
> >>>>>>>>>>>
> >>>>>>>>>>> Upload security.json to zookeeper
> >>>>>>>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile /security.json ~/solr/security.json
> >>>>>>>>>>>
> >>>>>>>>>>> Use zkCli.sh from Zookeeper to ensure the security.json is in Zookeeper at /security.json.  It is there and looks like what was originally uploaded.
> >>>>>>>>>>>
> >>>>>>>>>>> Start Solr Instances
> >>>>>>>>>>>
> >>>>>>>>>>> Attempt to create a permission, however get the following error:
> >>>>>>>>>>> {
> >>>>>>>>>>> "responseHeader":{
> >>>>>>>>>>> "status":400,
> >>>>>>>>>>> "QTime":0},
> >>>>>>>>>>> "error":{
> >>>>>>>>>>> "msg":"No authorization plugin configured",
> >>>>>>>>>>> "code":400}}
> >>>>>>>>>>>
> >>>>>>>>>>> Upload security.json again.
> >>>>>>>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile /security.json ~/solr/security.json
> >>>>>>>>>>>
> >>>>>>>>>>> Issue the following to try to create the permission again and this time it’s successful.
> >>>>>>>>>>> // Create a permission for mysearch endpoint
> >>>>>>>>>>>       curl --user solr:SolrRocks -H 'Content-type:application/json' -d '{"set-permission": {"name":"mycollection-search","collection": "mycollection","path":"/mysearch","role": "search-user"}}' http://localhost:8983/solr/admin/authorization
> >>>>>>>>>>>
> >>>>>>>>>>> {
> >>>>>>>>>>> "responseHeader":{
> >>>>>>>>>>>   "status":0,
> >>>>>>>>>>>   "QTime":7}}
> >>>>>>>>>>>
> >>>>>>>>>>> Issue the following commands to add users
> >>>>>>>>>>> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{"set-user": {"admin" : "password" }}'
> >>>>>>>>>>> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{"set-user": {"user" : "password" }}'
> >>>>>>>>>>>
> >>>>>>>>>>> Issue the following command to add permission to users
> >>>>>>>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{ "set-user-role" : {"admin": ["search-user", "admin"]}}' http://localhost:8983/solr/admin/authorization
> >>>>>>>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{ "set-user-role" : {"user": ["search-user"]}}' http://localhost:8983/solr/admin/authorization
> >>>>>>>>>>>
> >>>>>>>>>>> After executing the above, access to /mysearch is protected until I restart the Solr and Zookeeper instances.  However, the admin UI is never protected like the Wiki page says it should be once activated.
> >>>>>>>>>>>
> >>>>>>>>>>> https://cwiki.apache.org/confluence/display/solr/Rule-Based+Authorization+Plugin
> >>>>>>>>>>>
> >>>>>>>>>>> Why does the authentication and authorization plugin not stay activated after restart and why is the Admin UI never protected?  Am I missing any steps?
> >>>>>>>>>>>
> >>>>>>>>>>> Thanks,
> >>>>>>>>>>> Kevin
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> --
> >>>>>>>>> -----------------------------------------------------
> >>>>>>>>> Noble Paul
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> --
> >>>>>>> -----------------------------------------------------
> >>>>>>> Noble Paul
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> -----------------------------------------------------
> >>>>>> Noble Paul
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> -----------------------------------------------------
> >>>> Noble Paul
> >>>
> >>
> >>
> >>
> >> --
> >> -----------------------------------------------------
> >> Noble Paul
> >
> >
> >
> > --
> > -----------------------------------------------------
> > Noble Paul
>
>
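
Added example, not part of the thread and not code from the Solr project: a pre-upload check for a security.json like the ones quoted above. It flags typographic quote characters, confirms the file parses as JSON, and reports permissions whose role no user holds and user-role entries without credentials. The helper name and the sample document are constructed; it assumes each permission carries a single role string, as in the thread.

```python
import json

# Typographic quotes that mail clients and wiki editors substitute for ASCII ones.
SMART_QUOTES = set("\u201c\u201d\u2018\u2019")


def lint_security_json(text):
    """Return findings for a security.json document (hypothetical helper)."""
    findings = [f"line {n}: typographic quote character"
                for n, line in enumerate(text.splitlines(), 1)
                if SMART_QUOTES & set(line)]
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return findings + [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(doc, dict):
        return findings + ["top level is not a JSON object"]
    for block in ("authentication", "authorization"):
        if "class" not in doc.get(block, {}):
            findings.append(f"{block}: block or its 'class' is missing")
    authz = doc.get("authorization", {})
    user_roles = authz.get("user-role", {})
    held = set()
    for roles in user_roles.values():
        # Both forms appear in the thread: "solr": "admin" and "admin": ["adminRole"].
        held.update([roles] if isinstance(roles, str) else roles)
    for perm in authz.get("permissions", []):
        if perm.get("role") not in held:
            findings.append(f"permission {perm.get('name')!r}: role "
                            f"{perm.get('role')!r} is held by no user")
    known = doc.get("authentication", {}).get("credentials", {})
    for user in user_roles:
        if user not in known:
            findings.append(f"user-role: {user!r} has no entry in credentials")
    return findings


# Constructed sample modelled on the second security.json in the thread.
SAMPLE = """{
  "authentication": {"class": "solr.BasicAuthPlugin",
                     "credentials": {"admin": "<pass> <salt>"}},
  "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [{"name": "collection-admin-edit", "role": "adminRole"},
                    {"name": "browse", "path": "/browse", "role": "browseRole"}],
    "user-role": {"admin": ["adminRole"], "user": ["browseRole"]}}
}"""

if __name__ == "__main__":
    for finding in lint_security_json(SAMPLE):
        print(finding)
```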
