Hey Arkadi,

Your "nagios" user is under "role_monitoring", which has "config-read"
permissions.  The default config-read gets you access to the Config
API and Request Parameters API, but not the /admin/mbeans API (afaik).

See 
https://lucene.apache.org/solr/guide/6_6/rule-based-authorization-plugin.html#Rule-BasedAuthorizationPlugin-PredefinedPermissions
for a bit more explanation.

I think you'll need to update the configured permissions to allow
access to /admin/mbeans.  (The linked page above is a good reference
for that as well).

Best,

Jason

On Thu, Nov 16, 2017 at 8:06 AM, Arkadi Colson <ark...@smartbit.be> wrote:
> Hi
>
> I'm having trouble with setting up authentication. My security.json looks
> like this:
>
> {
>         "authentication":{
>                 "class":"solr.BasicAuthPlugin",
>                 "blockUnknown": false,
>                 "credentials":{
>                         "admin":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=",
>                         "nagios":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=",
>                         "smsc":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="
>                 }
>         },
>         "authorization":{
>                 "class":"solr.RuleBasedAuthorizationPlugin",
>                 "user-role":{
>                         "admin":"role_admin",
>                         "nagios":"role_monitoring",
>                         "smsc":"role_smsc"
>                 },
>                 "permissions":[
>                         {
>                                 "name":"all",
>                                 "role":"role_admin"
>                         },
>                         {
>                                 "name":"config-read",
>                                 "role":"role_monitoring"
>                         },
>                         {
>                                 "name":"read",
>                                 "role":"role_smsc"
>                         },
>                         {
>                                 "name":"update",
>                                 "role":"role_smsc"
>                         }
>                 ]
>         }
> }
>
> When trying to log in with, for example, check_solr_metrics.pl and the nagios
> user, the output is "CRITICAL: 403 Unauthorized request, Response code: 403".
> Solr logging is showing these lines:
>
> DEBUG - 2017-11-16 13:42:51.785; [c:smsc_lvs s:shard2 r:core_node1
> x:smsc_lvs_shard2_replica1] org.apache.solr.servlet.SolrDispatchFilter;
> Request to authenticate: Request(GET
> //solr01:8983/solr/mydoc/admin/mbeans?stats=true&cat=UPDATE&key=%2Fupdate&omitHeader=off&wt=json&start=0&rows=3)@2722dc57,
> domain: 10.1.1.42, port: 8983
> DEBUG - 2017-11-16 13:42:51.786; [c:smsc_lvs s:shard2 r:core_node1
> x:smsc_lvs_shard2_replica1] org.apache.solr.servlet.SolrDispatchFilter; User
> principal: [principal: nagios]
> DEBUG - 2017-11-16 13:42:51.786; [c:smsc_mydoc s:shard1 r:core_node2
> x:smsc_mydoc_shard1_replica1] org.apache.solr.servlet.HttpSolrCall;
> PkiAuthenticationPlugin says authorization required : true
> DEBUG - 2017-11-16 13:42:51.786; [c:smsc_mydoc s:shard1 r:core_node2
> x:smsc_mydoc_shard1_replica1] org.apache.solr.servlet.HttpSolrCall;
> AuthorizationContext : userPrincipal: [[principal: nagios]] type: [UNKNOWN],
> collections: [smsc_mydoc, smsc_mydoc,], Path: [/admin/mbeans] path :
> /admin/mbeans params
> :stats=true&omitHeader=off&cat=UPDATE&start=0&rows=3&wt=json&key=/update&collection=smsc_mydoc
> INFO  - 2017-11-16 13:42:51.786; [c:smsc_mydoc s:shard1 r:core_node2
> x:smsc_mydoc_shard1_replica1]
> org.apache.solr.security.RuleBasedAuthorizationPlugin; This resource is
> configured to have a permission {
>   "name":"all",
>   "role":"role_admin"}, The principal [principal: nagios] does not have the
> right role
> INFO  - 2017-11-16 13:42:51.787; [c:smsc_mydoc s:shard1 r:core_node2
> x:smsc_mydoc_shard1_replica1] org.apache.solr.servlet.HttpSolrCall;
> USER_REQUIRED auth header Basic bmFnaW9zOlNvbHJSb2Nrcw== context :
> userPrincipal: [[principal: nagios]] type: [UNKNOWN], collections:
> [smsc_mydoc, smsc_mydoc,], Path: [/admin/mbeans] path : /admin/mbeans params
> :stats=true&omitHeader=off&cat=UPDATE&start=0&rows=3&wt=json&key=/update&collection=smsc_mydoc
> DEBUG - 2017-11-16 13:42:51.787; [c:smsc_mydoc s:shard1 r:core_node2
> x:smsc_mydoc_shard1_replica1] org.apache.solr.servlet.HttpSolrCall; Closing
> out SolrRequest:
> {stats=true&omitHeader=off&cat=UPDATE&start=0&rows=3&wt=json&key=/update&collection=smsc_mydoc}
>
> Does anybody have an idea what I'm doing wrong here?
>
> Thx!
> Arkadi
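
One way to write the permission change suggested in the reply, as an added example that is not part of the thread: a custom permission scoped to the `/admin/mbeans` path and the GET method, replacing the `permissions` array in the posted `security.json`. The permission name `monitoring-mbeans` is made up for illustration; `role_admin` is listed next to `role_monitoring` on the assumption that the admin user should keep access to the same path, and `all` is moved to the end of the list so the catch-all rule is considered last.

```json
{
  "permissions": [
    {
      "name": "monitoring-mbeans",
      "collection": "*",
      "path": "/admin/mbeans",
      "method": "GET",
      "role": ["role_monitoring", "role_admin"]
    },
    {
      "name": "config-read",
      "role": "role_monitoring"
    },
    {
      "name": "read",
      "role": "role_smsc"
    },
    {
      "name": "update",
      "role": "role_smsc"
    },
    {
      "name": "all",
      "role": "role_admin"
    }
  ]
}
```

With this in place, a request for `/admin/mbeans` as `nagios` should show the `monitoring-mbeans` permission in the `RuleBasedAuthorizationPlugin` log line instead of `all`.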
