On 3/9/2018 9:27 AM, Terry Steichen wrote:
> I'm trying to set up basic authentication/authorization with solr 6.6.0.
>
> The documentation says to create a security.json file and describes the
> content as:
>
> {
> "authentication":{
> "class":"solr.BasicAuthPlugin",
> "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
> Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
> },
> "authorization":{
> "class":"solr.RuleBasedAuthorizationPlugin",
> "permissions":[{"name":"security-edit",
> "role":"admin"}]
> "user-role":{"solr":"admin"}
> }}
>
> Does that mean to literally use exactly the above as the security.json
> content, or customize it (in some fashion)?
Initial disclaimer: I have never used the authentication plugins
myself. But I have seen what people on this mailing list get told when
they ask about it.
If you can figure out how to customize that file from the documentation
to do something that you need, then feel free to customize it. But see
info below about passwords.
> The documentation also mentions that the initial admin person is a user
> named "solr" with a password: "SolrRocks" What's unclear is whether that's
> the password on which the hash (in security.json) was created or what?
>
> What I can't figure out is whether the password hash is fixed, or whether it
> should be generated, and if so, how?
Last I checked, the Solr documentation does NOT explain how to create a
hash in security.json from a password. It does list the *type* of hash,
which is sha256, password+salt.
With a little bit of research and a lot of trial and error, it is
possible to figure out how to create a valid hash with a tool like openssl.
What some people have done to customize user/password is use that
'solr/SolrRocks' login to *create* another login using the
authentication API, then once they're sure everything's working, access
the API again with the new user to delete the well-documented user.
http://lucene.apache.org/solr/guide/7_2/basic-authentication-plugin.html#editing-authentication-plugin-configuration
> Also, some people on the web recommend altering the jetty xml files to do
> this - is it necessary too?
The servlet container (almost always Jetty if you're running version 5.0
or later) is capable of doing authentication, completely independently
of whatever software is running inside it. But configuring that
authentication involves customization of software that is completely
separate from Solr. The security.json method is a configuration for
Solr, which then programmatically configures the vanilla Jetty install
to do authentication.
Thanks,
Shawn
