On 3/9/2018 9:27 AM, Terry Steichen wrote: > I'm trying to set up basic authentication/authorization with solr 6.6.0. > > The documentation says to create a security.json file and describes the > content as: > > { > "authentication":{ > "class":"solr.BasicAuthPlugin", > "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= > Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="} > }, > "authorization":{ > "class":"solr.RuleBasedAuthorizationPlugin", > "permissions":[{"name":"security-edit", > "role":"admin"}] > "user-role":{"solr":"admin"} > }} > > Does that mean to literally use exactly the above as the security.json > content, or customize it (in some fashion)?
Initial disclaimer: I have never used the authentication plugins myself. But I have seen what people on this mailing list get told when they ask about it. If you can figure out how to customize that file from the documentation to do something that you need, then feel free to customize it. But see info below about passwords. > The documentation also mentions that the initial admin person is a user > named "solr" with a password: "SolrRocks" What's unclear is whether that's > the password on which the hash (in security.json) was created or what? > > What I can't figure out is whether the password hash is fixed, or whether it > should be generated, and if so, how? Last I checked, the Solr documentation does NOT explain how to create a hash in security.json from a password. It does list the *type* of hash, which is sha256, password+salt. With a little bit of research and a lot of trial and error, it is possible to figure out how to create a valid hash with a tool like openssl. What some people have done to customize user/password is use that 'solr/SolrRocks' login to *create* another login using the authentication API, then once they're sure everything's working, access the API again with the new user to delete the well-documented user. http://lucene.apache.org/solr/guide/7_2/basic-authentication-plugin.html#editing-authentication-plugin-configuration > Also, some people on the web recommend altering the jetty xml files to do > this - is it necessary too? The servlet container (almost always Jetty if you're running version 5.0 or later) is capable of doing authentication, completely independently of whatever software is running inside it. But configuring that authentication involves customization of software that is completely separate from Solr. The security.json method is a configuration for Solr, which then programmatically configures the vanilla Jetty install to do authentication. Thanks, Shawn