I switched solr from standalone to cloud and created the two collections
(emails1 and emails2). 

I was able to create a basic set of credentials via the curl-based
API's.  I could create users, and toggle the blockUnknown property
status. However, the system refused to allow me to delete a user, or to
set a permission. 

Here are the curl commands (with *terry:admin* as admin credentials) and

*succeeded in setting blockUnknown property (verified by
admin/authentication dump):*

curl --user terry:admin http://localhost:8983/solr/admin/authentication
-H 'Content-type:application/json' -d '{
  "set-property": {"blockUnknown" : true}}'

*succeeded in adding a user (verified by admin/authentication dump):*

curl --user terry:admin http://localhost:8983/solr/admin/authentication
-H 'Content-type:application/json' -d '{
>   "set-user": {"lanny" : "hawaii"}}'

*succeeded in changing lanny's password (verified by
admin/authentication dump):*

curl --user terry:admin http://localhost:8983/solr/admin/authentication
-H 'Content-type:application/json' -d '{
 "set-user": {"lanny" : "hawaii_five_o"}}'

*failed to delete a user:*

 curl --user terry:admin http://localhost:8983/solr/admin/authentication
-H 'Content-type:application/json' -d '{
 "delete-user": {"lanny"}}'

  "error":{ "msg":"Expected key,value separator ':': char=},position=26
BEFORE='{ \"delete-user\": {\"lanny\"}' AFTER='}'",
[terry here: plus a very long stack trace}

*failed to set a permission: *

curl --user terry:admin http://localhost:8983/solr/admin/authentication
-H 'Content-type:application/json' -d '{"set-permission" :
{"name":"collection-admin-edit", "role":"admin"}}'
      "errorMessages":["Unknown operation 'set-permission' "]}]}

This really makes no sense at all (or, I'm really losing it - always a
distinct possibility).  It's almost as if half of the documented
parameters must have been changed, though I can't find any references to
any such changes. 

I confess I'm about to just give up and find some other route to go. 


On 03/12/2018 11:15 PM, Shawn Heisey wrote:
> On 3/12/2018 8:39 PM, Terry Steichen wrote:
>> I'm increasingly of the view that Solr's authentication/authorization
>> mechanism doesn't work correctly in a _standalone_ mode.  It was present
>> in the cloud mode for quite a few versions back, but as of 6.0.0 (or so)
>> it was supposed to be available in standalone mode too.  It seems to
>> partly work (when using the built-in permissions), but does not seem to
>> work with customized, core-specific permissions.
> I suspected based on your last message that the authorization feature
> might only work correctly in SolrCloud.  The entire authentication
> feature was designed for SolrCloud.  Version 6.5 brought the
> security.json file to standalone mode.  This was LONG after the
> feature was introduced in 5.2 and had a LOT of bugs fixed in the three
> 5.3.x releases.
> I just found the section in the documentation confirming what I
> suspected.
> https://lucene.apache.org/solr/guide/7_2/authentication-and-authorization-plugins.html#authorization
> There is a note here that says "The authorization plugin is only
> supported in SolrCloud mode. Also, reloading the plugin isn’t yet
> supported and requires a restart of the Solr installation (meaning,
> the JVM should be restarted, not simply a core reload)."  The 6.6
> documentation contains the same note that you can see here in the
> latest docs.
> I have no idea how hard it would be to extend the authorization plugin
> to support standalone cores as well as collections.  I imagine that if
> it were easy, it would have been done already.
> Thanks,
> Shawn

Reply via email to