> *failed to delete a user:*
"delete-user" is expecting an array of users in the json, so the data
should be: {"delete-user": ["lanny"]}
> *failed to set a permission: *
There are separate endpoints for authorization and authentication. You
should use ".../solr/admin/authorization" for the permissions instead of
"../solr/admin/authentication"
https://lucene.apache.org/solr/guide/7_2/rule-based-authorization-plugin.html#manage-permissions
Disclaimer: I've never worked with 6.6, but I've not noticed any big
differences between the security for our 6.3 deployments and the 7.X ones.
Best,
Chris
On Tue, Mar 13, 2018 at 12:47 PM Terry Steichen <te...@net-frame.com> wrote:
> I switched solr from standalone to cloud and created the two collections
> (emails1 and emails2).
>
> I was able to create a basic set of credentials via the curl-based
> API's. I could create users, and toggle the blockUnknown property
> status. However, the system refused to allow me to delete a user, or to
> set a permission.
>
> Here are the curl commands (with *terry:admin* as admin credentials) and
> results:
>
> *succeeded in setting blockUnknown property (verified by
> admin/authentication dump):*
>
> curl --user terry:admin http://localhost:8983/solr/admin/authentication
> -H <http://localhost:8983/solr/admin/authentication-H>
> 'Content-type:application/json' -d '{
> "set-property": {"blockUnknown" : true}}'
>
> *succeeded in adding a user (verified by admin/authentication dump):*
>
> curl --user terry:admin http://localhost:8983/solr/admin/authentication
> -H <http://localhost:8983/solr/admin/authentication-H>
> 'Content-type:application/json' -d '{
> > "set-user": {"lanny" : "hawaii"}}'
>
> *succeeded in changing lanny's password (verified by
> admin/authentication dump):*
>
> curl --user terry:admin http://localhost:8983/solr/admin/authentication
> -H <http://localhost:8983/solr/admin/authentication-H>
> 'Content-type:application/json' -d '{
> "set-user": {"lanny" : "hawaii_five_o"}}'
>
> *failed to delete a user:*
>
> curl --user terry:admin http://localhost:8983/solr/admin/authentication
> -H <http://localhost:8983/solr/admin/authentication-H>
> 'Content-type:application/json' -d '{
> "delete-user": {"lanny"}}'
> {
> "responseHeader":{
> "status":500,
> "QTime":1},
>
> "error":{ "msg":"Expected key,value separator ':': char=},position=26
> BEFORE='{ \"delete-user\": {\"lanny\"}' AFTER='}'",
> [terry here: plus a very long stack trace}
>
> *failed to set a permission: *
>
> curl --user terry:admin http://localhost:8983/solr/admin/authentication
> -H <http://localhost:8983/solr/admin/authentication-H>
> 'Content-type:application/json' -d '{"set-permission" :
> {"name":"collection-admin-edit", "role":"admin"}}'
> {
> "responseHeader":{
> "status":0,
> "QTime":2},
> "errorMessages":[{
> "set-permission":{
> "name":"collection-admin-edit",
> "role":"admin"},
> "errorMessages":["Unknown operation 'set-permission' "]}]}
>
>
> This really makes no sense at all (or, I'm really losing it - always a
> distinct possibility). It's almost as if half of the documented
> parameters must have been changed, though I can't find any references to
> any such changes.
>
> I confess I'm about to just give up and find some other route to go.
>
> Terry
>
>
> On 03/12/2018 11:15 PM, Shawn Heisey wrote:
> > On 3/12/2018 8:39 PM, Terry Steichen wrote:
> >> I'm increasingly of the view that Solr's authentication/authorization
> >> mechanism doesn't work correctly in a _standalone_ mode. It was present
> >> in the cloud mode for quite a few versions back, but as of 6.0.0 (or so)
> >> it was supposed to be available in standalone mode too. It seems to
> >> partly work (when using the built-in permissions), but does not seem to
> >> work with customized, core-specific permissions.
> >
> > I suspected based on your last message that the authorization feature
> > might only work correctly in SolrCloud. The entire authentication
> > feature was designed for SolrCloud. Version 6.5 brought the
> > security.json file to standalone mode. This was LONG after the
> > feature was introduced in 5.2 and had a LOT of bugs fixed in the three
> > 5.3.x releases.
> >
> > I just found the section in the documentation confirming what I
> > suspected.
> >
> >
> https://lucene.apache.org/solr/guide/7_2/authentication-and-authorization-plugins.html#authorization
> >
> >
> > There is a note here that says "The authorization plugin is only
> > supported in SolrCloud mode. Also, reloading the plugin isn’t yet
> > supported and requires a restart of the Solr installation (meaning,
> > the JVM should be restarted, not simply a core reload)." The 6.6
> > documentation contains the same note that you can see here in the
> > latest docs.
> >
> > I have no idea how hard it would be to extend the authorization plugin
> > to support standalone cores as well as collections. I imagine that if
> > it were easy, it would have been done already.
> >
> > Thanks,
> > Shawn
> >
> >
>
>
