Chris, many, many thanks. From a quick check, those changes seem to work. I think I'm getting too old to differentiate between brackets and curly braces. I'll get back on track and see if I can (finally) set this up right.
What also puzzles me is that I can't find any "security.json" file. Clearly, solr is persistently keeping track of the authentication/authorization information, but I don't see where. I suppose it might be kept in zookeeper (which perhaps survives solr restarts - but I don't know). Any insights on that?

Terry

On 03/13/2018 01:01 PM, Chris Ulicny wrote:
>> *failed to delete a user:*
> "delete-user" is expecting an array of users in the json, so the data
> should be: {"delete-user": ["lanny"]}
>
>> *failed to set a permission: *
> There are separate endpoints for authorization and authentication. You
> should use ".../solr/admin/authorization" for the permissions instead of
> "../solr/admin/authentication"
> https://lucene.apache.org/solr/guide/7_2/rule-based-authorization-plugin.html#manage-permissions
>
> Disclaimer: I've never worked with 6.6, but I've not noticed any big
> differences between the security for our 6.3 deployments and the 7.X ones.
>
> Best,
> Chris
>
> On Tue, Mar 13, 2018 at 12:47 PM Terry Steichen <te...@net-frame.com> wrote:
>
>> I switched solr from standalone to cloud and created the two collections
>> (emails1 and emails2).
>>
>> I was able to create a basic set of credentials via the curl-based
>> APIs. I could create users, and toggle the blockUnknown property
>> status. However, the system refused to allow me to delete a user, or to
>> set a permission.
>>
>> Here are the curl commands (with *terry:admin* as admin credentials) and
>> results:
>>
>> *succeeded in setting blockUnknown property (verified by
>> admin/authentication dump):*
>>
>> curl --user terry:admin http://localhost:8983/solr/admin/authentication
>> -H 'Content-type:application/json' -d '{
>> "set-property": {"blockUnknown" : true}}'
>>
>> *succeeded in adding a user (verified by admin/authentication dump):*
>>
>> curl --user terry:admin http://localhost:8983/solr/admin/authentication
>> -H 'Content-type:application/json' -d '{
>> "set-user": {"lanny" : "hawaii"}}'
>>
>> *succeeded in changing lanny's password (verified by
>> admin/authentication dump):*
>>
>> curl --user terry:admin http://localhost:8983/solr/admin/authentication
>> -H 'Content-type:application/json' -d '{
>> "set-user": {"lanny" : "hawaii_five_o"}}'
>>
>> *failed to delete a user:*
>>
>> curl --user terry:admin http://localhost:8983/solr/admin/authentication
>> -H 'Content-type:application/json' -d '{
>> "delete-user": {"lanny"}}'
>> {
>> "responseHeader":{
>> "status":500,
>> "QTime":1},
>>
>> "error":{ "msg":"Expected key,value separator ':': char=},position=26
>> BEFORE='{ \"delete-user\": {\"lanny\"}' AFTER='}'",
>> [terry here: plus a very long stack trace}
>>
>> *failed to set a permission: *
>>
>> curl --user terry:admin http://localhost:8983/solr/admin/authentication
>> -H 'Content-type:application/json' -d '{"set-permission" :
>> {"name":"collection-admin-edit", "role":"admin"}}'
>> {
>> "responseHeader":{
>> "status":0,
>> "QTime":2},
>> "errorMessages":[{
>> "set-permission":{
>> "name":"collection-admin-edit",
>> "role":"admin"},
>> "errorMessages":["Unknown operation 'set-permission' "]}]}
>>
>> This really makes no sense at all (or, I'm really losing it - always a
>> distinct possibility). It's almost as if half of the documented
>> parameters must have been changed, though I can't find any references to
>> any such changes.
>>
>> I confess I'm about to just give up and find some other route to go.
>>
>> Terry
>>
>> On 03/12/2018 11:15 PM, Shawn Heisey wrote:
>>> On 3/12/2018 8:39 PM, Terry Steichen wrote:
>>>> I'm increasingly of the view that Solr's authentication/authorization
>>>> mechanism doesn't work correctly in a _standalone_ mode. It was present
>>>> in the cloud mode for quite a few versions back, but as of 6.0.0 (or so)
>>>> it was supposed to be available in standalone mode too. It seems to
>>>> partly work (when using the built-in permissions), but does not seem to
>>>> work with customized, core-specific permissions.
>>> I suspected based on your last message that the authorization feature
>>> might only work correctly in SolrCloud. The entire authentication
>>> feature was designed for SolrCloud. Version 6.5 brought the
>>> security.json file to standalone mode. This was LONG after the
>>> feature was introduced in 5.2 and had a LOT of bugs fixed in the three
>>> 5.3.x releases.
>>>
>>> I just found the section in the documentation confirming what I
>>> suspected.
>>>
>>> https://lucene.apache.org/solr/guide/7_2/authentication-and-authorization-plugins.html#authorization
>>>
>>> There is a note here that says "The authorization plugin is only
>>> supported in SolrCloud mode. Also, reloading the plugin isn’t yet
>>> supported and requires a restart of the Solr installation (meaning,
>>> the JVM should be restarted, not simply a core reload)." The 6.6
>>> documentation contains the same note that you can see here in the
>>> latest docs.
>>>
>>> I have no idea how hard it would be to extend the authorization plugin
>>> to support standalone cores as well as collections. I imagine that if
>>> it were easy, it would have been done already.
>>>
>>> Thanks,
>>> Shawn
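
An added example, not part of the thread and not Solr code: a pre-flight check that catches the two request mistakes discussed above (a command sent to the wrong security endpoint, and a value with the wrong JSON shape) before the request is sent. The `preflight` function and its tables are hypothetical names; the command list and value types are assumed from the 7.x reference guide linked in the thread.

```python
import json

# Commands documented for Solr's BasicAuthPlugin (authentication) and
# RuleBasedAuthorizationPlugin (authorization), with the JSON type each expects.
# Assumption: types follow the 7.x reference guide linked in the thread.
ENDPOINT_COMMANDS = {
    "/solr/admin/authentication": {
        "set-user": dict,          # {"user": "password"}
        "delete-user": list,       # ["user", ...]
        "set-property": dict,      # {"blockUnknown": true}
    },
    "/solr/admin/authorization": {
        "set-permission": dict,    # {"name": ..., "role": ...}
        "update-permission": dict,
        "delete-permission": int,  # index of the permission to remove
        "set-user-role": dict,     # {"user": ["role", ...]}
    },
}
JSON_NAMES = {dict: "object", list: "array", int: "number"}


def preflight(endpoint, body):
    """Return the problems found in a request body; an empty list means none."""
    commands = ENDPOINT_COMMANDS.get(endpoint)
    if commands is None:
        return [f"unknown security endpoint {endpoint!r}"]
    try:
        payload = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"body is not valid JSON: {exc.msg} at position {exc.pos}"]
    if not isinstance(payload, dict):
        return ["top level must be a JSON object of command/value pairs"]
    problems = []
    for name, value in payload.items():
        expected = commands.get(name)
        if expected is None:
            # The command belongs to the other endpoint, or is not known at all.
            owners = [ep for ep, cmds in ENDPOINT_COMMANDS.items() if name in cmds]
            hint = f"; send it to {owners[0]}" if owners else ""
            problems.append(f"{name!r} is not handled by {endpoint}{hint}")
        elif isinstance(value, bool) or not isinstance(value, expected):
            problems.append(f"{name!r} expects a JSON {JSON_NAMES[expected]}")
    return problems


if __name__ == "__main__":
    # Request bodies taken from the two failing commands in the thread.
    auth = "/solr/admin/authentication"
    print(preflight(auth, '{"delete-user": {"lanny"}}'))
    print(preflight(auth, '{"set-permission": {"name": "collection-admin-edit", "role": "admin"}}'))
```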