On 03/29/2018 11:07 PM, Shawn Heisey wrote:
> On 3/29/2018 8:28 PM, Terry Steichen wrote:
>> When I set up the initial authentications and authorizations (I'm using
>> 6.6.0 and running in cloud mode), I call "bin/solr auth enable
>> -credentials xxx:yyy".
>
> What does this command output?  There should definitely be something
> output when that command is run.  I don't know if it will be a lot of
> output or a little bit, but whatever it is, can you provide it?
*The output resembles the contents of security.json, except that there's
only one authenticated user, which is the one whose credentials are
supplied.  And there are only two permissions.*
>
>> I then use a series of additional API calls ( to
>> create additional users and permissions).  This creates my desired
>> security environment (and, BTW, it seems to function as it should).
>
> Can you elaborate on exactly what you did when you say "a series of
> additional API calls"?
*I issued the well-documented curl-based commands to create a user and
to create a permission.  Multiple times as needed.*
>
>> If I restart solr, it appears I must reactivate it with the same
>> 'bin/solr auth enable -credentials xxx:yyy' command.  But, it seems that
>> when solr is restarted this way, only the authorizations are retained
>> persistently.  But the authentications have to be created again from
>> scratch.
>
> Enabling the authentication when running in cloud mode should upload a
> "security.json" file to zookeeper.  It should also write some
> variables to your solr.in.sh file, so that future usage of the
> bin/solr tool can provide the authentication that is required.
*That's the essence of my question: yes, I think it should logically do
what you say, but I don't know if or how it does that.  I don't think it
loads security.json because I have to start from scratch no matter
what's in security.json, and no matter where I place that file.  I would
be happy if it did that because I could prepare a fine-tuned set of
authentications and permissions and reuse it each time.  I simply don't
know how to do that (or even if it can be done).*
>
> Thanks,
> Shawn
>
>
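
Added example, not part of the original thread and not Solr's own code: one way to prepare the reusable security.json discussed above, with several users, roles and permissions in a single file. It assumes the credential format of Solr's BasicAuthPlugin (base64 of SHA-256 applied twice over salt plus password, a space, then the base64 salt); the user names, passwords and roles are constructed sample values.

```python
import base64, hashlib, hmac, json, os

def solr_sha256(password, salt):
    """Salted double SHA-256 (assumed BasicAuthPlugin scheme): sha256(sha256(salt + password))."""
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(hashlib.sha256(inner).digest()).decode("ascii")

def credential_entry(password, salt=None):
    """Return the '<hash> <salt>' string stored under authentication.credentials."""
    salt = os.urandom(32) if salt is None else salt
    return solr_sha256(password, salt) + " " + base64.b64encode(salt).decode("ascii")

def verify(entry, password):
    """Check a password against a stored entry, using a constant-time comparison."""
    stored_hash, salt_b64 = entry.split(" ")
    candidate = solr_sha256(password, base64.b64decode(salt_b64))
    return hmac.compare_digest(stored_hash, candidate)

def build_security_json(users, user_roles, permissions):
    """users: name -> plaintext password; user_roles: name -> role or list of roles."""
    unknown = sorted(set(user_roles) - set(users))
    if unknown:
        # A role mapped to a user with no credentials can never authenticate.
        raise ValueError("roles assigned to users without credentials: %s" % unknown)
    return {
        "authentication": {
            "class": "solr.BasicAuthPlugin",
            "blockUnknown": True,  # reject requests that carry no credentials
            "credentials": {u: credential_entry(p) for u, p in users.items()},
        },
        "authorization": {
            "class": "solr.RuleBasedAuthorizationPlugin",
            "user-role": dict(user_roles),
            "permissions": list(permissions),
        },
    }

if __name__ == "__main__":
    # Constructed sample users; read real passwords from a prompt or secret store.
    doc = build_security_json(
        users={"admin": "change-me-1", "reader": "change-me-2"},
        user_roles={"admin": "admin", "reader": "reader"},
        permissions=[{"name": "security-edit", "role": "admin"},
                     {"name": "update", "role": "admin"},
                     {"name": "read", "role": ["admin", "reader"]}],
    )
    print(json.dumps(doc, indent=2))
```

In cloud mode the generated file can then be placed in ZooKeeper, for example with `bin/solr zk cp file:/path/to/security.json zk:/security.json -z <zkhost>`, where the path and ZooKeeper address are placeholders.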
