Fwd: Securing solr 5.2 basic auth permission rules

[Aziz Gaou]

Hi,

I try to follow:
https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin,
to protect Solr 5.2 Admin with password, but I have not been able to secure.

1) When I run the following command:

curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication
-H 'Content-type:application/json'-d '{
  "set-user": {"tom" : "TomIsCool" }}'

no update on the file security.json

2) I launched the following 2 commands:

curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization
-H 'Content-type:application/json'-d '{"set-permission": {
"name":"updates", "collection":"MyCollection", "role": "dev"}}'

curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization
-H 'Content-type:application/json' -d '{ "set-user-role": {"tom":["dev"}}'

always MyCollection is not protected.


thank you for your help.

Re: Securing solr 5.2 basic auth permission rules

[Aziz Gaou]

thank you so much for your reply

2015-09-16 18:58 GMT+00:00 Anshum Gupta :

> Basic authentication (and the API support, that you're trying to use) was
> only released with 5.3.0 so it wouldn't work with 5.2.
> 5.2 only had the authentication and authorization frameworks, and shipped
> with Kerberos authentication plugin out of the box.
>
> There are a few known issues with that though, and a 5.3.1 release is just
> around the corner.
>
> On Wed, Sep 16, 2015 at 10:11 AM, Aziz Gaou  wrote:
>
> > Hi,
> >
> > I try to follow:
> >
> >
> https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin
> > ,
> > to protect Solr 5.2 Admin with password, but I have not been able to
> > secure.
> >
> > 1) When I run the following command:
> >
> > curl --user solr:SolrRocks
> http://localhost:8983/solr/admin/authentication
> > -H 'Content-type:application/json'-d '{
> >   "set-user": {"tom" : "TomIsCool" }}'
> >
> > no update on the file security.json
> >
> > 2) I launched the following 2 commands:
> >
> > curl --user solr:SolrRocks
> http://localhost:8983/solr/admin/authorization
> > -H 'Content-type:application/json'-d '{"set-permission": {
> > "name":"updates", "collection":"MyCollection", "role": "dev"}}'
> >
> > curl --user solr:SolrRocks
> http://localhost:8983/solr/admin/authorization
> > -H 'Content-type:application/json' -d '{ "set-user-role":
> {"tom":["dev"}}'
> >
> > always MyCollection is not protected.
> >
> >
> > thank you for your help.
> >
>
>
>
> --
> Anshum Gupta
>

Re: Securing solr 5.2 basic auth permission rules

[Aziz Gaou]

thank you so much for your reply,

Now, i try to protect Apache Solr 5 admin with jetty, when I change

1) sudo nano /opt/solr/server/etc/webdefault.xml








  
Solr
/*
  
  
search-role
  



  BASIC
  Solr Realm




2) i changed too "*jetty.xml *
<https://gist.github.com/jstrassburg/9777027#file-jetty-xml> " and "
*realm.properties*
<https://gist.github.com/jstrassburg/9777027#file-realm-properties>"

3) the following message will appear on browser:

 - http://localhost:8983/solr/


HTTP ERROR: 503

Problem accessing /solr/. Reason:

Service Unavailable

--
*Powered by Jetty://*


Thanks for your help

2015-09-16 18:58 GMT+00:00 Anshum Gupta :

> Basic authentication (and the API support, that you're trying to use) was
> only released with 5.3.0 so it wouldn't work with 5.2.
> 5.2 only had the authentication and authorization frameworks, and shipped
> with Kerberos authentication plugin out of the box.
>
> There are a few known issues with that though, and a 5.3.1 release is just
> around the corner.
>
> On Wed, Sep 16, 2015 at 10:11 AM, Aziz Gaou  wrote:
>
> > Hi,
> >
> > I try to follow:
> >
> >
> https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin
> > ,
> > to protect Solr 5.2 Admin with password, but I have not been able to
> > secure.
> >
> > 1) When I run the following command:
> >
> > curl --user solr:SolrRocks
> http://localhost:8983/solr/admin/authentication
> > -H 'Content-type:application/json'-d '{
> >   "set-user": {"tom" : "TomIsCool" }}'
> >
> > no update on the file security.json
> >
> > 2) I launched the following 2 commands:
> >
> > curl --user solr:SolrRocks
> http://localhost:8983/solr/admin/authorization
> > -H 'Content-type:application/json'-d '{"set-permission": {
> > "name":"updates", "collection":"MyCollection", "role": "dev"}}'
> >
> > curl --user solr:SolrRocks
> http://localhost:8983/solr/admin/authorization
> > -H 'Content-type:application/json' -d '{ "set-user-role":
> {"tom":["dev"}}'
> >
> > always MyCollection is not protected.
> >
> >
> > thank you for your help.
> >
>
>
>
> --
> Anshum Gupta
>

Re: Securing solr 5.2 basic auth permission rules

[Aziz Gaou]

Hi,

Thank you Sanders for your quick reply,

I ty now to follow the steps

2015-09-17 19:37 GMT+00:00 Sanders, Marshall (AT - Atlanta) <
marshall.sand...@autotrader.com>:

> So the issue is that when it's stated that solr runs on jetty 9 what it
> really means is that it runs on 5% of jetty9 and the other 95% has been
> stripped out.  (WH!  It's only ~13 MB)
>
> You'll need to download the appropriate version of jetty and before
> starting up do the following
>
> 1. Copy modules/jaas.mod to the unpacked solr directory server/modules
> 2. Copy etc/jetty-jaas.xml to server/etc
> 3. Copy the jetty-jaas-.jar to server/lib
> 4. Call the following before starting solr: java -jar start.jar
> --add-to-startd=jaas
>
> Now when you start solr JAAS will be available and you should be able to
> configure it with all of the defaults that you would expect.
> http://www.eclipse.org/jetty/documentation/current/jaas-support.html
>
>
> I'll reiterate that I think it's a pretty bad decision to have stripped
> out the modules from the version of jetty shipped.  Especially since they
> won't be loaded into the classloader with the new jetty modules setup.
>
>
> Marshall Sanders
> Technical Lead – Software Engineer
> Autotrader.com
> 404-568-7130
>
> -Original Message-
> From: Sanders, Marshall (AT - Atlanta) [mailto:
> marshall.sand...@autotrader.com]
> Sent: Thursday, September 17, 2015 2:28 PM
> To: solr-user@lucene.apache.org
> Subject: RE: Securing solr 5.2 basic auth permission rules
>
> I'm actually trying to do something similar with 5.3
>
> We're in the process of upgrading from 4.10 and were previously using jaas
> to secure dih pages and a few others and had a config similar to what you
> described.
>
> The Error I get is the following (Might only visible when you change the
> log4j startup log level, I didn't check what the default log level is):
>
> 2015-09-17 11:19:10,121 [main] WARN  xml.XmlConfiguration Config error at
> 
>name="Name">SolrRealm name="LoginModuleName">multiloginmodule
>   
>
> From what I gather now with jetty 9 the modules have to be enabled
> individually:
> http://www.eclipse.org/jetty/documentation/current/startup-modules.html
>
> However: when I run
> java -jar start.jar --list-modules
>
> I only get a few modules as possibilities (server,http,https,ssl).  I
> tried adding the jetty-jaas jar for the version of jetty with 5.3 to /lib
> but I still am not able to figure out how to turn it on as it doesn't show
> up in the list.
>
> I'm much less familiar with jetty than I am with others so I'm still
> fumbling a bit here.  But it seems we need to:
>
> 1. Add the jetty-jaas.jar that's missing via an outside script  (Also note
> that if you want ldap you'll have to use an additional jar) 2. Execute the
> following (java -jar start.jar --add-to-startd=jaas) 3. Start the server
> (either with your own script or the new ./solr scripts)
>
> I've got the jar added, but either it's not in the right place (I've got
> it in /lib maybe it needs to be in /lib/ext?) or jetty needs to be
> configured to recognize it.
>
> Not sure what the thinking was behind the decision that only people
> running solr cloud would want authentication, or even how solr made it to
> 5.2 before adding anything in at all!
>
> We had all this working great in jetty8 solr versions but with the new
> jetty9 modules/classloaders it's proving a challenge.
>
> Marshall Sanders
> Technical Lead – Software Engineer
> Autotrader.com
> 404-568-7130
>
> -Original Message-
> From: Aziz Gaou [mailto:gaoua...@gmail.com]
> Sent: Thursday, September 17, 2015 5:55 AM
> To: solr-user@lucene.apache.org
> Subject: Re: Securing solr 5.2 basic auth permission rules
>
> thank you so much for your reply,
>
> Now, i try to protect Apache Solr 5 admin with jetty, when I change
>
> 1) sudo nano /opt/solr/server/etc/webdefault.xml
>
>
>  
>
> 
>
> 
>   
> Solr
> /*
>   
>   
> search-role
>   
> 
>
> 
>   BASIC
>   Solr Realm
> 
>
> 
>
> 2) i changed too "*jetty.xml *
> <https://gist.github.com/jstrassburg/9777027#file-jetty-xml> " and "
> *realm.properties*
> <https://gist.github.com/jstrassburg/9777027#file-realm-properties>"
>
> 3) the following message will appear on browser:
>
>  - http://localhost:8983/solr/
>
>
> HTTP ERROR: 503
>
> Problem accessing /solr/. Reason:
>
> Service Unavailable
>
> --
> *Powered b