"Although I'm not sure why you took this approach instead of supporting simple built-in basic auth and let us configure security the "old/easy" way"
Going with Jetty basic auth is not useful in a large enough cluster. Where do you store the credentials and how would you propagate it across the cluster. When you use Solr, you need a SOlr like way of managing that. The other problem is inter-node communication. How do you pass credentials along in that case "I'm guessing it has to do with future requirement of field/doc level security" Acutally that is an orthogonal requirement "I hope you can get rid of the war file soon and start promoting Solr as a set of libraries so one can easily embed/extend Solr" That is not what we have in mind. We want Solr to be a server which controls every aspect of its running . We should have the choice of getting rid of jetty or whatsoever and move to a new system. We only guarantee to interface/protocol to remain constant On Tue, Jul 28, 2015 at 2:19 AM, Fadi Mohsen <fadi.moh...@gmail.com> wrote: > Thank you, I tested providing my implementation of authentication in > security.json, uploaded file to ZK (just considering authentication), started > nodes and it worked like a charm. > > That required of course turning off Jetty basic auth. > > Although I'm not sure why you took this approach instead of supporting > simple built-in basic auth and let us configure security the "old/easy" way. > > I'm guessing it has to do with future requirement of field/doc level security. > > I hope you can get rid of the war file soon and start promoting Solr as a set > of libraries so one can easily embed/extend Solr, since some (especially me) > might consider command line ZK operations are not that "continues > delivery/automate everything/production" friendly. > > It's easy today to spin up a jetty and wire / point out resource classes or > wire up CXF alongside to get things playing, but I'm probably missing out of > other things since I see many mails usually in consensus of not embedding and > rather want people to consider Solr as a stand-alone service, not sure why! > I'm probably getting out of context here. > > Regards > >> On 27 Jul 2015, at 13:17, Noble Paul <noble.p...@gmail.com> wrote: >> >> Q.do you know when it would be released? >> 5.3 will be released in another 3-4 weeks . >> >> Q.Are there any requirements of ZK authentication must be there as well? >> NO >> >> bq.Providing my own security.json + class/implementation to verify >> user/pass should work today with 5.2, right? >> >> Yes. But, if you modify your credentials or anything in that JSON, you >> will have to restart all your nodes . >> >> Q.SOLR-7274 pluggable security is already in 5.2 (my requirement is to >> provide user/pass in a secure manner, not as argument on cmd or from >> (our unsecured) ZK but from a configuration restful service, >> >> I'm not clear what your question is. Basic Auth is a well-known >> standard. We are just implementing that standard. We store all >> credentials & permissions in ZK . That means it is only as secure as >> your ZK . As long as nobody can write to ZK, your system is safe >> >>> On Wed, Jul 22, 2015 at 11:10 PM, Fadi Mohsen <fadi.moh...@gmail.com> wrote: >>> Hi, I have some questions regarding basic auth and proper support in 5.3: >>> >>> do you know when it would be released? >>> >>> Are there any requirements of ZK authentication must be there as well? >>> >>> Do we store the user/pass in ZK? >>> >>> SOLR-7274 pluggable security is already in 5.2 (my requirement is to >>> provide user/pass in a secure manner, not as argument on cmd or from (our >>> unsecured) ZK but from a configuration restful service, >>> I'm not sure 5.3 release would fit above requirement, can you reflect on >>> this? >>> >>> Providing my own security.json + class/implementation to verify user/pass >>> should work today with 5.2, right? >>> >>> Thanks >>> Fadi >>> >>>> On 22 Jul 2015, at 14:33, Noble Paul <noble.p...@gmail.com> wrote: >>>> >>>> Solr 5.3 is coming with proper basic auth support >>>> >>>> >>>> https://issues.apache.org/jira/browse/SOLR-7692 >>>> >>>>> On Wed, Jul 22, 2015 at 5:28 PM, Peter Sturge <peter.stu...@gmail.com> >>>>> wrote: >>>>> if you're using Jetty you can use the standard realms mechanism for Basic >>>>> Auth, and it works the same on Windows or UNIX. There's plenty of docs on >>>>> the Jetty site about getting this working, although it does vary somewhat >>>>> depending on the version of Jetty you're running (N.B. I would suggest >>>>> using Jetty 9, and not 8, as 8 is missing some key authentication >>>>> classes). >>>>> If, when you execute a search query to your Solr instance you get a >>>>> username and password popup, then Jetty's auth is setup. If you don't then >>>>> something's wrong in the Jetty config. >>>>> >>>>> it's worth noting that if you're doing distributed searches Basic Auth on >>>>> its own will not work for you. This is because Solr sends distributed >>>>> requests to remote instances on behalf of the user, and it has no >>>>> knowledge >>>>> of the web container's auth mechanics. We got 'round this by customizing >>>>> Solr to receive credentials and use them for authentication to remote >>>>> instances - SOLR-1861 is an old implementation for a previous release, and >>>>> there has been some significant refactoring of SearchHandler since then, >>>>> but the concept works well for distributed queries. >>>>> >>>>> Thanks, >>>>> Peter >>>>> >>>>> >>>>> >>>>>> On Wed, Jul 22, 2015 at 11:18 AM, O. Klein <kl...@octoweb.nl> wrote: >>>>>> >>>>>> Steven White wrote >>>>>>> Thanks for updating the wiki page. However, my issue remains, I cannot >>>>>>> get >>>>>>> Basic auth working. Has anyone got it working, on Windows? >>>>>> >>>>>> Doesn't work for me on Linux either. >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> View this message in context: >>>>>> http://lucene.472066.n3.nabble.com/Basic-auth-tp4218053p4218519.html >>>>>> Sent from the Solr - User mailing list archive at Nabble.com. >>>> >>>> >>>> >>>> -- >>>> ----------------------------------------------------- >>>> Noble Paul >> >> >> >> -- >> ----------------------------------------------------- >> Noble Paul -- ----------------------------------------------------- Noble Paul
