Hi,

I’m trying to use the new basic auth plugin for Solr 5.3 and it doesn’t seem to 
be working quite right.  Not sure if I’m missing steps or there is a bug.  I am 
able to get it to protect access to a URL under a collection, but am unable to 
get it to secure access to the Admin UI.  In addition, after stopping the Solr 
and Zookeeper instances, the security.json is still in Zookeeper, however Solr 
is allowing access to everything again like the security configuration isn’t in 
place.

Contents of security.json taken from wiki page, but edited to produce valid 
JSON.  Had to move comma after 3rd from last “}” up to just after the last “]”.

{
"authentication":{
   "class":"solr.BasicAuthPlugin",
   "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
},
"authorization":{
   "class":"solr.RuleBasedAuthorizationPlugin",
   "permissions":[{"name":"security-edit",
      "role":"admin"}],
   "user-role":{"solr":"admin"}
}}

Here are the steps I followed:

Upload security.json to zookeeper
./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile \
  /security.json ~/solr/security.json

Use zkCli.sh from Zookeeper to ensure the security.json is in Zookeeper at 
/security.json.  It is there and looks like what was originally uploaded.

Start Solr Instances

Attempt to create a permission, however get the following error:
{
  "responseHeader":{
    "status":400,
    "QTime":0},
  "error":{
    "msg":"No authorization plugin configured",
    "code":400}}

Upload security.json again.
./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile \
  /security.json ~/solr/security.json

Issue the following to try to create the permission again and this time it’s 
successful.
# Create a permission for mysearch endpoint
curl --user solr:SolrRocks -H 'Content-type:application/json' \
  -d '{"set-permission": {"name":"mycollection-search","collection": "mycollection","path":"/mysearch","role": "search-user"}}' \
  http://localhost:8983/solr/admin/authorization

{
  "responseHeader":{
    "status":0,
    "QTime":7}}
        
Issue the following commands to add users
curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication \
  -H 'Content-type:application/json' -d '{"set-user": {"admin" : "password" }}'
curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication \
  -H 'Content-type:application/json' -d '{"set-user": {"user" : "password" }}'

Issue the following command to add permission to users
curl -u solr:SolrRocks -H 'Content-type:application/json' \
  -d '{ "set-user-role" : {"admin": ["search-user", "admin"]}}' \
  http://localhost:8983/solr/admin/authorization
curl -u solr:SolrRocks -H 'Content-type:application/json' \
  -d '{ "set-user-role" : {"user": ["search-user"]}}' \
  http://localhost:8983/solr/admin/authorization

After executing the above, access to /mysearch is protected until I restart the 
Solr and Zookeeper instances.  However, the admin UI is never protected like 
the Wiki page says it should be once activated.

https://cwiki.apache.org/confluence/display/solr/Rule-Based+Authorization+Plugin

Why does the authentication and authorization plugin not stay activated after 
restart and why is the Admin UI never protected?  Am I missing any steps?

Thanks,
Kevin
