Anyone else running into any issues trying to get the authentication and authorization plugins in 5.3 working?
> On Aug 29, 2015, at 2:30 AM, Kevin Lee <kgle...@yahoo.com.INVALID> wrote:
>
> Hi,
>
> I’m trying to use the new basic auth plugin for Solr 5.3 and it doesn’t seem
> to be working quite right. Not sure if I’m missing steps or there is a bug.
> I am able to get it to protect access to a URL under a collection, but am
> unable to get it to secure access to the Admin UI. In addition, after
> stopping the Solr and Zookeeper instances, the security.json is still in
> Zookeeper, however Solr is allowing access to everything again like the
> security configuration isn’t in place.
>
> Contents of security.json taken from wiki page, but edited to produce valid
> JSON. Had to move comma after 3rd from last “}” up to just after the last
> “]”.
>
> {
>   "authentication":{
>     "class":"solr.BasicAuthPlugin",
>     "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
>   },
>   "authorization":{
>     "class":"solr.RuleBasedAuthorizationPlugin",
>     "permissions":[{"name":"security-edit",
>       "role":"admin"}],
>     "user-role":{"solr":"admin"}
> }}
>
> Here are the steps I followed:
>
> Upload security.json to zookeeper
> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile /security.json ~/solr/security.json
>
> Use zkCli.sh from Zookeeper to ensure the security.json is in Zookeeper at
> /security.json. It is there and looks like what was originally uploaded.
>
> Start Solr Instances
>
> Attempt to create a permission, however get the following error:
> {
>   "responseHeader":{
>     "status":400,
>     "QTime":0},
>   "error":{
>     "msg":"No authorization plugin configured",
>     "code":400}}
>
> Upload security.json again.
> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile /security.json ~/solr/security.json
>
> Issue the following to try to create the permission again and this time it’s
> successful.
>
> # Create a permission for mysearch endpoint
> curl --user solr:SolrRocks -H 'Content-type:application/json' -d '{"set-permission": {"name":"mycollection-search","collection": "mycollection","path":"/mysearch","role": "search-user"}}' http://localhost:8983/solr/admin/authorization
>
> {
>   "responseHeader":{
>     "status":0,
>     "QTime":7}}
>
> Issue the following commands to add users
> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{"set-user": {"admin" : "password" }}'
> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{"set-user": {"user" : "password" }}'
>
> Issue the following command to add permission to users
> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{ "set-user-role" : {"admin": ["search-user", "admin"]}}' http://localhost:8983/solr/admin/authorization
> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{ "set-user-role" : {"user": ["search-user"]}}' http://localhost:8983/solr/admin/authorization
>
> After executing the above, access to /mysearch is protected until I restart
> the Solr and Zookeeper instances. However, the admin UI is never protected
> like the Wiki page says it should be once activated.
>
> https://cwiki.apache.org/confluence/display/solr/Rule-Based+Authorization+Plugin
>
> Why does the authentication and authorization plugin not stay activated after
> restart and why is the Admin UI never protected? Am I missing any steps?
>
> Thanks,
> Kevin