I'm investigating why restarts or first time start does not read the security.json
On Tue, Sep 1, 2015 at 1:00 PM, Noble Paul <noble.p...@gmail.com> wrote:
> I removed that statement
>
> "If activating the authorization plugin doesn't protect the admin ui,
> how does one protect access to it?"
>
> One does not need to protect the admin UI. You only need to protect
> the relevant API calls. I mean it's OK to not protect the CSS and
> HTML stuff. But if you perform an action to create a core or do a
> query through admin UI, it automatically will prompt you for
> credentials (if those APIs are protected)
>
> On Tue, Sep 1, 2015 at 12:41 PM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
>> Thanks for the clarification!
>>
>> So is the wiki page incorrect at
>> https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin
>> which says that the admin ui will require authentication once the
>> authorization plugin is activated?
>>
>> "An authorization plugin is also available to configure Solr with
>> permissions to perform various activities in the system. Once activated,
>> access to the Solr Admin UI and all requests will need to be authenticated
>> and users will be required to have the proper authorization for all
>> requests, including using the Admin UI and making any API calls."
>>
>> If activating the authorization plugin doesn't protect the admin ui, how
>> does one protect access to it?
>>
>> Also, the issue I'm having is not just at restart. According to the docs
>> security.json should be uploaded to Zookeeper before starting any of the
>> Solr instances. However, I tried to upload security.json before starting
>> any of the Solr instances, but it would not pick up the security config
>> until after the Solr instances are already running and then uploading the
>> security.json again.
>> I can see in the logs at startup that the Solr
>> instances don't see any plugin enabled even though security.json is already
>> in zookeeper and then after they are started and the security.json is
>> uploaded again I see it reconfigure to use the plugin.
>>
>> Thanks,
>> Kevin
>>
>>> On Aug 31, 2015, at 11:22 PM, Noble Paul <noble.p...@gmail.com> wrote:
>>>
>>> Admin UI is not protected by any of these permissions. Only if you try
>>> to perform a protected operation, it asks for a password.
>>>
>>> I'll investigate the restart problem and report my findings
>>>
>>>> On Tue, Sep 1, 2015 at 3:10 AM, Kevin Lee <kgle...@yahoo.com.invalid>
>>>> wrote:
>>>> Anyone else running into any issues trying to get the authentication and
>>>> authorization plugins in 5.3 working?
>>>>
>>>>> On Aug 29, 2015, at 2:30 AM, Kevin Lee <kgle...@yahoo.com.INVALID> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I’m trying to use the new basic auth plugin for Solr 5.3 and it doesn’t
>>>>> seem to be working quite right. Not sure if I’m missing steps or there
>>>>> is a bug. I am able to get it to protect access to a URL under a
>>>>> collection, but am unable to get it to secure access to the Admin UI. In
>>>>> addition, after stopping the Solr and Zookeeper instances, the
>>>>> security.json is still in Zookeeper, however Solr is allowing access to
>>>>> everything again like the security configuration isn’t in place.
>>>>>
>>>>> Contents of security.json taken from wiki page, but edited to produce
>>>>> valid JSON. Had to move comma after 3rd from last “}” up to just after
>>>>> the last “]”.
>>>>>
>>>>> {
>>>>> "authentication":{
>>>>>   "class":"solr.BasicAuthPlugin",
>>>>>   "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
>>>>> },
>>>>> "authorization":{
>>>>>   "class":"solr.RuleBasedAuthorizationPlugin",
>>>>>   "permissions":[{"name":"security-edit",
>>>>>     "role":"admin"}],
>>>>>   "user-role":{"solr":"admin"}
>>>>> }}
>>>>>
>>>>> Here are the steps I followed:
>>>>>
>>>>> Upload security.json to zookeeper
>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile /security.json ~/solr/security.json
>>>>>
>>>>> Use zkCli.sh from Zookeeper to ensure the security.json is in Zookeeper
>>>>> at /security.json. It is there and looks like what was originally
>>>>> uploaded.
>>>>>
>>>>> Start Solr Instances
>>>>>
>>>>> Attempt to create a permission, however get the following error:
>>>>> {
>>>>> "responseHeader":{
>>>>>   "status":400,
>>>>>   "QTime":0},
>>>>> "error":{
>>>>>   "msg":"No authorization plugin configured",
>>>>>   "code":400}}
>>>>>
>>>>> Upload security.json again.
>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile /security.json ~/solr/security.json
>>>>>
>>>>> Issue the following to try to create the permission again and this time
>>>>> it’s successful.
>>>>> // Create a permission for mysearch endpoint
>>>>> curl --user solr:SolrRocks -H 'Content-type:application/json' -d '{"set-permission": {"name":"mycollection-search","collection": "mycollection","path":"/mysearch","role": "search-user"}}' http://localhost:8983/solr/admin/authorization
>>>>>
>>>>> {
>>>>> "responseHeader":{
>>>>>   "status":0,
>>>>>   "QTime":7}}
>>>>>
>>>>> Issue the following commands to add users
>>>>> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{"set-user": {"admin" : "password" }}'
>>>>> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{"set-user": {"user" : "password" }}'
>>>>>
>>>>> Issue the following command to add permission to users
>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{ "set-user-role" : {"admin": ["search-user", "admin"]}}' http://localhost:8983/solr/admin/authorization
>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{ "set-user-role" : {"user": ["search-user"]}}' http://localhost:8983/solr/admin/authorization
>>>>>
>>>>> After executing the above, access to /mysearch is protected until I
>>>>> restart the Solr and Zookeeper instances. However, the admin UI is never
>>>>> protected like the Wiki page says it should be once activated.
>>>>>
>>>>> https://cwiki.apache.org/confluence/display/solr/Rule-Based+Authorization+Plugin
>>>>>
>>>>> Why does the authentication and authorization plugin not stay activated
>>>>> after restart and why is the Admin UI never protected? Am I missing any
>>>>> steps?
>>>>>
>>>>> Thanks,
>>>>> Kevin
>>>
>>>
>>>
>>> --
>>> -----------------------------------------------------
>>> Noble Paul
>
>
>
> --
> -----------------------------------------------------
> Noble Paul

--
-----------------------------------------------------
Noble Paul
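
A pre-upload check for the security.json discussed in this thread, added here as an example; it is not part of the original messages and not Solr code. The function names are hypothetical, the credential format (two base64 fields separated by a space) is inferred from the sample in the thread, and the cross-reference checks are lint rules of this example rather than Solr behaviour.

```python
import base64
import json

def as_list(v):
    return v if isinstance(v, list) else [v]

def check_security_json(text):
    """Return a list of problems found in a security.json document."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"invalid JSON at line {e.lineno}, column {e.colno}: {e.msg}"]
    problems = []
    authn = cfg.get("authentication", {})
    authz = cfg.get("authorization", {})
    for name, block in (("authentication", authn), ("authorization", authz)):
        if not block.get("class"):
            problems.append(f"{name}: no plugin class set")
    # Assumption: each credential is two base64 fields separated by a space.
    creds = authn.get("credentials", {})
    for user, value in creds.items():
        parts = value.split()
        try:
            ok = len(parts) == 2 and all(base64.b64decode(p, validate=True) for p in parts)
        except ValueError:
            ok = False
        if not ok:
            problems.append(f"credentials[{user}]: expected two base64 fields")
    # Lint rules (not Solr behaviour): users and roles must resolve.
    user_roles = authz.get("user-role", {})
    for user in user_roles:
        if user not in creds:
            problems.append(f"user-role[{user}]: user has no credentials")
    held = {r for roles in user_roles.values() for r in as_list(roles)}
    for perm in authz.get("permissions", []):
        for role in as_list(perm.get("role", [])):
            if role not in held:
                problems.append(f"permission {perm.get('name')}: no user holds role {role}")
    return problems

# The security.json posted in the thread.
THREAD_CONFIG = """{
"authentication":{"class":"solr.BasicAuthPlugin",
  "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}},
"authorization":{"class":"solr.RuleBasedAuthorizationPlugin",
  "permissions":[{"name":"security-edit", "role":"admin"}],
  "user-role":{"solr":"admin"}}}"""
# Constructed broken variant: the comma after the permissions list is missing.
BROKEN = THREAD_CONFIG.replace('"role":"admin"}],', '"role":"admin"}]')
```

Running it on the file before `putfile` catches a misplaced comma like the one in the wiki sample, and flags a permission whose role no user holds yet.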