Looks like there is a bug in that. On start/restart the security.json is not loaded.
I shall open a ticket.

https://issues.apache.org/jira/browse/SOLR-8000

On Tue, Sep 1, 2015 at 1:01 PM, Noble Paul <noble.p...@gmail.com> wrote:
> I'm investigating why restarts or first time start does not read the
> security.json
>
> On Tue, Sep 1, 2015 at 1:00 PM, Noble Paul <noble.p...@gmail.com> wrote:
>> I removed that statement
>>
>> "If activating the authorization plugin doesn't protect the admin ui,
>> how does one protect access to it?"
>>
>> One does not need to protect the admin UI. You only need to protect
>> the relevant API calls. I mean it's OK to not protect the CSS and
>> HTML stuff. But if you perform an action to create a core or do a
>> query through admin UI, it automatically will prompt you for
>> credentials (if those APIs are protected)
>>
>> On Tue, Sep 1, 2015 at 12:41 PM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
>>> Thanks for the clarification!
>>>
>>> So is the wiki page incorrect at
>>> https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin
>>> which says that the admin ui will require authentication once the
>>> authorization plugin is activated?
>>>
>>> "An authorization plugin is also available to configure Solr with
>>> permissions to perform various activities in the system. Once activated,
>>> access to the Solr Admin UI and all requests will need to be authenticated
>>> and users will be required to have the proper authorization for all
>>> requests, including using the Admin UI and making any API calls."
>>>
>>> If activating the authorization plugin doesn't protect the admin ui, how
>>> does one protect access to it?
>>>
>>> Also, the issue I'm having is not just at restart. According to the docs
>>> security.json should be uploaded to Zookeeper before starting any of the
>>> Solr instances. However, I tried to upload security.json before starting
>>> any of the Solr instances, but it would not pick up the security config
>>> until after the Solr instances are already running and then uploading the
>>> security.json again. I can see in the logs at startup that the Solr
>>> instances don't see any plugin enabled even though security.json is already
>>> in zookeeper and then after they are started and the security.json is
>>> uploaded again I see it reconfigure to use the plugin.
>>>
>>> Thanks,
>>> Kevin
>>>
>>>> On Aug 31, 2015, at 11:22 PM, Noble Paul <noble.p...@gmail.com> wrote:
>>>>
>>>> Admin UI is not protected by any of these permissions. Only if you try
>>>> to perform a protected operation, it asks for a password.
>>>>
>>>> I'll investigate the restart problem and report my findings
>>>>
>>>>> On Tue, Sep 1, 2015 at 3:10 AM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
>>>>> Anyone else running into any issues trying to get the authentication and
>>>>> authorization plugins in 5.3 working?
>>>>>
>>>>>> On Aug 29, 2015, at 2:30 AM, Kevin Lee <kgle...@yahoo.com.INVALID> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I’m trying to use the new basic auth plugin for Solr 5.3 and it doesn’t
>>>>>> seem to be working quite right. Not sure if I’m missing steps or there
>>>>>> is a bug. I am able to get it to protect access to a URL under a
>>>>>> collection, but am unable to get it to secure access to the Admin UI.
>>>>>> In addition, after stopping the Solr and Zookeeper instances, the
>>>>>> security.json is still in Zookeeper, however Solr is allowing access to
>>>>>> everything again like the security configuration isn’t in place.
>>>>>>
>>>>>> Contents of security.json taken from wiki page, but edited to produce
>>>>>> valid JSON. Had to move comma after 3rd from last “}” up to just after
>>>>>> the last “]”.
>>>>>>
>>>>>> {
>>>>>> "authentication":{
>>>>>>   "class":"solr.BasicAuthPlugin",
>>>>>>   "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
>>>>>> },
>>>>>> "authorization":{
>>>>>>   "class":"solr.RuleBasedAuthorizationPlugin",
>>>>>>   "permissions":[{"name":"security-edit",
>>>>>>     "role":"admin"}],
>>>>>>   "user-role":{"solr":"admin"}
>>>>>> }}
>>>>>>
>>>>>> Here are the steps I followed:
>>>>>>
>>>>>> Upload security.json to zookeeper
>>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile \
>>>>>> /security.json ~/solr/security.json
>>>>>>
>>>>>> Use zkCli.sh from Zookeeper to ensure the security.json is in Zookeeper
>>>>>> at /security.json. It is there and looks like what was originally
>>>>>> uploaded.
>>>>>>
>>>>>> Start Solr Instances
>>>>>>
>>>>>> Attempt to create a permission, however get the following error:
>>>>>> {
>>>>>>   "responseHeader":{
>>>>>>     "status":400,
>>>>>>     "QTime":0},
>>>>>>   "error":{
>>>>>>     "msg":"No authorization plugin configured",
>>>>>>     "code":400}}
>>>>>>
>>>>>> Upload security.json again.
>>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile \
>>>>>> /security.json ~/solr/security.json
>>>>>>
>>>>>> Issue the following to try to create the permission again and this time
>>>>>> it’s successful.
>>>>>>
>>>>>> # Create a permission for mysearch endpoint
>>>>>> curl --user solr:SolrRocks -H 'Content-type:application/json' \
>>>>>> -d '{"set-permission": {"name":"mycollection-search","collection":
>>>>>> "mycollection","path":"/mysearch","role": "search-user"}}' \
>>>>>> http://localhost:8983/solr/admin/authorization
>>>>>>
>>>>>> {
>>>>>>   "responseHeader":{
>>>>>>     "status":0,
>>>>>>     "QTime":7}}
>>>>>>
>>>>>> Issue the following commands to add users
>>>>>> curl --user solr:SolrRocks \
>>>>>> http://localhost:8983/solr/admin/authentication -H \
>>>>>> 'Content-type:application/json' -d '{"set-user": {"admin" : "password"
>>>>>> }}'
>>>>>> curl --user solr:SolrRocks \
>>>>>> http://localhost:8983/solr/admin/authentication -H \
>>>>>> 'Content-type:application/json' -d '{"set-user": {"user" : "password" }}'
>>>>>>
>>>>>> Issue the following command to add permission to users
>>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{
>>>>>> "set-user-role" : {"admin": ["search-user", "admin"]}}' \
>>>>>> http://localhost:8983/solr/admin/authorization
>>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{
>>>>>> "set-user-role" : {"user": ["search-user"]}}' \
>>>>>> http://localhost:8983/solr/admin/authorization
>>>>>>
>>>>>> After executing the above, access to /mysearch is protected until I
>>>>>> restart the Solr and Zookeeper instances. However, the admin UI is
>>>>>> never protected like the Wiki page says it should be once activated.
>>>>>>
>>>>>> https://cwiki.apache.org/confluence/display/solr/Rule-Based+Authorization+Plugin
>>>>>>
>>>>>> Why does the authentication and authorization plugin not stay activated
>>>>>> after restart and why is the Admin UI never protected? Am I missing any
>>>>>> steps?
>>>>>>
>>>>>> Thanks,
>>>>>> Kevin
>>>>
>>>> --
>>>> -----------------------------------------------------
>>>> Noble Paul
>>
>> --
>> -----------------------------------------------------
>> Noble Paul
>
> --
> -----------------------------------------------------
> Noble Paul

--
-----------------------------------------------------
Noble Paul
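
Added example, not part of the thread and not Solr's own code: a lint to run on security.json before uploading it to Zookeeper, covering the invalid JSON Kevin had to fix by hand plus users and roles that are referenced but never defined. The function names and the credential layout it checks (base64 SHA-256 hash, whitespace, base64 salt) are assumptions of this example.

```python
import base64
import json

# Constructed input: the security.json quoted in the thread.
SECURITY_JSON = """{
 "authentication":{"class":"solr.BasicAuthPlugin",
   "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}},
 "authorization":{"class":"solr.RuleBasedAuthorizationPlugin",
   "permissions":[{"name":"security-edit","role":"admin"}],
   "user-role":{"solr":"admin"}}}"""

def _b64_len(token):
    """Decoded length of a strict base64 token, or -1 if it is not base64."""
    try:
        return len(base64.b64decode(token, validate=True))
    except ValueError:
        return -1

def _as_list(value):
    """Roles may be written as a single string or as a list."""
    return value if isinstance(value, list) else ([value] if value else [])

def lint_security_json(text):
    """Return a list of problems; an empty list means no problem was found."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON (line {exc.lineno}, col {exc.colno}): {exc.msg}"]
    problems = []
    authn, authz = cfg.get("authentication", {}), cfg.get("authorization", {})
    for name, section in (("authentication", authn), ("authorization", authz)):
        if not section.get("class"):
            problems.append(f"{name}: no plugin class configured")
    creds = authn.get("credentials", {})
    for user, value in creds.items():
        parts = value.split()
        # Assumed layout: "<base64 SHA-256 hash> <base64 salt>"
        if len(parts) != 2 or _b64_len(parts[0]) != 32 or _b64_len(parts[1]) < 1:
            problems.append(f"credentials[{user}]: not '<hash> <salt>' in base64")
    user_roles = authz.get("user-role", {})
    held = {r for roles in user_roles.values() for r in _as_list(roles)}
    for user in user_roles:
        if user not in creds:
            problems.append(f"user-role[{user}]: user has no credentials")
    for perm in authz.get("permissions", []):
        for role in _as_list(perm.get("role")):
            if role not in held:
                problems.append(f"permission {perm.get('name')}: role '{role}' held by no user")
    return problems
```

An empty result only says the file is well-formed and self-consistent; whether a running node actually loaded it still has to be confirmed against the node, as the thread shows.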