I’ve found that completely exiting Chrome or Firefox and opening it back up re-prompts for credentials when they are required. It was re-prompting with the /browse path where authentication was working each time I completely exited and started the browser again, however it won’t re-prompt unless you exit completely and close all running instances so I closed all instances each time to test.
However, to make sure I ran it via the command line via curl as suggested and it still does not give any authentication error when trying to issue the command via curl. I get a success response from all the Solr instances that the reload was successful. Not sure why the pre-canned permissions aren’t working, but the one to the request handler at the /browse path is.

> On Sep 1, 2015, at 11:03 PM, Noble Paul <noble.p...@gmail.com> wrote:
>
> " However, after uploading the new security.json and restarting the
> web browser,"
>
> The browser remembers your login, so it is unlikely to prompt for the
> credentials again.
>
> Why don't you try the RELOAD operation using command line (curl)?
>
> On Tue, Sep 1, 2015 at 10:31 PM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
>> The restart issues aside, I’m trying to lock down usage of the Collections
>> API, but that also does not seem to be working either.
>>
>> Here is my security.json. I’m using the “collection-admin-edit” permission
>> and assigning it to the “adminRole”. However, after uploading the new
>> security.json and restarting the web browser, it doesn’t seem to be
>> requiring credentials when calling the RELOAD action on the Collections API.
>> The only thing that seems to work is the custom permission “browse” which
>> is requiring authentication before allowing me to pull up the page. Am I
>> using the permissions correctly for the RuleBasedAuthorizationPlugin?
>>
>> {
>>   "authentication":{
>>     "class":"solr.BasicAuthPlugin",
>>     "credentials": {
>>       "admin":"<pass> <salt>",
>>       "user": "<pass> <salt>"
>>     }
>>   },
>>   "authorization":{
>>     "class":"solr.RuleBasedAuthorizationPlugin",
>>     "permissions": [
>>       {
>>         "name":"security-edit",
>>         "role":"adminRole"
>>       },
>>       {
>>         "name":"collection-admin-edit",
>>         "role":"adminRole"
>>       },
>>       {
>>         "name":"browse",
>>         "collection": "inventory",
>>         "path": "/browse",
>>         "role":"browseRole"
>>       }
>>     ],
>>     "user-role": {
>>       "admin": [
>>         "adminRole",
>>         "browseRole"
>>       ],
>>       "user": [
>>         "browseRole"
>>       ]
>>     }
>>   }
>> }
>>
>> Also tried adding the permission using the Authorization API, but no effect,
>> still isn’t protecting the Collections API from being invoked without a
>> username password. I do see in the Solr logs that it sees the updates
>> because it outputs the messages “Updating /security.json …”, “Security node
>> changed”, “Initializing authorization plugin:
>> solr.RuleBasedAuthorizationPlugin” and “Authentication plugin class obtained
>> from ZK: solr.BasicAuthPlugin”.
>>
>> Thanks,
>> Kevin
>>
>>> On Sep 1, 2015, at 12:31 AM, Noble Paul <noble.p...@gmail.com> wrote:
>>>
>>> I'm investigating why restarts or first time start does not read the
>>> security.json
>>>
>>> On Tue, Sep 1, 2015 at 1:00 PM, Noble Paul <noble.p...@gmail.com> wrote:
>>>> I removed that statement
>>>>
>>>> "If activating the authorization plugin doesn't protect the admin ui,
>>>> how does one protect access to it?"
>>>>
>>>> One does not need to protect the admin UI. You only need to protect
>>>> the relevant API calls. I mean it's OK to not protect the CSS and
>>>> HTML stuff. But if you perform an action to create a core or do a
>>>> query through admin UI, it automatically will prompt you for
>>>> credentials (if those APIs are protected)
>>>>
>>>> On Tue, Sep 1, 2015 at 12:41 PM, Kevin Lee <kgle...@yahoo.com.invalid>
>>>> wrote:
>>>>> Thanks for the clarification!
>>>>>
>>>>> So is the wiki page incorrect at
>>>>> https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin
>>>>> which says that the admin ui will require authentication once the
>>>>> authorization plugin is activated?
>>>>>
>>>>> "An authorization plugin is also available to configure Solr with
>>>>> permissions to perform various activities in the system. Once activated,
>>>>> access to the Solr Admin UI and all requests will need to be
>>>>> authenticated and users will be required to have the proper authorization
>>>>> for all requests, including using the Admin UI and making any API calls."
>>>>>
>>>>> If activating the authorization plugin doesn't protect the admin ui, how
>>>>> does one protect access to it?
>>>>>
>>>>> Also, the issue I'm having is not just at restart. According to the docs
>>>>> security.json should be uploaded to Zookeeper before starting any of the
>>>>> Solr instances. However, I tried to upload security.json before starting
>>>>> any of the Solr instances, but it would not pick up the security config
>>>>> until after the Solr instances are already running and then uploading the
>>>>> security.json again. I can see in the logs at startup that the Solr
>>>>> instances don't see any plugin enabled even though security.json is
>>>>> already in zookeeper and then after they are started and the
>>>>> security.json is uploaded again I see it reconfigure to use the plugin.
>>>>>
>>>>> Thanks,
>>>>> Kevin
>>>>>
>>>>>> On Aug 31, 2015, at 11:22 PM, Noble Paul <noble.p...@gmail.com> wrote:
>>>>>>
>>>>>> Admin UI is not protected by any of these permissions. Only if you try
>>>>>> to perform a protected operation, it asks for a password.
>>>>>>
>>>>>> I'll investigate the restart problem and report my findings
>>>>>>
>>>>>>> On Tue, Sep 1, 2015 at 3:10 AM, Kevin Lee <kgle...@yahoo.com.invalid>
>>>>>>> wrote:
>>>>>>> Anyone else running into any issues trying to get the authentication
>>>>>>> and authorization plugins in 5.3 working?
>>>>>>>
>>>>>>>> On Aug 29, 2015, at 2:30 AM, Kevin Lee <kgle...@yahoo.com.INVALID>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I’m trying to use the new basic auth plugin for Solr 5.3 and it
>>>>>>>> doesn’t seem to be working quite right. Not sure if I’m missing steps
>>>>>>>> or there is a bug. I am able to get it to protect access to a URL
>>>>>>>> under a collection, but am unable to get it to secure access to the
>>>>>>>> Admin UI. In addition, after stopping the Solr and Zookeeper
>>>>>>>> instances, the security.json is still in Zookeeper, however Solr is
>>>>>>>> allowing access to everything again like the security configuration
>>>>>>>> isn’t in place.
>>>>>>>>
>>>>>>>> Contents of security.json taken from wiki page, but edited to produce
>>>>>>>> valid JSON. Had to move comma after 3rd from last “}” up to just
>>>>>>>> after the last “]”.
>>>>>>>>
>>>>>>>> {
>>>>>>>>   "authentication":{
>>>>>>>>     "class":"solr.BasicAuthPlugin",
>>>>>>>>     "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
>>>>>>>>   },
>>>>>>>>   "authorization":{
>>>>>>>>     "class":"solr.RuleBasedAuthorizationPlugin",
>>>>>>>>     "permissions":[{"name":"security-edit",
>>>>>>>>       "role":"admin"}],
>>>>>>>>     "user-role":{"solr":"admin"}
>>>>>>>> }}
>>>>>>>>
>>>>>>>> Here are the steps I followed:
>>>>>>>>
>>>>>>>> Upload security.json to zookeeper
>>>>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd \
>>>>>>>>   putfile /security.json ~/solr/security.json
>>>>>>>>
>>>>>>>> Use zkCli.sh from Zookeeper to ensure the security.json is in
>>>>>>>> Zookeeper at /security.json. It is there and looks like what was
>>>>>>>> originally uploaded.
>>>>>>>>
>>>>>>>> Start Solr Instances
>>>>>>>>
>>>>>>>> Attempt to create a permission, however get the following error:
>>>>>>>> {
>>>>>>>>   "responseHeader":{
>>>>>>>>     "status":400,
>>>>>>>>     "QTime":0},
>>>>>>>>   "error":{
>>>>>>>>     "msg":"No authorization plugin configured",
>>>>>>>>     "code":400}}
>>>>>>>>
>>>>>>>> Upload security.json again.
>>>>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd \
>>>>>>>>   putfile /security.json ~/solr/security.json
>>>>>>>>
>>>>>>>> Issue the following to try to create the permission again and this
>>>>>>>> time it’s successful.
>>>>>>>> // Create a permission for mysearch endpoint
>>>>>>>> curl --user solr:SolrRocks -H 'Content-type:application/json' \
>>>>>>>>   -d '{"set-permission": {"name":"mycollection-search","collection": "mycollection","path":"/mysearch","role": "search-user"}}' \
>>>>>>>>   http://localhost:8983/solr/admin/authorization
>>>>>>>>
>>>>>>>> {
>>>>>>>>   "responseHeader":{
>>>>>>>>     "status":0,
>>>>>>>>     "QTime":7}}
>>>>>>>>
>>>>>>>> Issue the following commands to add users
>>>>>>>> curl --user solr:SolrRocks \
>>>>>>>>   http://localhost:8983/solr/admin/authentication -H \
>>>>>>>>   'Content-type:application/json' -d '{"set-user": {"admin" : "password" }}'
>>>>>>>> curl --user solr:SolrRocks \
>>>>>>>>   http://localhost:8983/solr/admin/authentication -H \
>>>>>>>>   'Content-type:application/json' -d '{"set-user": {"user" : "password" }}'
>>>>>>>>
>>>>>>>> Issue the following command to add permission to users
>>>>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' \
>>>>>>>>   -d '{ "set-user-role" : {"admin": ["search-user", "admin"]}}' \
>>>>>>>>   http://localhost:8983/solr/admin/authorization
>>>>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' \
>>>>>>>>   -d '{ "set-user-role" : {"user": ["search-user"]}}' \
>>>>>>>>   http://localhost:8983/solr/admin/authorization
>>>>>>>>
>>>>>>>> After executing the above, access to /mysearch is protected until I
>>>>>>>> restart the Solr and Zookeeper instances. However, the admin UI is
>>>>>>>> never protected like the Wiki page says it should be once activated.
>>>>>>>>
>>>>>>>> https://cwiki.apache.org/confluence/display/solr/Rule-Based+Authorization+Plugin
>>>>>>>>
>>>>>>>> Why does the authentication and authorization plugin not stay
>>>>>>>> activated after restart and why is the Admin UI never protected? Am I
>>>>>>>> missing any steps?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Kevin
>>>>>>
>>>>>> --
>>>>>> -----------------------------------------------------
>>>>>> Noble Paul
>>>>
>>>> --
>>>> -----------------------------------------------------
>>>> Noble Paul
>>>
>>> --
>>> -----------------------------------------------------
>>> Noble Paul
>>
>
> --
> -----------------------------------------------------
> Noble Paul
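
A lint for the kind of security.json posted in this thread, as an added example that is not part of the original messages and not Solr's own code: it flags typographic quotes, roles that a permission requires but no user holds, and user-role entries without credentials. The function name, the sample document and the predefined-name list are assumptions of this example.

```python
import json

# Predefined permission names of RuleBasedAuthorizationPlugin as listed in the
# Solr reference guide (assumption: check the list for the version you run).
PREDEFINED = {"security-edit", "security-read", "schema-edit", "schema-read",
              "config-edit", "config-read", "collection-admin-edit",
              "collection-admin-read", "update", "read"}

# Constructed sample modelled on the thread's second security.json; credentials
# are placeholders and, unlike the thread, no user is given "browseRole".
SAMPLE = """{
 "authentication": {"class": "solr.BasicAuthPlugin",
   "credentials": {"admin": "<pass> <salt>", "user": "<pass> <salt>"}},
 "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
   "permissions": [
     {"name": "security-edit", "role": "adminRole"},
     {"name": "collection-admin-edit", "role": "adminRole"},
     {"name": "browse", "collection": "inventory", "path": "/browse", "role": "browseRole"}],
   "user-role": {"admin": ["adminRole"], "user": "searchRole"}}}"""

def lint_security_json(text):
    """Return a list of findings for a security.json document (hypothetical helper)."""
    if any(ch in text for ch in "\u201c\u201d\u2018\u2019"):
        return ["typographic quotes present; replace with ASCII quotes"]
    try:
        doc = json.loads(text)
    except ValueError as exc:
        return ["invalid JSON: %s" % exc]
    findings = []
    users = set(doc.get("authentication", {}).get("credentials", {}))
    authz = doc.get("authorization", {})
    granted = {}
    for user, roles in authz.get("user-role", {}).items():
        # a user-role value may be one role string or a list of roles
        granted[user] = {roles} if isinstance(roles, str) else set(roles)
        if user not in users:
            findings.append("user-role entry %r has no credentials" % user)
    all_roles = set().union(*granted.values())
    for perm in authz.get("permissions", []):
        name, role = perm.get("name"), perm.get("role")
        if name not in PREDEFINED and "path" not in perm:
            findings.append("permission %r is not predefined and has no path" % name)
        for r in ([role] if isinstance(role, str) else (role or [])):
            if r not in all_roles:
                findings.append("permission %r needs role %r, which no user holds" % (name, r))
    return findings

if __name__ == "__main__":
    print(lint_security_json(SAMPLE))
```

A clean result only rules out these configuration mistakes; whether an endpoint is actually enforced still has to be confirmed with an unauthenticated request, as done with curl in the thread.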