Kevin & Noble, I'll take it on to test this. I've built from source before, and I've wanted this authorization capability for a while.
On Fri, Sep 4, 2015 at 9:59 AM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:

> Noble,
>
> Does SOLR-8000 need to be re-opened? Has anyone else been able to test the restart fix?
>
> At startup, these are the log messages that say there is no security configuration and the plugins aren’t being used even though security.json is in Zookeeper:
> 2015-09-04 08:06:21.205 INFO (main) [ ] o.a.s.c.CoreContainer Security conf doesn't exist. Skipping setup for authorization module.
> 2015-09-04 08:06:21.205 INFO (main) [ ] o.a.s.c.CoreContainer No authentication plugin used.
>
> Thanks,
> Kevin
>
> > On Sep 4, 2015, at 5:47 AM, Noble Paul <noble.p...@gmail.com> wrote:
> >
> > There are no download links for 5.3.x branch till we do a bug fix release
> >
> > If you wish to download the trunk nightly (which is not same as 5.3.0) check here
> > https://builds.apache.org/job/Solr-Artifacts-trunk/lastSuccessfulBuild/artifact/solr/package/
> >
> > If you wish to get the binaries for 5.3 branch you will have to make it (you will need to install svn and ant)
> >
> > Here are the steps
> >
> > svn checkout http://svn.apache.org/repos/asf/lucene/dev/branches/lucene_solr_5_3/
> > cd lucene_solr_5_3/solr
> > ant server
> >
> > On Fri, Sep 4, 2015 at 4:11 PM, davidphilip cherian <davidphilipcher...@gmail.com> wrote:
> >> Hi Kevin/Noble,
> >>
> >> What is the download link to take the latest? What are the steps to compile it, test and use?
> >> We also have a use case to have this feature in solr too. Therefore, wanted to test and above info would help a lot to get started.
> >>
> >> Thanks.
> >>
> >> On Fri, Sep 4, 2015 at 1:45 PM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
> >>
> >>> Thanks, I downloaded the source and compiled it and replaced the jar file in the dist and solr-webapp’s WEB-INF/lib directory.
> >>> It does seem to be protecting the Collections API reload command now as long as I upload the security.json after startup of the Solr instances. If I shutdown and bring the instances back up, the security is no longer in place and I have to upload the security.json again for it to take effect.
> >>>
> >>> - Kevin
> >>>
> >>>> On Sep 3, 2015, at 10:29 PM, Noble Paul <noble.p...@gmail.com> wrote:
> >>>>
> >>>> Both these are committed. If you could test with the latest 5.3 branch it would be helpful
> >>>>
> >>>> On Wed, Sep 2, 2015 at 5:11 PM, Noble Paul <noble.p...@gmail.com> wrote:
> >>>>> I opened a ticket for the same
> >>>>> https://issues.apache.org/jira/browse/SOLR-8004
> >>>>>
> >>>>> On Wed, Sep 2, 2015 at 1:36 PM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
> >>>>>> I’ve found that completely exiting Chrome or Firefox and opening it back up re-prompts for credentials when they are required. It was re-prompting with the /browse path where authentication was working each time I completely exited and started the browser again, however it won’t re-prompt unless you exit completely and close all running instances so I closed all instances each time to test.
> >>>>>>
> >>>>>> However, to make sure I ran it via the command line via curl as suggested and it still does not give any authentication error when trying to issue the command via curl. I get a success response from all the Solr instances that the reload was successful.
> >>>>>>
> >>>>>> Not sure why the pre-canned permissions aren’t working, but the one to the request handler at the /browse path is.
> >>>>>>
> >>>>>>> On Sep 1, 2015, at 11:03 PM, Noble Paul <noble.p...@gmail.com> wrote:
> >>>>>>>
> >>>>>>> " However, after uploading the new security.json and restarting the web browser,"
> >>>>>>>
> >>>>>>> The browser remembers your login, so it is unlikely to prompt for the credentials again.
> >>>>>>>
> >>>>>>> Why don't you try the RELOAD operation using command line (curl)?
> >>>>>>>
> >>>>>>> On Tue, Sep 1, 2015 at 10:31 PM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
> >>>>>>>> The restart issues aside, I’m trying to lockdown usage of the Collections API, but that also does not seem to be working either.
> >>>>>>>>
> >>>>>>>> Here is my security.json. I’m using the “collection-admin-edit” permission and assigning it to the “adminRole”. However, after uploading the new security.json and restarting the web browser, it doesn’t seem to be requiring credentials when calling the RELOAD action on the Collections API. The only thing that seems to work is the custom permission “browse” which is requiring authentication before allowing me to pull up the page. Am I using the permissions correctly for the RuleBasedAuthorizationPlugin?
> >>>>>>>>
> >>>>>>>> {
> >>>>>>>>   "authentication":{
> >>>>>>>>     "class":"solr.BasicAuthPlugin",
> >>>>>>>>     "credentials": {
> >>>>>>>>       "admin":"<pass> <salt>",
> >>>>>>>>       "user": "<pass> <salt>"
> >>>>>>>>     }
> >>>>>>>>   },
> >>>>>>>>   "authorization":{
> >>>>>>>>     "class":"solr.RuleBasedAuthorizationPlugin",
> >>>>>>>>     "permissions": [
> >>>>>>>>       {
> >>>>>>>>         "name":"security-edit",
> >>>>>>>>         "role":"adminRole"
> >>>>>>>>       },
> >>>>>>>>       {
> >>>>>>>>         "name":"collection-admin-edit",
> >>>>>>>>         "role":"adminRole"
> >>>>>>>>       },
> >>>>>>>>       {
> >>>>>>>>         "name":"browse",
> >>>>>>>>         "collection": "inventory",
> >>>>>>>>         "path": "/browse",
> >>>>>>>>         "role":"browseRole"
> >>>>>>>>       }
> >>>>>>>>     ],
> >>>>>>>>     "user-role": {
> >>>>>>>>       "admin": [
> >>>>>>>>         "adminRole",
> >>>>>>>>         "browseRole"
> >>>>>>>>       ],
> >>>>>>>>       "user": [
> >>>>>>>>         "browseRole"
> >>>>>>>>       ]
> >>>>>>>>     }
> >>>>>>>>   }
> >>>>>>>> }
> >>>>>>>>
> >>>>>>>> Also tried adding the permission using the Authorization API, but no effect, still isn’t protecting the Collections API from being invoked without a username password. I do see in the Solr logs that it sees the updates because it outputs the messages “Updating /security.json …”, “Security node changed”, “Initializing authorization plugin: solr.RuleBasedAuthorizationPlugin” and “Authentication plugin class obtained from ZK: solr.BasicAuthPlugin”.
> >>>>>>>>
> >>>>>>>> Thanks,
> >>>>>>>> Kevin
> >>>>>>>>
> >>>>>>>>> On Sep 1, 2015, at 12:31 AM, Noble Paul <noble.p...@gmail.com> wrote:
> >>>>>>>>>
> >>>>>>>>> I'm investigating why restarts or first time start does not read the security.json
> >>>>>>>>>
> >>>>>>>>> On Tue, Sep 1, 2015 at 1:00 PM, Noble Paul <noble.p...@gmail.com> wrote:
> >>>>>>>>>> I removed that statement
> >>>>>>>>>>
> >>>>>>>>>> "If activating the authorization plugin doesn't protect the admin ui, how does one protect access to it?"
> >>>>>>>>>>
> >>>>>>>>>> One does not need to protect the admin UI. You only need to protect the relevant API calls. I mean it's OK to not protect the CSS and HTML stuff. But if you perform an action to create a core or do a query through admin UI, it automatically will prompt you for credentials (if those APIs are protected)
> >>>>>>>>>>
> >>>>>>>>>> On Tue, Sep 1, 2015 at 12:41 PM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
> >>>>>>>>>>> Thanks for the clarification!
> >>>>>>>>>>>
> >>>>>>>>>>> So is the wiki page incorrect at https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin which says that the admin ui will require authentication once the authorization plugin is activated?
> >>>>>>>>>>>
> >>>>>>>>>>> "An authorization plugin is also available to configure Solr with permissions to perform various activities in the system. Once activated, access to the Solr Admin UI and all requests will need to be authenticated and users will be required to have the proper authorization for all requests, including using the Admin UI and making any API calls."
> >>>>>>>>>>>
> >>>>>>>>>>> If activating the authorization plugin doesn't protect the admin ui, how does one protect access to it?
> >>>>>>>>>>>
> >>>>>>>>>>> Also, the issue I'm having is not just at restart. According to the docs security.json should be uploaded to Zookeeper before starting any of the Solr instances. However, I tried to upload security.json before starting any of the Solr instances, but it would not pick up the security config until after the Solr instances are already running and then uploading the security.json again.
> >>>>>>>>>>> I can see in the logs at startup that the Solr instances don't see any plugin enabled even though security.json is already in zookeeper and then after they are started and the security.json is uploaded again I see it reconfigure to use the plugin.
> >>>>>>>>>>>
> >>>>>>>>>>> Thanks,
> >>>>>>>>>>> Kevin
> >>>>>>>>>>>
> >>>>>>>>>>>> On Aug 31, 2015, at 11:22 PM, Noble Paul <noble.p...@gmail.com> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>> Admin UI is not protected by any of these permissions. Only if you try to perform a protected operation, it asks for a password.
> >>>>>>>>>>>>
> >>>>>>>>>>>> I'll investigate the restart problem and report my findings
> >>>>>>>>>>>>
> >>>>>>>>>>>>> On Tue, Sep 1, 2015 at 3:10 AM, Kevin Lee <kgle...@yahoo.com.invalid> wrote:
> >>>>>>>>>>>>> Anyone else running into any issues trying to get the authentication and authorization plugins in 5.3 working?
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> On Aug 29, 2015, at 2:30 AM, Kevin Lee <kgle...@yahoo.com.INVALID> wrote:
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Hi,
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> I’m trying to use the new basic auth plugin for Solr 5.3 and it doesn’t seem to be working quite right. Not sure if I’m missing steps or there is a bug. I am able to get it to protect access to a URL under a collection, but am unable to get it to secure access to the Admin UI. In addition, after stopping the Solr and Zookeeper instances, the security.json is still in Zookeeper, however Solr is allowing access to everything again like the security configuration isn’t in place.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Contents of security.json taken from wiki page, but edited to produce valid JSON. Had to move comma after 3rd from last “}” up to just after the last “]”.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> {
> >>>>>>>>>>>>>> "authentication":{
> >>>>>>>>>>>>>>   "class":"solr.BasicAuthPlugin",
> >>>>>>>>>>>>>>   "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
> >>>>>>>>>>>>>> },
> >>>>>>>>>>>>>> "authorization":{
> >>>>>>>>>>>>>>   "class":"solr.RuleBasedAuthorizationPlugin",
> >>>>>>>>>>>>>>   "permissions":[{"name":"security-edit",
> >>>>>>>>>>>>>>     "role":"admin"}],
> >>>>>>>>>>>>>>   "user-role":{"solr":"admin"}
> >>>>>>>>>>>>>> }}
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Here are the steps I followed:
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Upload security.json to zookeeper
> >>>>>>>>>>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile /security.json ~/solr/security.json
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Use zkCli.sh from Zookeeper to ensure the security.json is in Zookeeper at /security.json. It is there and looks like what was originally uploaded.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Start Solr Instances
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Attempt to create a permission, however get the following error:
> >>>>>>>>>>>>>> {
> >>>>>>>>>>>>>>   "responseHeader":{
> >>>>>>>>>>>>>>     "status":400,
> >>>>>>>>>>>>>>     "QTime":0},
> >>>>>>>>>>>>>>   "error":{
> >>>>>>>>>>>>>>     "msg":"No authorization plugin configured",
> >>>>>>>>>>>>>>     "code":400}}
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Upload security.json again.
> >>>>>>>>>>>>>> ./zkcli.sh -z localhost:2181,localhost:2182,localhost:2183 -cmd putfile /security.json ~/solr/security.json
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Issue the following to try to create the permission again and this time it’s successful.
> >>>>>>>>>>>>>> // Create a permission for mysearch endpoint
> >>>>>>>>>>>>>> curl --user solr:SolrRocks -H 'Content-type:application/json' -d '{"set-permission": {"name":"mycollection-search","collection": "mycollection","path":"/mysearch","role": "search-user"}}' http://localhost:8983/solr/admin/authorization
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> {
> >>>>>>>>>>>>>>   "responseHeader":{
> >>>>>>>>>>>>>>     "status":0,
> >>>>>>>>>>>>>>     "QTime":7}}
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Issue the following commands to add users
> >>>>>>>>>>>>>> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{"set-user": {"admin" : "password" }}'
> >>>>>>>>>>>>>> curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication -H 'Content-type:application/json' -d '{"set-user": {"user" : "password" }}'
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Issue the following command to add permission to users
> >>>>>>>>>>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{ "set-user-role" : {"admin": ["search-user", "admin"]}}' http://localhost:8983/solr/admin/authorization
> >>>>>>>>>>>>>> curl -u solr:SolrRocks -H 'Content-type:application/json' -d '{ "set-user-role" : {"user": ["search-user"]}}' http://localhost:8983/solr/admin/authorization
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> After executing the above, access to /mysearch is protected until I restart the Solr and Zookeeper instances. However, the admin UI is never protected like the Wiki page says it should be once activated.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> https://cwiki.apache.org/confluence/display/solr/Rule-Based+Authorization+Plugin <https://cwiki.apache.org/confluence/display/solr/Rule-Based+Authorization+Plugin>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Why does the authentication and authorization plugin not stay activated after restart and why is the Admin UI never protected? Am I missing any steps?
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Thanks,
> >>>>>>>>>>>>>> Kevin
> >>>>>>>>>>>>
> >>>>>>>>>>>> --
> >>>>>>>>>>>> -----------------------------------------------------
> >>>>>>>>>>>> Noble Paul
> >>>>>>>>>>
> >>>>>>>>>> --
> >>>>>>>>>> -----------------------------------------------------
> >>>>>>>>>> Noble Paul
> >>>>>>>>>
> >>>>>>>>> --
> >>>>>>>>> -----------------------------------------------------
> >>>>>>>>> Noble Paul
> >>>>>>>>
> >>>>>>>
> >>>>>>> --
> >>>>>>> -----------------------------------------------------
> >>>>>>> Noble Paul
> >>>>>>
> >>>>>
> >>>>> --
> >>>>> -----------------------------------------------------
> >>>>> Noble Paul
> >>>>
> >>>> --
> >>>> -----------------------------------------------------
> >>>> Noble Paul
> >>>
> >
> > --
> > -----------------------------------------------------
> > Noble Paul
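
An offline lint for the security.json files discussed in this thread, added here as an example (it is not code from the thread or from Solr): it reports invalid JSON, credentials that are not in the `<hash> <salt>` form, users that hold roles but have no credentials, and permissions whose role no user holds. The function names, finding strings and sample documents are constructed for illustration.

```python
import json

# Mail clients and wikis swap ASCII quotes for these, which breaks the JSON.
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"

def as_list(value):
    # "role" and user-role values appear as a string or as a list in the thread.
    return [value] if isinstance(value, str) else list(value or [])

def lint_security_json(text):
    """Return a list of findings for a security.json document (empty = clean)."""
    try:
        conf = json.loads(text)
    except ValueError as exc:
        hint = "; typographic quotes present" if any(q in text for q in TYPOGRAPHIC_QUOTES) else ""
        return ["invalid JSON: %s%s" % (exc, hint)]
    if not isinstance(conf, dict):
        return ["top level is not a JSON object"]
    authn = conf.get("authentication") or {}
    authz = conf.get("authorization") or {}
    findings = ["%s: no plugin class configured" % name
                for name, body in (("authentication", authn), ("authorization", authz))
                if not body.get("class")]
    creds = authn.get("credentials") or {}
    for user, value in creds.items():
        if len(str(value).split()) != 2:  # expected "<hash> <salt>"
            findings.append("credentials: %r is not '<hash> <salt>'" % user)
    user_roles = {u: as_list(r) for u, r in (authz.get("user-role") or {}).items()}
    held = {role for roles in user_roles.values() for role in roles}
    for user in user_roles:
        if user not in creds:
            findings.append("user-role: %r has roles but no credentials" % user)
    for perm in authz.get("permissions") or []:
        for role in as_list(perm.get("role")):
            if role not in held:
                findings.append("permission %r needs role %r, which no user holds" % (perm.get("name"), role))
    return findings

# Constructed samples modelled on the thread's second security.json.
GOOD = """{"authentication": {"class": "solr.BasicAuthPlugin",
  "credentials": {"admin": "aGFzaA== c2FsdA=="}},
 "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
  "permissions": [{"name": "collection-admin-edit", "role": "adminRole"}],
  "user-role": {"admin": ["adminRole"]}}}"""
SMART_QUOTES = GOOD.replace('"collection-admin-edit"', '"collection-admin-edit\u201d')
ORPHAN_ROLE = GOOD.replace('["adminRole"]', '["browseRole"]')

if __name__ == "__main__":
    print({n: lint_security_json(globals()[n]) for n in ("GOOD", "SMART_QUOTES", "ORPHAN_ROLE")})
```

This checks the file only. Whether a running node actually loaded it is what the CoreContainer startup log lines quoted above show.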