I had a similar problem attempting to use JNDI when the Jetty included with Solr does not include jetty-plus... I'd like to second the suggestion to include more of jetty.
In my case, there was a better solution - I just wrote a JDBC driver to wrap each driverClass I needed (Oracle, MySQL, PostgreSQL), and that fixed the problem of getting passwords out of my data-config.xml files, which is important.

-----Original Message-----
From: Sanders, Marshall (AT - Atlanta) [mailto:marshall.sand...@autotrader.com]
Sent: Thursday, September 17, 2015 3:37 PM
To: solr-user@lucene.apache.org
Subject: RE: Securing solr 5.2 basic auth permission rules

So the issue is that when it's stated that solr runs on jetty 9 what it really means is that it runs on 5% of jetty9 and the other 95% has been stripped out. (WHYYYY! It's only ~13 MB)

You'll need to download the appropriate version of jetty and before starting up do the following:

1. Copy modules/jaas.mod to the unpacked solr directory server/modules
2. Copy etc/jetty-jaas.xml to server/etc
3. Copy the jetty-jaas-<version>.jar to server/lib
4. Call the following before starting solr: java -jar start.jar --add-to-startd=jaas

Now when you start solr JAAS will be available and you should be able to configure it with all of the defaults that you would expect.

http://www.eclipse.org/jetty/documentation/current/jaas-support.html

I'll reiterate that I think it's a pretty bad decision to have stripped out the modules from the version of jetty shipped. Especially since they won't be loaded into the classloader with the new jetty modules setup.

Marshall Sanders
Technical Lead – Software Engineer
Autotrader.com
404-568-7130

-----Original Message-----
From: Sanders, Marshall (AT - Atlanta) [mailto:marshall.sand...@autotrader.com]
Sent: Thursday, September 17, 2015 2:28 PM
To: solr-user@lucene.apache.org
Subject: RE: Securing solr 5.2 basic auth permission rules

I'm actually trying to do something similar with 5.3. We're in the process of upgrading from 4.10 and were previously using jaas to secure dih pages and a few others and had a config similar to what you described.
The error I get is the following (might only be visible when you change the log4j startup log level, I didn't check what the default log level is):

2015-09-17 11:19:10,121 [main] WARN xml.XmlConfiguration Config error at <Call name="addBean"><Arg> <New class="org.eclipse.jetty.plus.jaas.JAASLoginService"><Set name="Name">SolrRealm</Set><Set name="LoginModuleName">multiloginmodule</Set></New> </Arg></Call>

From what I gather now with jetty 9 the modules have to be enabled individually:

http://www.eclipse.org/jetty/documentation/current/startup-modules.html

However: when I run java -jar start.jar --list-modules I only get a few modules as possibilities (server,http,https,ssl). I tried adding the jetty-jaas jar for the version of jetty with 5.3 to /lib but I still am not able to figure out how to turn it on as it doesn't show up in the list.

I'm much less familiar with jetty than I am with others so I'm still fumbling a bit here. But it seems we need to:

1. Add the jetty-jaas.jar that's missing via an outside script (Also note that if you want ldap you'll have to use an additional jar)
2. Execute the following (java -jar start.jar --add-to-startd=jaas)
3. Start the server (either with your own script or the new ./solr scripts)

I've got the jar added, but either it's not in the right place (I've got it in /lib maybe it needs to be in /lib/ext?) or jetty needs to be configured to recognize it.

Not sure what the thinking was behind the decision that only people running solr cloud would want authentication, or even how solr made it to 5.2 before adding anything in at all! We had all this working great in jetty8 solr versions but with the new jetty9 modules/classloaders it's proving a challenge.

Marshall Sanders
Technical Lead – Software Engineer
Autotrader.com
404-568-7130

-----Original Message-----
From: Aziz Gaou [mailto:gaoua...@gmail.com]
Sent: Thursday, September 17, 2015 5:55 AM
To: solr-user@lucene.apache.org
Subject: Re: Securing solr 5.2 basic auth permission rules

Thank you so much for your reply.

Now, I try to protect Apache Solr 5 admin with jetty, when I change:

1) sudo nano /opt/solr/server/etc/webdefault.xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app ......>
  <!-- only the relevant addition is listed here -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Solr</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>search-role</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Solr Realm</realm-name>
  </login-config>
</web-app>

2) I changed too jetty.xml <https://gist.github.com/jstrassburg/9777027#file-jetty-xml> and realm.properties <https://gist.github.com/jstrassburg/9777027#file-realm-properties>

3) The following message will appear on browser:

- http://localhost:8983/solr/

HTTP ERROR: 503
Problem accessing /solr/. Reason:
Service Unavailable
Powered by Jetty://

Thanks for your help

2015-09-16 18:58 GMT+00:00 Anshum Gupta <ans...@anshumgupta.net>:

> Basic authentication (and the API support, that you're trying to use) was only released with 5.3.0 so it wouldn't work with 5.2.
> 5.2 only had the authentication and authorization frameworks, and shipped with Kerberos authentication plugin out of the box.
>
> There are a few known issues with that though, and a 5.3.1 release is just around the corner.
>
> On Wed, Sep 16, 2015 at 10:11 AM, Aziz Gaou <gaoua...@gmail.com> wrote:
>
> > Hi,
> >
> > I try to follow:
> > https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin
> > to protect Solr 5.2 Admin with password, but I have not been able to secure.
> >
> > 1) When I run the following command:
> >
> > curl --user solr:SolrRocks http://localhost:8983/solr/admin/authentication \
> >   -H 'Content-type:application/json' -d '{
> >   "set-user": {"tom" : "TomIsCool" }}'
> >
> > no update on the file security.json
> >
> > 2) I launched the following 2 commands:
> >
> > curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization \
> >   -H 'Content-type:application/json' -d '{"set-permission": {
> >   "name":"updates", "collection":"MyCollection", "role": "dev"}}'
> >
> > curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization \
> >   -H 'Content-type:application/json' -d '{ "set-user-role": {"tom":["dev"]}}'
> >
> > always MyCollection is not protected.
> >
> > thank you for your help.
>
> --
> Anshum Gupta
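
An added example, not part of any message in this thread: steps 1-3 from Marshall Sanders's 3:37 PM message as a POSIX shell function, with a check that the downloaded Jetty matches the Jetty bundled with Solr before anything is copied. The function names, and the assumption that the version can be read from the jetty-server-<version>.jar and jetty-jaas-<version>.jar file names, belong to this example and not to the thread.

```shell
#!/bin/sh
# Added example: stage Jetty's JAAS module into Solr's bundled Jetty.
# Assumed layout: <jetty_home>/lib/jetty-jaas-<version>.jar and
# <solr_server>/lib/jetty-server-<version>.jar (version read from file names).

# Print the version embedded in the first "<prefix><version>.jar" found in a dir.
jar_version() {
    dir=$1; prefix=$2
    for f in "$dir"/"$prefix"*.jar; do
        [ -e "$f" ] || return 1          # glob matched nothing
        f=${f##*/}; f=${f#"$prefix"}
        printf '%s\n' "${f%.jar}"
        return 0
    done
}

# Steps 1-3 from the thread; refuses to copy when the versions differ.
stage_jaas() {
    solr_server=$1; jetty_home=$2
    solr_ver=$(jar_version "$solr_server/lib" jetty-server-) || {
        echo "no jetty-server jar in $solr_server/lib" >&2; return 2; }
    jaas_ver=$(jar_version "$jetty_home/lib" jetty-jaas-) || {
        echo "no jetty-jaas jar in $jetty_home/lib" >&2; return 2; }
    if [ "$solr_ver" != "$jaas_ver" ]; then
        echo "version mismatch: solr has $solr_ver, jetty has $jaas_ver" >&2
        return 3
    fi
    for src in modules/jaas.mod etc/jetty-jaas.xml; do
        [ -f "$jetty_home/$src" ] || { echo "missing $jetty_home/$src" >&2; return 2; }
    done
    mkdir -p "$solr_server/modules" &&
    cp "$jetty_home/modules/jaas.mod" "$solr_server/modules/" &&
    cp "$jetty_home/etc/jetty-jaas.xml" "$solr_server/etc/" &&
    cp "$jetty_home/lib/jetty-jaas-$jaas_ver.jar" "$solr_server/lib/" &&
    echo "staged JAAS $jaas_ver; next, in $solr_server: java -jar start.jar --add-to-startd=jaas"
}

# Run only when both directories are given on the command line.
if [ "$#" -eq 2 ]; then stage_jaas "$1" "$2"; fi
```

Step 4 (java -jar start.jar --add-to-startd=jaas) is left to be run by hand from the Solr server directory once staging succeeds.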