Re: how to config split authentication methods -- BasicAuth for WebUI, & none (or SSL client) for client connections?

Wed, 14 Oct 2020 01:00:01 -0700 

Hello,

If you enable authentication, this will work on your HTTP port. Solr won’t make 
a difference on whether the request comes from the Web UI or Dovecot.

I guess the workaround could be to put the web UI behind a proxy like NGINX and 
have authentication there?

But if anyone can have direct HTTP access to Solr, then it’s not really secure.

Best regards,
Radu
--
Sematext Cloud - Full Stack Observability - https://sematext.com
Solr and Elasticsearch Consulting, Training and Production Support

> On 12 Oct 2020, at 05:11, PGNet Dev <pgnet....@gmail.com> wrote:
> 
>  I'm running,
> 
>       solr -version
>               8.6.3
> 
> on
> 
>       uname -rm
>               5.8.13-200.fc32.x86_64 x86_64
> 
>       grep _NAME /etc/os-release
>               PRETTY_NAME="Fedora 32 (Server Edition)"
>               CPE_NAME="cpe:/o:fedoraproject:fedora:32"
> 
> with
> 
>       java -version
>               openjdk version "15" 2020-09-15
>               OpenJDK Runtime Environment 20.9 (build 15+36)
>               OpenJDK 64-Bit Server VM 20.9 (build 15+36, mixed mode, sharing)
> 
> solr's configured for SSL usage.  both client search connections and WebUI 
> access work OK, with EC certs in use
> 
>       SOLR_SSL_KEY_STORE="/srv/ssl/solr.server.EC.pfx"
>       SOLR_SSL_TRUST_STORE="/srv/ssl/solr.server.EC.pfx"
> 
> If I enable BasicAuth, adding
> 
>       /security.json
>               {
>                       "authentication":{
>                               "blockUnknown": true,
>                               "class":"solr.BasicAuthPlugin",
>                               "credentials":{
>                                       "myuser":"jO... Fe..."
> 
>                               },
>                               "realm":"Solr REALM",
>                               "forwardCredentials": false
>                       },
>                       "authorization":{
>                               "class":"solr.RuleBasedAuthorizationPlugin",
>                               "permissions":[{
>                                       "name":"security-edit",
>                                       "role":"admin"
>                               }],
>                               "user-role":{
>                                       "solr":"admin"
>                               }
>                       }
>               }
> 
> as expected, WebUI requires/accepts valid credentials for access.
> 
> BUT ... client connections, e.g. from a mail MUA using dovecot's fts solr 
> plugin, immediately fail, returning "401 Unauthorized".
> 
> How can solr authentication be configured to split method -- using BasicAuth 
> for WebUI access ONLY, and still allowing the client connections?
> 
> Eventually, I want those client connections to require solr-side SSL client 
> auth.
> Atm, I'd just like to get it working -- _with_ the BasicAuth WebUI protection 
> in place.
>

Reply via email to