There are a few topics and articles on Solr authentication & authorization, but I cannot get it to work (the way I like).
I followed these tutorials / information sources: https://cwiki.apache.org/confluence/display/solr/Authentication+and+Authorization+Plugins and https://lucidworks.com/blog/2015/08/17/securing-solr-basic-auth-permission-rules/
Then I created this security.json and I confirmed it is active in Zookeeper:
{
"authentication":{
"class":"solr.BasicAuthPlugin",
"credentials":{
"solr":"...",
"admin":"...",
"monitor":"...",
"data_import":"..."},
"":{"v":8}},
"authorization":{
"class":"solr.RuleBasedAuthorizationPlugin",
"permissions":[
{
"name":"security-edit",
"role":"adminRole"},
{
"name":"security-read",
"role":"adminRole"},
{
"name":"schema-edit",
"role":"adminRole"},
{
"name":"schema-read",
"role":"collectionRole"},
{
"name":"config-edit",
"role":"adminRole"},
{
"name":"config-read",
"role":"collectionRole"},
{
"name":"collection-admin-edit",
"role":"adminRole"},
{
"name":"collection-admin-read",
"role":"collectionRole"},
{
"name":"update",
"role":"dataImportRole"},
{
"name":"read",
"role":"dataImportRole"}],
"user-role":{
"solr":[
"adminRole",
"collectionRole",
"dataImportRole"],
"admin":[
"adminRole",
"collectionRole",
"dataImportRole"],
"monitor":[
"collectionRole",
"dataImportRole"],
"data_import":["dataImportRole"]}}}
I now have a security.json that works for curl requests from command line:
curl "http://localhost:8983/solr/admin/authorization"
Unauthorized request, Response code: 401
curl --user solr:<pwd> "http://localhost:8983/solr/admin/authorization"
Normal response with the info
So far so good.
Now I try and select something from a collection, which shouldn't work anonymously according to my security.json, however it still works
curl "http://localhost:8983/solr/outlets_shard1_replica1/select?q=*%3A*&wt=json&indent=true"
"responseHeader":{
"status":0,
"QTime":1,
"params":{
"indent":"true",
"q":"*:*",
"wt":"json"}},
"response":{"numFound":2000,"start":0,"d.. }
This is the first thing that vexes me. I probably can create some custom path permission for /select, but having the read right assigned to a specific role should do the trick right? but [1] How can I disable all anonymous access?
Continuing on, probably related, it bothers me that the Solr Admin UI(http://solrurl:8983/solr/#) is still accessible. In previous Solr installations (with tomcat) I remember that even this interface was secured. It also seems that I still have complete access to the entire core (reload worked) and I can also inspect cloud configuration.[2] How can I restrict access to Solr Admin UI?
The only stuff that actually seems to be secure is all the /solr/admin related commands
Which brings me to the 3rd thing I can't seem to figure out: How do I configure solr.in.sh so that solr authentication is passed with /bin/solr commands
I see the SOLR_AUTHENTICATION_CLIENT_CONFIGURER and SOLR_AUTHENTICATION_OPTS options, but I have no clue how to modify those to feed basic realm authentication into solr commandline. So [3] How do I keep all access from commandline to Solr (and Zookeeper) authorized & authenticated?
eg. solr status now returns
Found 1 Solr nodes:
Solr process 15931 running on port 8983
ERROR: Failed to get system information from http://localhost:8983/solr due to: org.apache.http.client.ClientProtocolException: Expected JSON response from server but received: <html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Error 401 Unauthorized request, Response code: 401</title>
</head>
<body><h2>HTTP ERROR 401</h2>
<p>Problem accessing /solr/admin/collections. Reason:
<pre> Unauthorized request, Response code: 401</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/>
</body>
</html>
I've tested with
SOLR_AUTHENTICATION_OPTS="-DinternalAuthCredentialsBasicAuthUsername=solr -DinternalAuthCredentialsBasicAuthPassword=<pass>"
To no avail
I also faced the same issue and then I looked at the source code.
The read permission in RuleBasedAuthorizationPlugin is defined as :
read :{" +
path:['/update/*', '/get']}," +
Which will never work.
I have raised an issue:
https://issues.apache.org/jira/browse/SOLR-8439
Now, to lock down your admin ui completely, you need to define a new permission, with path="/", which will going to solve your issue, something like this:
curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{
"set-permission" : {"name":"admin-ui",
"path":"/",
"before":"update",
"role":"admin"}}'
Start by using the default user/Pw given in the Solr tutorials.
The passwords are hashed sha512 with a salt. Solr provides the encryption from the plaintext passwords when you create new authenticated users, but the pw in the Lucidworks instructions is already encrypted for the plaintext value: solrRocks (or similar) - use that account to create others, give them appropriate permissions, then remove the solr:solrRocks account.
Did you forget setting the blockUnknown to true?
Your authentication block in security.json should be:
"authentication":{
"blockUnknown": true,
"class":"solr.BasicAuthPlugin",
"credentials":{"solr":"..."}
},
If you don't set it, it will allow all anonymous access! It is strange but here is the source:
'blockUknown:true' means that unauthenticated requests are not allowed to pass through [1]
来源:https://stackoverflow.com/questions/33263535/solr-5-3-zookeeper-security-authentication-authorization