1
votes

There are a few topics and articles on Solr authentication & authorization, but I cannot get it to work (the way I like).

I followed these tutorials / information sources: https://cwiki.apache.org/confluence/display/solr/Authentication+and+Authorization+Plugins and https://lucidworks.com/blog/2015/08/17/securing-solr-basic-auth-permission-rules/

Then I created this security.json and I confirmed it is active in Zookeeper:

    {
  "authentication":{
    "class":"solr.BasicAuthPlugin",
    "credentials":{
      "solr":"...",
      "admin":"...",
      "monitor":"...",
      "data_import":"..."},
    "":{"v":8}},
  "authorization":{
    "class":"solr.RuleBasedAuthorizationPlugin",
    "permissions":[
      {
        "name":"security-edit",
        "role":"adminRole"},
      {
        "name":"security-read",
        "role":"adminRole"},
      {
        "name":"schema-edit",
        "role":"adminRole"},
      {
        "name":"schema-read",
        "role":"collectionRole"},
      {
        "name":"config-edit",
        "role":"adminRole"},
      {
        "name":"config-read",
        "role":"collectionRole"},
      {
        "name":"collection-admin-edit",
        "role":"adminRole"},
      {
        "name":"collection-admin-read",
        "role":"collectionRole"},
      {
        "name":"update",
        "role":"dataImportRole"},
      {
        "name":"read",
        "role":"dataImportRole"}],
    "user-role":{
      "solr":[
        "adminRole",
        "collectionRole",
        "dataImportRole"],
      "admin":[
        "adminRole",
        "collectionRole",
        "dataImportRole"],
      "monitor":[
        "collectionRole",
        "dataImportRole"],
      "data_import":["dataImportRole"]}}}

I now have a security.json that works for curl requests from command line:

curl "http://localhost:8983/solr/admin/authorization"

Unauthorized request, Response code: 401

curl --user solr:<pwd> "http://localhost:8983/solr/admin/authorization"

Normal response with the info


So far so good.

Now I try and select something from a collection, which shouldn't work anonymously according to my security.json, however it still works

curl "http://localhost:8983/solr/outlets_shard1_replica1/select?q=*%3A*&wt=json&indent=true"

"responseHeader":{
    "status":0,
    "QTime":1,
    "params":{
      "indent":"true",
      "q":"*:*",
      "wt":"json"}},
  "response":{"numFound":2000,"start":0,"d.. }

This is the first thing that vexes me. I probably can create some custom path permission for /select, but having the read right assigned to a specific role should do the trick right? but [1] How can I disable all anonymous access?

Continuing on, probably related, it bothers me that the Solr Admin UI(http://solrurl:8983/solr/#) is still accessible. In previous Solr installations (with tomcat) I remember that even this interface was secured. It also seems that I still have complete access to the entire core (reload worked) and I can also inspect cloud configuration.[2] How can I restrict access to Solr Admin UI?

The only stuff that actually seems to be secure is all the /solr/admin related commands

Which brings me to the 3rd thing I can't seem to figure out: How do I configure solr.in.sh so that solr authentication is passed with /bin/solr commands

I see the SOLR_AUTHENTICATION_CLIENT_CONFIGURER and SOLR_AUTHENTICATION_OPTS options, but I have no clue how to modify those to feed basic realm authentication into solr commandline. So [3] How do I keep all access from commandline to Solr (and Zookeeper) authorized & authenticated?

eg. solr status now returns

Found 1 Solr nodes:

Solr process 15931 running on port 8983

ERROR: Failed to get system information from http://localhost:8983/solr due to: org.apache.http.client.ClientProtocolException: Expected JSON response from server but received: <html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Error 401 Unauthorized request, Response code: 401</title>
</head>
<body><h2>HTTP ERROR 401</h2>
<p>Problem accessing /solr/admin/collections. Reason:
<pre>    Unauthorized request, Response code: 401</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/>

</body>
</html>

I've tested with

SOLR_AUTHENTICATION_OPTS="-DinternalAuthCredentialsBasicAuthUsername=solr -DinternalAuthCredentialsBasicAuthPassword=<pass>"

To no avail

3

3 Answers

1
votes

I also faced the same issue and then I looked at the source code.

The read permission in RuleBasedAuthorizationPlugin is defined as :

         read :{" +
         path:['/update/*', '/get']}," +

Which will never work.

I have raised an issue:

https://issues.apache.org/jira/browse/SOLR-8439

Now, to lock down your admin ui completely, you need to define a new permission, with path="/", which will going to solve your issue, something like this:

curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{
"set-permission" : {"name":"admin-ui",
                     "path":"/",
                     "before":"update",
                     "role":"admin"}}' 
0
votes

Start by using the default user/Pw given in the Solr tutorials.

The passwords are hashed sha512 with a salt. Solr provides the encryption from the plaintext passwords when you create new authenticated users, but the pw in the Lucidworks instructions is already encrypted for the plaintext value: solrRocks (or similar) - use that account to create others, give them appropriate permissions, then remove the solr:solrRocks account.

0
votes

Did you forget setting the blockUnknown to true? Your authentication block in security.json should be:

"authentication":{
   "blockUnknown": true,
   "class":"solr.BasicAuthPlugin",
   "credentials":{"solr":"..."}
},

If you don't set it, it will allow all anonymous access! It is strange but here is the source: 'blockUknown:true' means that unauthenticated requests are not allowed to pass through [1]