1 vote

I am using Solr version 8.5.1 as a standalone application and would like to secure the Solr dashboard UI with basic auth. I know that there is built-in basic auth with security.json, but when I enable it, all the select query URLs called from my application get blocked as well. I want to leave the query URLs open and only secure the dashboard. Is this possible?

I am using the basic security.json setup found at https://lucene.apache.org/solr/guide/8_5/basic-authentication-plugin.html#basic-authentication-plugin

EDIT: I saw this page, "How can I secure Solr 5.3.1 only admin pages", but adding authentication in jetty.xml and web.xml doesn't seem to work anymore with version 8.5.1.

See lucene.apache.org/solr/guide/8_5/… - the read permission gives read access to most features by default, but adding a custom rule with /select that doesn't require authentication should be possible, then having password authentication for all other endpoints. The example given under permission ordering resolution should be close to what you want. lucene.apache.org/solr/guide/8_5/… - MatsLindh

Thank you for the response MatsLindh, but can you explain how you would add a custom rule that doesn't require authentication? I have been trying but no success so far. There is a property "blockUnknown" that needs to be set to true for authentication to start working, but this will prevent requests without authentication altogether. - Phudith Pattharakositkul

You have to set blockUnknown to false, then add a rule that blocks everything - blockUnknown is in relation to those requests that don't match any of your rules (All requests w/o credentials will be rejected with a 401 error. Set 'blockUnknown' to false (or remove it altogether) if you wish to let unauthenticated requests go through. However, if a particular resource is protected by a rule, they are rejected anyway with a 401 error.) - MatsLindh

Okay, that makes sense MatsLindh. Can you please provide an example of the security.json you have in mind? I'm struggling to understand how a rule can be applied to an unauthenticated user. Aren't rules supposed to apply only to specific roles? How do you apply rules to an unauthenticated user? - Phudith Pattharakositkul

Okay, I finally got it to work. I took your suggestion to set blockUnknown to false and I made sure to have at least one user with the "core-admin-read" permission. This automatically requires authentication when attempting to log in to the UI. - Phudith Pattharakositkul

2 Answers

1 vote

Okay, I finally got it to work. I took MatsLindh's suggestion to set blockUnknown to false and I made sure to have at least one user with the "core-admin-read" permission. This automatically requires authentication when attempting to log in to the UI.

Here is an example of my security.json:

{
   "authentication":{
      "blockUnknown":false,
      "class":"solr.BasicAuthPlugin",
      "credentials":{
         "solr":"...."
      },
      "realm":"My Solr users",
      "forwardCredentials":false,
      "":{
         "v":0
      }
   },
   "authorization":{
      "class":"solr.RuleBasedAuthorizationPlugin",
      "permissions":[
         {
            "name":"core-admin-read",
            "role":"admin"
         }
      ],
      "user-role":{
         "solr":"admin"
      }
   }
}
1 vote

I got the following to work in 8.8:

{
  "authentication":{
    "blockUnknown":false,
    "class":"solr.BasicAuthPlugin",
    "credentials":{
      "solr":"..."
    }
  },
  "authorization":{
    "class":"solr.RuleBasedAuthorizationPlugin",
    "user-role":{
      "solr":"admin"
    },
    "permissions":[
      {
        "name":"all",
        "role":"admin",
        "index":1
      },
      {
        "name":"open_select",
        "collection":"*",
        "path":"/select",
        "role":null,
        "index":2
      }
    ],
    "":{
      "v":0
    }
  }
}
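The two answers above leave the credential as "..." and rely on the reader to get blockUnknown and the permission list right. The following script is an added example, not code from either answer or from the Solr project: it generates a credential in the BasicAuthPlugin's documented `base64(sha256(sha256(salt + password))) base64(salt)` format, builds a security.json with the "open /select, protect everything else" shape discussed in the thread, and lints a config for the mistakes raised in the comments (blockUnknown left true, a placeholder credential, a catch-all rule with no open /select rule, a role no user holds). The function names, the sample passwords and the `ANSWER_ONE` dict (reconstructed from the first answer) are constructed for this example.

```python
"""Added example: generate a Solr BasicAuthPlugin credential and lint a security.json
so that /select stays open while the admin UI requires a login (not from the thread)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import os


def make_credential(password: str, salt: bytes | None = None) -> str:
    """Return the 'hash salt' pair stored under authentication.credentials.
    Assumed format (Solr docs): base64(sha256(sha256(salt + password))) + ' ' + base64(salt)."""
    salt = os.urandom(32) if salt is None else salt
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    outer = hashlib.sha256(inner).digest()
    return base64.b64encode(outer).decode() + " " + base64.b64encode(salt).decode()


def verify_credential(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, salt_b64 = stored.split(" ", 1)
    recomputed = make_credential(password, base64.b64decode(salt_b64))
    return hmac.compare_digest(recomputed, stored)


def build_security_json(admin_user: str, admin_password: str) -> dict:
    """Config with the shape the thread arrives at: unmatched requests pass,
    /select is explicitly open to everyone, everything else needs the admin role."""
    return {
        "authentication": {
            "blockUnknown": False,  # requests matching no rule are let through
            "class": "solr.BasicAuthPlugin",
            "credentials": {admin_user: make_credential(admin_password)},
        },
        "authorization": {
            "class": "solr.RuleBasedAuthorizationPlugin",
            "user-role": {admin_user: "admin"},
            "permissions": [
                # role null = no authentication required (listed first so the intent is visible)
                {"name": "open_select", "collection": "*", "path": "/select", "role": None, "index": 1},
                {"name": "all", "role": "admin", "index": 2},
            ],
        },
    }


def check_policy(cfg: dict) -> list[str]:
    """Return findings for the pitfalls raised in the thread; [] means none found."""
    findings: list[str] = []
    auth = cfg.get("authentication", {})
    authz = cfg.get("authorization", {})
    if auth.get("blockUnknown", False):
        findings.append("blockUnknown=true: every request without credentials, /select included, gets a 401")
    for user, cred in auth.get("credentials", {}).items():
        if " " not in cred or set(cred) <= set("."):
            findings.append(f"credential for {user!r} is a placeholder, not a 'hash salt' pair")
    perms = authz.get("permissions", [])
    if not perms:
        findings.append("no permissions: nothing requires a login, the dashboard stays open")
    open_select = any(p.get("path") == "/select" and p.get("role") is None for p in perms)
    if any(p.get("name") == "all" for p in perms) and not open_select:
        findings.append("'all' permission without an open /select rule: queries need credentials")
    roles_used = {p["role"] for p in perms if p.get("role")}
    roles_assigned: set[str] = set()
    for r in authz.get("user-role", {}).values():
        roles_assigned.update(r if isinstance(r, list) else [r])
    for role in sorted(roles_used - roles_assigned):
        findings.append(f"role {role!r} is used by a permission but assigned to no user")
    return findings


# Constructed copy of the first answer's config (placeholder credential kept as posted).
ANSWER_ONE = {
    "authentication": {"blockUnknown": False, "class": "solr.BasicAuthPlugin",
                       "credentials": {"solr": "...."}, "realm": "My Solr users",
                       "forwardCredentials": False},
    "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
                      "permissions": [{"name": "core-admin-read", "role": "admin"}],
                      "user-role": {"solr": "admin"}},
}

if __name__ == "__main__":
    cfg = build_security_json("solr", "constructed-example-password")
    print(json.dumps(cfg, indent=2))
    print("findings for the generated config:", check_policy(cfg))
    print("findings for the first answer as posted:", check_policy(ANSWER_ONE))
```

The lint is deliberately static: it does not model Solr's rule-ordering logic, so a clean result means the file has the intended shape, not that the server behaves as expected. After uploading the file, confirm behaviour with the server itself: an unauthenticated query URL should return 200 and an unauthenticated admin URL 401.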