Setting Up Solr Authentication/Authorization


Setting Up Solr Authentication/Authorization

Terry Steichen
I'm trying to set up basic authentication/authorization with solr 6.6.0.

The documentation says to create a security.json file and describes the
content as:

{
"authentication":{
   "class":"solr.BasicAuthPlugin",
   "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
},
"authorization":{
   "class":"solr.RuleBasedAuthorizationPlugin",
   "permissions":[{"name":"security-edit",
      "role":"admin"}],
   "user-role":{"solr":"admin"}
}}

Does that mean to literally use exactly the above as the security.json content, or customize it (in some fashion)?

The documentation also mentions that the initial admin person is a user named "solr" with a password "SolrRocks". What's unclear is whether that's the password on which the hash (in security.json) was created or what?

What I can't figure out is whether the password hash is fixed, or whether it should be generated, and if so, how?

Also, some people on the web recommend altering the jetty xml files to do this - is it necessary too?

I'm certain this is fairly simple once I can get started - but I'm having trouble getting past step 1, and any help would be appreciated.

Terry


Re: Setting Up Solr Authentication/Authorization

Shawn Heisey-2
On 3/9/2018 9:27 AM, Terry Steichen wrote:

> I'm trying to set up basic authentication/authorization with solr 6.6.0.
>
> The documentation says to create a security.json file and describes the
> content as:
>
> {
> "authentication":{
>    "class":"solr.BasicAuthPlugin",
>    "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
> },
> "authorization":{
>    "class":"solr.RuleBasedAuthorizationPlugin",
>    "permissions":[{"name":"security-edit",
>       "role":"admin"}],
>    "user-role":{"solr":"admin"}
> }}
>
> Does that mean to literally use exactly the above as the security.json content, or customize it (in some fashion)?

Initial disclaimer: I have never used the authentication plugins
myself.  But I have seen what people on this mailing list get told when
they ask about it.

If you can figure out how to customize that file from the documentation
to do something that you need, then feel free to customize it.  But see
info below about passwords.

> The documentation also mentions that the initial admin person is a user named "solr" with a password "SolrRocks". What's unclear is whether that's the password on which the hash (in security.json) was created or what?
>
> What I can't figure out is whether the password hash is fixed, or whether it should be generated, and if so, how?

Last I checked, the Solr documentation does NOT explain how to create a
hash in security.json from a password.  It does list the *type* of hash,
which is sha256, password+salt.

With a little bit of research and a lot of trial and error, it is
possible to figure out how to create a valid hash with a tool like openssl.

What some people have done to customize user/password is use that
'solr/SolrRocks' login to *create* another login using the
authentication API, then once they're sure everything's working, access
the API again with the new user to delete the well-documented user.

http://lucene.apache.org/solr/guide/7_2/basic-authentication-plugin.html#editing-authentication-plugin-configuration

> Also, some people on the web recommend altering the jetty xml files to do this - is it necessary too?

The servlet container (almost always Jetty if you're running version 5.0
or later) is capable of doing authentication, completely independently
of whatever software is running inside it.  But configuring that
authentication involves customization of software that is completely
separate from Solr.  The security.json method is a configuration for
Solr, which then programmatically configures the vanilla Jetty install
to do authentication.

Thanks,
Shawn
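Worked example for the two points in Shawn's reply (generating a valid hash for security.json, and replacing the well-known "solr" login with your own). This is added code, not from the thread, the Solr documentation or the Solr project. It assumes the scheme Solr's Sha256AuthenticationProvider uses: the stored value is "<hash> <salt>", where salt is 32 random bytes in base64 and hash is base64(sha256(sha256(salt_bytes + password_utf8))). The user name "ops", its password, and the in-memory model of security.json are illustrative; nothing here contacts a running Solr, the API payloads are returned so they can be POSTed with curl as shown in the comments.

```python
"""Solr BasicAuthPlugin credentials: hash generation, verification, and
a safe order for rotating the documented 'solr'/'SolrRocks' admin away.

Assumption (not stated in the thread): Solr stores "<hash> <salt>" with
hash = base64(sha256(sha256(salt_bytes + password_utf8))) and a 32-byte
random salt.  The credential below is the one the reference guide ships
for user "solr" with password "SolrRocks".
"""
import base64
import hashlib
import hmac
import os

DOC_SOLR_CREDENTIAL = ("IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= "
                       "Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=")


def solr_hash(password, salt_b64):
    """base64(sha256(sha256(salt || password))), salt given in base64."""
    salt = base64.b64decode(salt_b64)
    first = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(hashlib.sha256(first).digest()).decode("ascii")


def make_credential(password, salt=None):
    """Return the '<hash> <salt>' string to place under "credentials"."""
    salt_b64 = base64.b64encode(salt or os.urandom(32)).decode("ascii")
    return "%s %s" % (solr_hash(password, salt_b64), salt_b64)


def verify_credential(password, credential):
    """Check a password against a stored '<hash> <salt>' value."""
    stored_hash, salt_b64 = credential.split(" ", 1)
    return hmac.compare_digest(solr_hash(password, salt_b64), stored_hash)


def initial_security_json():
    """The reference-guide security.json: 'solr' is the only admin."""
    return {
        "authentication": {
            "class": "solr.BasicAuthPlugin",
            "credentials": {"solr": DOC_SOLR_CREDENTIAL},
        },
        "authorization": {
            "class": "solr.RuleBasedAuthorizationPlugin",
            "permissions": [{"name": "security-edit", "role": "admin"}],
            "user-role": {"solr": "admin"},
        },
    }


def rotate_admin(security, new_user, new_password):
    """Replace the well-known 'solr' admin with new_user.

    Applies the change to the in-memory security.json and returns the
    (endpoint, payload) pairs to POST, in order.  The new user is created
    and given the admin role *before* 'solr' is removed, so there is never
    a moment without a user allowed to call security-edit.  Each payload
    is sent like:
      curl --user solr:SolrRocks http://localhost:8983<endpoint> \
           -H 'Content-type:application/json' -d '<payload as JSON>'
    (the last two calls are made as new_user, since 'solr' is gone).
    """
    auth, authz = security["authentication"], security["authorization"]
    if new_user in auth["credentials"]:
        raise ValueError("user %r already exists" % new_user)
    payloads = [
        ("/solr/admin/authentication", {"set-user": {new_user: new_password}}),
        ("/solr/admin/authorization", {"set-user-role": {new_user: ["admin"]}}),
        ("/solr/admin/authentication", {"delete-user": ["solr"]}),
        ("/solr/admin/authorization", {"set-user-role": {"solr": None}}),
    ]
    # Mirror the same steps locally; set-user hashes server-side, so when
    # writing the file by hand use make_credential() instead.
    auth["credentials"][new_user] = make_credential(new_password)
    authz["user-role"][new_user] = ["admin"]
    auth["credentials"].pop("solr", None)
    authz["user-role"].pop("solr", None)
    remaining = [r if isinstance(r, list) else [r] for r in authz["user-role"].values()]
    if not any("admin" in roles for roles in remaining):
        raise RuntimeError("rotation would leave no admin user")
    return payloads


if __name__ == "__main__":
    print("doc credential matches SolrRocks:",
          verify_credential("SolrRocks", DOC_SOLR_CREDENTIAL))
    print("fresh credential:", make_credential("SolrRocks"))
    sec = initial_security_json()
    for endpoint, payload in rotate_admin(sec, "ops", "change-me"):
        print(endpoint, payload)
```

Running the script prints True for the documented credential, a new salted hash for the same password (different each run because the salt is random), and the four API calls in the order to issue them. Writing make_credential's output straight into security.json is equivalent to letting set-user hash the password server-side; either way, confirm that verify_credential returns True for the new user before deleting "solr".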