how to config split authentication methods -- BasicAuth for WebUI, & none (or SSL client) for client connections?

PGNet Dev
 I'm running,

        solr -version
                8.6.3

on

        uname -rm
                5.8.13-200.fc32.x86_64 x86_64

        grep _NAME /etc/os-release
                PRETTY_NAME="Fedora 32 (Server Edition)"
                CPE_NAME="cpe:/o:fedoraproject:fedora:32"

with

        java -version
                openjdk version "15" 2020-09-15
                OpenJDK Runtime Environment 20.9 (build 15+36)
                OpenJDK 64-Bit Server VM 20.9 (build 15+36, mixed mode, sharing)

solr's configured for SSL usage.  both client search connections and WebUI access work OK, with EC certs in use

        SOLR_SSL_KEY_STORE="/srv/ssl/solr.server.EC.pfx"
        SOLR_SSL_TRUST_STORE="/srv/ssl/solr.server.EC.pfx"

If I enable BasicAuth, adding

        /security.json
                {
                        "authentication":{
                                "blockUnknown": true,
                                "class":"solr.BasicAuthPlugin",
                                "credentials":{
                                        "myuser":"jO... Fe..."

                                },
                                "realm":"Solr REALM",
                                "forwardCredentials": false
                        },
                        "authorization":{
                                "class":"solr.RuleBasedAuthorizationPlugin",
                                "permissions":[{
                                        "name":"security-edit",
                                        "role":"admin"
                                }],
                                "user-role":{
                                        "solr":"admin"
                                }
                        }
                }

as expected, WebUI requires/accepts valid credentials for access.

BUT ... client connections, e.g. from a mail MUA using dovecot's fts solr plugin, immediately fail, returning "401 Unauthorized".

How can solr authentication be configured to split method -- using BasicAuth for WebUI access ONLY, and still allowing the client connections?

Eventually, I want those client connections to require solr-side SSL client auth.
Atm, I'd just like to get it working -- _with_ the BasicAuth WebUI protection in place.

Re: how to config split authentication methods -- BasicAuth for WebUI, & none (or SSL client) for client connections?

Radu Gheorghe
Hello,

If you enable authentication, this will work on your HTTP port. Solr won’t make a difference on whether the request comes from the Web UI or Dovecot.

I guess the workaround could be to put the web UI behind a proxy like NGINX and have authentication there?

But if anyone can have direct HTTP access to Solr, then it’s not really secure.

Best regards,
Radu
--
Sematext Cloud - Full Stack Observability - https://sematext.com
Solr and Elasticsearch Consulting, Training and Production Support

> On 12 Oct 2020, at 05:11, PGNet Dev <[hidden email]> wrote:
>
>  I'm running,
>
> solr -version
> 8.6.3
>
> on
>
> uname -rm
> 5.8.13-200.fc32.x86_64 x86_64
>
> grep _NAME /etc/os-release
> PRETTY_NAME="Fedora 32 (Server Edition)"
> CPE_NAME="cpe:/o:fedoraproject:fedora:32"
>
> with
>
> java -version
> openjdk version "15" 2020-09-15
> OpenJDK Runtime Environment 20.9 (build 15+36)
> OpenJDK 64-Bit Server VM 20.9 (build 15+36, mixed mode, sharing)
>
> solr's configured for SSL usage.  both client search connections and WebUI access work OK, with EC certs in use
>
> SOLR_SSL_KEY_STORE="/srv/ssl/solr.server.EC.pfx"
> SOLR_SSL_TRUST_STORE="/srv/ssl/solr.server.EC.pfx"
>
> If I enable BasicAuth, adding
>
> /security.json
> {
> "authentication":{
> "blockUnknown": true,
> "class":"solr.BasicAuthPlugin",
> "credentials":{
> "myuser":"jO... Fe..."
>
> },
> "realm":"Solr REALM",
> "forwardCredentials": false
> },
> "authorization":{
> "class":"solr.RuleBasedAuthorizationPlugin",
> "permissions":[{
> "name":"security-edit",
> "role":"admin"
> }],
> "user-role":{
> "solr":"admin"
> }
> }
> }
>
> as expected, WebUI requires/accepts valid credentials for access.
>
> BUT ... client connections, e.g. from a mail MUA using dovecot's fts solr plugin, immediately fail, returning "401 Unauthorized".
>
> How can solr authentication be configured to split method -- using BasicAuth for WebUI access ONLY, and still allowing the client connections?
>
> Eventually, I want those client connections to require solr-side SSL client auth.
> Atm, I'd just like to get it working -- _with_ the BasicAuth WebUI protection in place.
>
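
The proxy workaround suggested in the reply above, sketched as an nginx configuration. This is an added example, not from either poster: hostnames, ports, file paths, the placeholder client address and the core name `dovecot` are assumptions, and it assumes Solr's own BasicAuth is switched off so that nginx is the only enforcement point.

```nginx
# Added example (constructed): names, ports, paths and the "dovecot" core are assumptions.
# Goes inside the http {} context. Solr's own authentication is off; Solr keeps its
# TLS listener on 8983, and a host firewall limits 8983 to connections from this proxy.

# Listener 1: Web UI for humans, HTTP Basic auth enforced by nginx.
server {
    listen 8443 ssl;
    server_name solr-admin.example.internal;
    ssl_certificate     /etc/nginx/ssl/proxy.crt;
    ssl_certificate_key /etc/nginx/ssl/proxy.key;

    auth_basic           "Solr REALM";
    auth_basic_user_file /etc/nginx/solr.htpasswd;

    location /solr/ {
        proxy_pass https://127.0.0.1:8983;
        proxy_ssl_verify              on;   # verify Solr's server certificate
        proxy_ssl_trusted_certificate /etc/nginx/ssl/solr-ca.pem;
        proxy_ssl_name                solr.example.internal;
    }
    location / { return 404; }
}

# Listener 2: Dovecot fts-solr clients, no Basic auth.
server {
    listen 8444 ssl;
    server_name solr-fts.example.internal;
    ssl_certificate     /etc/nginx/ssl/proxy.crt;
    ssl_certificate_key /etc/nginx/ssl/proxy.key;

    # Interim control: only the mail host may connect (address is a placeholder).
    allow 192.0.2.10;
    deny  all;

    # Later: require a TLS client certificate issued by this CA.
    # ssl_client_certificate /etc/nginx/ssl/fts-clients-ca.pem;
    # ssl_verify_client      on;

    # Expose only the mail index core, not the admin UI or admin APIs.
    location /solr/dovecot/ {
        proxy_pass https://127.0.0.1:8983;
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/solr-ca.pem;
        proxy_ssl_name                solr.example.internal;
    }
    location / { return 403; }
}
```

Both listeners reach the same Solr instance, so the split holds only while nothing else can connect to port 8983 directly, which is the caveat raised in the reply.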