Solr 5.3 & Zookeeper Security Authentication & Authorization


Problem description

There are a few topics and articles on Solr authentication & authorization, but I cannot get it to work (the way I like).

I followed these tutorials / information sources: https://cwiki.apache.org/confluence/display/solr/Authentication+and+Authorization+Plugins and https://lucidworks.com/blog/2015/08/17/securing-solr-basic-auth-permission-rules/

Then I created this security.json and I confirmed it is active in Zookeeper:

{
  "authentication":{
    "class":"solr.BasicAuthPlugin",
    "credentials":{
      "solr":"...",
      "admin":"...",
      "monitor":"...",
      "data_import":"..."},
    "":{"v":8}},
  "authorization":{
    "class":"solr.RuleBasedAuthorizationPlugin",
    "permissions":[
      {
        "name":"security-edit",
        "role":"adminRole"},
      {
        "name":"security-read",
        "role":"adminRole"},
      {
        "name":"schema-edit",
        "role":"adminRole"},
      {
        "name":"schema-read",
        "role":"collectionRole"},
      {
        "name":"config-edit",
        "role":"adminRole"},
      {
        "name":"config-read",
        "role":"collectionRole"},
      {
        "name":"collection-admin-edit",
        "role":"adminRole"},
      {
        "name":"collection-admin-read",
        "role":"collectionRole"},
      {
        "name":"update",
        "role":"dataImportRole"},
      {
        "name":"read",
        "role":"dataImportRole"}],
    "user-role":{
      "solr":[
        "adminRole",
        "collectionRole",
        "dataImportRole"],
      "admin":[
        "adminRole",
        "collectionRole",
        "dataImportRole"],
      "monitor":[
        "collectionRole",
        "dataImportRole"],
      "data_import":["dataImportRole"]}}}

I now have a security.json that works for curl requests from command line:

curl "http://localhost:8983/solr/admin/authorization"

Unauthorized request, Response code: 401

curl --user solr:<pass> "http://localhost:8983/solr/admin/authorization"

Normal response message.

So far so good.

Now I try and select something from a collection, which shouldn't work anonymously according to my security.json, however it still works

curl "http://localhost:8983/solr/outlets_shard1_replica1/select?q=*%3A*&wt=json&indent=true"

"responseHeader":{
    "status":0,
    "QTime":1,
    "params":{
      "indent":"true",
      "q":"*:*",
      "wt":"json"}},
  "response":{"numFound":2000,"start":0,"d.. }

This is the first thing that vexes me. I probably can create some custom path permission for /select, but having the read right assigned to a specific role should do the trick right? but [1] How can I disable all anonymous access?

Continuing on, probably related, it bothers me that the Solr Admin UI(http://solrurl:8983/solr/#) is still accessible. In previous Solr installations (with tomcat) I remember that even this interface was secured. It also seems that I still have complete access to the entire core (reload worked) and I can also inspect cloud configuration.[2] How can I restrict access to Solr Admin UI?

The only stuff that actually seems to be secure is all the /solr/admin related commands

Which brings me to the 3rd thing I can't seem to figure out: How do I configure solr.in.sh so that solr authentication is passed with /bin/solr commands

I see the SOLR_AUTHENTICATION_CLIENT_CONFIGURER and SOLR_AUTHENTICATION_OPTS options, but I have no clue how to modify those to feed basic realm authentication into solr commandline. So [3] How do I keep all access from commandline to Solr (and Zookeeper) authorized & authenticated?

E.g. solr status now returns

Found 1 Solr nodes:

Solr process 15931 running on port 8983

ERROR: Failed to get system information from http://localhost:8983/solr due to: org.apache.http.client.ClientProtocolException: Expected JSON response from server but received: <html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Error 401 Unauthorized request, Response code: 401</title>
</head>
<body><h2>HTTP ERROR 401</h2>
<p>Problem accessing /solr/admin/collections. Reason:
<pre>    Unauthorized request, Response code: 401</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/>

</body>
</html>

I have already tested

SOLR_AUTHENTICATION_OPTS="-DinternalAuthCredentialsBasicAuthUsername=solr -DinternalAuthCredentialsBasicAuthPassword=<pass>"

to no avail.

Answer

I also faced the same issue and then I looked at the source code.

The read permission in RuleBasedAuthorizationPlugin is defined as:

         read: { path: ['/update/*', '/get'] }

This will never work.

I raised an issue:

https://issues.apache.org/jira/browse/SOLR-8439

Now, to lock down your admin UI completely, you need to define a new permission with path="/", which is going to solve your issue, something like this:

curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{
"set-permission" : {"name":"admin-ui",
                     "path":"/",
                     "before":"update",
                     "role":"admin"}}' 
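The following added example (not code from the question or the answer) applies the answer's fix offline to an abbreviated copy of the question's security.json and audits the result. It checks the two things this thread turns on: that a catch-all path "/" permission exists and is ordered before the broad built-in "update" permission (RuleBasedAuthorizationPlugin uses the first matching rule, which is why the answer's curl passes "before":"update"), and that every role a permission grants to is actually assigned to some user. Note that the answer's curl uses "role":"admin" while the question's user-role map only defines "adminRole"; the audit flags that mismatch, which would otherwise lock every user out of "/". The `with_admin_ui` and `audit_authorization` helpers are constructed for this example; the credential hashes are placeholders.

```python
import copy
import json

# Constructed, abbreviated form of the security.json posted in the question
# (credential hashes replaced by placeholders; only four permissions kept).
SECURITY_JSON = json.loads("""{
  "authentication": {"class": "solr.BasicAuthPlugin",
    "credentials": {"solr": "<hash>", "data_import": "<hash>"}},
  "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "security-edit", "role": "adminRole"},
      {"name": "schema-read", "role": "collectionRole"},
      {"name": "update", "role": "dataImportRole"},
      {"name": "read", "role": "dataImportRole"}],
    "user-role": {"solr": ["adminRole", "collectionRole", "dataImportRole"],
                  "data_import": ["dataImportRole"]}}}""")

def with_admin_ui(security, role="adminRole"):
    """Apply the answer's fix offline: insert a catch-all path '/' permission
    just before 'update', mirroring set-permission's 'before' parameter."""
    fixed = copy.deepcopy(security)
    perms = fixed["authorization"]["permissions"]
    names = [p.get("name") for p in perms]
    idx = names.index("update") if "update" in names else len(perms)
    perms.insert(idx, {"name": "admin-ui", "path": "/", "role": role})
    return fixed

def audit_authorization(security):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    authz = security.get("authorization", {})
    perms = authz.get("permissions", [])
    names = [p.get("name") for p in perms]
    # 1. The first matching permission wins, so the catch-all must exist and
    #    be listed before the broad built-in 'update' permission.
    catchall = [i for i, p in enumerate(perms) if p.get("path") == "/"]
    if not catchall:
        findings.append("no catch-all path '/' permission: anonymous /select allowed")
    elif "update" in names and catchall[0] > names.index("update"):
        findings.append("catch-all permission is ordered after 'update'")
    # 2. A role granted by a permission but assigned to no user locks everyone out.
    granted = {p["role"] for p in perms if p.get("role")}
    assigned = {r for roles in authz.get("user-role", {}).values() for r in roles}
    for role in sorted(granted - assigned):
        findings.append(f"role {role!r} is granted but assigned to no user")
    # 3. A permission without a role is not restricted to any role.
    findings += [f"permission {p.get('name')!r} has no role" for p in perms if not p.get("role")]
    # 4. Blank credentials in the authentication section.
    creds = security.get("authentication", {}).get("credentials", {})
    findings += [f"user {u!r} has an empty credential" for u, c in creds.items() if not c]
    return findings
```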
