Solr的5.3&安培;动物园管理员安全认证和放大器;授权 [英] Solr 5.3 & Zookeeper Security Authentication & Authorization
问题描述
有关于Solr的认证和放几个主题和文章;授权,但我不能得到它的工作(我喜欢的方式)。
There are a few topics and articles on Solr authentication & authorization, but I cannot get it to work (the way I like).
我跟着这些教程/信息来源:
的https://cwiki.apache.org/confluence/display/solr/Authentication+and+Authorization+Plugins
和
的https://lucidworks.com/blog/2015/08/17/securing-solr-basic-auth-permission-rules/
I followed these tutorials / information sources: https://cwiki.apache.org/confluence/display/solr/Authentication+and+Authorization+Plugins and https://lucidworks.com/blog/2015/08/17/securing-solr-basic-auth-permission-rules/
然后,我创造了这个security.json,我确认这是活跃在动物园管理员:
Then I created this security.json and I confirmed it is active in Zookeeper:
{
"authentication":{
"class":"solr.BasicAuthPlugin",
"credentials":{
"solr":"...",
"admin":"...",
"monitor":"...",
"data_import":"..."},
"":{"v":8}},
"authorization":{
"class":"solr.RuleBasedAuthorizationPlugin",
"permissions":[
{
"name":"security-edit",
"role":"adminRole"},
{
"name":"security-read",
"role":"adminRole"},
{
"name":"schema-edit",
"role":"adminRole"},
{
"name":"schema-read",
"role":"collectionRole"},
{
"name":"config-edit",
"role":"adminRole"},
{
"name":"config-read",
"role":"collectionRole"},
{
"name":"collection-admin-edit",
"role":"adminRole"},
{
"name":"collection-admin-read",
"role":"collectionRole"},
{
"name":"update",
"role":"dataImportRole"},
{
"name":"read",
"role":"dataImportRole"}],
"user-role":{
"solr":[
"adminRole",
"collectionRole",
"dataImportRole"],
"admin":[
"adminRole",
"collectionRole",
"dataImportRole"],
"monitor":[
"collectionRole",
"dataImportRole"],
"data_import":["dataImportRole"]}}}
我现在有一个命令行的卷曲请求工作的security.json:
I now have a security.json that works for curl requests from command line:
卷曲的http://本地主机:8983 / Solr的/管理/授权
未经授权的请求,响应code:401
Unauthorized request, Response code: 401
卷曲--user Solr的:其中; PWD> HTTP://本地主机:8983 / Solr的/管理/授权
与信息正常响应
到目前为止好。
现在我尝试和选择的集合,不应根据我security.json匿名行事的东西,但它仍然有效。
Now I try and select something from a collection, which shouldn't work anonymously according to my security.json, however it still works
卷曲\"http://localhost:8983/solr/outlets_shard1_replica1/select?q=*%3A*&wt=json&indent=true\"$c$c>
"responseHeader":{
"status":0,
"QTime":1,
"params":{
"indent":"true",
"q":"*:*",
"wt":"json"}},
"response":{"numFound":2000,"start":0,"d.. }
这是我vexes的第一件事。我大概可以创造一些自定义路径许可/选择,但具有看错分配给特定的角色应该做的伎俩吗?但 [1]如何禁用所有的匿名访问
This is the first thing that vexes me. I probably can create some custom path permission for /select, but having the read right assigned to a specific role should do the trick right? but [1] How can I disable all anonymous access?
继续,可能有关,它困扰我,Solr管理UI(的http:// solrurl:8983 / Solr的/#)仍然是访问。在previous Solr的安装(使用Tomcat)我记得,即使这个接口保证。它还看来我还是要整个核心的完全访问权限(重装工作),我还可以检查云配置。 [2]我怎么才能限制Solr管理UI?
Continuing on, probably related, it bothers me that the Solr Admin UI(http://solrurl:8983/solr/#) is still accessible. In previous Solr installations (with tomcat) I remember that even this interface was secured. It also seems that I still have complete access to the entire core (reload worked) and I can also inspect cloud configuration.[2] How can I restrict access to Solr Admin UI?
这实际上似乎是安全的唯一的东西是所有的/ Solr的/ admin相关命令
The only stuff that actually seems to be secure is all the /solr/admin related commands
这使我想到第三件事,我似乎无法弄清楚:我如何配置solr.in.sh让Solr的认证与/斌/ Solr的命令通过
Which brings me to the 3rd thing I can't seem to figure out: How do I configure solr.in.sh so that solr authentication is passed with /bin/solr commands
我看的 SOLR_AUTHENTICATION_CLIENT_CONFIGURER 的和的 SOLR_AUTHENTICATION_OPTS 的选项,但我不知道如何修改这些基础领域验证反馈到Solr的命令行。因此, [3]如何保持从命令行来授权和放大器的Solr(和动物园管理员)的所有访问;验证?
I see the SOLR_AUTHENTICATION_CLIENT_CONFIGURER and SOLR_AUTHENTICATION_OPTS options, but I have no clue how to modify those to feed basic realm authentication into solr commandline. So [3] How do I keep all access from commandline to Solr (and Zookeeper) authorized & authenticated?
如。 Solr的状态
现在返回
Found 1 Solr nodes:
Solr process 15931 running on port 8983
ERROR: Failed to get system information from http://localhost:8983/solr due to: org.apache.http.client.ClientProtocolException: Expected JSON response from server but received: <html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Error 401 Unauthorized request, Response code: 401</title>
</head>
<body><h2>HTTP ERROR 401</h2>
<p>Problem accessing /solr/admin/collections. Reason:
<pre> Unauthorized request, Response code: 401</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/>
</body>
</html>
我已经测试过
SOLR_AUTHENTICATION_OPTS = - DinternalAuthCredentialsBasicAuthUsername = Solr的-DinternalAuthCredentialsBasicAuthPassword =&LT;通&gt;中
要无果
推荐答案
我也面临着同样的问题,然后我看了看源$ C $ C。
I also faced the same issue and then I looked at the source code.
在RuleBasedAuthorizationPlugin的读取权限的定义是:
The read permission in RuleBasedAuthorizationPlugin is defined as :
read :{" +
path:['/update/*', '/get']}," +
这不会有任何效果。
Which will never work.
我提出一个问题:
https://issues.apache.org/jira/browse/SOLR-8439
现在,锁定您的管理员用户界面完全,你需要定义一个新的权限,与路径=/,这将要去解决您的问题,这样的事情:
Now, to lock down your admin ui completely, you need to define a new permission, with path="/", which will going to solve your issue, something like this:
curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{
"set-permission" : {"name":"admin-ui",
"path":"/",
"before":"update",
"role":"admin"}}'
这篇关于Solr的5.3&安培;动物园管理员安全认证和放大器;授权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!