Saturday, March 17, 2018

FW: Continuing Saga of Authorization on 6.6.0

-----Original Message-----
From: Terry Steichen [mailto:terry@net-frame.com]
Sent: 13 March 2018 22:17
To: solr-user@lucene.apache.org
Subject: Continuing Saga of Authorization on 6.6.0

I switched solr from standalone to cloud and created the two collections
(emails1 and emails2). 

I was able to create a basic set of credentials via the curl-based API's.  I
could create users, and toggle the blockUnknown property status. However,
the system refused to allow me to delete a user, or to set a permission. 

Here are the curl commands (with *terry:admin* as admin credentials) and
results:

*succeeded in setting blockUnknown property (verified by
admin/authentication dump):*

curl --user terry:admin http://localhost:8983/solr/admin/authentication \
  -H 'Content-type:application/json' \
  -d '{"set-property": {"blockUnknown": true}}'

*succeeded in adding a user (verified by admin/authentication dump):*

curl --user terry:admin http://localhost:8983/solr/admin/authentication \
  -H 'Content-type:application/json' \
  -d '{"set-user": {"lanny": "hawaii"}}'

*succeeded in changing lanny's password (verified by admin/authentication
dump):*

curl --user terry:admin http://localhost:8983/solr/admin/authentication \
  -H 'Content-type:application/json' \
  -d '{"set-user": {"lanny": "hawaii_five_o"}}'

*failed to delete a user:*

curl --user terry:admin http://localhost:8983/solr/admin/authentication \
  -H 'Content-type:application/json' \
  -d '{ "delete-user": {"lanny"}}'
{
  "responseHeader":{
    "status":500,
    "QTime":1},

  "error":{ "msg":"Expected key,value separator ':': char=},position=26
BEFORE='{ \"delete-user\": {\"lanny\"}' AFTER='}'", [terry here: plus a very
long stack trace]

*failed to set a permission: *

curl --user terry:admin http://localhost:8983/solr/admin/authentication \
  -H 'Content-type:application/json' \
  -d '{"set-permission": {"name":"collection-admin-edit", "role":"admin"}}'
{
  "responseHeader":{
    "status":0,
    "QTime":2},
  "errorMessages":[{
      "set-permission":{
        "name":"collection-admin-edit",
        "role":"admin"},
      "errorMessages":["Unknown operation 'set-permission' "]}]}


This really makes no sense at all (or, I'm really losing it - always a
distinct possibility).  It's almost as if half of the documented parameters
must have been changed, though I can't find any references to any such
changes. 

I confess I'm about to just give up and find some other route to go. 

Terry


On 03/12/2018 11:15 PM, Shawn Heisey wrote:
> On 3/12/2018 8:39 PM, Terry Steichen wrote:
>> I'm increasingly of the view that Solr's authentication/authorization
>> mechanism doesn't work correctly in a _standalone_ mode.  It was
>> present in the cloud mode for quite a few versions back, but as of
>> 6.0.0 (or so) it was supposed to be available in standalone mode too. 
>> It seems to partly work (when using the built-in permissions), but
>> does not seem to work with customized, core-specific permissions.
>
> I suspected based on your last message that the authorization feature
> might only work correctly in SolrCloud.  The entire authentication
> feature was designed for SolrCloud.  Version 6.5 brought the
> security.json file to standalone mode.  This was LONG after the
> feature was introduced in 5.2 and had a LOT of bugs fixed in the three
> 5.3.x releases.
>
> I just found the section in the documentation confirming what I
> suspected.
>
> https://lucene.apache.org/solr/guide/7_2/authentication-and-authorization-plugins.html#authorization
>
>
> There is a note here that says "The authorization plugin is only
> supported in SolrCloud mode. Also, reloading the plugin isn't yet
> supported and requires a restart of the Solr installation (meaning,
> the JVM should be restarted, not simply a core reload)."  The 6.6
> documentation contains the same note that you can see here in the
> latest docs.
>
> I have no idea how hard it would be to extend the authorization plugin
> to support standalone cores as well as collections.  I imagine that if
> it were easy, it would have been done already.
>
> Thanks,
> Shawn
>
>
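Added example, not code from the thread or from the Solr project: a small Python helper for the two security APIs the thread exercises. It routes each documented operation to the endpoint that accepts it (set-user, delete-user and set-property go to /admin/authentication; set-permission, update-permission, delete-permission and set-user-role go to /admin/authorization), builds the documented body shapes (delete-user takes a JSON array of names), validates a hand-written body locally before it is sent, and extracts Solr's rejections, since a response with HTTP 200 and status 0 can still carry one in errorMessages. It assumes a node at http://localhost:8983 with the BasicAuthPlugin and RuleBasedAuthorizationPlugin enabled and the terry:admin credentials from the thread; the function names are ours.

```python
"""Helpers for Solr's Basic Authentication and Rule-Based Authorization APIs.

Added example; not code from the mailing-list thread or from the Solr
project.  Assumptions: a Solr node at http://localhost:8983 with the
BasicAuthPlugin and RuleBasedAuthorizationPlugin enabled in security.json,
and the terry:admin credentials used in the thread.  Function names are ours.
"""
import base64
import json
import urllib.error
import urllib.request

SOLR_BASE = "http://localhost:8983/solr"  # assumption: default port and context

# Every documented operation is accepted by exactly one endpoint.  Posting a
# permission operation to /admin/authentication is what produces the
# "Unknown operation 'set-permission'" response quoted in the thread.
ENDPOINT_FOR_OP = {
    "set-user": "admin/authentication",
    "delete-user": "admin/authentication",
    "set-property": "admin/authentication",
    "set-permission": "admin/authorization",
    "update-permission": "admin/authorization",
    "delete-permission": "admin/authorization",
    "set-user-role": "admin/authorization",
}


def build_request(op, payload):
    """Return (endpoint, json_body) for one operation; reject unknown ops locally."""
    if op not in ENDPOINT_FOR_OP:
        raise ValueError(f"unknown security operation {op!r}")
    return ENDPOINT_FOR_OP[op], json.dumps({op: payload})


def set_user(name, password):
    return build_request("set-user", {name: password})


def delete_users(*names):
    # delete-user takes a JSON array of user names.  The object form
    # '{"delete-user": {"lanny"}}' is not valid JSON at all, which is the
    # parser error (HTTP 500) Solr returned in the thread.
    return build_request("delete-user", list(names))


def set_property(name, value):
    return build_request("set-property", {name: value})


def set_permission(name, role, **extra):
    # extra: optional selectors such as collection=..., path=..., before=...
    return build_request("set-permission", {"name": name, "role": role, **extra})


def set_user_role(user, *roles):
    return build_request("set-user-role", {user: list(roles)})


def validate_json(text):
    """Parse a hand-written body locally before it reaches Solr.

    Returns (True, parsed) or (False, "<reason> at char <offset>").
    """
    try:
        return True, json.loads(text)
    except json.JSONDecodeError as exc:
        return False, f"{exc.msg} at char {exc.pos}"


def response_errors(resp):
    """Collect rejections from a Solr security-API response.

    A rejected operation can come back with HTTP 200 and status 0 while the
    real answer sits in 'errorMessages'; a malformed body comes back as a
    500 with an 'error' object.  Treat a non-empty list as failure
    regardless of the status code.
    """
    msgs = []
    for item in resp.get("errorMessages", []):
        msgs.extend(item.get("errorMessages", []))
    if "error" in resp:
        msgs.append(resp["error"].get("msg", "unknown error"))
    return msgs


def send(op, payload, user, password, base=SOLR_BASE):
    """POST one operation to the right endpoint with HTTP Basic auth.

    Returns Solr's decoded JSON (also for HTTP error responses).  Needs a
    running node; the caller must hold a role granted security-edit once
    permissions are configured.
    """
    endpoint, body = build_request(op, payload)
    req = urllib.request.Request(f"{base}/{endpoint}", data=body.encode(), method="POST")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        return json.load(exc)


if __name__ == "__main__":
    # Dry run: show where each of the thread's operations should be sent.
    for endpoint, body in (set_property("blockUnknown", True),
                           set_user("lanny", "hawaii"),
                           delete_users("lanny"),
                           set_permission("collection-admin-edit", "admin")):
        print(f"POST /solr/{endpoint}  {body}")
```

Running the script without a node prints the dry run only; `send()` is what actually talks to Solr. After any change, fetch `/solr/admin/authentication` and `/solr/admin/authorization` with GET (as the thread does for the authentication dump) and check `response_errors()` on every POST result rather than trusting the HTTP status.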
