Posted to solr-user@lucene.apache.org by Merlin Morgenstern <me...@gmail.com> on 2015/09/09 11:05:50 UTC

How to secure Admin UI with Basic Auth in Solr 5.3.x

I just installed solr cloud 5.3.x and found that the way to secure the admin
ui has changed. Apparently there is a new plugin which does role based
authentication and all info on how to secure the admin UI found on the
net is outdated.

I do not need role based authentication but just simply want to put basic
authentication to the Admin UI.

How do I configure solr cloud 5.3.x in order to restrict access to the
Admin UI via Basic Authentication?

Thank you for any help

RE: How to secure Admin UI with Basic Auth in Solr 5.3.x

Posted by "Davis, Daniel (NIH/NLM) [C]" <da...@nih.gov>.
The authorization plugin is new in Solr 5.3. It is hard to describe a secure Solr 5.2.1 environment simply - the basics are to protect /solr by placing it behind Apache httpd or nginx, and also a port-based firewall. I am most familiar with Apache httpd and Linux/RedHat family.

Within the Apache httpd configuration, I have a single virtual host, but multiple locations defined, each with different security.

So, now we're past simple and on to specific and complicated. Here's a sample fictionalized fragment of an Apache httpd.conf, perhaps something you would put in /etc/httpd/conf.d/solr.conf on CentOS or /etc/apache/conf.enabled.d/solr.conf on Ubuntu:

# Solr is admin and requires specific users to login with particular AuthType - basic is pretty basic
<Location /solr>
  AuthName "NLM Login"
  AuthType Basic
  # Basic auth also needs a credential source (e.g. AuthUserFile), set here or in an enclosing scope
  Require user merlin

  ProxyPass http://127.0.0.1:8983/solr retry=0
  ProxyPassReverse http://127.0.0.1:8983/solr
</Location>

# Allow select on lrprod collection from 10.1.0.0/24 subnet
<Location /proxy/lrprod/select>
  ProxyPass http://127.0.0.1:8983/solr/lrprod/select
  ProxyPassReverse http://127.0.0.1:8983/solr/lrprod/select
  Options -MultiViews
  Order allow,deny
  Allow from 10.1.0.0/24 127.0.0.1
</Location>

# Allow update on lrprod collection from specific IPs in that subnet
<Location /proxy/lrprod/update>
  ProxyPass http://127.0.0.1:8983/solr/lrprod/update
  ProxyPassReverse http://127.0.0.1:8983/solr/lrprod/update
  Options -MultiViews
  Order allow,deny
  Allow from 10.1.0.17 10.1.0.18 127.0.0.1
</Location>

In addition, I open the following ports on my hosts to the other hosts using Linux iptables for the cluster

# allow other nodes to reach each other
ACCEPT     tcp  --  10.1.1.0/24            0.0.0.0/0           state NEW tcp dpt:8983
# zookeeper is running locally in my setup, so:
ACCEPT     tcp  --  10.1.1.0/24            0.0.0.0/0           state NEW tcp dpt:2181
ACCEPT     tcp  --  10.1.1.0/24            0.0.0.0/0           state NEW tcp dpt:2888
ACCEPT     tcp  --  10.1.1.0/24            0.0.0.0/0           state NEW tcp dpt:3888

I hope this too long post is not didn't read.

-----Original Message-----
From: Merlin Morgenstern [mailto:merlin.morgenstern@gmail.com] 
Sent: Friday, September 11, 2015 10:30 AM
To: solr-user@lucene.apache.org; noble.paul@gmail.com
Subject: Re: How to secure Admin UI with Basic Auth in Solr 5.3.x

Thank you for the info.

I have already downgraded to 5.2.x as this is a production setup.
Unfortunately I have the same trouble there ... Any suggestions how to fix this? What is the recommended procedure in securing the admin gui on prod setups?


Re: How to secure Admin UI with Basic Auth in Solr 5.3.x

Posted by Anshum Gupta <an...@anshumgupta.net>.
Hi Merlin,

Solr 5.2.x only supported Kerberos out of the box and introduced a
framework to write your own authentication/authorization plugin. If you
don't use Kerberos, the only sensible way forward for you would be to wait
for the 5.3.1 release to come out and then move to it.

Until then, or without the upgrade, your best bet would be to try what
Davis suggested.

On Fri, Sep 11, 2015 at 7:30 AM, Merlin Morgenstern <
merlin.morgenstern@gmail.com> wrote:

> Thank you for the info.
>
> I have already downgraded to 5.2.x as this is a production setup.
> Unfortunately I have the same trouble there ... Any suggestions how to fix
> this? What is the recommended procedure in securing the admin gui on prod
> setups?



-- 
Anshum Gupta

Re: How to secure Admin UI with Basic Auth in Solr 5.3.x

Posted by Merlin Morgenstern <me...@gmail.com>.
Thank you for the info.

I have already downgraded to 5.2.x as this is a production setup.
Unfortunately I have the same trouble there ... Any suggestions how to fix
this? What is the recommended procedure in securing the admin gui on prod
setups?

2015-09-11 14:26 GMT+02:00 Noble Paul <no...@gmail.com>:

> There were some bugs with the 5.3.0 release and 5.3.1 is in the
> process of getting released.
>
> try out the option #2 with the RC here
>
>
> https://dist.apache.org/repos/dist/dev/lucene/lucene-solr-5.3.1-RC1-rev1702389/solr/

Re: How to secure Admin UI with Basic Auth in Solr 5.3.x

Posted by Noble Paul <no...@gmail.com>.
There were some bugs with the 5.3.0 release and 5.3.1 is in the
process of getting released.

try out the option #2 with the RC here

https://dist.apache.org/repos/dist/dev/lucene/lucene-solr-5.3.1-RC1-rev1702389/solr/



On Fri, Sep 11, 2015 at 5:16 PM, Merlin Morgenstern
<me...@gmail.com> wrote:
> OK, I downgraded to solr 5.2.x
>
> Unfortunately still no luck. I followed 2 approaches:
>
> 1. Secure it the old fashioned way like described here:
> http://stackoverflow.com/questions/28043957/how-to-set-apache-solr-admin-password
>
> 2. Using the Basic Authentication Plugin like described here:
> http://lucidworks.com/blog/securing-solr-basic-auth-permission-rules/
>
> Both approaches created unsolved problems.
>
> While following option 1, I was able to secure the Admin UI with basic
> authentication, but no longer able to access my application despite the
> fact that it was working on solr 3.x with the same type of authentication
> procedure and credentials.
>
> While following option 2, I was stuck right after uploading the
> security.json file to the zookeeper ensemble. The described behaviour to curl
> http://localhost:8983/solr/admin/authentication responded with a 404 not
> found and then solr could not connect to zookeeper. I had to remove that
> file from zookeeper and restart all solr nodes.
>
> Please could someone lead me the way on how to secure the Admin UI and
> password protect solr cloud? I have a perfectly running system with solr
> 3.x and one core and now taking it to solr cloud 5.2.x into production
> seems to be stopped by simple authorization problems.
>
> Thank you in advance for any help.



-- 
-----------------------------------------------------
Noble Paul

Re: How to secure Admin UI with Basic Auth in Solr 5.3.x

Posted by Merlin Morgenstern <me...@gmail.com>.
OK, I downgraded to solr 5.2.x

Unfortunately still no luck. I followed 2 approaches:

1. Secure it the old fashioned way like described here:
http://stackoverflow.com/questions/28043957/how-to-set-apache-solr-admin-password

2. Using the Basic Authentication Plugin like described here:
http://lucidworks.com/blog/securing-solr-basic-auth-permission-rules/

Both approaches created unsolved problems.

While following option 1, I was able to secure the Admin UI with basic
authentication, but no longer able to access my application despite the
fact that it was working on solr 3.x with the same type of authentication
procedure and credentials.

While following option 2, I was stuck right after uploading the
security.json file to the zookeeper ensemble. The described behaviour to curl
http://localhost:8983/solr/admin/authentication responded with a 404 not
found and then solr could not connect to zookeeper. I had to remove that
file from zookeeper and restart all solr nodes.

Please could someone lead me the way on how to secure the Admin UI and
password protect solr cloud? I have a perfectly running system with solr
3.x and one core and now taking it to solr cloud 5.2.x into production
seems to be stopped by simple authorization problems.

Thank you in advance for any help.



2015-09-10 20:42 GMT+02:00 Noble Paul <no...@gmail.com>:

> Check this https://cwiki.apache.org/confluence/display/solr/Securing+Solr
>
> There are a couple of bugs in 5.3.0 and a bug fix release is coming up
> over the next few days.
>
> We don't provide any specific means to restrict access to admin UI
> itself. However we let users specify fine grained ACLs on various
> operations such as collection-admin-edit, read etc

Re: How to secure Admin UI with Basic Auth in Solr 5.3.x

Posted by Noble Paul <no...@gmail.com>.
Check this https://cwiki.apache.org/confluence/display/solr/Securing+Solr

There are a couple of bugs in 5.3.0 and a bug fix release is coming up
over the next few days.

We don't provide any specific means to restrict access to admin UI
itself. However we let users specify fine grained ACLs on various
operations such as collection-admin-edit, read etc

On Wed, Sep 9, 2015 at 2:35 PM, Merlin Morgenstern
<me...@gmail.com> wrote:
> I just installed solr cloud 5.3.x and found that the way to secure the admin
> ui has changed. Apparently there is a new plugin which does role based
> authentication and all info on how to secure the admin UI found on the
> net is outdated.
>
> I do not need role based authentication but just simply want to put basic
> authentication to the Admin UI.
>
> How do I configure solr cloud 5.3.x in order to restrict access to the
> Admin UI via Basic Authentication?
>
> Thank you for any help



-- 
-----------------------------------------------------
Noble Paul
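
For the Basic Authentication Plugin route discussed in this thread (a security.json uploaded to ZooKeeper, with ACLs such as collection-admin-edit), the following is an added example, not code from any poster or from the Solr project: it builds the salted SHA-256 credential strings that solr.BasicAuthPlugin stores and sanity-checks the file before upload. The user name, password and function names are made up for illustration.

```python
import base64
import hashlib
import hmac
import json
import os

def solr_credential(password, salt=None):
    """Return '<b64 sha256(sha256(salt + password))> <b64 salt>' as stored in security.json."""
    salt = os.urandom(32) if salt is None else salt
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    digest = hashlib.sha256(inner).digest()
    return base64.b64encode(digest).decode() + " " + base64.b64encode(salt).decode()

def check_password(password, credential):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = base64.b64decode(credential.split(" ")[1])
    return hmac.compare_digest(solr_credential(password, salt), credential)

def build_security_json(users, permissions):
    """users: {name: (password, [roles])}; permissions: [{"name": ..., "role": ...}]."""
    return {
        "authentication": {
            "class": "solr.BasicAuthPlugin",
            "credentials": {u: solr_credential(pw) for u, (pw, _) in users.items()},
        },
        "authorization": {
            "class": "solr.RuleBasedAuthorizationPlugin",
            "permissions": permissions,
            "user-role": {u: roles for u, (_, roles) in users.items()},
        },
    }

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def validate(doc):
    """Return a list of problems worth fixing before the file goes to ZooKeeper."""
    problems = []
    creds = doc.get("authentication", {}).get("credentials", {})
    authz = doc.get("authorization", {})
    for user, value in creds.items():
        try:
            sizes = [len(base64.b64decode(p, validate=True)) for p in value.split(" ")]
        except ValueError:  # binascii.Error is a ValueError
            sizes = []
        if len(sizes) != 2 or sizes[0] != 32 or sizes[1] == 0:
            problems.append("credential for %r is not '<hash> <salt>' in base64" % user)
    assigned = set()
    for user, roles in authz.get("user-role", {}).items():
        if user not in creds:
            problems.append("user-role names %r, who has no credential" % user)
        assigned.update(_as_list(roles))
    rules = authz.get("permissions", [])
    for rule in rules:
        if not assigned & set(_as_list(rule.get("role"))):
            problems.append("permission %r names no role held by any user" % rule.get("name"))
    if not any(rule.get("name") == "security-edit" for rule in rules):
        problems.append("no security-edit rule: edits to security.json are not role-restricted")
    return problems

if __name__ == "__main__":
    # Constructed sample: one admin user with a placeholder password.
    sample = build_security_json({"solradmin": ("placeholder-password", ["admin"])},
                                 [{"name": "security-edit", "role": "admin"},
                                  {"name": "collection-admin-edit", "role": "admin"}])
    print(json.dumps(sample, indent=2))
    print(validate(sample) or "no problems found")
```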

Re: How to secure Admin UI with Basic Auth in Solr 5.3.x

Posted by Imtiaz Shakil Siddique <sh...@gmail.com>.
If you are using a Linux server you can always use iptables to restrict access to
the solr admin panel.
On Sep 9, 2015 3:05 PM, "Merlin Morgenstern" <me...@gmail.com>
wrote:

> I just installed solr cloud 5.3.x and found that the way to secure the admin
> ui has changed. Apparently there is a new plugin which does role based
> authentication and all info on how to secure the admin UI found on the
> net is outdated.
>
> I do not need role based authentication but just simply want to put basic
> authentication to the Admin UI.
>
> How do I configure solr cloud 5.3.x in order to restrict access to the
> Admin UI via Basic Authentication?
>
> Thank you for any help
>