You are viewing a plain text version of this content. The canonical link for it is here.
Posted to solr-user@lucene.apache.org by Dinesh Sundaram <sd...@gmail.com> on 2018/06/14 20:24:45 UTC
Solr basic auth
Hi,
I have configured basic auth for solrcloud. it works well when i access the
solr url directly. i have integrated this solr with test.com domain. now if
I access the solr url like test.com/solr it prompts the credentials but I
dont want to ask this time since it is known domain. is there any way to
achieve this. much appreciate your quick response.
my security json below. i'm using the default security, want to allow my
domain default without prompting any credentials.
{"authentication":{
"blockUnknown": true,
"class":"solr.BasicAuthPlugin",
"credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
},"authorization":{
"class":"solr.RuleBasedAuthorizationPlugin",
"permissions":[{"name":"security-edit",
"role":"admin"}],
"user-role":{"solr":"admin"}
}}
Re: Solr basic auth
Posted by Dinesh Sundaram <sd...@gmail.com>.
yes, Thanks. I would like to whitelist one domain from the authlogin.
On Thu, Jun 21, 2018 at 12:57 PM, Jan Høydahl <ja...@cominvent.com> wrote:
> Hi,
>
> As I said there is not way to combine multiple authentication plugins at
> the moment.
> So your best shot is probably to create your own CustomAuthPlugin where you
> implement the logic that you need. You can fork the code from BasicAuth
> and add
> the logic you need to whitelist the requests you need.
>
> It is very hard to understand from your initial email how Solr should see
> the
> difference between a request to "the solr URL directly" vs requests done
> indirectly, whatever that would mean. From solr's standpoint ALL requests
> are done to Solr directly :-) I suppose you mean that if a request
> originates
> from a particular frontend server's IP address then it should be
> whitelisted?
>
> You could also suggest in a new JIRA issue to extend Solr's auth feature
> to allow a chain of AuthPlugins, and if the request passes any of them it
> is let through.
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.cominvent.com
>
> > 21. jun. 2018 kl. 17:47 skrev Dinesh Sundaram <sd...@gmail.com>:
> >
> > thanks for your valuable feedback. I really want to allow this domain
> > without any credentials. i need basic auth only if anyone access the solr
> > url directly. so no option in solr to do that?
> >
> > On Sun, Jun 17, 2018 at 4:18 PM, Jan Høydahl <ja...@cominvent.com>
> wrote:
> >
> >> Of course, but Dinesh explicitly set blockUnknown=true below, so in this
> >> case ALL requests must have credentials. There is currently no feature
> that
> >> lets Solr accept any request by other rules, all requests are forwarded
> to
> >> the chosen authentication plugin.
> >>
> >> --
> >> Jan Høydahl, search solution architect
> >> Cominvent AS - www.cominvent.com
> >>
> >>> 15. jun. 2018 kl. 19:12 skrev Terry Steichen <te...@net-frame.com>:
> >>>
> >>> "When authentication is enabled ALL requests must carry valid
> >>> credentials." I believe this behavior depends on the value you set for
> >>> the *blockUnknown* authentication parameter.
> >>>
> >>>
> >>> On 06/15/2018 06:25 AM, Jan Høydahl wrote:
> >>>> When authentication is enabled ALL requests must carry valid
> >> credentials.
> >>>>
> >>>> Are you asking for a feature where a request is authenticated based on
> >> IP address of the client, not username/password?
> >>>>
> >>>> Jan
> >>>>
> >>>> Sendt fra min iPhone
> >>>>
> >>>>> 14. jun. 2018 kl. 22:24 skrev Dinesh Sundaram <
> sdineshroshan@gmail.com
> >>> :
> >>>>>
> >>>>> Hi,
> >>>>>
> >>>>> I have configured basic auth for solrcloud. it works well when i
> >> access the
> >>>>> solr url directly. i have integrated this solr with test.com domain.
> >> now if
> >>>>> I access the solr url like test.com/solr it prompts the credentials
> >> but I
> >>>>> dont want to ask this time since it is known domain. is there any way
> >> to
> >>>>> achieve this. much appreciate your quick response.
> >>>>>
> >>>>> my security json below. i'm using the default security, want to allow
> >> my
> >>>>> domain default without prompting any credentials.
> >>>>>
> >>>>> {"authentication":{
> >>>>> "blockUnknown": true,
> >>>>> "class":"solr.BasicAuthPlugin",
> >>>>> "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
> >>>>> Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
> >>>>> },"authorization":{
> >>>>> "class":"solr.RuleBasedAuthorizationPlugin",
> >>>>> "permissions":[{"name":"security-edit",
> >>>>> "role":"admin"}],
> >>>>> "user-role":{"solr":"admin"}
> >>>>> }}
> >>>
> >>
> >>
>
>
Re: Solr basic auth
Posted by Jan Høydahl <ja...@cominvent.com>.
Hi,
As I said there is not way to combine multiple authentication plugins at the moment.
So your best shot is probably to create your own CustomAuthPlugin where you
implement the logic that you need. You can fork the code from BasicAuth and add
the logic you need to whitelist the requests you need.
It is very hard to understand from your initial email how Solr should see the
difference between a request to "the solr URL directly" vs requests done
indirectly, whatever that would mean. From solr's standpoint ALL requests
are done to Solr directly :-) I suppose you mean that if a request originates
from a particular frontend server's IP address then it should be whitelisted?
You could also suggest in a new JIRA issue to extend Solr's auth feature
to allow a chain of AuthPlugins, and if the request passes any of them it
is let through.
--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com
> 21. jun. 2018 kl. 17:47 skrev Dinesh Sundaram <sd...@gmail.com>:
>
> thanks for your valuable feedback. I really want to allow this domain
> without any credentials. i need basic auth only if anyone access the solr
> url directly. so no option in solr to do that?
>
> On Sun, Jun 17, 2018 at 4:18 PM, Jan Høydahl <ja...@cominvent.com> wrote:
>
>> Of course, but Dinesh explicitly set blockUnknown=true below, so in this
>> case ALL requests must have credentials. There is currently no feature that
>> lets Solr accept any request by other rules, all requests are forwarded to
>> the chosen authentication plugin.
>>
>> --
>> Jan Høydahl, search solution architect
>> Cominvent AS - www.cominvent.com
>>
>>> 15. jun. 2018 kl. 19:12 skrev Terry Steichen <te...@net-frame.com>:
>>>
>>> "When authentication is enabled ALL requests must carry valid
>>> credentials." I believe this behavior depends on the value you set for
>>> the *blockUnknown* authentication parameter.
>>>
>>>
>>> On 06/15/2018 06:25 AM, Jan Høydahl wrote:
>>>> When authentication is enabled ALL requests must carry valid
>> credentials.
>>>>
>>>> Are you asking for a feature where a request is authenticated based on
>> IP address of the client, not username/password?
>>>>
>>>> Jan
>>>>
>>>> Sendt fra min iPhone
>>>>
>>>>> 14. jun. 2018 kl. 22:24 skrev Dinesh Sundaram <sdineshroshan@gmail.com
>>> :
>>>>>
>>>>> Hi,
>>>>>
>>>>> I have configured basic auth for solrcloud. it works well when i
>> access the
>>>>> solr url directly. i have integrated this solr with test.com domain.
>> now if
>>>>> I access the solr url like test.com/solr it prompts the credentials
>> but I
>>>>> dont want to ask this time since it is known domain. is there any way
>> to
>>>>> achieve this. much appreciate your quick response.
>>>>>
>>>>> my security json below. i'm using the default security, want to allow
>> my
>>>>> domain default without prompting any credentials.
>>>>>
>>>>> {"authentication":{
>>>>> "blockUnknown": true,
>>>>> "class":"solr.BasicAuthPlugin",
>>>>> "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
>>>>> Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
>>>>> },"authorization":{
>>>>> "class":"solr.RuleBasedAuthorizationPlugin",
>>>>> "permissions":[{"name":"security-edit",
>>>>> "role":"admin"}],
>>>>> "user-role":{"solr":"admin"}
>>>>> }}
>>>
>>
>>
Re: Solr basic auth
Posted by Dinesh Sundaram <sd...@gmail.com>.
thanks for your valuable feedback. I really want to allow this domain
without any credentials. i need basic auth only if anyone access the solr
url directly. so no option in solr to do that?
On Sun, Jun 17, 2018 at 4:18 PM, Jan Høydahl <ja...@cominvent.com> wrote:
> Of course, but Dinesh explicitly set blockUnknown=true below, so in this
> case ALL requests must have credentials. There is currently no feature that
> lets Solr accept any request by other rules, all requests are forwarded to
> the chosen authentication plugin.
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.cominvent.com
>
> > 15. jun. 2018 kl. 19:12 skrev Terry Steichen <te...@net-frame.com>:
> >
> > "When authentication is enabled ALL requests must carry valid
> > credentials." I believe this behavior depends on the value you set for
> > the *blockUnknown* authentication parameter.
> >
> >
> > On 06/15/2018 06:25 AM, Jan Høydahl wrote:
> >> When authentication is enabled ALL requests must carry valid
> credentials.
> >>
> >> Are you asking for a feature where a request is authenticated based on
> IP address of the client, not username/password?
> >>
> >> Jan
> >>
> >> Sendt fra min iPhone
> >>
> >>> 14. jun. 2018 kl. 22:24 skrev Dinesh Sundaram <sdineshroshan@gmail.com
> >:
> >>>
> >>> Hi,
> >>>
> >>> I have configured basic auth for solrcloud. it works well when i
> access the
> >>> solr url directly. i have integrated this solr with test.com domain.
> now if
> >>> I access the solr url like test.com/solr it prompts the credentials
> but I
> >>> dont want to ask this time since it is known domain. is there any way
> to
> >>> achieve this. much appreciate your quick response.
> >>>
> >>> my security json below. i'm using the default security, want to allow
> my
> >>> domain default without prompting any credentials.
> >>>
> >>> {"authentication":{
> >>> "blockUnknown": true,
> >>> "class":"solr.BasicAuthPlugin",
> >>> "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
> >>> Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
> >>> },"authorization":{
> >>> "class":"solr.RuleBasedAuthorizationPlugin",
> >>> "permissions":[{"name":"security-edit",
> >>> "role":"admin"}],
> >>> "user-role":{"solr":"admin"}
> >>> }}
> >
>
>
Re: Solr basic auth
Posted by Jan Høydahl <ja...@cominvent.com>.
Of course, but Dinesh explicitly set blockUnknown=true below, so in this case ALL requests must have credentials. There is currently no feature that lets Solr accept any request by other rules, all requests are forwarded to the chosen authentication plugin.
--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com
> 15. jun. 2018 kl. 19:12 skrev Terry Steichen <te...@net-frame.com>:
>
> "When authentication is enabled ALL requests must carry valid
> credentials." I believe this behavior depends on the value you set for
> the *blockUnknown* authentication parameter.
>
>
> On 06/15/2018 06:25 AM, Jan Høydahl wrote:
>> When authentication is enabled ALL requests must carry valid credentials.
>>
>> Are you asking for a feature where a request is authenticated based on IP address of the client, not username/password?
>>
>> Jan
>>
>> Sendt fra min iPhone
>>
>>> 14. jun. 2018 kl. 22:24 skrev Dinesh Sundaram <sd...@gmail.com>:
>>>
>>> Hi,
>>>
>>> I have configured basic auth for solrcloud. it works well when i access the
>>> solr url directly. i have integrated this solr with test.com domain. now if
>>> I access the solr url like test.com/solr it prompts the credentials but I
>>> dont want to ask this time since it is known domain. is there any way to
>>> achieve this. much appreciate your quick response.
>>>
>>> my security json below. i'm using the default security, want to allow my
>>> domain default without prompting any credentials.
>>>
>>> {"authentication":{
>>> "blockUnknown": true,
>>> "class":"solr.BasicAuthPlugin",
>>> "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
>>> Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
>>> },"authorization":{
>>> "class":"solr.RuleBasedAuthorizationPlugin",
>>> "permissions":[{"name":"security-edit",
>>> "role":"admin"}],
>>> "user-role":{"solr":"admin"}
>>> }}
>
Re: Solr basic auth
Posted by Terry Steichen <te...@net-frame.com>.
"When authentication is enabled ALL requests must carry valid
credentials." I believe this behavior depends on the value you set for
the *blockUnknown* authentication parameter.
On 06/15/2018 06:25 AM, Jan Høydahl wrote:
> When authentication is enabled ALL requests must carry valid credentials.
>
> Are you asking for a feature where a request is authenticated based on IP address of the client, not username/password?
>
> Jan
>
> Sendt fra min iPhone
>
>> 14. jun. 2018 kl. 22:24 skrev Dinesh Sundaram <sd...@gmail.com>:
>>
>> Hi,
>>
>> I have configured basic auth for solrcloud. it works well when i access the
>> solr url directly. i have integrated this solr with test.com domain. now if
>> I access the solr url like test.com/solr it prompts the credentials but I
>> dont want to ask this time since it is known domain. is there any way to
>> achieve this. much appreciate your quick response.
>>
>> my security json below. i'm using the default security, want to allow my
>> domain default without prompting any credentials.
>>
>> {"authentication":{
>> "blockUnknown": true,
>> "class":"solr.BasicAuthPlugin",
>> "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
>> Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
>> },"authorization":{
>> "class":"solr.RuleBasedAuthorizationPlugin",
>> "permissions":[{"name":"security-edit",
>> "role":"admin"}],
>> "user-role":{"solr":"admin"}
>> }}
Re: Solr basic auth
Posted by Jan Høydahl <ja...@cominvent.com>.
When authentication is enabled ALL requests must carry valid credentials.
Are you asking for a feature where a request is authenticated based on IP address of the client, not username/password?
Jan
Sendt fra min iPhone
> 14. jun. 2018 kl. 22:24 skrev Dinesh Sundaram <sd...@gmail.com>:
>
> Hi,
>
> I have configured basic auth for solrcloud. it works well when i access the
> solr url directly. i have integrated this solr with test.com domain. now if
> I access the solr url like test.com/solr it prompts the credentials but I
> dont want to ask this time since it is known domain. is there any way to
> achieve this. much appreciate your quick response.
>
> my security json below. i'm using the default security, want to allow my
> domain default without prompting any credentials.
>
> {"authentication":{
> "blockUnknown": true,
> "class":"solr.BasicAuthPlugin",
> "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
> Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
> },"authorization":{
> "class":"solr.RuleBasedAuthorizationPlugin",
> "permissions":[{"name":"security-edit",
> "role":"admin"}],
> "user-role":{"solr":"admin"}
> }}