
I am using Solr version 8.5.1 as a standalone application and would like to secure the Solr dashboard UI with basic auth. I know that there is built-in basic auth with security.json, but when I do that, all the select query URLs that are called from my application get blocked as well. I want to leave the query URLs open and only secure the dashboard. Is this possible?
I am using the basic security.json setup found at https://lucene.apache.org/solr/guide/8_5/basic-authentication-plugin.html#basic-authentication-plugin
EDIT: I saw this page, "How can I secure Solr 5.3.1 only admin pages", but adding authentication in jetty.xml and web.xml doesn’t seem to work anymore with version 8.5.1.


-
See lucene.apache.org/solr/guide/8_5/… – the read permission gives read access to most features by default, but adding a custom rule with /select that doesn’t require authentication should be possible, then having password authentication for all other endpoints. The example given under permission ordering resolution should be close to what you want. lucene.apache.org/solr/guide/8_5/…
– MatsLindh, Jun 12, 2020 at 18:51
-
Thank you for the response, MatsLindh, but can you explain how you would add a custom rule that doesn’t require authentication? I have been trying, but with no success so far. There is a property “blockUnknown” that needs to be set to true for authentication to start working, but this will prevent requests without authentication altogether.
– Phudith Pattharakositkul, Jun 12, 2020 at 20:20
-
You have to set blockUnknown to false, then add a rule that blocks everything – blockUnknown is in relation to those requests that don’t match any of your rules (All requests w/o credentials will be rejected with a 401 error. Set ‘blockUnknown’ to false (or remove it altogether) if you wish to let unauthenticated requests to go through. However, if a particular resource is protected by a rule, they are rejected anyway with a 401 error.)
– MatsLindh, Jun 12, 2020 at 20:38
-
Okay, that makes sense, MatsLindh. Can you please provide an example of the security.json you have in mind? I’m struggling to understand how a rule can be applied to an unauthenticated user. Aren’t rules supposed to apply only to specific roles? How do you apply rules to an unauthenticated user?
– Phudith Pattharakositkul, Jun 12, 2020 at 21:14
- Okay, I finally got it to work. I took MatsLindh’s suggestion to set blockUnknown to false, and I made sure that at least one user has the “core-admin-read” permission. This automatically requires authentication when attempting to log in on the UI.
Here is an example of my security.json:
{
  "authentication": {
    "blockUnknown": false,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "solr": "...."
    },
    "realm": "My Solr users",
    "forwardCredentials": false,
    "": {
      "v": 0
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {
        "name": "core-admin-read",
        "role": "admin"
      }
    ],
    "user-role": {
      "solr": "admin"
    }
  }
}

- I got the following to work in 8.8
{
  "authentication": {
    "blockUnknown": false,
    "class": "solr.BasicAuthPlugin",
    "credentials": {"solr": "..."}
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {"solr": "admin"},
    "permissions": [
      {
        "name": "all",
        "role": "admin",
        "index": 1
      },
      {
        "name": "open_select",
        "collection": "*",
        "path": "/select",
        "role": null,
        "index": 2
      }
    ],
    "": {"v": 0}
  }
}
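
An added example, not part of the original answers: a Python check over a parsed security.json that reports the effects discussed in this thread (blockUnknown rejecting anonymous requests, rules with role null, and whether a role-protected "all" rule covers endpoints that no other rule names). The function name and finding codes are hypothetical, and it is a heuristic that does not model Solr's rule matching or ordering.

```python
import json

def audit_security_json(cfg):
    """Return (code, message) findings for a parsed Solr security.json."""
    authn = cfg.get("authentication", {})
    authz = cfg.get("authorization", {})
    perms = authz.get("permissions", [])
    block_unknown = bool(authn.get("blockUnknown", False))
    findings = []
    def as_set(value):  # roles may be written as one string or as a list
        return {value} if isinstance(value, str) else set(value or [])
    if block_unknown:
        findings.append(("block-unknown",
                         "every request without credentials is rejected with 401"))
    for p in perms:
        if "role" in p and p["role"] is None:  # explicit null: no role required
            findings.append(("anonymous-rule",
                             f"{p.get('name')} ({p.get('path', 'predefined')}) needs no role"))
    # Heuristic: with blockUnknown false, a request that matches no rule passes
    # anonymously, so look for a role-protected catch-all.
    if not block_unknown and not any(p.get("name") == "all" and p.get("role") for p in perms):
        findings.append(("no-catch-all",
                         "endpoints not named by a rule (e.g. /update) accept anonymous requests"))
    required = set().union(*[as_set(p.get("role")) for p in perms]) - {"*"}
    granted = set().union(*[as_set(r) for r in authz.get("user-role", {}).values()])
    for role in sorted(required - granted):
        findings.append(("unassigned-role", f"no user holds role '{role}'"))
    return findings

# Constructed copies of the two answers' files; "<hash>" replaces the elided credential.
FIRST = json.loads("""{
 "authentication": {"blockUnknown": false, "class": "solr.BasicAuthPlugin",
                    "credentials": {"solr": "<hash>"}},
 "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
                   "permissions": [{"name": "core-admin-read", "role": "admin"}],
                   "user-role": {"solr": "admin"}}}""")
SECOND = json.loads("""{
 "authentication": {"blockUnknown": false, "class": "solr.BasicAuthPlugin",
                    "credentials": {"solr": "<hash>"}},
 "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
                   "user-role": {"solr": "admin"},
                   "permissions": [
                     {"name": "all", "role": "admin", "index": 1},
                     {"name": "open_select", "collection": "*", "path": "/select",
                      "role": null, "index": 2}]}}""")

if __name__ == "__main__":
    for label, cfg in (("first answer", FIRST), ("second answer", SECOND)):
        print(label, audit_security_json(cfg))
```

For the first file this reports only `no-catch-all`; for the second it reports only the `open_select` rule as anonymous.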
Content retrieved from: https://stackoverflow.com/questions/62350486/is-it-possible-to-secure-apache-solr-8-5-1-dashboard-page-but-not-the-query-page.