有幾個關於Solr驗證&授權的主題和文章,但我無法讓它工作(我喜歡這種方式)。Solr 5.3&Zookeeper安全驗證和授權
我跟着這些教程/信息來源: https://cwiki.apache.org/confluence/display/solr/Authentication+and+Authorization+Plugins 和 https://lucidworks.com/blog/2015/08/17/securing-solr-basic-auth-permission-rules/
然後,我創造了這個security.json我證實,它是活躍在動物園管理員:
{
"authentication":{
"class":"solr.BasicAuthPlugin",
"credentials":{
"solr":"...",
"admin":"...",
"monitor":"...",
"data_import":"..."},
"":{"v":8}},
"authorization":{
"class":"solr.RuleBasedAuthorizationPlugin",
"permissions":[
{
"name":"security-edit",
"role":"adminRole"},
{
"name":"security-read",
"role":"adminRole"},
{
"name":"schema-edit",
"role":"adminRole"},
{
"name":"schema-read",
"role":"collectionRole"},
{
"name":"config-edit",
"role":"adminRole"},
{
"name":"config-read",
"role":"collectionRole"},
{
"name":"collection-admin-edit",
"role":"adminRole"},
{
"name":"collection-admin-read",
"role":"collectionRole"},
{
"name":"update",
"role":"dataImportRole"},
{
"name":"read",
"role":"dataImportRole"}],
"user-role":{
"solr":[
"adminRole",
"collectionRole",
"dataImportRole"],
"admin":[
"adminRole",
"collectionRole",
"dataImportRole"],
"monitor":[
"collectionRole",
"dataImportRole"],
"data_import":["dataImportRole"]}}}
我現在有一個安全.json適用於來自命令行的捲曲請求:
curl "http://localhost:8983/solr/admin/authorization"
未經授權的請求,響應代碼:401
curl --user solr:<pwd> "http://localhost:8983/solr/admin/authorization"
與信息
到目前爲止好正常響應。
現在我嘗試和選擇一個集合,它不應根據我security.json匿名行事的東西,但它仍然有效
curl "http://localhost:8983/solr/outlets_shard1_replica1/select?q=*%3A*&wt=json&indent=true"
"responseHeader":{
"status":0,
"QTime":1,
"params":{
"indent":"true",
"q":"*:*",
"wt":"json"}},
"response":{"numFound":2000,"start":0,"d.. }
這是vexes的第一件事我。我可能可以爲/ select創建一些自定義路徑權限,但是將讀取權限分配給特定角色應該可以解決這個問題嗎?但[1]如何禁用所有匿名訪問?
繼續下去,可能與此有關,它讓我困擾Solr Admin UI(http://solrurl:8983/solr/#)仍然可以訪問。在之前的Solr安裝(使用tomcat)中,我記得即使這個界面也是安全的。似乎我仍然可以完全訪問整個核心(重新加載工作),並且我還可以檢查雲配置。 [2]如何限制對Solr Admin UI的訪問?
,實際上似乎是安全的唯一的東西是所有的/ Solr的/ admin相關命令
這使我想到第三件事,我似乎無法弄清楚:如何配置solr.in .SH讓Solr的認證通過與/斌/ Solr的命令
我看到SOLR_AUTHENTICATION_CLIENT_CONFIGURER和SOLR_AUTHENTICATION_OPTS選項,但我不知道如何修改這些基本的領域驗證反饋到Solr的命令行。所以[3]我如何保持從命令行到Solr(和Zookeeper)授權的&認證的所有訪問?
例如,solr status現在返回
Found 1 Solr nodes:
Solr process 15931 running on port 8983
ERROR: Failed to get system information from http://localhost:8983/solr due to: org.apache.http.client.ClientProtocolException: Expected JSON response from server but received: <html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Error 401 Unauthorized request, Response code: 401</title>
</head>
<body><h2>HTTP ERROR 401</h2>
<p>Problem accessing /solr/admin/collections. Reason:
<pre> Unauthorized request, Response code: 401</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/>
</body>
</html>
我已經與
SOLR_AUTHENTICATION_OPTS="-DinternalAuthCredentialsBasicAuthUsername=solr -DinternalAuthCredentialsBasicAuthPassword=<pass>"
測試無濟於事
謝謝,但我真的這樣做。問題不在於用戶名密碼組合不起作用,而在於它仍允許匿名訪問集合(點[1])。不保護Solr管理界面(點[2])並且不會自動爲CLI命令提供,並在401(點[3])中恢復 –