Authentication not working with solr-cloud. Pods are getting restarted. #681

Closed
sgauchan88 opened this issue Jan 25, 2024 · 4 comments

@sgauchan88

sgauchan88 commented Jan 25, 2024

I have created 2 secrets for the configuration below:

security:
    authenticationType: Basic
    basicAuthSecret: user-provided-secret
    bootstrapSecurityJson:
      name: solr-basic-auth
      key: security.json

security.json file which I used:

security.json:
{
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "sandip": "XohImNooBHFR0OVvjcYpJ3NgPQ1qq73WKhHvch0VQtg="
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {
        "name": "security-edit",
        "role": "admin"
      },
      {
        "name": "all",
        "role": "admin"
      }
    ],
    "user-role": {
      "sandip": "admin"
    }
  }
}

kubectl create secret generic user-provided-secret --from-literal=username=sandip --from-literal=password=password --type=kubernetes.io/basic-auth
kubectl create secret generic solr-basic-auth --from-file=security.json=security.json

My solr-cloud pods are getting restarted when I add the above security configuration in the helm chart. Testing it with 0.6.0 chart version.

@dan-niles
Contributor

@sgauchan88 The password in your security.json should be a sha256(password+salt) hash. You can try using this online encryption tool to generate a password.

I tested out the security.json given below and it worked for me. I added some other endpoints in the permissions list and set the blockUnknown option as false.

If you really want to secure all your endpoints (including the probes) you can set probesRequireAuth: true in the security config and use the following security.json to set up Solr. After the setup you can use the Solr UI or the Authorization API to update the permission for the probes.

{
  "authentication": {
    "blockUnknown": false,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "sandip": "kOPO6E/MScdL8KTc9nmFey0/JpJwZGRdo0RJQO+O4+w= ZnNibnR0Z2NzeG4wN2Jt"
    },
    "realm": "Solr Basic Auth",
    "forwardCredentials": false
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {
      "sandip": ["admin"]
    },
    "permissions": [
      {
        "name": "k8s-probe-0",
        "role": null,
        "collection": null,
        "path": "/admin/info/health"
      },
      {
        "name": "k8s-probe-1",
        "role": null,
        "collection": null,
        "path": "/admin/info/system"
      },
      {
        "name": "k8s-status",
        "role": "admin",
        "collection": null,
        "path": "/admin/collections"
      },
      {
        "name": "k8s-metrics",
        "role": "admin",
        "collection": null,
        "path": "/admin/metrics"
      },
      {
        "name": "k8s-zk",
        "role": "admin",
        "collection": null,
        "path": "/admin/zookeeper/status"
      },
      {
        "name": "k8s-ping",
        "role": "admin",
        "collection": "*",
        "path": "/admin/ping"
      },
      {
        "name": "read",
        "role": ["admin"]
      },
      {
        "name": "update",
        "role": ["admin"]
      },
      {
        "name": "security-read",
        "role": ["admin"]
      },
      {
        "name": "security-edit",
        "role": ["admin"]
      },
      {
        "name": "all",
        "role": ["admin"]
      }
    ]
  }
}
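
The credentials value can also be generated and checked locally instead of with an online tool. The following is an added example, not part of the thread and not Solr Operator code; it assumes the stored format documented for Solr's BasicAuthPlugin, `base64(sha256(sha256(salt + password)))` followed by a space and `base64(salt)`, and the function names and the `alice` user are hypothetical.

```python
from __future__ import annotations
import base64
import hashlib
import hmac
import json
import os

def solr_hash(password: str, salt: bytes) -> str:
    """base64(sha256(sha256(salt + password))), the digest assumed for BasicAuthPlugin."""
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(hashlib.sha256(inner).digest()).decode("ascii")

def make_credential(password: str, salt: bytes | None = None) -> str:
    """Return '<base64 hash> <base64 salt>' for the credentials map in security.json."""
    salt = os.urandom(32) if salt is None else salt
    return f"{solr_hash(password, salt)} {base64.b64encode(salt).decode('ascii')}"

def check_credential(stored: str, password: str) -> str:
    """Classify a stored value: 'ok', 'wrong-password', 'plain-sha256' or 'malformed'."""
    parts = stored.split()
    try:
        raw = [base64.b64decode(p, validate=True) for p in parts]
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    if len(raw) == 2 and len(raw[0]) == 32:
        ok = hmac.compare_digest(solr_hash(password, raw[1]), parts[0])
        return "ok" if ok else "wrong-password"
    # This example requires the salted two-field form and reports anything else.
    if len(raw) == 1 and raw[0] == hashlib.sha256(password.encode("utf-8")).digest():
        return "plain-sha256"  # one unsalted SHA-256 round, no salt field
    return "malformed"

def lint_security_json(text: str, passwords: dict[str, str]) -> dict[str, str]:
    """Check every user in authentication.credentials against its known password."""
    creds = json.loads(text)["authentication"]["credentials"]
    return {user: check_credential(value, passwords.get(user, ""))
            for user, value in creds.items()}

# Value and password as posted in the issue; "alice" is a constructed second user.
ISSUE_VALUE = "XohImNooBHFR0OVvjcYpJ3NgPQ1qq73WKhHvch0VQtg="
SAMPLE = json.dumps({"authentication": {"credentials": {
    "sandip": ISSUE_VALUE,
    "alice": make_credential("constructed-pass", salt=b"constructed-salt"),
}}})

if __name__ == "__main__":
    print(lint_security_json(SAMPLE, {"sandip": "password", "alice": "constructed-pass"}))
    print(make_credential("constructed-pass"))  # fresh random salt on every call
```

Run against the value from the original post, the check reports `plain-sha256` for `sandip`: that string is a single unsalted SHA-256 of the password given in the `kubectl` command, with no salt field.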

@sgauchan88
Author

@dan-niles Thanks. This worked for me. Is it necessary to create 2 secrets for Solr authentication, or would it work with only one secret?

@dan-niles
Contributor

dan-niles commented Feb 24, 2024

@sgauchan88 Yes, I think both secrets are required initially.

  • The user-provided-secret credential you created is required by the Solr Operator to check Solr status, ZK status and metrics.
  • The solr-basic-auth you created holds the custom security.json that needs to be bootstrapped by the operator.

Once you have successfully set up authentication on Solr and verified everything is working correctly, I think you can safely delete the solr-basic-auth secret. But the user-provided-secret secret is still required.

@HoustonPutman
Contributor

Thanks for helping solve this, @dan-niles!
