Authentication not working with solr-cloud. Pods are getting restarted.
sgauchan88 opened this issue · 4 comments
I have created 2 secrets for below configuration:
```yaml
security:
  authenticationType: Basic
  basicAuthSecret: user-provided-secret
  bootstrapSecurityJson:
    name: solr-basic-auth
    key: security.json
```
Security.json file which I used:
security.json:
```json
{
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "sandip": "XohImNooBHFR0OVvjcYpJ3NgPQ1qq73WKhHvch0VQtg="
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {
        "name": "security-edit",
        "role": "admin"
      },
      {
        "name": "all",
        "role": "admin"
      }
    ],
    "user-role": {
      "sandip": "admin"
    }
  }
}
```
```bash
kubectl create secret generic user-provided-secret --from-literal=username=sandip --from-literal=password=password --type=kubernetes.io/basic-auth
kubectl create secret generic solr-basic-auth --from-file=security.json=security.json
```
My solr-cloud pods are getting restarted when I add the above security configuration in the Helm chart. Testing it with 0.6.0 chart version.
@sgauchan88 The password in your security.json should be a sha256(password+salt) hash. You can try using this online encryption tool to generate a password.
I tested out the security.json given below and it worked for me. I added some other endpoints in the permissions list and set the `blockUnknown` option as false.
If you really want to secure all your endpoints (including the probes) you can set `probesRequireAuth:true` in the security config and use the following security.json to set up Solr. After the setup you can use the Solr UI or the Authorization API to update the permission for the probes.
```json
{
  "authentication": {
    "blockUnknown": false,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "sandip": "kOPO6E/MScdL8KTc9nmFey0/JpJwZGRdo0RJQO+O4+w= ZnNibnR0Z2NzeG4wN2Jt"
    },
    "realm": "Solr Basic Auth",
    "forwardCredentials": false
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {
      "sandip": ["admin"]
    },
    "permissions": [
      {
        "name": "k8s-probe-0",
        "role": null,
        "collection": null,
        "path": "/admin/info/health"
      },
      {
        "name": "k8s-probe-1",
        "role": null,
        "collection": null,
        "path": "/admin/info/system"
      },
      {
        "name": "k8s-status",
        "role": "admin",
        "collection": null,
        "path": "/admin/collections"
      },
      {
        "name": "k8s-metrics",
        "role": "admin",
        "collection": null,
        "path": "/admin/metrics"
      },
      {
        "name": "k8s-zk",
        "role": "admin",
        "collection": null,
        "path": "/admin/zookeeper/status"
      },
      {
        "name": "k8s-ping",
        "role": "admin",
        "collection": "*",
        "path": "/admin/ping"
      },
      {
        "name": "read",
        "role": ["admin"]
      },
      {
        "name": "update",
        "role": ["admin"]
      },
      {
        "name": "security-read",
        "role": ["admin"]
      },
      {
        "name": "security-edit",
        "role": ["admin"]
      },
      {
        "name": "all",
        "role": ["admin"]
      }
    ]
  }
}
```
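Added example, not part of the original thread and not Solr Operator code: a way to generate and check `credentials` values locally before creating the bootstrap secret. It assumes the format given in the Solr Reference Guide for `BasicAuthPlugin`, `base64(sha256(sha256(salt+password)))` followed by a space and `base64(salt)`; all function names are hypothetical. The linter flags a value that has only a hash part, like the one in the first security.json above.

```python
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import os


def solr_credential(password: str, salt: bytes | None = None) -> str:
    """Build '<base64 hash> <base64 salt>' for the "credentials" map."""
    salt = os.urandom(32) if salt is None else salt
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    digest = hashlib.sha256(inner).digest()  # assumed format: hashed twice
    return f"{base64.b64encode(digest).decode()} {base64.b64encode(salt).decode()}"


def parse_credential(value: str) -> tuple[bytes, bytes]:
    """Split a stored credential into (hash, salt); ValueError if malformed."""
    parts = value.split()
    if len(parts) != 2:
        raise ValueError("expected '<base64 hash> <base64 salt>'")
    try:
        digest, salt = (base64.b64decode(p, validate=True) for p in parts)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if len(digest) != hashlib.sha256().digest_size:
        raise ValueError("hash part is not a 32-byte SHA-256 digest")
    return digest, salt


def verify(password: str, stored: str) -> bool:
    """Check a password against a stored credential in constant time."""
    digest, salt = parse_credential(stored)
    expected, _ = parse_credential(solr_credential(password, salt))
    return hmac.compare_digest(digest, expected)


def lint_security_json(doc: dict) -> dict[str, str]:
    """Map each user whose credential is malformed to the reason."""
    problems = {}
    creds = doc.get("authentication", {}).get("credentials", {})
    for user, value in creds.items():
        try:
            parse_credential(value)
        except ValueError as exc:
            problems[user] = str(exc)
    return problems
```
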
@dan-niles Thanks. This worked for me. Is it necessary to create 2 secrets for Solr authentication, or would it work with only one secret?
@sgauchan88 Yes, I think both secrets are required initially.
- The `user-provided-secret` credential you created is required by the Solr Operator to check Solr status, ZK status and metrics.
- The `solr-basic-auth` you created holds the custom security.json that needs to be bootstrapped by the operator.

Once you have successfully set up authentication on Solr and verified everything is working correctly, I think you can safely delete the `solr-basic-auth` secret. But the `user-provided-secret` secret is still required.
Thanks for helping solve this @dan-niles !