I am not very familiar with Solr. I have installed Solr successfully. It is using the Jetty webserver. My Solr version is 4.10.3. Its admin page is not protected by a password. Anyone can access it. I want to apply a password on the Solr admin. How will I do it?
Enable authentication in solr admin running with solr 6.1 and jetty
Pre condition:
Solr version 6.1
Solr is running successfully in the system
Solr Admin running through jetty
Process:
1. Edit jetty.xml
Edit the file “server/etc/jetty.xml”
Add following before the Configure tag ends
<Call name="addBean">
<Arg>
<New class="org.eclipse.jetty.security.HashLoginService">
<Set name="name">Test Realm</Set>
<Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
<Set name="refreshInterval">0</Set>
</New>
</Arg>
</Call>
2. Edit webdefault.xml
Edit the file “server/etc/webdefault.xml”
Add following before the web-app tag ends
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr authenticated application</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>core1-role</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Test Realm</realm-name>
</login-config>
Special Note:
The value used in the role-name tag needs to be the same as the one used in the “realm.properties” file
3. Create new file “realm.properties”
Create a file named “realm.properties” in the location “server/etc/” and put the below content
admin: admin123,core1-role
User Name: admin
Password: admin123
Role name: core1-role
(This needs to be the same as the name used in the role-name tag in the “server/etc/webdefault.xml” file)
4. Final Step
Restart Solr server
Now access Solr in your browser http://localhost:8983/solr/
You will find the browser is asking for username and password. Enter the username and password.
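A consistency check for the three files edited in the steps above, given as an added example that is not part of the original answer: it verifies that the realm-name in webdefault.xml matches a HashLoginService name in jetty.xml, that the config value resolves to a realm file, that some user holds a required role, and that passwords carry an MD5: or CRYPT: prefix rather than being stored in clear. The function names, the /opt/solr/server default for jetty.home and the sample configuration are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
def texts(root, name):
    """Text of every element called `name`, ignoring XML namespaces."""
    return [(e.text or "").strip() for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def login_services(jetty_xml, jetty_home):
    """Map realm name -> config path; a <SystemProperty/> is taken as jetty.home."""
    found = {}
    for new in ET.fromstring(jetty_xml).iter("New"):
        if new.get("class", "").endswith(".HashLoginService"):
            props = {}
            for s in new.findall("Set"):
                props[s.get("name")] = (s.text or "").strip() + "".join(
                    jetty_home + (c.tail or "").strip() for c in s if c.tag == "SystemProperty")
            found[props.get("name")] = props.get("config", "")
    return found

def parse_realm(text):  # lines look like 'user: credential[,role...]'
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            user, _, rest = line.partition(":")
            cred, *roles = [p.strip() for p in rest.split(",")]
            users[user.strip()] = (cred, set(roles))
    return users

def check(jetty_xml, web_xml, files, jetty_home="/opt/solr/server"):
    """files maps path -> content and stands in for the filesystem."""
    web = ET.fromstring(web_xml)
    realm = (texts(web, "realm-name") or [None])[0]
    needed = set(texts(web, "role-name"))
    path = login_services(jetty_xml, jetty_home).get(realm)
    if path is None:
        return [f"realm-name {realm!r} matches no HashLoginService name"]
    if path not in files:
        return [f"config {path!r} is not a realm properties file"]
    users = parse_realm(files[path])
    out = [f"user {u!r}: password is not stored as a one-way hash"
           for u, (cred, _) in users.items() if not cred.startswith(("MD5:", "CRYPT:"))]
    if "*" not in needed and not any(needed & roles for _, roles in users.values()):
        out.append(f"no user holds any of the roles {sorted(needed)}")
    return out

# Constructed sample configuration, not from a real deployment.
JETTY = """<Configure><Call name="addBean"><Arg>
<New class="org.eclipse.jetty.security.HashLoginService"><Set name="name">Test Realm</Set>
<Set name="config"><SystemProperty name="jetty.home" default="."/>%s</Set></New></Arg></Call></Configure>"""
WEB = """<web-app><security-constraint><auth-constraint><role-name>core1-role</role-name>
</auth-constraint></security-constraint><login-config><realm-name>Test Realm</realm-name></login-config></web-app>"""
FILES = {"/opt/solr/server/etc/realm.properties": "admin: admin123,core1-role\n"}
```

Calling check(JETTY % "/etc/realm.properties", WEB, FILES) returns the list of findings for the sample; an empty list means the three files agree.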
For version below 5
If you are using solr-webapp then you need to modify web.xml file and add these lines:
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr Lockdown</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>solr_admin</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Solr</realm-name>
</login-config>
For Jetty server, you need to add below lines in /example/etc/webdefault.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr authenticated application</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin-role</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Test Realm</realm-name>
</login-config>
Update /example/etc/jetty.xml file
<Call name="addBean">
<Arg>
<New class="org.eclipse.jetty.security.HashLoginService">
<Set name="name">Test Realm</Set>
<Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
<Set name="refreshInterval">0</Set>
</New>
</Arg>
</Call>
/example/etc/realm.properties :
admin: s3cr3t, admin-role
Username = admin
password = s3cr3t.
Role name = admin-role
Solr version 5+
In the latest Solr versions the folder structure has changed. You will find all files in the folder paths below.
{SOLR_HOME}/server/etc/jetty.xml
{SOLR_HOME}/server/etc/webdefault.xml
Create new credential file at {SOLR_HOME}/server/etc/realm.properties:
admin: s3cr3t, admin-role
For more info you can help solr wiki docs
If you are using tomcat,
Open [Tomcat install dir]\tomcat-users.xml for editing.
Add the following lines within the <tomcat-user> element and save the changes (using your own username and password):
<role rolename="solr_admin"/><user username="your_username" password="your_password" roles="solr_admin"/>
Open Tomcat install dir\webapps\solr\WEB-INF\web.xml for editing.
"solr" in the path is the name of the instance you want to secure. Typically this is "solr," but may be different if you are running an advanced setup.
Add the following lines within the <web-app> element:
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr Lockdown</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>solr_admin</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Solr</realm-name>
</login-config>
Save the changes and restart Tomcat. Test your changes by starting a new browser session and navigating to your site, for ex. http://localhost:8080/solr/ You should be prompted for credentials.
If your Tomcat install dir tomcat-users.xml file is being modified then
go to tomcat-users.xml file under Servers in Project Explorer and add your changes there.
As setting a password to Solr is a pain in the ass (sorry, but sometimes you have to name it as it is), I propose another solution: restrict access to it using iptables.
If you install Apache Solr Server, usually the server will listen on port 8983. Hence the server's admin interface will be available under:
http://YOUR_SERVERS_IP:8983/solr/
So we can restrict connections to port 8983 as follows:
iptables -A INPUT -p tcp -s localhost --dport 8983 -j ACCEPT
iptables -A INPUT -p tcp -s YOUR_SERVERS_IP --dport 8983 -j ACCEPT
iptables -A INPUT -p tcp --dport 8983 -j DROP
This will accept all requests from localhost (first line) and from the server's IP itself (second line), but drop all other connections (last line). The second line is not necessary but helps us to find easy access to Solr's admin interface. To access the admin interface from a local machine, we have to forward all connections to the server first. The easiest way to do this is using sshuttle (lazy man's VPN):
sshuttle --dns -r root@YOUR_SERVERS_IP 0/0
Perform this command on the local machine from which we want to access the admin interface.
Another option is to use SSH tunnelling with the OpenSSH client:
ssh -D 1080 root@YOUR_SERVERS_IP
Set up a socks proxy in your browser to port 1080.
I'm dealing with Solr v.4.10 too and this is really annoyingly hard. None of the so-called "solutions" works for me. I ended up installing Nginx on my Ubuntu box and proxy the :8983 port to docker, where password is required by Nginx. This works for me.
I just have to report what the solution was in my case. Actually my website was written in Ajax, which is why setting a password also protects my website. So it is not a solution in the case where Solr has to be used from the open internet. So the best solution, as guided by the Solr wiki, is to use proxies like node.js, nginx etc. as given here
Using a node.js proxy and applying iptables rules (as guided above) solved my problem.
Related
I am applying authentication on SOLR Admin Panel using jetty (I am using solr-6.1.0):
Added following code in /packaging/j2eemedadm82/m-infra/apps/solr/solr-6.1.0/server/etc/jetty.xml
<Call name="addBean">
<Arg>
<New class="org.eclipse.jetty.security.HashLoginService">
<Set name="name">Test Realm</Set>
<Set name="config"><SystemProperty name="jetty.home" default="."/>/packaging/j2eemedadm82/m-infra/apps/solr/solr-6.1.0/server/etc</Set>
<Set name="refreshInterval">0</Set>
</New>
</Arg>
</Call>
Added following code in /packaging/j2eemedadm82/m-infra/apps/solr/solr-6.1.0/server/solr-webapp/webapp/WEB-INF/web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr authenticated application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Test Realm</realm-name>
</login-config>
After restarting solr, I can see that an authentication pop up is there:
Then I have generated the encrypted password using this command:
/soft/jdk_64b/jdk1.8.0_181/jre/bin/java -cp jetty-util-9.3.8.v20160314.jar org.eclipse.jetty.util.security.Password admin admin
The output was:
2021-12-20 14:08:09.004:INFO::main: Logging initialized @86ms
admin
OBF:1u2a1toa1w8v1tok1u30
MD5:21232f297a57a5a743894a0e4a801fc3
CRYPT:adpexzg3FUZAk
Under /packaging/j2eemedadm82/m-infra/apps/solr/solr-6.1.0/server/etc, I have created a realm.properties file to insert the authentication credentials:
admin: MD5:21232f297a57a5a743894a0e4a801fc3, admin
After restarting solr, when I use the login/pwd to login, it doesn't work as expected. I have no error, but the login pop up appears again.
Is there something that I did wrong ? Maybe the jetty.home variable is not correctly defined in the jetty.xml file.
When auth-constraint is specified in the AppEngine development server web.xml file, the User injected to the endpoint and the User received from UserService.getCurrentUser() in HttpServlet are different.
The user Id for endpoint user is zero and for HttpServlet it is a fixed number. When the auth-constraint tag is removed from web.xml file, both user ids are zero. But this tag is required for production server.
How to get a single user for development server?
<security-constraint>
<web-resource-collection>
<web-resource-name>all</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Installed Solr 6.1 on Ubuntu 14 and imported data from a MySQL table. Can somebody guide me on how to secure mydomain/ip:8983/solr from the public?
I tried the instructions given on https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin but the ZooKeeper connection failed while adding security.json.
First of all, go to your webdefault.xml present in the etc directory. Put the following lines in your web.xml.
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>samplerealm</realm-name>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>Secure resources</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
In the etc folder, create a samplerealm.txt file and add the following content to that file: user1: user1pass,user . Here user1 is your username and user1pass is the password, for the role user which you just defined in web.xml. After that, go to the jetty.xml file in your etc folder and look for the following line: <Configure id="Server" class="org.eclipse.jetty.server.Server"> Just below this line, paste the following code:
<Call name="addBean">
<Arg>
<New class="org.eclipse.jetty.security.HashLoginService">
<Set name="name">samplerealm</Set>
<Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/samplerealm.txt</Set>
<Set name="refreshInterval">0</Set>
</New>
</Arg>
</Call>
After that, stop and restart your Solr server. When you visit the Solr page now, it will ask you for credentials. Provide user1 as your username and user1pass as the password, as declared in your samplerealm.txt file. Later on, you can change the password as you wish. This is how you do HTTP basic authentication in Solr. It works 100%. Let me know if that helps :)
You could enable SSL. I'm not sure whether that's the desired security - you'll have to provide more info.
With SSL you are at least able to encrypt communication between the SolrCloud and clients, along with the inter-Solr-node communication.
Link for enabling SSL: https://cwiki.apache.org/confluence/display/solr/Enabling+SSL
I have a GAE project I'm about to deploy. Everything is going well except I seemingly can't protect certain files. In particular I've uploaded my .p12 key file to use with APNS. I had it in WEB-INF originally but due to a " java.io.IOException: DerInputStream.getLength(): lengthTag=111, too big." I've moved the file outside of this directory. The issue I'm having now is that I'm able to download the .p12 file. Working on the local dev server I have the following permissions and therefore blocking access to the file. However, once I push this out to production I'm still able to download the file. What might it be about the GAE production environment that is not enforcing this security constraint? Thank you for any help.
<security-constraint>
<web-resource-collection>
<web-resource-name>certificates</web-resource-name>
<url-pattern>/certificates/*</url-pattern>
</web-resource-collection>
<auth-constraint />
</security-constraint>
Looking into the documents, you need to have a role specified inside of "auth-constraint", as shown here
So something like
<security-constraint>
<web-resource-collection>
<web-resource-name>certificates</web-resource-name>
<url-pattern>/certificates/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
should do the trick.
I develop an application with GAE and GWT where the user has to be logged in with his Google Account when he access the site. So I defined the following in the web.xml file...
<security-constraint>
<web-resource-collection>
<url-pattern>/index.html</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
When I'm running the local dev server I get prompted with the test login screen when I open the app the first time, but when I deploy it, I directly come to my application without any authentication.
First I thought, that could be, because I'm already logged in to other Google services, but I tried it in other browsers and in incognito mode too.
I would suggest trying two things: first, set the URL pattern to * so that all your resources are secure, and second, add a web-resource-name tag with the value "all", as shown in the code snippet below.
And I am assuming you already have the servlet mapping to the service etc.
<security-constraint>
<web-resource-collection>
<web-resource-name>all</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>