apache / solr-operator

Official Kubernetes operator for Apache Solr
https://solr.apache.org/operator
Apache License 2.0

Authentication not working with solr-cloud. Pods are getting restarted. #681

Closed sgauchan88 closed 4 months ago

sgauchan88 commented 5 months ago

I have created 2 secrets for the configuration below:

security:
  authenticationType: Basic
  basicAuthSecret: user-provided-secret
  bootstrapSecurityJson:
    name: solr-basic-auth
    key: security.json

The security.json file which I used:

security.json:
{
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "sandip": "XohImNooBHFR0OVvjcYpJ3NgPQ1qq73WKhHvch0VQtg="
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {
        "name": "security-edit",
        "role": "admin"
      },
      {
        "name": "all",
        "role": "admin"
      }
    ],
    "user-role": {
      "sandip": "admin"
    }
  }
}

kubectl create secret generic user-provided-secret --from-literal=username=sandip --from-literal=password=password --type=kubernetes.io/basic-auth
kubectl create secret generic solr-basic-auth --from-file=security.json=security.json

My solr-cloud pods are getting restarted when I add the above security configuration in the Helm chart. I am testing it with chart version 0.6.0.

dan-niles commented 5 months ago

@sgauchan88 The password in your security.json should be a sha256(password+salt) hash. You can try using this online encryption tool to generate a password.

I tested out the security.json given below and it worked for me. I added some other endpoints in the permissions list and set the blockUnknown option as false.

If you really want to secure all your endpoints (including the probes), you can set probesRequireAuth:true in the security config and use the following security.json to set up Solr. After the setup you can use the Solr UI or the Authorization API to update the permission for the probes.

{
  "authentication": {
    "blockUnknown": false,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "sandip": "kOPO6E/MScdL8KTc9nmFey0/JpJwZGRdo0RJQO+O4+w= ZnNibnR0Z2NzeG4wN2Jt"
    },
    "realm": "Solr Basic Auth",
    "forwardCredentials": false
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {
      "sandip": ["admin"]
    },
    "permissions": [
      {
        "name": "k8s-probe-0",
        "role": null,
        "collection": null,
        "path": "/admin/info/health"
      },
      {
        "name": "k8s-probe-1",
        "role": null,
        "collection": null,
        "path": "/admin/info/system"
      },
      {
        "name": "k8s-status",
        "role": "admin",
        "collection": null,
        "path": "/admin/collections"
      },
      {
        "name": "k8s-metrics",
        "role": "admin",
        "collection": null,
        "path": "/admin/metrics"
      },
      {
        "name": "k8s-zk",
        "role": "admin",
        "collection": null,
        "path": "/admin/zookeeper/status"
      },
      {
        "name": "k8s-ping",
        "role": "admin",
        "collection": "*",
        "path": "/admin/ping"
      },
      {
        "name": "read",
        "role": ["admin"]
      },
      {
        "name": "update",
        "role": ["admin"]
      },
      {
        "name": "security-read",
        "role": ["admin"]
      },
      {
        "name": "security-edit",
        "role": ["admin"]
      },
      {
        "name": "all",
        "role": ["admin"]
      }
    ]
  }
}
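
Added example, not part of the thread or of the solr-operator code: a Python check that the password held in the basic-auth secret matches the hash in the bootstrap security.json, since the two secrets are created by separate commands. It assumes Solr's BasicAuthPlugin stores each credential as base64(sha256(sha256(salt + password))) followed by a space and base64(salt); the function names are hypothetical.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import os


def solr_hash(password: str, salt: bytes | None) -> str:
    """Assumed Solr scheme: base64(sha256(sha256(salt + password)))."""
    first = hashlib.sha256((salt or b"") + password.encode("utf-8")).digest()
    return base64.b64encode(hashlib.sha256(first).digest()).decode("ascii")


def make_credential(password: str, salt: bytes | None = None) -> str:
    """Build the '<hash> <salt>' value for the credentials map."""
    salt = os.urandom(32) if salt is None else salt
    return f"{solr_hash(password, salt)} {base64.b64encode(salt).decode('ascii')}"


def credential_matches(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored entry, salted or unsalted."""
    parts = stored.strip().split(" ")
    salt = base64.b64decode(parts[1]) if len(parts) > 1 and parts[1] else None
    return hmac.compare_digest(parts[0], solr_hash(password, salt))


def check_bootstrap(security_json: str, username: str, password: str) -> list[str]:
    """List mismatches between the basic-auth secret and security.json."""
    doc = json.loads(security_json)
    problems = []
    stored = doc.get("authentication", {}).get("credentials", {}).get(username)
    if stored is None:
        problems.append(f"{username!r} has no entry in credentials")
    elif not credential_matches(password, stored):
        problems.append(f"hash for {username!r} does not match the secret's password")
    if username not in doc.get("authorization", {}).get("user-role", {}):
        problems.append(f"{username!r} has no role in user-role")
    return problems


if __name__ == "__main__":
    # Constructed sample: placeholder user and password, not values from the thread.
    user, pw = "example-user", "example-password"
    sample = json.dumps({
        "authentication": {"credentials": {user: make_credential(pw)}},
        "authorization": {"user-role": {user: ["admin"]}},
    })
    print(check_bootstrap(sample, user, pw), check_bootstrap(sample, user, "other"))
```

Running the check against the username and password that go into the basic-auth secret before creating either secret catches a hash that was generated from a different password or salt.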

sgauchan88 commented 4 months ago

@dan-niles Thanks. This worked for me. Is it necessary to create 2 secrets for Solr authentication, or would it work with only one secret?

dan-niles commented 4 months ago

@sgauchan88 Yes, I think both secrets are required initially.

Once you have successfully set up authentication on Solr and verified everything is working correctly, I think you can safely delete the solr-basic-auth secret. But the user-provided-secret secret is still required.

HoustonPutman commented 4 months ago

Thanks for helping solve this @dan-niles!