mirror of https://github.com/apache/lucene.git
SOLR-8440: Support for enabling basic authentication using bin/solr|bin/solr.cmd
This commit is contained in:
parent
9c6279d439
commit
9be68cc307
164
solr/bin/solr
164
solr/bin/solr
|
@ -294,7 +294,7 @@ function print_usage() {
|
|||
if [ -z "$CMD" ]; then
|
||||
echo ""
|
||||
echo "Usage: solr COMMAND OPTIONS"
|
||||
echo " where COMMAND is one of: start, stop, restart, status, healthcheck, create, create_core, create_collection, delete, version, zk"
|
||||
echo " where COMMAND is one of: start, stop, restart, status, healthcheck, create, create_core, create_collection, delete, version, zk, auth"
|
||||
echo ""
|
||||
echo " Standalone server example (start Solr running in the background on port 8984):"
|
||||
echo ""
|
||||
|
@ -544,6 +544,35 @@ function print_usage() {
|
|||
echo " <path>: The Zookeeper path to create. Leading slash is assumed if not present."
|
||||
echo " Intermediate nodes are created as needed if not present."
|
||||
echo ""
|
||||
elif [ "$CMD" == "auth" ]; then
|
||||
echo ""
|
||||
echo "Usage: solr auth enable [-type basicAuth] -credentials user:pass [-blockUnknown <true|false>] [-updateIncludeFileOnly <true|false>]"
|
||||
echo " solr auth enable [-type basicAuth] -prompt <true|false> [-blockUnknown <true|false>] [-updateIncludeFileOnly <true|false>]"
|
||||
echo " solr auth disable [-updateIncludeFileOnly <true|false>]"
|
||||
echo ""
|
||||
echo " -type <type> The authentication mechanism to enable. Defaults to 'basicAuth'."
|
||||
echo ""
|
||||
echo " -credentials <user:pass> The username and password of the initial user"
|
||||
echo " Note: only one of -prompt or -credentials must be provided"
|
||||
echo ""
|
||||
echo " -prompt <true|false> Prompts the user to provide the credentials"
|
||||
echo " Note: only one of -prompt or -credentials must be provided"
|
||||
echo ""
|
||||
echo " -blockUnknown <true|false> When true, this blocks out access to unauthenticated users. When not provided,"
|
||||
echo " this defaults to false (i.e. unauthenticated users can access all endpoints, except the"
|
||||
echo " operations like collection-edit, security-edit, core-admin-edit etc.). Check the reference"
|
||||
echo " guide for Basic Authentication for more details."
|
||||
echo ""
|
||||
echo " -updateIncludeFileOnly <true|false> Only update the solr.in.sh or solr.in.cmd file, and skip actual enabling/disabling"
|
||||
echo " authentication (i.e. don't update security.json)"
|
||||
echo ""
|
||||
echo " -z zkHost Zookeeper connection string"
|
||||
echo ""
|
||||
echo " -d <dir> Specify the Solr server directory"
|
||||
echo ""
|
||||
echo " -s <dir> Specify the Solr home directory. This is where any credentials or authentication"
|
||||
echo " configuration files (e.g. basicAuth.conf) would be placed."
|
||||
echo ""
|
||||
fi
|
||||
} # end print_usage
|
||||
|
||||
|
@ -1187,19 +1216,130 @@ if [[ "$SCRIPT_CMD" == "zk" ]]; then
|
|||
fi
|
||||
|
||||
if [[ "$SCRIPT_CMD" == "auth" ]]; then
|
||||
if [ -z "$AUTH_PORT" ]; then
|
||||
for ID in `ps auxww | grep java | grep start\.jar | awk '{print $2}' | sort -r`
|
||||
do
|
||||
port=`jetty_port "$ID"`
|
||||
if [ "$port" != "" ]; then
|
||||
AUTH_PORT=$port
|
||||
declare -a AUTH_PARAMS
|
||||
if [ $# -gt 0 ]; then
|
||||
while true; do
|
||||
case "$1" in
|
||||
enable|disable)
|
||||
AUTH_OP=$1
|
||||
AUTH_PARAMS=("${AUTH_PARAMS[@]}" "$AUTH_OP")
|
||||
shift
|
||||
;;
|
||||
-z|-zkhost|zkHost)
|
||||
ZK_HOST="$2"
|
||||
AUTH_PARAMS=("${AUTH_PARAMS[@]}" "-zkHost" "$ZK_HOST")
|
||||
shift 2
|
||||
;;
|
||||
-t|-type)
|
||||
AUTH_TYPE="$2"
|
||||
AUTH_PARAMS=("${AUTH_PARAMS[@]}" "-type" "$AUTH_TYPE")
|
||||
shift 2
|
||||
;;
|
||||
-credentials)
|
||||
AUTH_CREDENTIALS="$2"
|
||||
AUTH_PARAMS=("${AUTH_PARAMS[@]}" "-credentials" "$AUTH_CREDENTIALS")
|
||||
shift 2
|
||||
;;
|
||||
-solrIncludeFile)
|
||||
SOLR_INCLUDE="$2"
|
||||
shift 2
|
||||
;;
|
||||
-prompt)
|
||||
AUTH_PARAMS=("${AUTH_PARAMS[@]}" "-prompt" "$2")
|
||||
shift
|
||||
;;
|
||||
-blockUnknown)
|
||||
AUTH_PARAMS=("${AUTH_PARAMS[@]}" "-blockUnknown" "$2")
|
||||
shift
|
||||
break
|
||||
fi
|
||||
done
|
||||
;;
|
||||
-updateIncludeFileOnly)
|
||||
AUTH_PARAMS=("${AUTH_PARAMS[@]}" "-updateIncludeFileOnly" "$2")
|
||||
shift
|
||||
break
|
||||
;;
|
||||
-d|-dir)
|
||||
if [[ -z "$2" || "${2:0:1}" == "-" ]]; then
|
||||
print_usage "$SCRIPT_CMD" "Server directory is required when using the $1 option!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ "$2" == "." || "$2" == "./" || "$2" == ".." || "$2" == "../" ]]; then
|
||||
SOLR_SERVER_DIR="$(pwd)/$2"
|
||||
else
|
||||
# see if the arg value is relative to the tip vs full path
|
||||
if [[ "$2" != /* ]] && [[ -d "$SOLR_TIP/$2" ]]; then
|
||||
SOLR_SERVER_DIR="$SOLR_TIP/$2"
|
||||
else
|
||||
SOLR_SERVER_DIR="$2"
|
||||
fi
|
||||
fi
|
||||
# resolve it to an absolute path
|
||||
SOLR_SERVER_DIR="$(cd "$SOLR_SERVER_DIR"; pwd)"
|
||||
shift 2
|
||||
;;
|
||||
-s|-solr.home)
|
||||
if [[ -z "$2" || "${2:0:1}" == "-" ]]; then
|
||||
print_usage "$SCRIPT_CMD" "Solr home directory is required when using the $1 option!"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
SOLR_HOME="$2"
|
||||
shift 2
|
||||
;;
|
||||
-help|-usage|-h)
|
||||
print_usage "$SCRIPT_CMD"
|
||||
exit 0
|
||||
;;
|
||||
--)
|
||||
shift
|
||||
break
|
||||
;;
|
||||
*)
|
||||
shift
|
||||
break
|
||||
;;
|
||||
esac
|
||||
done
|
||||
fi
|
||||
|
||||
if [ -z "$SOLR_SERVER_DIR" ]; then
|
||||
SOLR_SERVER_DIR="$DEFAULT_SERVER_DIR"
|
||||
fi
|
||||
if [ ! -e "$SOLR_SERVER_DIR" ]; then
|
||||
echo -e "\nSolr server directory $SOLR_SERVER_DIR not found!\n"
|
||||
exit 1
|
||||
fi
|
||||
if [ -z "$SOLR_HOME" ]; then
|
||||
SOLR_HOME="$SOLR_SERVER_DIR/solr"
|
||||
else
|
||||
if [[ $SOLR_HOME != /* ]] && [[ -d "$SOLR_SERVER_DIR/$SOLR_HOME" ]]; then
|
||||
SOLR_HOME="$SOLR_SERVER_DIR/$SOLR_HOME"
|
||||
SOLR_PID_DIR="$SOLR_HOME"
|
||||
elif [[ $SOLR_HOME != /* ]] && [[ -d "`pwd`/$SOLR_HOME" ]]; then
|
||||
SOLR_HOME="$(pwd)/$SOLR_HOME"
|
||||
fi
|
||||
solr_include_file=$SOLR_INCLUDE
|
||||
run_tool auth "$@" -solrUrl "$SOLR_URL_SCHEME://$SOLR_TOOL_HOST:$AUTH_PORT/solr" -solrIncludeFile "$solr_include_file"
|
||||
exit $?
|
||||
fi
|
||||
|
||||
if [ -z "$AUTH_OP" ]; then
|
||||
print_usage "$SCRIPT_CMD"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
AUTH_PARAMS=("${AUTH_PARAMS[@]}" "-solrIncludeFile" "$SOLR_INCLUDE")
|
||||
|
||||
if [ -z "$AUTH_PORT" ]; then
|
||||
for ID in `ps auxww | grep java | grep start\.jar | awk '{print $2}' | sort -r`
|
||||
do
|
||||
port=`jetty_port "$ID"`
|
||||
if [ "$port" != "" ]; then
|
||||
AUTH_PORT=$port
|
||||
break
|
||||
fi
|
||||
done
|
||||
fi
|
||||
run_tool auth ${AUTH_PARAMS[@]} -solrUrl "$SOLR_URL_SCHEME://$SOLR_TOOL_HOST:$AUTH_PORT/solr" -authConfDir "$SOLR_HOME"
|
||||
exit $?
|
||||
fi
|
||||
|
||||
|
||||
|
|
|
@ -276,7 +276,7 @@ goto done
|
|||
:script_usage
|
||||
@echo.
|
||||
@echo Usage: solr COMMAND OPTIONS
|
||||
@echo where COMMAND is one of: start, stop, restart, healthcheck, create, create_core, create_collection, delete, version, zk
|
||||
@echo where COMMAND is one of: start, stop, restart, healthcheck, create, create_core, create_collection, delete, version, zk, auth
|
||||
@echo.
|
||||
@echo Standalone server example (start Solr running in the background on port 8984):
|
||||
@echo.
|
||||
|
@ -554,6 +554,35 @@ IF "%ZK_FULL%"=="true" (
|
|||
)
|
||||
goto done
|
||||
|
||||
:auth_usage
|
||||
echo Usage: solr auth enable [-type basicAuth] -credentials user:pass [-blockUnknown ^<true|false^>] [-updateIncludeFileOnly ^<true|false^>]
|
||||
echo solr auth enable [-type basicAuth] -prompt ^<true|false^> [-blockUnknown ^<true|false^>] [-updateIncludeFileOnly ^<true|false^>]
|
||||
echo solr auth disable [-updateIncludeFileOnly ^<true|false^>]
|
||||
echo
|
||||
echo -type ^<type^> The authentication mechanism to enable. Defaults to 'basicAuth'.
|
||||
echo
|
||||
echo -credentials ^<user:pass^> The username and password of the initial user
|
||||
echo Note: only one of -prompt or -credentials must be provided
|
||||
echo
|
||||
echo -prompt ^<true|false^> Prompts the user to provide the credentials
|
||||
echo Note: only one of -prompt or -credentials must be provided
|
||||
echo
|
||||
echo -blockUnknown ^<true|false^> When true, this blocks out access to unauthenticated users. When not provided,
|
||||
echo this defaults to false (i.e. unauthenticated users can access all endpoints, except the
|
||||
echo operations like collection-edit, security-edit, core-admin-edit etc.). Check the reference
|
||||
echo guide for Basic Authentication for more details.
|
||||
echo
|
||||
echo -updateIncludeFileOnly ^<true|false^> Only update the solr.in.sh or solr.in.cmd file, and skip actual enabling/disabling"
|
||||
echo authentication (i.e. don't update security.json)"
|
||||
echo
|
||||
echo -z zkHost Zookeeper connection string
|
||||
echo
|
||||
echo -d <dir> Specify the Solr server directory"
|
||||
echo
|
||||
echo -s <dir> Specify the Solr home directory. This is where any credentials or authentication"
|
||||
echo configuration files (e.g. basicAuth.conf) would be placed."
|
||||
echo
|
||||
goto done
|
||||
|
||||
REM Really basic command-line arg parsing
|
||||
:parse_args
|
||||
|
@ -1648,6 +1677,44 @@ goto done
|
|||
|
||||
|
||||
:run_auth
|
||||
IF "%1"=="-help" goto usage
|
||||
IF "%1"=="-usage" goto usage
|
||||
|
||||
REM Options parsing.
|
||||
REM Note: With the following technique of parsing, it is not possible
|
||||
REM to have an option without a value.
|
||||
set "AUTH_PARAMS=%1"
|
||||
set "option="
|
||||
for %%a in (%*) do (
|
||||
if not defined option (
|
||||
set arg=%%a
|
||||
if "!arg:~0,1!" equ "-" set "option=!arg!"
|
||||
) else (
|
||||
set "option!option!=%%a"
|
||||
if "!option!" equ "-d" set "SOLR_SERVER_DIR=%%a"
|
||||
if "!option!" equ "-s" set "SOLR_HOME=%%a"
|
||||
if not "!option!" equ "-s" if not "!option!" equ "-d" (
|
||||
set "AUTH_PARAMS=!AUTH_PARAMS! !option! %%a"
|
||||
)
|
||||
set "option="
|
||||
)
|
||||
)
|
||||
IF "%SOLR_SERVER_DIR%"=="" set "SOLR_SERVER_DIR=%DEFAULT_SERVER_DIR%"
|
||||
IF NOT EXIST "%SOLR_SERVER_DIR%" (
|
||||
set "SCRIPT_ERROR=Solr server directory %SOLR_SERVER_DIR% not found!"
|
||||
goto err
|
||||
)
|
||||
IF "%SOLR_HOME%"=="" set "SOLR_HOME=%SOLR_SERVER_DIR%\solr"
|
||||
IF EXIST "%cd%\%SOLR_HOME%" set "SOLR_HOME=%cd%\%SOLR_HOME%"
|
||||
IF NOT EXIST "%SOLR_HOME%\" (
|
||||
IF EXIST "%SOLR_SERVER_DIR%\%SOLR_HOME%" (
|
||||
set "SOLR_HOME=%SOLR_SERVER_DIR%\%SOLR_HOME%"
|
||||
) ELSE (
|
||||
set "SCRIPT_ERROR=Solr home directory %SOLR_HOME% not found!"
|
||||
goto err
|
||||
)
|
||||
)
|
||||
|
||||
if "!AUTH_PORT!"=="" (
|
||||
for /f "usebackq" %%i in (`dir /b "%SOLR_TIP%\bin" ^| findstr /i "^solr-.*\.port$"`) do (
|
||||
set SOME_SOLR_PORT=
|
||||
|
@ -1659,11 +1726,10 @@ if "!AUTH_PORT!"=="" (
|
|||
)
|
||||
)
|
||||
)
|
||||
for /f "tokens=1,* delims= " %%a in ("%*") do set auth_params=%%b
|
||||
"%JAVA%" %SOLR_SSL_OPTS% %AUTHC_OPTS% %SOLR_ZK_CREDS_AND_ACLS% -Dsolr.install.dir="%SOLR_TIP%" ^
|
||||
-Dlog4j.configuration="file:%DEFAULT_SERVER_DIR%\scripts\cloud-scripts\log4j.properties" ^
|
||||
-classpath "%DEFAULT_SERVER_DIR%\solr-webapp\webapp\WEB-INF\lib\*;%DEFAULT_SERVER_DIR%\lib\ext\*" ^
|
||||
org.apache.solr.util.SolrCLI auth %auth_params% -solrIncludeFile "%SOLR_INCLUDE%" ^
|
||||
org.apache.solr.util.SolrCLI auth %AUTH_PARAMS% -solrIncludeFile "%SOLR_INCLUDE%" -authConfDir "%SOLR_HOME%" ^
|
||||
-solrUrl !SOLR_URL_SCHEME!://%SOLR_TOOL_HOST%:!AUTH_PORT!/solr
|
||||
goto done
|
||||
|
||||
|
|
|
@ -3526,49 +3526,59 @@ public class SolrCLI {
|
|||
public Option[] getOptions() {
|
||||
return new Option[]{
|
||||
OptionBuilder
|
||||
.withArgName("enable")
|
||||
.withDescription("Enable authentication.")
|
||||
.create("enable"),
|
||||
.withArgName("type")
|
||||
.hasArg()
|
||||
.withDescription("The authentication mechanism to enable. Defaults to 'basicAuth'.")
|
||||
.create("type"),
|
||||
OptionBuilder
|
||||
.withArgName("disable")
|
||||
.withDescription("Disable existing authentication.")
|
||||
.create("disable"),
|
||||
.withArgName("credentials")
|
||||
.hasArg()
|
||||
.withDescription("Credentials in the format username:password. Example: -credentials solr:SolrRocks")
|
||||
.create("credentials"),
|
||||
OptionBuilder
|
||||
.withArgName("type")
|
||||
.hasArg()
|
||||
.withDescription("basicAuth")
|
||||
.create("type"),
|
||||
.withArgName("prompt")
|
||||
.hasArg()
|
||||
.withDescription("Prompts the user to provide the credentials. Use either -credentials or -prompt, not both")
|
||||
.create("prompt"),
|
||||
OptionBuilder
|
||||
.withArgName("credentials")
|
||||
.hasArg()
|
||||
.withDescription("Credentials in the format username:password. Example: -credentials solr:SolrRocks")
|
||||
.create("credentials"),
|
||||
.withArgName("blockUnknown")
|
||||
.withDescription("Blocks all access for unknown users (requires authentication for all endpoints)")
|
||||
.hasArg()
|
||||
.create("blockUnknown"),
|
||||
OptionBuilder
|
||||
.withArgName("prompt")
|
||||
.withDescription("Prompt for credentials. Use either -credentials or -prompt, not both")
|
||||
.create("prompt"),
|
||||
.withArgName("solrIncludeFile")
|
||||
.hasArg()
|
||||
.withDescription("The Solr include file which contains overridable environment variables for configuring Solr configurations")
|
||||
.create("solrIncludeFile"),
|
||||
OptionBuilder
|
||||
.withArgName("blockUnknown")
|
||||
.withDescription("Blocks all access for unknown users (requires authentication for all endpoints)")
|
||||
.hasOptionalArg()
|
||||
.create("blockUnknown"),
|
||||
.withArgName("updateIncludeFileOnly")
|
||||
.withDescription("Only update the solr.in.sh or solr.in.cmd file, and skip actual enabling/disabling"
|
||||
+ " authentication (i.e. don't update security.json)")
|
||||
.hasArg()
|
||||
.create("updateIncludeFileOnly"),
|
||||
OptionBuilder
|
||||
.withArgName("solrIncludeFile")
|
||||
.hasArg()
|
||||
.withDescription("The Solr include file which contains overridable environment variables for configuring Solr configurations")
|
||||
.create("solrIncludeFile"),
|
||||
.withArgName("authConfDir")
|
||||
.hasArg()
|
||||
.isRequired()
|
||||
.withDescription("This is where any authentication related configuration files, if any, would be placed.")
|
||||
.create("authConfDir"),
|
||||
OptionBuilder
|
||||
.withArgName("solrUrl")
|
||||
.hasArg()
|
||||
.withDescription("Solr URL")
|
||||
.create("solrUrl"),
|
||||
.withArgName("solrUrl")
|
||||
.hasArg()
|
||||
.withDescription("Solr URL")
|
||||
.create("solrUrl"),
|
||||
OptionBuilder
|
||||
.withArgName("zkHost")
|
||||
.hasArg()
|
||||
.withDescription("ZooKeeper host")
|
||||
.create("zkHost"),
|
||||
};
|
||||
}
|
||||
|
||||
@Override
|
||||
public int runTool(CommandLine cli) throws Exception {
|
||||
if (cli.getOptions().length == 0 || cli.getArgs().length > 0 || cli.hasOption("h")) {
|
||||
new HelpFormatter().printHelp("bin/solr auth [OPTIONS]", getToolOptions(this));
|
||||
if (cli.getOptions().length == 0 || cli.getArgs().length == 0 || cli.getArgs().length > 1 || cli.hasOption("h")) {
|
||||
new HelpFormatter().printHelp("bin/solr auth <enable|disable> [OPTIONS]", getToolOptions(this));
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -3578,128 +3588,153 @@ public class SolrCLI {
|
|||
exit(1);
|
||||
}
|
||||
|
||||
if (cli.hasOption("enable") && cli.hasOption("disable")) {
|
||||
System.out.println("You have specified both -enable and -disable. Only one should be provided.");
|
||||
return 1;
|
||||
}
|
||||
if (cli.hasOption("enable")) {
|
||||
String zkHost = getZkHost(cli);
|
||||
if (zkHost == null) {
|
||||
System.out.println("ZK Host not found. Solr should be running in cloud mode");
|
||||
exit(1);
|
||||
}
|
||||
String cmd = cli.getArgs()[0];
|
||||
boolean prompt = Boolean.parseBoolean(cli.getOptionValue("prompt", "false"));
|
||||
boolean updateIncludeFileOnly = Boolean.parseBoolean(cli.getOptionValue("updateIncludeFileOnly", "false"));
|
||||
switch (cmd) {
|
||||
case "enable":
|
||||
if (!prompt && !cli.hasOption("credentials")) {
|
||||
System.out.println("Option -credentials or -prompt is required with enable.");
|
||||
new HelpFormatter().printHelp("bin/solr auth <enable|disable> [OPTIONS]", getToolOptions(this));
|
||||
exit(1);
|
||||
} else if (!prompt && (cli.getOptionValue("credentials") == null || !cli.getOptionValue("credentials").contains(":"))) {
|
||||
System.out.println("Option -credentials is not in correct format.");
|
||||
new HelpFormatter().printHelp("bin/solr auth <enable|disable> [OPTIONS]", getToolOptions(this));
|
||||
exit(1);
|
||||
}
|
||||
|
||||
|
||||
if (cli.hasOption("credentials") == false && cli.hasOption("prompt") == false) {
|
||||
System.out.println("Option -credentials or -prompt is required with -enable.");
|
||||
new HelpFormatter().printHelp("bin/solr auth [OPTIONS]", getToolOptions(this));
|
||||
exit(1);
|
||||
} else if (cli.hasOption("prompt") == false &&
|
||||
(cli.getOptionValue("credentials") == null || !cli.getOptionValue("credentials").contains(":"))) {
|
||||
System.out.println("Option -credentials is not in correct format.");
|
||||
new HelpFormatter().printHelp("bin/solr auth [OPTIONS]", getToolOptions(this));
|
||||
exit(1);
|
||||
}
|
||||
String zkHost = null;
|
||||
|
||||
String username, password;
|
||||
if (cli.hasOption("credentials")) {
|
||||
String credentials = cli.getOptionValue("credentials");
|
||||
username = credentials.split(":")[0];
|
||||
password = credentials.split(":")[1];
|
||||
} else {
|
||||
Console console = System.console();
|
||||
username = console.readLine("Enter username: ");
|
||||
password = new String(console.readPassword("Enter password: "));
|
||||
}
|
||||
// check if security is already enabled or not
|
||||
try (SolrZkClient zkClient = new SolrZkClient(zkHost, 10000)) {
|
||||
if (zkClient.exists("/security.json", true)) {
|
||||
byte oldSecurityBytes[] = zkClient.getData("/security.json", null, null, true);
|
||||
if (!"{}".equals(new String(oldSecurityBytes, StandardCharsets.UTF_8).trim())) {
|
||||
System.out.println("Security is already enabled. You can disable it with 'bin/solr auth -disable'. Existing security.json: \n"
|
||||
+ new String(oldSecurityBytes, StandardCharsets.UTF_8));
|
||||
if (!updateIncludeFileOnly) {
|
||||
try {
|
||||
zkHost = getZkHost(cli);
|
||||
} catch (Exception ex) {
|
||||
if (cli.hasOption("zkHost")) {
|
||||
System.out.println("Couldn't get ZooKeeper host. Please make sure that ZooKeeper is running and the correct zkHost has been passed in.");
|
||||
} else {
|
||||
System.out.println("Couldn't get ZooKeeper host. Please make sure Solr is running in cloud mode, or a zkHost has been passed in.");
|
||||
}
|
||||
exit(1);
|
||||
}
|
||||
if (zkHost == null) {
|
||||
if (cli.hasOption("zkHost")) {
|
||||
System.out.println("Couldn't get ZooKeeper host. Please make sure that ZooKeeper is running and the correct zkHost has been passed in.");
|
||||
} else {
|
||||
System.out.println("Couldn't get ZooKeeper host. Please make sure Solr is running in cloud mode, or a zkHost has been passed in.");
|
||||
}
|
||||
exit(1);
|
||||
}
|
||||
|
||||
// check if security is already enabled or not
|
||||
try (SolrZkClient zkClient = new SolrZkClient(zkHost, 10000)) {
|
||||
if (zkClient.exists("/security.json", true)) {
|
||||
byte oldSecurityBytes[] = zkClient.getData("/security.json", null, null, true);
|
||||
if (!"{}".equals(new String(oldSecurityBytes, StandardCharsets.UTF_8).trim())) {
|
||||
System.out.println("Security is already enabled. You can disable it with 'bin/solr auth disable'. Existing security.json: \n"
|
||||
+ new String(oldSecurityBytes, StandardCharsets.UTF_8));
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
boolean blockUnknown = cli.getOptionValue("blockUnknown") == null ?
|
||||
cli.hasOption("blockUnknown"): Boolean.valueOf(cli.getOptionValue("blockUnknown"));
|
||||
String username, password;
|
||||
if (cli.hasOption("credentials")) {
|
||||
String credentials = cli.getOptionValue("credentials");
|
||||
username = credentials.split(":")[0];
|
||||
password = credentials.split(":")[1];
|
||||
} else {
|
||||
Console console = System.console();
|
||||
username = console.readLine("Enter username: ");
|
||||
password = new String(console.readPassword("Enter password: "));
|
||||
}
|
||||
|
||||
String securityJson = "{" +
|
||||
"\n \"authentication\":{" +
|
||||
"\n \"blockUnknown\": " + blockUnknown + "," +
|
||||
"\n \"class\":\"solr.BasicAuthPlugin\"," +
|
||||
"\n \"credentials\":{\""+username+"\":\"" + Sha256AuthenticationProvider.getSaltedHashedValue(password) + "\"}" +
|
||||
"\n }," +
|
||||
"\n \"authorization\":{" +
|
||||
"\n \"class\":\"solr.RuleBasedAuthorizationPlugin\"," +
|
||||
"\n \"permissions\":[" +
|
||||
"\n {\"name\":\"security-edit\", \"role\":\"admin\"}," +
|
||||
"\n {\"name\":\"collection-admin-edit\", \"role\":\"admin\"}," +
|
||||
"\n {\"name\":\"core-admin-edit\", \"role\":\"admin\"}" +
|
||||
"\n ]," +
|
||||
"\n \"user-role\":{\""+username+"\":\"admin\"}" +
|
||||
"\n }" +
|
||||
"\n}";
|
||||
boolean blockUnknown = Boolean.valueOf(cli.getOptionValue("blockUnknown", "false"));
|
||||
|
||||
String securityJson = "{" +
|
||||
"\n \"authentication\":{" +
|
||||
"\n \"blockUnknown\": " + blockUnknown + "," +
|
||||
"\n \"class\":\"solr.BasicAuthPlugin\"," +
|
||||
"\n \"credentials\":{\"" + username + "\":\"" + Sha256AuthenticationProvider.getSaltedHashedValue(password) + "\"}" +
|
||||
"\n }," +
|
||||
"\n \"authorization\":{" +
|
||||
"\n \"class\":\"solr.RuleBasedAuthorizationPlugin\"," +
|
||||
"\n \"permissions\":[" +
|
||||
"\n {\"name\":\"security-edit\", \"role\":\"admin\"}," +
|
||||
"\n {\"name\":\"collection-admin-edit\", \"role\":\"admin\"}," +
|
||||
"\n {\"name\":\"core-admin-edit\", \"role\":\"admin\"}" +
|
||||
"\n ]," +
|
||||
"\n \"user-role\":{\"" + username + "\":\"admin\"}" +
|
||||
"\n }" +
|
||||
"\n}";
|
||||
|
||||
if (!updateIncludeFileOnly) {
|
||||
System.out.println("Uploading following security.json: " + securityJson);
|
||||
|
||||
try (SolrZkClient zkClient = new SolrZkClient(zkHost, 10000)) {
|
||||
zkClient.setData("/security.json", securityJson.getBytes(StandardCharsets.UTF_8), true);
|
||||
}
|
||||
}
|
||||
|
||||
String solrIncludeFilename = cli.getOptionValue("solrIncludeFile");
|
||||
File includeFile = new File(solrIncludeFilename);
|
||||
if (includeFile.exists() == false || includeFile.canWrite() == false) {
|
||||
System.out.println("Solr include file " + solrIncludeFilename + " doesn't exist or is not writeable.");
|
||||
printAuthEnablingInstructions(username, password);
|
||||
System.exit(0);
|
||||
}
|
||||
File basicAuthConfFile = new File(includeFile.getParent() + File.separator + "basicAuth.conf");
|
||||
|
||||
if (basicAuthConfFile.getParentFile().canWrite() == false) {
|
||||
System.out.println("Cannot write to file: " + basicAuthConfFile.getAbsolutePath());
|
||||
printAuthEnablingInstructions(username, password);
|
||||
System.exit(0);
|
||||
}
|
||||
|
||||
FileUtils.writeStringToFile(basicAuthConfFile,
|
||||
"httpBasicAuthUser=" + username + "\nhttpBasicAuthPassword=" + password, StandardCharsets.UTF_8);
|
||||
String solrIncludeFilename = cli.getOptionValue("solrIncludeFile");
|
||||
File includeFile = new File(solrIncludeFilename);
|
||||
if (includeFile.exists() == false || includeFile.canWrite() == false) {
|
||||
System.out.println("Solr include file " + solrIncludeFilename + " doesn't exist or is not writeable.");
|
||||
printAuthEnablingInstructions(username, password);
|
||||
System.exit(0);
|
||||
}
|
||||
String authConfDir = cli.getOptionValue("authConfDir");
|
||||
File basicAuthConfFile = new File(authConfDir + File.separator + "basicAuth.conf");
|
||||
|
||||
// update the solr.in.sh file to contain the necessary authentication lines
|
||||
updateIncludeFileEnableAuth(includeFile, basicAuthConfFile.getAbsolutePath(), username, password);
|
||||
return 0;
|
||||
} else if (cli.hasOption("disable")) {
|
||||
String zkHost = getZkHost(cli);
|
||||
if (zkHost == null) {
|
||||
stdout.print("ZK Host not found. Solr should be running in cloud mode");
|
||||
if (basicAuthConfFile.getParentFile().canWrite() == false) {
|
||||
System.out.println("Cannot write to file: " + basicAuthConfFile.getAbsolutePath());
|
||||
printAuthEnablingInstructions(username, password);
|
||||
System.exit(0);
|
||||
}
|
||||
|
||||
FileUtils.writeStringToFile(basicAuthConfFile,
|
||||
"httpBasicAuthUser=" + username + "\nhttpBasicAuthPassword=" + password, StandardCharsets.UTF_8);
|
||||
|
||||
// update the solr.in.sh file to contain the necessary authentication lines
|
||||
updateIncludeFileEnableAuth(includeFile, basicAuthConfFile.getAbsolutePath());
|
||||
return 0;
|
||||
|
||||
case "disable":
|
||||
if (!updateIncludeFileOnly) {
|
||||
zkHost = getZkHost(cli);
|
||||
if (zkHost == null) {
|
||||
stdout.print("ZK Host not found. Solr should be running in cloud mode");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
System.out.println("Uploading following security.json: {}");
|
||||
|
||||
try (SolrZkClient zkClient = new SolrZkClient(zkHost, 10000)) {
|
||||
zkClient.setData("/security.json", "{}".getBytes(StandardCharsets.UTF_8), true);
|
||||
}
|
||||
}
|
||||
|
||||
solrIncludeFilename = cli.getOptionValue("solrIncludeFile");
|
||||
includeFile = new File(solrIncludeFilename);
|
||||
if (!includeFile.exists() || !includeFile.canWrite()) {
|
||||
System.out.println("Solr include file " + solrIncludeFilename + " doesn't exist or is not writeable.");
|
||||
System.out.println("Security has been disabled. Please remove any SOLR_AUTH_TYPE or SOLR_AUTHENTICATION_OPTS configuration from solr.in.sh/solr.in.cmd.\n");
|
||||
System.exit(0);
|
||||
}
|
||||
|
||||
// update the solr.in.sh file to comment out the necessary authentication lines
|
||||
updateIncludeFileDisableAuth(includeFile);
|
||||
return 0;
|
||||
|
||||
default:
|
||||
System.out.println("Valid auth commands are: enable, disable");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
System.out.println("Uploading following security.json: {}");
|
||||
|
||||
try (SolrZkClient zkClient = new SolrZkClient(zkHost, 10000)) {
|
||||
zkClient.setData("/security.json", "{}".getBytes(StandardCharsets.UTF_8), true);
|
||||
}
|
||||
|
||||
String solrIncludeFilename = cli.getOptionValue("solrIncludeFile");
|
||||
File includeFile = new File(solrIncludeFilename);
|
||||
if (includeFile.exists() == false || includeFile.canWrite() == false) {
|
||||
System.out.println("Solr include file " + solrIncludeFilename + " doesn't exist or is not writeable.");
|
||||
System.out.println("Security has been disabled. Please remove any SOLR_AUTH_TYPE or SOLR_AUTHENTICATION_OPTS configuration from solr.in.sh/solr.in.cmd.\n");
|
||||
System.exit(0);
|
||||
}
|
||||
|
||||
// update the solr.in.sh file to comment out the necessary authentication lines
|
||||
updateIncludeFileDisableAuth(includeFile);
|
||||
return 0;
|
||||
}
|
||||
|
||||
System.out.println("Options not understood (should be -enable or -disable).");
|
||||
new HelpFormatter().printHelp("bin/solr auth [OPTIONS]", getToolOptions(this));
|
||||
System.out.println("Options not understood.");
|
||||
new HelpFormatter().printHelp("bin/solr auth <enable|disable> [OPTIONS]", getToolOptions(this));
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
private void printAuthEnablingInstructions(String username, String password) {
|
||||
if (SystemUtils.IS_OS_WINDOWS) {
|
||||
System.out.println("\nAdd the following lines to the solr.in.cmd file so that the solr.cmd script can use subsequently.\n");
|
||||
|
@ -3708,11 +3743,11 @@ public class SolrCLI {
|
|||
} else {
|
||||
System.out.println("\nAdd the following lines to the solr.in.sh file so that the ./solr script can use subsequently.\n");
|
||||
System.out.println("SOLR_AUTH_TYPE=\"basic\"\n"
|
||||
+ "SOLR_AUTHENTICATION_OPTS=\"-DbasicAuth=" + username + ":" + password + "\"\n");
|
||||
+ "SOLR_AUTHENTICATION_OPTS=\"-Dbasicauth=" + username + ":" + password + "\"\n");
|
||||
}
|
||||
}
|
||||
|
||||
private void updateIncludeFileEnableAuth(File includeFile, String basicAuthConfFile, String username, String password) throws IOException {
|
||||
private void updateIncludeFileEnableAuth(File includeFile, String basicAuthConfFile) throws IOException {
|
||||
List<String> includeFileLines = FileUtils.readLines(includeFile, StandardCharsets.UTF_8);
|
||||
for (int i=0; i<includeFileLines.size(); i++) {
|
||||
String line = includeFileLines.get(i);
|
||||
|
@ -3738,7 +3773,7 @@ public class SolrCLI {
|
|||
|
||||
System.out.println("Written out credentials file: " + basicAuthConfFile + ", updated Solr include file: " + includeFile.getAbsolutePath() + ".");
|
||||
}
|
||||
|
||||
|
||||
private void updateIncludeFileDisableAuth(File includeFile) throws IOException {
|
||||
List<String> includeFileLines = FileUtils.readLines(includeFile, StandardCharsets.UTF_8);
|
||||
boolean hasChanged = false;
|
||||
|
@ -3762,7 +3797,7 @@ public class SolrCLI {
|
|||
@Override
|
||||
protected void runImpl(CommandLine cli) throws Exception {}
|
||||
}
|
||||
|
||||
|
||||
public static class UtilsTool extends ToolBase {
|
||||
private Path serverPath;
|
||||
private Path logsPath;
|
||||
|
|
Loading…
Reference in New Issue