SOLR-8440: Support for enabling basic authentication using bin/solr|bin/solr.cmd

This commit is contained in:
Ishan Chattopadhyaya 2017-05-15 22:06:26 +05:30
parent 9c6279d439
commit 9be68cc307
3 changed files with 395 additions and 154 deletions

View File

@ -294,7 +294,7 @@ function print_usage() {
if [ -z "$CMD" ]; then
echo ""
echo "Usage: solr COMMAND OPTIONS"
echo " where COMMAND is one of: start, stop, restart, status, healthcheck, create, create_core, create_collection, delete, version, zk"
echo " where COMMAND is one of: start, stop, restart, status, healthcheck, create, create_core, create_collection, delete, version, zk, auth"
echo ""
echo " Standalone server example (start Solr running in the background on port 8984):"
echo ""
@ -544,6 +544,35 @@ function print_usage() {
echo " <path>: The Zookeeper path to create. Leading slash is assumed if not present."
echo " Intermediate nodes are created as needed if not present."
echo ""
elif [ "$CMD" == "auth" ]; then
echo ""
echo "Usage: solr auth enable [-type basicAuth] -credentials user:pass [-blockUnknown <true|false>] [-updateIncludeFileOnly <true|false>]"
echo " solr auth enable [-type basicAuth] -prompt <true|false> [-blockUnknown <true|false>] [-updateIncludeFileOnly <true|false>]"
echo " solr auth disable [-updateIncludeFileOnly <true|false>]"
echo ""
echo " -type <type> The authentication mechanism to enable. Defaults to 'basicAuth'."
echo ""
echo " -credentials <user:pass> The username and password of the initial user"
echo " Note: only one of -prompt or -credentials must be provided"
echo ""
echo " -prompt <true|false> Prompts the user to provide the credentials"
echo " Note: only one of -prompt or -credentials must be provided"
echo ""
echo " -blockUnknown <true|false> When true, this blocks out access to unauthenticated users. When not provided,"
echo " this defaults to false (i.e. unauthenticated users can access all endpoints, except the"
echo " operations like collection-edit, security-edit, core-admin-edit etc.). Check the reference"
echo " guide for Basic Authentication for more details."
echo ""
echo " -updateIncludeFileOnly <true|false> Only update the solr.in.sh or solr.in.cmd file, and skip actual enabling/disabling"
echo " authentication (i.e. don't update security.json)"
echo ""
echo " -z zkHost Zookeeper connection string"
echo ""
echo " -d <dir> Specify the Solr server directory"
echo ""
echo " -s <dir> Specify the Solr home directory. This is where any credentials or authentication"
echo " configuration files (e.g. basicAuth.conf) would be placed."
echo ""
fi
} # end print_usage
@ -1187,6 +1216,118 @@ if [[ "$SCRIPT_CMD" == "zk" ]]; then
fi
if [[ "$SCRIPT_CMD" == "auth" ]]; then
declare -a AUTH_PARAMS
if [ $# -gt 0 ]; then
while true; do
case "$1" in
enable|disable)
AUTH_OP=$1
AUTH_PARAMS=("${AUTH_PARAMS[@]}" "$AUTH_OP")
shift
;;
-z|-zkhost|zkHost)
ZK_HOST="$2"
AUTH_PARAMS=("${AUTH_PARAMS[@]}" "-zkHost" "$ZK_HOST")
shift 2
;;
-t|-type)
AUTH_TYPE="$2"
AUTH_PARAMS=("${AUTH_PARAMS[@]}" "-type" "$AUTH_TYPE")
shift 2
;;
-credentials)
AUTH_CREDENTIALS="$2"
AUTH_PARAMS=("${AUTH_PARAMS[@]}" "-credentials" "$AUTH_CREDENTIALS")
shift 2
;;
-solrIncludeFile)
SOLR_INCLUDE="$2"
shift 2
;;
-prompt)
AUTH_PARAMS=("${AUTH_PARAMS[@]}" "-prompt" "$2")
shift
;;
-blockUnknown)
AUTH_PARAMS=("${AUTH_PARAMS[@]}" "-blockUnknown" "$2")
shift
break
;;
-updateIncludeFileOnly)
AUTH_PARAMS=("${AUTH_PARAMS[@]}" "-updateIncludeFileOnly" "$2")
shift
break
;;
-d|-dir)
if [[ -z "$2" || "${2:0:1}" == "-" ]]; then
print_usage "$SCRIPT_CMD" "Server directory is required when using the $1 option!"
exit 1
fi
if [[ "$2" == "." || "$2" == "./" || "$2" == ".." || "$2" == "../" ]]; then
SOLR_SERVER_DIR="$(pwd)/$2"
else
# see if the arg value is relative to the tip vs full path
if [[ "$2" != /* ]] && [[ -d "$SOLR_TIP/$2" ]]; then
SOLR_SERVER_DIR="$SOLR_TIP/$2"
else
SOLR_SERVER_DIR="$2"
fi
fi
# resolve it to an absolute path
SOLR_SERVER_DIR="$(cd "$SOLR_SERVER_DIR"; pwd)"
shift 2
;;
-s|-solr.home)
if [[ -z "$2" || "${2:0:1}" == "-" ]]; then
print_usage "$SCRIPT_CMD" "Solr home directory is required when using the $1 option!"
exit 1
fi
SOLR_HOME="$2"
shift 2
;;
-help|-usage|-h)
print_usage "$SCRIPT_CMD"
exit 0
;;
--)
shift
break
;;
*)
shift
break
;;
esac
done
fi
if [ -z "$SOLR_SERVER_DIR" ]; then
SOLR_SERVER_DIR="$DEFAULT_SERVER_DIR"
fi
if [ ! -e "$SOLR_SERVER_DIR" ]; then
echo -e "\nSolr server directory $SOLR_SERVER_DIR not found!\n"
exit 1
fi
if [ -z "$SOLR_HOME" ]; then
SOLR_HOME="$SOLR_SERVER_DIR/solr"
else
if [[ $SOLR_HOME != /* ]] && [[ -d "$SOLR_SERVER_DIR/$SOLR_HOME" ]]; then
SOLR_HOME="$SOLR_SERVER_DIR/$SOLR_HOME"
SOLR_PID_DIR="$SOLR_HOME"
elif [[ $SOLR_HOME != /* ]] && [[ -d "`pwd`/$SOLR_HOME" ]]; then
SOLR_HOME="$(pwd)/$SOLR_HOME"
fi
fi
if [ -z "$AUTH_OP" ]; then
print_usage "$SCRIPT_CMD"
exit 0
fi
AUTH_PARAMS=("${AUTH_PARAMS[@]}" "-solrIncludeFile" "$SOLR_INCLUDE")
if [ -z "$AUTH_PORT" ]; then
for ID in `ps auxww | grep java | grep start\.jar | awk '{print $2}' | sort -r`
do
@ -1197,8 +1338,7 @@ if [[ "$SCRIPT_CMD" == "auth" ]]; then
fi
done
fi
solr_include_file=$SOLR_INCLUDE
run_tool auth "$@" -solrUrl "$SOLR_URL_SCHEME://$SOLR_TOOL_HOST:$AUTH_PORT/solr" -solrIncludeFile "$solr_include_file"
run_tool auth ${AUTH_PARAMS[@]} -solrUrl "$SOLR_URL_SCHEME://$SOLR_TOOL_HOST:$AUTH_PORT/solr" -authConfDir "$SOLR_HOME"
exit $?
fi

View File

@ -276,7 +276,7 @@ goto done
:script_usage
@echo.
@echo Usage: solr COMMAND OPTIONS
@echo where COMMAND is one of: start, stop, restart, healthcheck, create, create_core, create_collection, delete, version, zk
@echo where COMMAND is one of: start, stop, restart, healthcheck, create, create_core, create_collection, delete, version, zk, auth
@echo.
@echo Standalone server example (start Solr running in the background on port 8984):
@echo.
@ -554,6 +554,35 @@ IF "%ZK_FULL%"=="true" (
)
goto done
:auth_usage
echo Usage: solr auth enable [-type basicAuth] -credentials user:pass [-blockUnknown ^<true|false^>] [-updateIncludeFileOnly ^<true|false^>]
echo solr auth enable [-type basicAuth] -prompt ^<true|false^> [-blockUnknown ^<true|false^>] [-updateIncludeFileOnly ^<true|false^>]
echo solr auth disable [-updateIncludeFileOnly ^<true|false^>]
echo
echo -type ^<type^> The authentication mechanism to enable. Defaults to 'basicAuth'.
echo
echo -credentials ^<user:pass^> The username and password of the initial user
echo Note: only one of -prompt or -credentials must be provided
echo
echo -prompt ^<true|false^> Prompts the user to provide the credentials
echo Note: only one of -prompt or -credentials must be provided
echo
echo -blockUnknown ^<true|false^> When true, this blocks out access to unauthenticated users. When not provided,
echo this defaults to false (i.e. unauthenticated users can access all endpoints, except the
echo operations like collection-edit, security-edit, core-admin-edit etc.). Check the reference
echo guide for Basic Authentication for more details.
echo
echo -updateIncludeFileOnly ^<true|false^> Only update the solr.in.sh or solr.in.cmd file, and skip actual enabling/disabling"
echo authentication (i.e. don't update security.json)"
echo
echo -z zkHost Zookeeper connection string
echo
echo -d <dir> Specify the Solr server directory"
echo
echo -s <dir> Specify the Solr home directory. This is where any credentials or authentication"
echo configuration files (e.g. basicAuth.conf) would be placed."
echo
goto done
REM Really basic command-line arg parsing
:parse_args
@ -1648,6 +1677,44 @@ goto done
:run_auth
IF "%1"=="-help" goto usage
IF "%1"=="-usage" goto usage
REM Options parsing.
REM Note: With the following technique of parsing, it is not possible
REM to have an option without a value.
set "AUTH_PARAMS=%1"
set "option="
for %%a in (%*) do (
if not defined option (
set arg=%%a
if "!arg:~0,1!" equ "-" set "option=!arg!"
) else (
set "option!option!=%%a"
if "!option!" equ "-d" set "SOLR_SERVER_DIR=%%a"
if "!option!" equ "-s" set "SOLR_HOME=%%a"
if not "!option!" equ "-s" if not "!option!" equ "-d" (
set "AUTH_PARAMS=!AUTH_PARAMS! !option! %%a"
)
set "option="
)
)
IF "%SOLR_SERVER_DIR%"=="" set "SOLR_SERVER_DIR=%DEFAULT_SERVER_DIR%"
IF NOT EXIST "%SOLR_SERVER_DIR%" (
set "SCRIPT_ERROR=Solr server directory %SOLR_SERVER_DIR% not found!"
goto err
)
IF "%SOLR_HOME%"=="" set "SOLR_HOME=%SOLR_SERVER_DIR%\solr"
IF EXIST "%cd%\%SOLR_HOME%" set "SOLR_HOME=%cd%\%SOLR_HOME%"
IF NOT EXIST "%SOLR_HOME%\" (
IF EXIST "%SOLR_SERVER_DIR%\%SOLR_HOME%" (
set "SOLR_HOME=%SOLR_SERVER_DIR%\%SOLR_HOME%"
) ELSE (
set "SCRIPT_ERROR=Solr home directory %SOLR_HOME% not found!"
goto err
)
)
if "!AUTH_PORT!"=="" (
for /f "usebackq" %%i in (`dir /b "%SOLR_TIP%\bin" ^| findstr /i "^solr-.*\.port$"`) do (
set SOME_SOLR_PORT=
@ -1659,11 +1726,10 @@ if "!AUTH_PORT!"=="" (
)
)
)
for /f "tokens=1,* delims= " %%a in ("%*") do set auth_params=%%b
"%JAVA%" %SOLR_SSL_OPTS% %AUTHC_OPTS% %SOLR_ZK_CREDS_AND_ACLS% -Dsolr.install.dir="%SOLR_TIP%" ^
-Dlog4j.configuration="file:%DEFAULT_SERVER_DIR%\scripts\cloud-scripts\log4j.properties" ^
-classpath "%DEFAULT_SERVER_DIR%\solr-webapp\webapp\WEB-INF\lib\*;%DEFAULT_SERVER_DIR%\lib\ext\*" ^
org.apache.solr.util.SolrCLI auth %auth_params% -solrIncludeFile "%SOLR_INCLUDE%" ^
org.apache.solr.util.SolrCLI auth %AUTH_PARAMS% -solrIncludeFile "%SOLR_INCLUDE%" -authConfDir "%SOLR_HOME%" ^
-solrUrl !SOLR_URL_SCHEME!://%SOLR_TOOL_HOST%:!AUTH_PORT!/solr
goto done

View File

@ -3525,18 +3525,10 @@ public class SolrCLI {
@SuppressWarnings("static-access")
public Option[] getOptions() {
return new Option[]{
OptionBuilder
.withArgName("enable")
.withDescription("Enable authentication.")
.create("enable"),
OptionBuilder
.withArgName("disable")
.withDescription("Disable existing authentication.")
.create("disable"),
OptionBuilder
.withArgName("type")
.hasArg()
.withDescription("basicAuth")
.withDescription("The authentication mechanism to enable. Defaults to 'basicAuth'.")
.create("type"),
OptionBuilder
.withArgName("credentials")
@ -3545,12 +3537,13 @@ public class SolrCLI {
.create("credentials"),
OptionBuilder
.withArgName("prompt")
.withDescription("Prompt for credentials. Use either -credentials or -prompt, not both")
.hasArg()
.withDescription("Prompts the user to provide the credentials. Use either -credentials or -prompt, not both")
.create("prompt"),
OptionBuilder
.withArgName("blockUnknown")
.withDescription("Blocks all access for unknown users (requires authentication for all endpoints)")
.hasOptionalArg()
.hasArg()
.create("blockUnknown"),
OptionBuilder
.withArgName("solrIncludeFile")
@ -3558,17 +3551,34 @@ public class SolrCLI {
.withDescription("The Solr include file which contains overridable environment variables for configuring Solr configurations")
.create("solrIncludeFile"),
OptionBuilder
.withArgName("updateIncludeFileOnly")
.withDescription("Only update the solr.in.sh or solr.in.cmd file, and skip actual enabling/disabling"
+ " authentication (i.e. don't update security.json)")
.hasArg()
.create("updateIncludeFileOnly"),
OptionBuilder
.withArgName("authConfDir")
.hasArg()
.isRequired()
.withDescription("This is where any authentication related configuration files, if any, would be placed.")
.create("authConfDir"),
OptionBuilder
.withArgName("solrUrl")
.hasArg()
.withDescription("Solr URL")
.create("solrUrl"),
OptionBuilder
.withArgName("zkHost")
.hasArg()
.withDescription("ZooKeeper host")
.create("zkHost"),
};
}
@Override
public int runTool(CommandLine cli) throws Exception {
if (cli.getOptions().length == 0 || cli.getArgs().length > 0 || cli.hasOption("h")) {
new HelpFormatter().printHelp("bin/solr auth [OPTIONS]", getToolOptions(this));
if (cli.getOptions().length == 0 || cli.getArgs().length == 0 || cli.getArgs().length > 1 || cli.hasOption("h")) {
new HelpFormatter().printHelp("bin/solr auth <enable|disable> [OPTIONS]", getToolOptions(this));
return 1;
}
@ -3578,29 +3588,56 @@ public class SolrCLI {
exit(1);
}
if (cli.hasOption("enable") && cli.hasOption("disable")) {
System.out.println("You have specified both -enable and -disable. Only one should be provided.");
return 1;
}
if (cli.hasOption("enable")) {
String zkHost = getZkHost(cli);
if (zkHost == null) {
System.out.println("ZK Host not found. Solr should be running in cloud mode");
String cmd = cli.getArgs()[0];
boolean prompt = Boolean.parseBoolean(cli.getOptionValue("prompt", "false"));
boolean updateIncludeFileOnly = Boolean.parseBoolean(cli.getOptionValue("updateIncludeFileOnly", "false"));
switch (cmd) {
case "enable":
if (!prompt && !cli.hasOption("credentials")) {
System.out.println("Option -credentials or -prompt is required with enable.");
new HelpFormatter().printHelp("bin/solr auth <enable|disable> [OPTIONS]", getToolOptions(this));
exit(1);
}
if (cli.hasOption("credentials") == false && cli.hasOption("prompt") == false) {
System.out.println("Option -credentials or -prompt is required with -enable.");
new HelpFormatter().printHelp("bin/solr auth [OPTIONS]", getToolOptions(this));
exit(1);
} else if (cli.hasOption("prompt") == false &&
(cli.getOptionValue("credentials") == null || !cli.getOptionValue("credentials").contains(":"))) {
} else if (!prompt && (cli.getOptionValue("credentials") == null || !cli.getOptionValue("credentials").contains(":"))) {
System.out.println("Option -credentials is not in correct format.");
new HelpFormatter().printHelp("bin/solr auth [OPTIONS]", getToolOptions(this));
new HelpFormatter().printHelp("bin/solr auth <enable|disable> [OPTIONS]", getToolOptions(this));
exit(1);
}
String zkHost = null;
if (!updateIncludeFileOnly) {
try {
zkHost = getZkHost(cli);
} catch (Exception ex) {
if (cli.hasOption("zkHost")) {
System.out.println("Couldn't get ZooKeeper host. Please make sure that ZooKeeper is running and the correct zkHost has been passed in.");
} else {
System.out.println("Couldn't get ZooKeeper host. Please make sure Solr is running in cloud mode, or a zkHost has been passed in.");
}
exit(1);
}
if (zkHost == null) {
if (cli.hasOption("zkHost")) {
System.out.println("Couldn't get ZooKeeper host. Please make sure that ZooKeeper is running and the correct zkHost has been passed in.");
} else {
System.out.println("Couldn't get ZooKeeper host. Please make sure Solr is running in cloud mode, or a zkHost has been passed in.");
}
exit(1);
}
// check if security is already enabled or not
try (SolrZkClient zkClient = new SolrZkClient(zkHost, 10000)) {
if (zkClient.exists("/security.json", true)) {
byte oldSecurityBytes[] = zkClient.getData("/security.json", null, null, true);
if (!"{}".equals(new String(oldSecurityBytes, StandardCharsets.UTF_8).trim())) {
System.out.println("Security is already enabled. You can disable it with 'bin/solr auth disable'. Existing security.json: \n"
+ new String(oldSecurityBytes, StandardCharsets.UTF_8));
exit(1);
}
}
}
}
String username, password;
if (cli.hasOption("credentials")) {
String credentials = cli.getOptionValue("credentials");
@ -3611,26 +3648,14 @@ public class SolrCLI {
username = console.readLine("Enter username: ");
password = new String(console.readPassword("Enter password: "));
}
// check if security is already enabled or not
try (SolrZkClient zkClient = new SolrZkClient(zkHost, 10000)) {
if (zkClient.exists("/security.json", true)) {
byte oldSecurityBytes[] = zkClient.getData("/security.json", null, null, true);
if (!"{}".equals(new String(oldSecurityBytes, StandardCharsets.UTF_8).trim())) {
System.out.println("Security is already enabled. You can disable it with 'bin/solr auth -disable'. Existing security.json: \n"
+ new String(oldSecurityBytes, StandardCharsets.UTF_8));
exit(1);
}
}
}
boolean blockUnknown = cli.getOptionValue("blockUnknown") == null ?
cli.hasOption("blockUnknown"): Boolean.valueOf(cli.getOptionValue("blockUnknown"));
boolean blockUnknown = Boolean.valueOf(cli.getOptionValue("blockUnknown", "false"));
String securityJson = "{" +
"\n \"authentication\":{" +
"\n \"blockUnknown\": " + blockUnknown + "," +
"\n \"class\":\"solr.BasicAuthPlugin\"," +
"\n \"credentials\":{\""+username+"\":\"" + Sha256AuthenticationProvider.getSaltedHashedValue(password) + "\"}" +
"\n \"credentials\":{\"" + username + "\":\"" + Sha256AuthenticationProvider.getSaltedHashedValue(password) + "\"}" +
"\n }," +
"\n \"authorization\":{" +
"\n \"class\":\"solr.RuleBasedAuthorizationPlugin\"," +
@ -3639,14 +3664,16 @@ public class SolrCLI {
"\n {\"name\":\"collection-admin-edit\", \"role\":\"admin\"}," +
"\n {\"name\":\"core-admin-edit\", \"role\":\"admin\"}" +
"\n ]," +
"\n \"user-role\":{\""+username+"\":\"admin\"}" +
"\n \"user-role\":{\"" + username + "\":\"admin\"}" +
"\n }" +
"\n}";
System.out.println("Uploading following security.json: " + securityJson);
if (!updateIncludeFileOnly) {
System.out.println("Uploading following security.json: " + securityJson);
try (SolrZkClient zkClient = new SolrZkClient(zkHost, 10000)) {
zkClient.setData("/security.json", securityJson.getBytes(StandardCharsets.UTF_8), true);
}
}
String solrIncludeFilename = cli.getOptionValue("solrIncludeFile");
File includeFile = new File(solrIncludeFilename);
@ -3655,7 +3682,8 @@ public class SolrCLI {
printAuthEnablingInstructions(username, password);
System.exit(0);
}
File basicAuthConfFile = new File(includeFile.getParent() + File.separator + "basicAuth.conf");
String authConfDir = cli.getOptionValue("authConfDir");
File basicAuthConfFile = new File(authConfDir + File.separator + "basicAuth.conf");
if (basicAuthConfFile.getParentFile().canWrite() == false) {
System.out.println("Cannot write to file: " + basicAuthConfFile.getAbsolutePath());
@ -3667,10 +3695,12 @@ public class SolrCLI {
"httpBasicAuthUser=" + username + "\nhttpBasicAuthPassword=" + password, StandardCharsets.UTF_8);
// update the solr.in.sh file to contain the necessary authentication lines
updateIncludeFileEnableAuth(includeFile, basicAuthConfFile.getAbsolutePath(), username, password);
updateIncludeFileEnableAuth(includeFile, basicAuthConfFile.getAbsolutePath());
return 0;
} else if (cli.hasOption("disable")) {
String zkHost = getZkHost(cli);
case "disable":
if (!updateIncludeFileOnly) {
zkHost = getZkHost(cli);
if (zkHost == null) {
stdout.print("ZK Host not found. Solr should be running in cloud mode");
exit(1);
@ -3681,10 +3711,11 @@ public class SolrCLI {
try (SolrZkClient zkClient = new SolrZkClient(zkHost, 10000)) {
zkClient.setData("/security.json", "{}".getBytes(StandardCharsets.UTF_8), true);
}
}
String solrIncludeFilename = cli.getOptionValue("solrIncludeFile");
File includeFile = new File(solrIncludeFilename);
if (includeFile.exists() == false || includeFile.canWrite() == false) {
solrIncludeFilename = cli.getOptionValue("solrIncludeFile");
includeFile = new File(solrIncludeFilename);
if (!includeFile.exists() || !includeFile.canWrite()) {
System.out.println("Solr include file " + solrIncludeFilename + " doesn't exist or is not writeable.");
System.out.println("Security has been disabled. Please remove any SOLR_AUTH_TYPE or SOLR_AUTHENTICATION_OPTS configuration from solr.in.sh/solr.in.cmd.\n");
System.exit(0);
@ -3693,10 +3724,14 @@ public class SolrCLI {
// update the solr.in.sh file to comment out the necessary authentication lines
updateIncludeFileDisableAuth(includeFile);
return 0;
default:
System.out.println("Valid auth commands are: enable, disable");
exit(1);
}
System.out.println("Options not understood (should be -enable or -disable).");
new HelpFormatter().printHelp("bin/solr auth [OPTIONS]", getToolOptions(this));
System.out.println("Options not understood.");
new HelpFormatter().printHelp("bin/solr auth <enable|disable> [OPTIONS]", getToolOptions(this));
return 1;
}
@ -3708,11 +3743,11 @@ public class SolrCLI {
} else {
System.out.println("\nAdd the following lines to the solr.in.sh file so that the ./solr script can use subsequently.\n");
System.out.println("SOLR_AUTH_TYPE=\"basic\"\n"
+ "SOLR_AUTHENTICATION_OPTS=\"-DbasicAuth=" + username + ":" + password + "\"\n");
+ "SOLR_AUTHENTICATION_OPTS=\"-Dbasicauth=" + username + ":" + password + "\"\n");
}
}
private void updateIncludeFileEnableAuth(File includeFile, String basicAuthConfFile, String username, String password) throws IOException {
private void updateIncludeFileEnableAuth(File includeFile, String basicAuthConfFile) throws IOException {
List<String> includeFileLines = FileUtils.readLines(includeFile, StandardCharsets.UTF_8);
for (int i=0; i<includeFileLines.size(); i++) {
String line = includeFileLines.get(i);