Appearance
<div style="display: none;" hidden="true" aria-hidden="true">Are you an LLM? You can read better optimized documentation at /guides/solr/configuring_solr/authentication_and_authorization.md for this page in Markdown format</div>
Authentication & authorization
To secure your solr server you must create a server.json file inside /solr-root-dir/server/solr/.
Edit your server.json, and paste the following:
json
{
"authentication": {
"class": "solr.BasicAuthPlugin",
"credentials": {
"solr": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="
}
},
"authorization": {
"class": "solr.RuleBasedAuthorizationPlugin",
"permissions": [
{
"name": "core-admin-read",
"role": [
"admin",
"manager"
]
},
{
"name": "collection-admin-read",
"role": [
"admin",
"manager"
]
},
{
"name": "metrics-read",
"role": [
"admin",
"manager"
]
},
{
"name": "schema-read",
"role": [
"admin",
"manager"
]
},
{
"name": "schema-edit",
"role": [
"admin",
"manager"
]
},
{
"name": "read",
"role": [
"admin",
"manager"
]
},
{
"name": "update",
"role": [
"admin",
"manager"
]
},
{
"name": "all",
"role": "admin"
}
],
"user-role": {
"solr": "admin"
}
}
}Going through the contents of server.json
There are two objects. authorization and authentication.
authentication contains all configuration related to the authentication phase (Does the user exist?)
authentication.classtells solr which class to use upon authenticationauthentication.credentialsContains a list of users in key-value pairs. Key for the username and value for the encrypted password. In this instance, we have the usersolrwith passwordSolrRocks
authorization contains all configuration related to the user's authorization phase. (What can the user do in solr?)
authorization.classtells solr which class to use upon user's authorizationauthorization.permissionsis an array of permission rule objects- Each permission rule object must contain at least a
nameand aroleattribute.- The
nameattribute MUST be a string. For information about what permission names are available, please refer to Rule Based Authorization Plugin - Predefined Permissions section - The
roleattribute can be either a string, or an array of strings, that specify for which roles, the permission rule object applies to.
- The
- Each permission rule object must contain at least a
authorization.user-rolecontains an array, to which users are assigned to a specific role in a"key": "value"pair fashion wherekeyis the user, andvaluethe role they are assigned to.
The APIs
Notice: In order to call the endpoints below, using the suggested
server.jsonsettings above, you need to attach a basic Authorization header for every http request you make. The format of this header is:
Authorization: Basic base64_encode("$user:$password")For example, for the user
solrand passwordSolrRocksthe Authorization header would be:
Authorization: Basic c29scjpTb2xyUm9ja3M=
Authentication API
The authentication API endpoint is located at: <http-protocol>://<solr-host>:<solr-port>/solr/admin/authentication
To add a user, POST to the authentication API's endpoint with the following message body:
json
{
"set-user": {
"myuser":"mypassword"
}
}Authorization API
The authorization API endpoint is located at: <httpprotocol>://<solr-host>:<solr-port>/solr/admin/authentication
To set a user's role, POST to authorization API's endpoint with the following message body:
json
{
"set-user-role": {
"myuser": "manager",
}Few Caveats
Solr's security feature is not designed to protect the server from non-trusted parties.
The order of which
authorization.permissionsrules are defined is important!If a permission name is defined elsewhere, only the first permission rule with that permission name will apply.
Even when the permission rule
rolediffers in two permission rules with samename, it will still be overwritten by the first rule. For example: say we have two roles. The"manager"and the"admin".jsonpermissions: [ { "name": "read", "role": "manager" }, { "name": "all", "role": "admin" }, ]In this case, the
"admin"role won't have access to"read"permission because that permission's role is overwritten by the first rule. To solve this problem, you need to specify all the roles the permission name applies to in therolefield. Like this:jsonpermissions: [ { "name": "read", "role": ["admin", "manager"] }, { "name": "all", "role": "admin" }, ]
If a permission (
name) isn't defined anywhere inauthorization.permissions, solr assumes that the permission should be accessible by everyone!! For example, say we want to have the"manager"role to only have access to"read"permission and nothing else. If solr sees something like this:jsonpermissions: [ { "name": "read", "role": "manager" } }It will interpret it as: "Only the
"manager"role has access to permission"read"". However, since no other permissions are specified, every user role will have access to every other permission that exists, including the manager. To tackle this, it is good practice to introduce an"admin"role, which inherits all permissions. This can be accomplished with the"all"wildcard. Here's a solution to the issue above:jsonpermissions: [ { "name": "read", "role": "manager" }, { "name": "all", "role": "admin" }, }
What's next
Now that you've secured your solr server, you can start creating a new core