Contrib.social

Apache Solr Server Unavailable After Adding Security.json

Open on Drupal.org →
Created on 7 May 2024, over 1 year ago

Respect the submission guidelines above! Drupal.org issue forks cause additional work for the project maintainer!

Setup

  • Solr version: 9.5.0
  • Drupal Core version: 9.5.11
  • Search API version: 8.x-1.30
  • Search API Solr version: 4.3.1
  • Configured Solr Connector: Standard

Issue

Everything worked fine until I added a security.json to the solr home directory.

I have started using about 2 weeks now. After reading enough documentation, I had everything set up and a server that was reachable.
I have installed the Apache Solr Server on my Centos server.

However, when I add the security.json the and do a restart. The Apache Solr Server I set up under Search API goes unavailable.
The authentication seems to work fine but I can't index or search any data from the site because the server becomes unavailable.

Errors Shown under logging in the Solr UI

SolrLogAuditLoggerPlugin
type="REJECTED" message="Rejected" method="GET" status="401" requestType="ADMIN" username="null" resource="/admin/info/system" queryString="wt=json&json.nl=flat" collections=null
SolrLogAuditLoggerPlugin
type="REJECTED" message="Rejected" method="GET" status="401" requestType="UNKNOWN" username="null" resource="/racenrallied/mlt" queryString="omitHeader=true&TZ=Europe%2FLondon&wt=json&json.nl=flat&q=id%3A%225e8bfv-solr_randr_classifieds_index-entity%3Anode%2F901%3Aen%22&start=0&rows=3&fl=ss_search_api_id%2Css_search_api_language%2Cscore%2Chash&fq=bs_status%3A%22true%22&fq=%2Bindex_id%3Asolr_randr_classifieds_index&fq=ss_search_api_language%3A%28%22en%22+%22und%22%29&mlt.fl=tm_X3b_en_body_1%2Ctm_X3b_und_body_1%2Ctm_X3b_en_title%2Ctm_X3b_und_title&mlt.mintf=1&mlt.mindf=1&mlt.maxqt=100&mlt.maxntp=2000&mlt.boost=false&mlt.match.include=false&mlt.match.offset=0&mlt.interestingTerms=none" collections=null
SolrLogAuditLoggerPlugin
type="REJECTED" message="Rejected" method="GET" status="401" requestType="ADMIN" username="null" resource="/admin/info/system" queryString="wt=json&json.nl=flat" collections=null

Errors shown in Drupal recent logs

Path: /admin/reports/dblog/event/3723. Drupal\Core\Http\Exception\CacheableAccessDeniedHttpException: The 'access site reports' permission is required. in Drupal\Core\Routing\AccessAwareRouter->checkAccess() (line 118 of /var/www/vhosts/d.com/dcore/lib/Drupal/Core/Routing/AccessAwareRouter.php).

Path: /admin/config/search/search-api. Drupal\Core\Http\Exception\CacheableAccessDeniedHttpException: The 'administer search_api' permission is required. in Drupal\Core\Routing\AccessAwareRouter->checkAccess() (line 118 of /var/www/vhosts/d.com/d.com/core/lib/Drupal/Core/Routing/AccessAwareRouter.php).

Drupal\search_api_solr\SearchApiSolrException: Solr endpoint http://localhost:8983/ access denied (code:

My Security.josn Setup 

{
    "authentication": {
        "blockUnknown": true,
        "class": "solr.BasicAuthPlugin",
        "credentials": {
            "cnm_solr_admin": "<paswd>",
            "cnm_solr_dev": "<paswd>",
            "solr_end_users": "<paswd>"
         },
        "realm": "CNM Solr Users",
        "fowardCredentials": false
    },
    "authorization": {
       "class": "solr.RuleBasedAuthorizationPlugin",
       "user-role": {
           "cnm_solr_admin": "admin",
           "cnm_solr_dev": "dev",
           "solr_end_users": ["users"]
        },
       "permissions": [
            {
                "name": "rcore",
                "collection": null,
                "path": ["/rcore/select", "/admin/cores"],
                "role": "*"
            }
            {
                "name":"read",
                "role": ["admin", "dev", "users"]
            },
            {
                "name":"update",
                "role": ["admin"]
            },
            {
                "name":"security-edit",
                "role": "admin"
            },
            {
                "name":"security-read",
                "role": ["admin", "dev"]
            },
            {
                "name":"all",
                "role": "admin"
            }

        ]
    },
    "auditlogging": {
      "class": "solr.SolrLogAuditLoggerPlugin",
      "async": true,
      "blockAsync": false,
      "numThreads": 2,
      "queueSize": 4096,
      "eventTypes": ["AUTHENTICATED", "REJECTED", "ANONYMOUS", "AUTHORIZED",  "ANONYMOUS_REJECTED", "UNAUTHORIZED", "COMPLETED", "ERROR"]
    }
}

My lack of knowledge concludes that I may have to use a specific user in my json file but I am not sure.

May you shed some light, please?
I think

💬 Support request
Status

Active

Version

4.3

Component

Solr Connectors

Created by

🇧🇧Barbados ShockWave08

Live updates comments and jobs are added and updated live.
  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Sign in to follow issues

Comments & Activities

  • Issue created by @ShockWave08
  • Comment over 1 year ago
    🇧🇧Barbados ShockWave08
  • Comment over 1 year ago
    🇩🇪Germany mkalkbrenner 🇩🇪

    Your security.json activates basic auth. So you need to configure the Basic Auth connector in Search API Solr, not the Standard connector.

  • Status changed to Fixed over 1 year ago
  • Comment over 1 year ago
    🇩🇪Germany mkalkbrenner 🇩🇪
  • Status changed to Needs review over 1 year ago
  • Comment over 1 year ago
    🇧🇧Barbados ShockWave08
  • Comment over 1 year ago
    🇧🇧Barbados ShockWave08
  • Comment over 1 year ago
    🇧🇧Barbados ShockWave08

    Thanks much for the response..
    I know it's difficult having to keep up with these isues.

    So I'm using Basic Auth now.
    Set the username and password to solr:SolrRocks..

    Same user/pass in the security.json.
    Using this tool to create encrypt the passwords.

    I am able to sign into the Solr Admin UI with the user/Pass So I know it works..

    I also went ahead and set these op:

    SOLR_AUTH_TYPE="basic"
SOLR_AUTHENTICATION_OPTS="-Dbasicauth=solr:SolrRocks"

    Errors Shown under logging in the Solr UI

    The errors are basically the same but now they say

    Unauthorized

    for the same paths.

    So the Apache Solr Server I set up under Search API is still unavailable.

    Is there something I'm missing.

  • Status changed to Closed: works as designed over 1 year ago
  • Comment over 1 year ago
    🇩🇪Germany mkalkbrenner 🇩🇪

    I recommend that you read the solr docuementation.
    But because security.json has nothing to do with this module directly, I'll close the issue.

  • Comment about 1 month ago
    brevilo

    security.json has nothing to do with this module directly

    Well, you might be right about authentication, but for authorization there are always two parties involved - one of them being this module (as the client). It's this module which defines how it accesses the Solr backend, right? This is where the current documentation lacks, since the README currently only mentions authentication but not authorization.

    What would be very helpful to know is which of the predefined permissions this module requires for which parts of its features. Knowing that would allow us to define a role for the solr user with just the necessary permissions instead of simply assigning it the blanket admin role. Doing that kind of defeats the entire purpose of protecting Solr in the first place, doesn't it?

    Thank you

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024