Research and practice on Solr security control: a primer (II)

Source: Internet
Author: User
Tags: pkcs12, solr, dns names

Permission Attributes

Each role is made up of one or more permissions, and each permission consists of several attributes that define what it allows. Some permissions are predefined and cannot be modified: their attributes are fixed and no new attributes can be added. To use one of them, simply define a role that includes the permission and assign that role to a user.

security-edit: allows editing the security configuration, which means any update to security.json made through the API is allowed.
security-read: allows reading the security configuration, which means any read of security.json through the API is allowed.
schema-edit: allows editing the schema of a collection using the Schema API. Note that this permission applies to all collections; to edit only the schema of a specific collection, create a custom permission.
schema-read: allows reading the schema of a collection using the Schema API. Note that this permission applies to all collections; to read only the schema of a specific collection, create a custom permission.
config-edit: allows editing a collection's configuration using the Config API, the Request Parameters API, or any other API that modifies configoverlay.json. Note that this permission applies to all collections; to edit only the configuration of a specific collection, create a custom permission.
config-read: allows viewing a collection's configuration using the Config API, the Request Parameters API, or any other API that modifies configoverlay.json. Note that this permission applies to all collections; to view only the configuration of a specific collection, create a custom permission.
collection-admin-edit: allows modifying collections using the Collections API. Note that this permission applies to all collections; to edit only a specific collection, create a custom permission. Specifically, the following Collections API actions are allowed: CREATE, RELOAD, SPLITSHARD, CREATESHARD, DELETESHARD, CREATEALIAS, DELETEALIAS, DELETE, DELETEREPLICA, ADDREPLICA, CLUSTERPROP, MIGRATE, ADDROLE, REMOVEROLE, ADDREPLICAPROP, DELETEREPLICAPROP, BALANCESHARDUNIQUE, REBALANCELEADERS.
collection-admin-read: allows viewing collections using the Collections API. Note that this permission applies to all collections; to view only a specific collection, create a custom permission. Specifically, the following Collections API actions are allowed: LIST, OVERSEERSTATUS, CLUSTERSTATUS, REQUESTSTATUS.
update: allows any update operation on any collection, including sending documents for indexing (using an update request handler).
read: allows any read operation on any collection, including queries through search handlers (request handlers) such as /select, /get, /browse, /tvrh, /terms, /clustering, /elevate, /export, /spell, /sql.
all: any request to Solr.


Authorization API

API endpoint: /admin/authorization. It accepts a set of commands to create permissions, map permissions to roles, and map roles to users.

Manage Permissions
Three commands are available for managing permissions:
set-permission: create a new permission, overwrite an existing permission definition, or assign a predefined permission to a role.
update-permission: update some attributes of an existing permission definition.
delete-permission: remove a permission.

If the predefined permissions above do not fit, you need to create a custom permission. The following attributes can be used in a custom permission:
name: the name of the permission. This name is used later to update or delete the permission.
collection: the collection this permission applies to, or all collections. When the path is collection-specific (for example when granting use of the Schema API), omitting this attribute makes the path and/or method apply to all collections. When the path is not collection-specific, such as the Collections API, the value must be null.
path: the name of the request handler, such as /update or /select. Wildcards are supported, so /update/* allows all update paths.
method: controls the HTTP request method. You can allow only GET requests, or have a role that allows PUT and POST requests. Valid values are GET, POST, PUT, DELETE and HEAD.
params: request parameter names and values. If all request parameters are allowed, this attribute can be omitted; if it is defined, access is restricted to the values given. For example, it can be used to limit which Collections API actions a role may run. If a role should only be allowed to perform LIST or CLUSTERSTATUS requests, define:
"params": {"action": [LIST, CLUSTERSTATUS]}

before: allows ordering of permissions. Its value identifies the existing permission in security.json before which this new permission is placed.
role: the name of the role(s) to which this permission is granted. This name is used when mapping user IDs to roles. The value can be the wildcard (*), meaning every user is granted the permission, but it must not be empty.

The following creates a new permission named collection-mgr that allows creating a collection and viewing the list of collections. The permission is placed before the "read" permission. Also note that collection is set to null, because requests to the Collections API are never tied to a particular collection.

curl --user solr:SolrRocks -H 'Content-type:application/json' -d '{"set-permission": {"name": "collection-mgr", "collection": null, "path": "/admin/collections", "params": {"action": [LIST, CREATE]}, "before": "read", "role": "admin"}}' http://localhost:8983/solr/admin/authorization



Map Roles to Users

A single command maps roles to users:
set-user-role: maps a user to one or more roles. To remove a user's roles, set the role to null; there is no separate command for deleting a user role. The command takes a user ID and the role or roles that user should have. For example, the following gives the user "solr" the roles "admin" and "dev", and removes all roles from the user ID "harry":
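To make the ordering and matching rules above concrete, here is a small model of how the permissions and role mappings are evaluated. It is an added example, not Solr's own code: set_permission models "before", set_user_role models the null removal, and is_allowed applies first-match evaluation to a constructed sample (a simplified predefined "read", a catch-all "all", and the collection-mgr permission from the curl command).

```python
"""Simplified model of Solr rule-based authorization (added example, not
Solr's code): set-permission with "before", set-user-role, first-match eval."""
from fnmatch import fnmatch


def set_permission(permissions, perm, before=None):
    """Add perm (replacing one with the same name), before `before` if named."""
    perms = [p for p in permissions if p["name"] != perm["name"]]
    names = [p["name"] for p in perms]
    idx = names.index(before) if before in names else len(perms)
    perms.insert(idx, perm)
    return perms


def set_user_role(user_roles, mapping):
    """set-user-role: a null value removes every role from that user."""
    updated = {**user_roles, **{u: list(r) for u, r in mapping.items() if r is not None}}
    for user in (u for u, r in mapping.items() if r is None):
        updated.pop(user, None)
    return updated


def _matches(perm, req):
    """Every attribute the permission sets must match; omitted ones match all.
    collection: null applies only to requests that are not collection-specific."""
    if "collection" in perm and perm["collection"] != req.get("collection"):
        return False
    if "path" in perm and not fnmatch(req["path"], perm["path"]):
        return False
    if "method" in perm:
        methods = perm["method"] if isinstance(perm["method"], list) else [perm["method"]]
        if req.get("method", "GET") not in methods:
            return False
    for key, allowed in perm.get("params", {}).items():
        if req.get("params", {}).get(key) not in allowed:
            return False
    return True


def is_allowed(user, req, permissions, user_roles):
    """First matching permission decides; an unmatched request is allowed,
    which is why a catch-all "all" permission at the end matters."""
    roles = set(user_roles.get(user, []))
    for perm in permissions:
        if _matches(perm, req):
            wanted = perm["role"] if isinstance(perm["role"], list) else [perm["role"]]
            return "*" in wanted or bool(roles & set(wanted))
    return True


# Constructed sample: simplified "read" and "all", then collection-mgr before "read".
PERMISSIONS = set_permission(
    [{"name": "read", "path": "/select", "role": "*"}, {"name": "all", "role": "admin"}],
    {"name": "collection-mgr", "collection": None, "path": "/admin/collections",
     "params": {"action": ["LIST", "CREATE"]}, "role": "admin"},
    before="read")
# The set-user-role example: solr gets admin and dev, harry loses all roles.
USER_ROLES = set_user_role({"harry": ["dev"]}, {"solr": ["admin", "dev"], "harry": None})
LIST_REQ = {"path": "/admin/collections", "params": {"action": "LIST"}}
DELETE_REQ = {"path": "/admin/collections", "params": {"action": "DELETE"}}
QUERY_REQ = {"path": "/select", "collection": "mycollection"}
```

Running the same query through a dev-only /select permission appended after "read" shows why "before" matters: the earlier wildcard "read" permission still wins.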

Enabling SSL

Both SolrCloud and single-node Solr can encrypt communications to and from clients, and between SolrCloud nodes, using SSL. This section describes an example of enabling SSL in the Jetty server using a self-signed certificate.
See http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/ for an introduction to SSL certificates and keys.

This section covers the following:
● Basic SSL setup: generate a self-signed certificate and a key; convert the certificate and key to PEM format for use with curl; set common SSL-related system properties; run single-node Solr using SSL
● SolrCloud: configure ZooKeeper; run SolrCloud with SSL
● Example client actions: create a SolrCloud collection using bin/solr; retrieve SolrCloud cluster status using curl; index documents using post.jar; query using curl; index a document using CloudSolrClient

Basic SSL Setup

Generate a self-signed certificate and a key

To generate a self-signed certificate and a single key that will be used to authenticate both the server and the client, we will use the JDK keytool command and create a separate keystore. This keystore will also be used as the truststore below. It is possible to use the keystore that comes with the JDK for these purposes, and to use a separate truststore, but those options are not covered here.

Run the commands below in the server/etc/ directory of the binary Solr distribution. It is assumed that you have the JDK keytool utility in your PATH, and that openssl is also in your PATH. See https://www.openssl.org/related/binaries for OpenSSL binaries.

The "-ext SAN=..." keytool option allows you to specify all the DNS names and/or IP addresses that will be allowed during hostname verification (but see below for how to skip hostname verification between Solr nodes, so that you do not have to specify all hosts here). In addition to localhost and 127.0.0.1, this example includes the LAN IP address 192.168.1.3 of the machine running Solr:

keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.jks -ext SAN=DNS:localhost,IP:192.168.1.3,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country"

The above command will create a keystore file named solr-ssl.keystore.jks in the current directory.


Convert the certificate and key to PEM format for use with curl

curl is not able to use JKS formatted keystores, so the JKS keystore needs to be converted to PEM format, which curl understands.
First, convert the JKS keystore into PKCS12 format using keytool:
keytool -importkeystore -srckeystore solr-ssl.keystore.jks -destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype pkcs12
The keytool application will prompt you to create a destination keystore password and for the source keystore password, which was set when the keystore was created ("secret" in the example above).
Next, convert the PKCS12 format keystore, including both the certificate and the key, into PEM format using the openssl command:
openssl pkcs12 -in solr-ssl.keystore.p12 -out solr-ssl.pem
If you want to use curl on OS X Yosemite (10.10), you need to create a certificate-only version of the PEM format, as follows:
openssl pkcs12 -nokeys -in solr-ssl.keystore.p12 -out solr-ssl.cacert.pem
Set common SSL-related system properties

The Solr start script already sets SSL-related Java system properties and passes them to the JVM. To activate the SSL settings, uncomment and update the set of properties beginning with SOLR_SSL_* in bin/solr.in.sh (or bin\solr.in.cmd on Windows). Note that if you set up Solr as a service on Linux using the steps outlined in Taking Solr to Production, make these changes in /var/solr/solr.in.sh instead.

bin/solr.in.sh example SOLR_SSL_* configuration:
SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD=secret
SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_TRUST_STORE_PASSWORD=secret
# Require clients to authenticate
SOLR_SSL_NEED_CLIENT_AUTH=false
# Enable clients to authenticate (but not require)
SOLR_SSL_WANT_CLIENT_AUTH=false

When you start Solr, the bin/solr script includes the settings in bin/solr.in.sh and passes these SSL-related system properties to the JVM.

Note on the client authentication settings:
Enable either SOLR_SSL_NEED_CLIENT_AUTH or SOLR_SSL_WANT_CLIENT_AUTH, but not both at the same time. They are mutually exclusive, and Jetty will select one of them, which may not be the one you expect.

Similarly, when you start Solr on Windows, the bin\solr.cmd script includes the settings in bin\solr.in.cmd and passes these SSL-related system properties to the JVM.

bin\solr.in.cmd example SOLR_SSL_* configuration:
set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
set SOLR_SSL_KEY_STORE_PASSWORD=secret
set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE_PASSWORD=secret
REM Require clients to authenticate
set SOLR_SSL_NEED_CLIENT_AUTH=false
REM Enable clients to authenticate (but not require)
set SOLR_SSL_WANT_CLIENT_AUTH=false


Run single-node Solr using SSL

Start Solr using a command like the following; by default, clients are not required to authenticate:
*nix command: bin/solr -p 8984
Windows command: bin\solr.cmd -p 8984

SolrCloud

This section describes how to run a two-node SolrCloud cluster with no initial collections and a single-node external ZooKeeper. The commands below assume that you have already created the keystore described above.

Configure ZooKeeper

Before you start any SolrCloud nodes, you must configure your Solr cluster properties in ZooKeeper, so that the Solr nodes know to communicate via SSL.
This section assumes that you have created and started a single-node external ZooKeeper on localhost port 2181 (see Setting Up an External ZooKeeper Ensemble).
The cluster-wide urlScheme property needs to be set to https before any Solr node is started. The example below uses the zkcli tool that comes with the binary Solr distribution:
*nix command: server/scripts/cloud-scripts/zkcli.sh -zkhost localhost:2181 -cmd clusterprop -name urlScheme -val https
Windows command: server\scripts\cloud-scripts\zkcli.bat -zkhost localhost:2181 -cmd clusterprop -name urlScheme -val https
If you have set up your ZooKeeper cluster to use a chroot for Solr, make sure you use the correct zkhost string with zkcli, e.g. -zkhost localhost:2181/solr.

Run SolrCloud with SSL

Create Solr home directories for two nodes

Create two copies of the server/solr/ directory, which will serve as the Solr home directories for the two SolrCloud nodes:
*nix commands:
mkdir cloud
cp -r server/solr cloud/node1
cp -r server/solr cloud/node2

Windows commands:
mkdir cloud
xcopy /E server\solr cloud\node1\
xcopy /E server\solr cloud\node2\

Start the first Solr node

Next, start the first Solr node on port 8984. Be sure to stop the standalone server first if you started it while working through the earlier section on this page.
*nix command
bin/solr -cloud -s cloud/node1 -z localhost:2181 -p 8984
Windows command
bin\solr.cmd -cloud -s cloud\node1 -z localhost:2181 -p 8984
Note that the -s option sets the location of the Solr home directory to node1.
If you created your SSL key without all the DNS names/IP addresses on which Solr nodes will run, you can tell Solr to skip hostname verification for inter-Solr-node communication by setting the solr.ssl.checkPeerName system property to false:
*nix command
bin/solr -cloud -s cloud/node1 -z localhost:2181 -p 8984 -Dsolr.ssl.checkPeerName=false
Windows command
bin\solr.cmd -cloud -s cloud\node1 -z localhost:2181 -p 8984 -Dsolr.ssl.checkPeerName=false

Start the second Solr node

Finally, start the second Solr node on port 7574; again, to skip hostname verification, add -Dsolr.ssl.checkPeerName=false:
*nix command
bin/solr -cloud -s cloud/node2 -z localhost:2181 -p 7574
Windows command
bin\solr.cmd -cloud -s cloud\node2 -z localhost:2181 -p 7574


Example Client Actions

Create a SolrCloud collection using bin/solr

Create a 2-shard, replicationFactor=1 collection named mycollection using the default configset (data_driven_schema_configs):
*nix command
bin/solr create -c mycollection -shards 2
Windows command
bin\solr.cmd create -c mycollection -shards 2
The create action passes the SOLR_SSL_* properties set in your include file to the SolrJ code used to create the collection.

Retrieve SolrCloud cluster status using curl

To get the cluster status (remove the -E solr-ssl.pem:secret option if you have not enabled client authentication):
curl -E solr-ssl.pem:secret --cacert solr-ssl.pem "https://localhost:8984/solr/admin/collections?action=CLUSTERSTATUS&wt=json&indent=on"
You should get a response like this:
{
  "responseHeader": {"status": 0, "QTime": 2041},
  "cluster": {
    "collections": {
      "mycollection": {
        "shards": {
          "shard1": {
            "range": "80000000-ffffffff",
            "state": "active",
            "replicas": {
              "core_node1": {
                "state": "active",
                "base_url": "https://127.0.0.1:8984/solr",
                "core": "mycollection_shard1_replica1",
                "node_name": "127.0.0.1:8984_solr",
                "leader": "true"}}},
          "shard2": {
            "range": "0-7fffffff",
            "state": "active",
            "replicas": {
              "core_node2": {
                "state": "active",
                "base_url": "https://127.0.0.1:7574/solr",
                "core": "mycollection_shard2_replica1",
                "node_name": "127.0.0.1:7574_solr",
                "leader": "true"}}}},
        "maxShardsPerNode": "1",
        "router": {"name": "compositeId"},
        "replicationFactor": "1"}},
    "properties": {"urlScheme": "https"}}}
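A practical check after the ZooKeeper urlScheme step is to confirm from the CLUSTERSTATUS response that every replica really advertises an https base_url. The following is an added example, not part of the original page; the JSON is a constructed sample shaped like the response above, and replica_hosts lists the host:port values that the certificate's SAN list would need to cover if solr.ssl.checkPeerName is left enabled.

```python
"""Check a CLUSTERSTATUS response for SSL consistency (added example)."""
import json
from urllib.parse import urlsplit

# Constructed sample shaped like the response above.
CLUSTERSTATUS = json.dumps({
    "responseHeader": {"status": 0, "QTime": 2041},
    "cluster": {
        "collections": {"mycollection": {"shards": {
            "shard1": {"range": "80000000-ffffffff", "state": "active", "replicas": {
                "core_node1": {"state": "active", "base_url": "https://127.0.0.1:8984/solr",
                               "core": "mycollection_shard1_replica1",
                               "node_name": "127.0.0.1:8984_solr", "leader": "true"}}},
            "shard2": {"range": "0-7fffffff", "state": "active", "replicas": {
                "core_node2": {"state": "active", "base_url": "https://127.0.0.1:7574/solr",
                               "core": "mycollection_shard2_replica1",
                               "node_name": "127.0.0.1:7574_solr", "leader": "true"}}}},
            "maxShardsPerNode": "1", "router": {"name": "compositeId"},
            "replicationFactor": "1"}},
        "properties": {"urlScheme": "https"}}})


def ssl_findings(clusterstatus_json):
    """Return a list of problems; empty means the cluster-wide urlScheme is
    https and every replica's base_url uses https."""
    cluster = json.loads(clusterstatus_json)["cluster"]
    problems = []
    if cluster.get("properties", {}).get("urlScheme") != "https":
        problems.append("cluster property urlScheme is not https")
    for cname, coll in cluster["collections"].items():
        for sname, shard in coll["shards"].items():
            for rname, rep in shard["replicas"].items():
                scheme = urlsplit(rep["base_url"]).scheme
                if scheme != "https":
                    problems.append(f"{cname}/{sname}/{rname} uses {scheme}: {rep['base_url']}")
    return problems


def replica_hosts(clusterstatus_json):
    """Sorted host:port values advertised by replicas; compare these with the
    SAN entries in the keystore certificate when hostname checking is on."""
    hosts = set()
    for coll in json.loads(clusterstatus_json)["cluster"]["collections"].values():
        for shard in coll["shards"].values():
            for rep in shard["replicas"].values():
                hosts.add(urlsplit(rep["base_url"]).netloc)
    return sorted(hosts)
```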
Index documents using post.jar

Use post.jar to index some example documents into the SolrCloud collection created above:
cd example/exampledocs
java -Djavax.net.ssl.keyStorePassword=secret -Djavax.net.ssl.keyStore=../../server/etc/solr-ssl.keystore.jks -Djavax.net.ssl.trustStore=../../server/etc/solr-ssl.keystore.jks -Djavax.net.ssl.trustStorePassword=secret -Durl=https://localhost:8984/solr/mycollection/update -jar post.jar *.xml
Query using curl

Use curl to query the SolrCloud collection created above, from a directory containing the PEM formatted certificate and key created above (such as example/etc/). If you have not enabled client authentication (system property -Djetty.ssl.clientAuth=true), then you can remove the -E solr-ssl.pem:secret option:
curl -E solr-ssl.pem:secret --cacert solr-ssl.pem "https://localhost:8984/solr/mycollection/select?q=*:*&wt=json&indent=on"

Index a document using CloudSolrClient

To connect using SolrJ and index a document, use code like the following. Here the javax.net.ssl.* system properties are set inside the program, but they could instead be set on the Java command line, as in the post.jar example above.

import org.apache.solr.client.solrj.impl.CloudSolrClient;
import org.apache.solr.common.SolrInputDocument;

// Keystore and truststore used by the SolrJ client (same JKS file as the server)
System.setProperty("javax.net.ssl.keyStore", "/path/to/solr-ssl.keystore.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "secret");
System.setProperty("javax.net.ssl.trustStore", "/path/to/solr-ssl.keystore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "secret");
// Connect through ZooKeeper, which carries the urlScheme=https cluster property
String zkHost = "127.0.0.1:2181";
CloudSolrClient server = new CloudSolrClient(zkHost);
server.setDefaultCollection("mycollection");
SolrInputDocument doc = new SolrInputDocument();
doc.addField("id", "1234");
doc.addField("name", "A lovely summer holiday");
server.add(doc);
server.commit();


