用KeyCloak确保Solr Admin仪表板作为IDP
我们正在尝试保护Solr 8.11仪表板。在这种情况下,KeyCloak用作IDP。所有查询(选择,更新等)都应在没有任何登录屏幕的情况下访问。
solr Security.xml看起来像这样:
{
"authentication":{
"class": "solr.JWTAuthPlugin",
"blockUnknown": false,
"scope": "openid",
"wellKnownUrl": "http://keycloak.fqdn.com:8080/auth/realms/My-Realm/.well-known/openid-configuration",
"clientId": "Solr-auth",
"rolesClaim": "roles"
},
"authorization":{
"class":"solr.ExternalRoleRuleBasedAuthorizationPlugin",
"permissions":[{"name":"core-admin-read",
"role":"profile"}]
}
}
这是迄今为止的工作,但似乎还不太正确。请注意我必须如何将“配置文件”指定为角色。如果我将“ solr-admin”作为角色,我在登录时从solr中获得以下错误消息:
The principal JWTPrincipalWithUserRoles{username='******************************', token='*****', claims={exp=1651702368, iat=1651680768, auth_time=1651680768, jti=************************************, iss=http://keycloak.fqdn.com:8080/auth/realms/My-Realm, aud=account, sub=********************************, typ=Bearer, azp=Solr-auth, nonce==************************************,, session_state==************************************,, acr=1, allowed-origins=[http://solr.fqdn.com:9991], realm_access={roles=[MyCustomRole1,MyCustomRole2, MyCustomRole3, solr-admin, MyCustomRole4]}, resource_access={account={roles=[manage-account, manage-account-links, view-profile]}}, scope=openid profile email, email_verified=false, preferred_username=testuser, [email protected]}, roles=[profile, email]} does not have the right role
我的用户(Testuser)已将其分配给一些不同的角色。 (就像mycustomrole1一样)我还创建了角色“ solr-admin”,并将我的用户分配给了这个角色。但是以某种方式,JWT令牌中有“角色= [profile,email]”。因此,我必须将配置文件或电子邮件发送到Solr Security.xml中。每个KeyCloak用户都是两个角色的成员。
是否有一种方法,如果Security.xml具有solr-admin而不是配置文件作为角色名称,solr允许登录?
We're trying to secure the Solr 8.11 Dashboard. KeyCloak serves as an IDP in this case. All Querys (SELECT, UPDATE, etc.) should be accessible without any Login screen.
The Solr Security.xml looks like this:
{
"authentication":{
"class": "solr.JWTAuthPlugin",
"blockUnknown": false,
"scope": "openid",
"wellKnownUrl": "http://keycloak.fqdn.com:8080/auth/realms/My-Realm/.well-known/openid-configuration",
"clientId": "Solr-auth",
"rolesClaim": "roles"
},
"authorization":{
"class":"solr.ExternalRoleRuleBasedAuthorizationPlugin",
"permissions":[{"name":"core-admin-read",
"role":"profile"}]
}
}
This works so far but does not seem quite right. Notice how I had to specify "profile" as a Role. If I put "solr-admin" as a Role I get the following Error Message from Solr when logging in:
The principal JWTPrincipalWithUserRoles{username='******************************', token='*****', claims={exp=1651702368, iat=1651680768, auth_time=1651680768, jti=************************************, iss=http://keycloak.fqdn.com:8080/auth/realms/My-Realm, aud=account, sub=********************************, typ=Bearer, azp=Solr-auth, nonce==************************************,, session_state==************************************,, acr=1, allowed-origins=[http://solr.fqdn.com:9991], realm_access={roles=[MyCustomRole1,MyCustomRole2, MyCustomRole3, solr-admin, MyCustomRole4]}, resource_access={account={roles=[manage-account, manage-account-links, view-profile]}}, scope=openid profile email, email_verified=false, preferred_username=testuser, [email protected]}, roles=[profile, email]} does not have the right role
My User (testuser) has been assigned to a few different Roles. (Like MyCustomRole1) I've also created the Role "solr-admin" and assigned my User to this role. But somehow the JWT Token has "roles=[profile, email]" in it. So I have to put profile or email into the Solr security.xml. Every KeyCloak User is a Member of both Roles.
Is there a way so that Solr allows a Login if the Security.xml has solr-admin instead of profile as the Role name?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论