lucene-solr-user mailing list archives

From a...@sigil.red
Subject Re: solr 7.7+ admin ui inaccessible with BasicAuthPlugin+RuleBasedAuthorizationPlugin
Date Sun, 24 Mar 2019 11:06:01 GMT
Thanks for investigating! I really appreciate the quick response.

I've created the jiras:

* https://issues.apache.org/jira/browse/SOLR-13344 for the AdminGui issue
* https://issues.apache.org/jira/browse/SOLR-13345 for the empty passwords

> if we allow creation of user with empty pw
I'd note that the user was not created via any API. Our CI basically 
dumps the pre-generated security config into the server/solr folder. 
This configuration option is very convenient and I hope this will remain 
supported :)

Best regards


On 24/03/2019 12:24, Jan Høydahl wrote:
> Thanks. Looks like the «all» permission actually blocks access to the 
> AdminGui servlet so we won’t even serve the static UI files :)
>
> Please open a JIRA issue for this.
>
> You can open another JIRA for the “empty password” issue. We should be 
> consistent so if we allow creation of user with empty pw then it 
> should be possible to enter it. Or we could disallow empty pw in the 
> API :)
>
> Jan Høydahl
>
>> 23. mar. 2019 kl. 18:37 skrev anon@sigil.red:
>>
>> Hi
>>
>> Here is the curl:
>>> $ curl -I http://localhost:8080/solr/
>>> HTTP/1.1 401 Unauthorized request, Response code: 401
>>> Cache-Control: must-revalidate,no-cache,no-store
>>> Content-Type: text/html;charset=iso-8859-1
>>> Content-Length: 299
>> And the screenshot: https://i.imgur.com/PMTE3nR.png
>>
>> I'll also note that it's wonderfully easy to reproduce:
>> 1. unpack solr-8.0.0.zip
>> 2. copy the security.json example from 
>> https://lucene.apache.org/solr/guide/7_7/basic-authentication-plugin.html 
>> into server/solr/ and replace "name":"security-edit" with "name":"all"
>> 3. start with bin/solr -f -p 8080
>> 4. open http://localhost:8080/
>>
>> Thanks for looking into it!
>>
>> Best regards
>>
>>
>>> On 23/03/2019 19:03, Jan Høydahl wrote:
>>> Hi
>>>
>>> Can you take a screenshot of the 401 error page you see (without 
>>> login form)?
>>>
>>> Also, perhaps you could do a curl -I (show headers) request to your 
>>> Solr and show what headers that Solr returns instead of the 
>>> www-authenticate header?
>>>
>>> Jan
>>>
>>>> 23. mar. 2019 kl. 15:34 skrev anon@sigil.red:
>>>>
>>>> Hi
>>>>
>>>> SOLR-7896 made some changes to the admin ui login. After the 
>>>> changes I can no longer log in at all.
>>>>
>>>> I'm running standalone solr 7.7 (same with 8.0) with the following 
>>>> security.json:
>>>>
>>>>> {
>>>>>   "authentication": {
>>>>>     "class": "solr.BasicAuthPlugin",
>>>>>     "blockUnknown": true,
>>>>>     "credentials": {
>>>>>       "solr": "<hash for empty password string>"
>>>>>     }
>>>>>   },
>>>>>   "authorization": {
>>>>>     "class": "solr.RuleBasedAuthorizationPlugin",
>>>>>     "permissions": [
>>>>>       {
>>>>>         "name": "all",
>>>>>         "role": "admin"
>>>>>       }
>>>>>     ],
>>>>>     "user-role": {
>>>>>       "solr": "admin"
>>>>>     }
>>>>>   }
>>>>> }
>>>> Opening the UI at http://localhost:8080/solr/ shows an error page 
>>>> with 401. The login page is not displayed because of the "all" 
>>>> permission being required. The browser's basic auth popup is not 
>>>> shown because the WWW-Authenticate header is not present. Changing 
>>>> the RuleBasedAuthorizationPlugin required permission from "all" to 
>>>> "security-edit" makes the login page appear.
>>>>
>>>> The above basic auth + "all" permission was working ok with solr 
>>>> 7.5, but no longer works with 7.7+. Is this behaviour intended 
>>>> and/or documented?
>>>>
>>>> Another issue is with using empty password strings. This used to 
>>>> work with the browser's native basic auth, but not by the login 
>>>> page ("Password is required" error). Is there some way to use an 
>>>> empty password with the login page? If not, is there a way to 
>>>> continue using the browser's native basic auth?
>>>>
>>>> Best regards
>>>>

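As an added example (not code from this thread or from the Solr project), the following audit flags the "empty password" situation raised above (SOLR-13345) in a security.json before it is dropped into server/solr. It assumes Solr's BasicAuthPlugin credential format is base64(sha256(sha256(salt || utf8(password)))) followed by a space and the base64 salt; the security.json it checks is constructed here, modelled on the one quoted in the thread.

```python
import base64
import hashlib
import json
import os


def solr_sha256(password: str, salt_b64: str) -> str:
    """Assumed Solr scheme: base64(sha256(sha256(salt || utf8(password))))."""
    salt = base64.b64decode(salt_b64)
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(hashlib.sha256(inner).digest()).decode("ascii")


def solr_credential(password: str, salt: bytes = b"") -> str:
    """Build a security.json credential value: '<hash-b64> <salt-b64>'."""
    salt_b64 = base64.b64encode(salt or os.urandom(32)).decode("ascii")
    return f"{solr_sha256(password, salt_b64)} {salt_b64}"


def matches_password(credential: str, password: str) -> bool:
    """True if the stored '<hash> <salt>' credential was derived from password."""
    hash_b64, salt_b64 = credential.split(" ", 1)
    return solr_sha256(password, salt_b64) == hash_b64


def audit_security_json(text: str) -> list:
    """Return findings: credentials equal to the empty password, blockUnknown off."""
    doc = json.loads(text)
    auth = doc.get("authentication", {})
    findings = []
    if not auth.get("blockUnknown", False):
        findings.append("blockUnknown is not true: unauthenticated requests pass")
    for user, cred in auth.get("credentials", {}).items():
        if " " not in cred:
            findings.append(f"user {user!r}: credential is not '<hash> <salt>'")
        elif matches_password(cred, ""):
            findings.append(f"user {user!r}: credential is the empty password")
    return findings


# Constructed sample modelled on the thread's security.json; the credential is
# generated here for the empty string rather than copied from the page.
SAMPLE_SECURITY_JSON = json.dumps({
    "authentication": {
        "class": "solr.BasicAuthPlugin",
        "blockUnknown": True,
        "credentials": {"solr": solr_credential("")},
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [{"name": "all", "role": "admin"}],
        "user-role": {"solr": "admin"},
    },
})
```

Running audit_security_json over the sample reports the solr user's empty password; a file whose credentials all map to non-empty passwords and that sets blockUnknown to true yields no findings.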