lucene-solr-user mailing list archives

From Jan Høydahl <jan....@cominvent.com>
Subject Re: solr 7.7+ admin ui inaccessible with BasicAuthPlugin+RuleBasedAuthorizationPlugin
Date Sun, 24 Mar 2019 10:24:04 GMT
Thanks. Looks like the «all» permission actually blocks access to the AdminGui servlet so
we won’t even serve the static UI files :)

Please open a JIRA issue for this.

You can open another JIRA for the “empty password” issue. We should be consistent so if
we allow creation of user with empty pw then it should be possible to enter it. Or we could
disallow empty pw in the API :)

Jan Høydahl

> 23. mar. 2019 kl. 18:37 skrev anon@sigil.red:
> 
> Hi
> 
> Here is the curl:
>> $ curl -I http://localhost:8080/solr/
>> HTTP/1.1 401 Unauthorized request, Response code: 401
>> Cache-Control: must-revalidate,no-cache,no-store
>> Content-Type: text/html;charset=iso-8859-1
>> Content-Length: 299
> And the screenshot: https://i.imgur.com/PMTE3nR.png
> 
> I'll also note that it's wonderfully easy to reproduce:
> 1. unpack solr-8.0.0.zip
> 2. copy the security.json example from https://lucene.apache.org/solr/guide/7_7/basic-authentication-plugin.html
>    into server/solr/ and replace "name":"security-edit" with "name":"all"
> 3. start with bin/solr -f -p 8080
> 4. open http://localhost:8080/
> 
> Thanks for looking into it!
> 
> Best regards
> 
> 
>> On 23/03/2019 19:03, Jan Høydahl wrote:
>> Hi
>> 
>> Can you take a screenshot of the 401 error page you see (without login form)?
>> 
>> Also, perhaps you could do a curl -I (show headers) request to your Solr and show
>> what headers that Solr returns instead of the www-authenticate header?
>> 
>> Jan
>> 
>>> 23. mar. 2019 kl. 15:34 skrev anon@sigil.red:
>>> 
>>> Hi
>>> 
>>> SOLR-7896 made some changes to the admin ui login. After the changes I can no
>>> longer log in at all.
>>> 
>>> I'm running standalone solr 7.7 (same with 8.0) with the following security.json:
>>> 
>>>> {
>>>>   "authentication": {
>>>>     "class": "solr.BasicAuthPlugin",
>>>>     "blockUnknown": true,
>>>>     "credentials": {
>>>>       "solr": "<hash for empty password string>"
>>>>     }
>>>>   },
>>>>   "authorization": {
>>>>     "class": "solr.RuleBasedAuthorizationPlugin",
>>>>     "permissions": [
>>>>       {
>>>>         "name": "all",
>>>>         "role": "admin"
>>>>       }
>>>>     ],
>>>>     "user-role": {
>>>>       "solr": "admin"
>>>>     }
>>>>   }
>>>> }
>>> Opening the UI at http://localhost:8080/solr/ shows an error page with 401. The
>>> login page is not displayed because of the "all" permission being required. The browser's
>>> basic auth popup is not shown because the WWW-Authenticate header is not present. Changing
>>> the RuleBasedAuthorizationPlugin required permission from "all" to "security-edit" makes the
>>> login page appear.
>>> 
>>> The above basic auth + "all" permission was working ok with solr 7.5, but no
>>> longer works with 7.7+. Is this behaviour intended and/or documented?
>>> 
>>> Another issue is with using empty password strings. This used to work with the
>>> browser's native basic auth, but not by the login page ("Password is required" error). Is
>>> there some way to use an empty password with the login page? If not, is there a way to continue
>>> using the browser's native basic auth?
>>> 
>>> Best regards
>>> 
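
An added example (not part of the thread and not Solr project code): a Python audit of a security.json for the two conditions discussed above, plus a check of `curl -I` output for a 401 that lacks WWW-Authenticate. The function names and the sample salt are hypothetical, and the credential layout used in `solr_hash` is an assumption about how BasicAuthPlugin stores credentials.

```python
import base64, hashlib, json

def solr_hash(password, salt):
    # ASSUMPTION: "base64(sha256(sha256(salt + password))) base64(salt)" layout.
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    digest = hashlib.sha256(inner).digest()
    return base64.b64encode(digest).decode() + " " + base64.b64encode(salt).decode()

def audit_security_json(text):
    """Return findings for the two conditions discussed in this thread."""
    cfg = json.loads(text)
    findings = []
    creds = cfg.get("authentication", {}).get("credentials", {})
    for user, cred in creds.items():
        parts = cred.split()
        try:
            salt = base64.b64decode(parts[1], validate=True)
        except (IndexError, ValueError):
            continue  # not in the assumed "hash salt" form
        if solr_hash("", salt) == " ".join(parts):
            findings.append(f"user {user!r} has an empty password")
    for perm in cfg.get("authorization", {}).get("permissions", []):
        if perm.get("name") == "all" and perm.get("role"):
            findings.append(f'"all" requires role {perm["role"]!r}: every request, '
                            "including the Admin UI pages, needs authorization")
    return findings

def missing_challenge(head_output):
    """True if a `curl -I` response is a 401 without WWW-Authenticate."""
    lines = head_output.strip().splitlines()
    status = lines[0].split()[1]
    names = {l.split(":", 1)[0].strip().lower() for l in lines[1:] if ":" in l}
    return status == "401" and "www-authenticate" not in names

# Constructed sample config mirroring the one in the thread.
SAMPLE_CONFIG = json.dumps({
    "authentication": {"class": "solr.BasicAuthPlugin", "blockUnknown": True,
                       "credentials": {"solr": solr_hash("", b"constructed-salt")}},
    "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
                      "permissions": [{"name": "all", "role": "admin"}],
                      "user-role": {"solr": "admin"}}})
# Response headers as quoted in the thread.
SAMPLE_HEAD = """HTTP/1.1 401 Unauthorized request, Response code: 401
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 299"""

if __name__ == "__main__":
    print(audit_security_json(SAMPLE_CONFIG))
    print(missing_challenge(SAMPLE_HEAD))
```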
