[
https://issues.apache.org/jira/browse/SOLR-13344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16806019#comment-16806019
]
Jan Høydahl commented on SOLR-13344:
------------------------------------
For sure we have special handling for admin, see
[https://github.com/apache/lucene-solr/blob/6222abf4480ee15bad2e67942263f563ce5ee434/solr/core/src/java/org/apache/solr/servlet/SolrDispatchFilter.java#L468]
but that is only for auth. What we lacked is the same exception for authz. See
[GitHub Pull Request #630|https://github.com/apache/lucene-solr/pull/630] for a
simple fix.
Perhaps it could have been handled another place in the code, but this is
exactly how it is done to expose /admin/info/key.
Appreciate your review [~gerlowskija]. I have tested locally and with the patch
the Admin loads and presents the login dialogue.
> Admin UI inaccessible with RuleBasedAuthorizationPlugin
> -------------------------------------------------------
>
> Key: SOLR-13344
> URL: https://issues.apache.org/jira/browse/SOLR-13344
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Admin UI, Authentication
> Affects Versions: 7.7, 8.0
> Reporter: Märt
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> SOLR-7896 made some changes to the admin ui login. After the changes I can no
> longer log in at all.
> I'm running standalone solr 7.7 (same with 8.0) with the following
> security.json:
> {code}
> {
> "authentication": {
> "class": "solr.BasicAuthPlugin",
> "blockUnknown": true,
> "credentials": {
> "solr": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
> Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="
> },
> },
> "authorization": {
> "class": "solr.RuleBasedAuthorizationPlugin",
> "permissions": [
> {
> "name": "all",
> "role": "admin"
> }
> ],
> "user-role": {
> "solr": "admin"
> }
> }
> }
> {code}
> Opening the UI at http://localhost:8080/solr/ shows an error page with 401.
> The login page is not displayed because of the "all" permission being
> required. The browser's basic auth popup is not shown because the
> WWW-Authenticate header is not present. Changing the
> RuleBasedAuthorizationPlugin required permission from "all" to
> "security-edit" makes the login page appear.
> The bug can be reproduced as follows:
> # unpack solr-8.0.0.zip
> # copy the security.json example from
> https://lucene.apache.org/solr/guide/7_7/basic-authentication-plugin.html
> into server/solr/ and replace "name":"security-edit" with "name":"all"
> # start with bin/solr -f -p 8080
> # open http://localhost:8080/
> The bug was discussed on solr-user list
> http://mail-archives.apache.org/mod_mbox/lucene-solr-user/201903.mbox/%3C7629BDDD-3D22-4203-9188-0E0A8DCF2FEE%40cominvent.com%3E
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
