[ https://issues.apache.org/jira/browse/SOLR-17659?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17925323#comment-17925323 ]
Jan Høydahl commented on SOLR-17659:
------------------------------------

This is an exciting part of the UI, and I see where you're coming from, Gus. But before we dive deep into your proposals, let's make clear the scope of the first version of the new UI.

The new UI is a client side application which hits Solr's normal REST APIs. There is no dedicated admin-UI backend component/servlet, thus any authentication that can be done on top of existing Solr backend must use Solr's existing auth capabilities, and each and every call from the UI app must carry the "Authorization" header. There is really no "login" or "logout" or session. Thus I think the scope of supporting BasicAuth only from the get-go is a good one.

I feel your pain, Gus, about Solr's home-made auth framework. It would be nice to have a better version, but it's a totally separate effort.

Wrt the JWT and OIDC auth, it is currently implemented on the client side (JS) and the browser keeps a long-lived bearer token. It is not the best solution, and we should really not go that direction with the new UI. Ideally we should have a new ui-backend servlet that takes care of code-flow with client-secret, session handling, issuing cookie to the new UI etc. Such a servlet should ideally take all UI traffic and proxy it to the Solr APIs, and it should be deployable either on a normal Solr node or on a dedicated UI backend node (using node roles). Such a UI backend could then de-couple human auth methods from the auth necessary to implement on solr backends, and even if a user logs in with OIDC to the UI backend, the requests sent to the solr nodes could use a different auth, such as mTLS or basicAuth.
> Implement basic authentication in Admin UI
> ------------------------------------------
>
> Key: SOLR-17659
> URL: https://issues.apache.org/jira/browse/SOLR-17659
> Project: Solr
> Issue Type: New Feature
> Components: Admin UI
> Reporter: Christos Malliaridis
> Priority: Major
> Labels: new-ui, ui
>
> In the new UI one of the key features that is not implemented yet is user
> authentication. In order to secure and securely access Solr, the user should
> be able to authenticate against a Solr instance with basic credentials.
> h2. Task
> Implement basic user authentication (with credentials) according to the [new
> designs|https://www.figma.com/design/VdbEfcWQ8mirFNquBzbPk2/Apache-Solr-Admin-UI-v2-Concept?node-id=1190-388&t=vMgOa9QlzQZSdjLf-1].
> h2. Acceptance Criteria
> - The user can access a Solr instance that has user authentication enabled
> - The user can at least authenticate with credentials (basic auth)
> - The credentials form is displayed after the user has established a
> connection with a Solr instance, that is, after a Solr instance was found
> - The user can return to the start screen where the Solr URL was provided, if
> he decides to abort the authentication step
> - The user is no longer redirected to the dashboard or any other screen if
> user authentication is required
> - The credentials are used for any subsequent request
> h2. Additional Information
> The support for additional authentication options does not have to be
> addressed in this issue. If it proves to be straight-forward, feel free to
> implement additional auth options as well.
> The credentials do not have to survive an application restart (desktop).
> Storing credentials securely will be addressed in a separate issue.
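The stateless model discussed above (no login, no session, every call carrying the "Authorization" header, credentials held only until restart), sketched as an added example that is not code from this thread or from the Solr project. The names SolrSession, basicAuthHeader and probe, the injectable fetch, and the default probe path are assumptions of the sketch.

```javascript
// Added example: in-memory Basic auth holder for a client-side UI with no
// server session. All names and the default probe path are assumptions.

// UTF-8 encode first: btoa() alone would emit Latin-1 or throw on non-ASCII input.
function basicAuthHeader(user, password) {
  if (user.includes(":")) throw new Error("user-id must not contain ':' (RFC 7617)");
  const bytes = new TextEncoder().encode(`${user}:${password}`);
  return "Basic " + btoa(String.fromCharCode(...bytes));
}

class SolrSession {
  // fetchImpl is injectable so the class can be exercised without a network.
  constructor(baseUrl, fetchImpl = fetch) {
    this.origin = new URL(baseUrl).origin;
    this.baseUrl = baseUrl.replace(/\/+$/, "");
    this.fetchImpl = fetchImpl;
    this.authorization = null; // memory only: gone on reload or restart
  }

  setCredentials(user, password) {
    this.authorization = basicAuthHeader(user, password);
  }

  // Every call carries the header; there is no session to fall back on.
  async request(path, init = {}) {
    const url = new URL(this.baseUrl + path);
    // Never send credentials to an origin other than the one the user entered.
    if (url.origin !== this.origin) throw new Error("cross-origin request refused");
    const headers = { ...(init.headers || {}) };
    if (this.authorization) headers["Authorization"] = this.authorization;
    const res = await this.fetchImpl(url.href, { ...init, headers, redirect: "error" });
    // A 401 means missing or rejected credentials: forget them, ask again.
    if (res.status === 401) this.authorization = null;
    return res;
  }

  // Tells the UI which screen comes next: dashboard or credentials form.
  async probe(path = "/solr/admin/info/system") {
    const res = await this.request(path);
    if (res.status === 401) return "credentials-required";
    return res.ok ? "ready" : "error";
  }
}
```

Because the header value sits in script-reachable memory for the lifetime of the page, any script running in the UI's origin can read it; that is the same exposure noted above for the long-lived bearer token and is what a proxying UI backend with a cookie session would remove.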