[
https://issues.apache.org/jira/browse/SOLR-17659?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17925377#comment-17925377
]
Gus Heck commented on SOLR-17659:
---------------------------------
What I'm advocating is that unauthenticated users cannot load the browser based
client (application, aka ui) and use it to look for ways we have accidentally
exposed information or features that are not properly protected. The login page
should be a separate app (installed at the root context so it can set
cookies/Authorization/etc that the browser will happily send to /solr /api
etc.).
I'm happy to agree that this ticket only handles Basic Auth but we should do so
in a structure suitable for all [use
cases|https://solr.apache.org/guide/solr/latest/deployment-guide/authentication-and-authorization-plugins.html#enabling-an-authentication-plugin].
That means we need to identify the flows for all use cases and understand how
this form will satisfy them even if we don't create the plumbing to actually do
so. Otherwise we likely wind up with three login forms that have to be
enabled/disabled depending on what's being done, or a spiderweb of code
dispatching on auth type that makes it very difficult to add new auth types
when they come along.
An independent app that establishes auth (either with a form or by redirecting
to an external provider) and then redirects to the /ui context (or provides
that redirect url to the external provider) to load the browser based ui
application hopefully is reusable in all cases (if not I'm of course open to
other solutions).
Friendly 503 pages etc should just use the jetty error page functionality.
Also I think it's fine for this ticket to only cover the UI side of it,
anything that needs to change in core Solr to allow for sanity here can be a
linked ticket.
As a side note I'd expect that if we build it this way it would be easy for the
same login form to
* redirect to the old UI
* redirect to the new UI (config option)
* redirect to a custom UI written by a third party and added in to solr
* redirect to a custom UI written by a third party hosted elsewhere (perhaps
requires some as yet undeveloped proxy magic in cases that rely on basic or
schemes involving cookies?)
> Implement basic authentication in Admin UI
> ------------------------------------------
>
> Key: SOLR-17659
> URL: https://issues.apache.org/jira/browse/SOLR-17659
> Project: Solr
> Issue Type: New Feature
> Components: Admin UI
> Reporter: Christos Malliaridis
> Priority: Major
> Labels: new-ui, ui
>
> In the new UI one of the key features that is not implemented yet is user
> authentication. In order to secure and securily access Solr, the user should
> be able to authenticate against a Solr instance with basic credentials.
> h2. Task
> Implement basic user authentication (with credentials) according to the [new
> designs|https://www.figma.com/design/VdbEfcWQ8mirFNquBzbPk2/Apache-Solr-Admin-UI-v2-Concept?node-id=1190-388&t=vMgOa9QlzQZSdjLf-1].
> h2. Acceptance Criteria
> - The user can access a Solr instance that has user authentication enabled
> - The user can at least authenticate with credentials (basic auth)
> - The credentials form is displayed after the user has established a
> connection with a Solr instance, that is, after a Solr instance was found
> - The user can return to the start screen where the Solr URL was provided, if
> he decides to abort the authentication step
> - The user is no longer redirected to the dashboard or any other screen if
> user authentication is required
> - The credentials are used for any subsequent request
> h2. Additional Information
> The support for additional authentication options does not have to be
> addressed in this issue. If it proves to be straight-forward, feel free to
> implement additional auth options as well.
> The credentials do not have to survive an application restart (desktop).
> Storing credentials securely will be addressed in a separate issue.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
