[ 
https://issues.apache.org/jira/browse/SOLR-17659?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17925765#comment-17925765
 ] 

Jan Høydahl commented on SOLR-17659:
------------------------------------

I think this discussion is derailing the progress for simple BasicAuth support 
in new UI.

Let's keep Solr backend out of this in this phase. This Jira won't change 
anything about the security stance for Solr. The APIs are as secure as they 
always were, and I see no reason whatsoever to try to obscure what APIs a solr 
server has available. We must assume both users and attackers know what Solr is 
and what APIs it has. The Solr backend won't be less secure by adding another 
UI frontend, and it won't be more secure by trying to hide APIs or version info.

Btw - the Solr APIs *do* implement fairly standard auth headers. If you hit any 
Solr endpoint without auth, the server will respond with 401 along with the 
WWW-Authenticate header, which tells the client what auth(s) is enabled on the 
server. And the old UI parses the WWW-Authenticate header to choose what login 
form to display. 

In case of JWT auth enabled, Solr *also* emits [a custom header 
"X-Solr-AuthData"|https://github.com/apache/solr/blob/main/solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTAuthPlugin.java#L850-L862]
 that the UI parses to have enough data for it to handle the OIDC auth flow. 
Since the Admin UI is 100% static it needs to get this from the server.

> Implement basic authentication in Admin UI
> ------------------------------------------
>
>                 Key: SOLR-17659
>                 URL: https://issues.apache.org/jira/browse/SOLR-17659
>             Project: Solr
>          Issue Type: New Feature
>          Components: Admin UI
>            Reporter: Christos Malliaridis
>            Priority: Major
>              Labels: new-ui, ui
>
> In the new UI one of the key features that is not implemented yet is user 
> authentication. In order to secure and securely access Solr, the user should 
> be able to authenticate against a Solr instance with basic credentials.
> h2. Task
> Implement basic user authentication (with credentials) according to the [new 
> designs|https://www.figma.com/design/VdbEfcWQ8mirFNquBzbPk2/Apache-Solr-Admin-UI-v2-Concept?node-id=1190-388&t=vMgOa9QlzQZSdjLf-1].
> h2. Acceptance Criteria
>  - The user can access a Solr instance that has user authentication enabled
>  - The user can at least authenticate with credentials (basic auth)
>  - The credentials form is displayed after the user has established a 
> connection with a Solr instance, that is, after a Solr instance was found
>  - The user can return to the start screen where the Solr URL was provided, 
> if he decides to abort the authentication step
>  - The user is no longer redirected to the dashboard or any other screen if 
> user authentication is required
>  - The credentials are used for any subsequent request
> h2. Additional Information
> The support for additional authentication options does not have to be 
> addressed in this issue. If it proves to be straight-forward, feel free to 
> implement additional auth options as well. Note that additional 
> authentication options will be added later, and therefore, the implementation 
> should be expandable.
> The credentials do not have to survive an application restart (desktop). 
> Storing credentials securely will be addressed in a separate issue.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
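The comment above describes the mechanism the old UI relies on: an unauthenticated request gets a 401 with a WWW-Authenticate header, the UI reads the scheme(s) from that header to pick a login form, and with JWT enabled an extra X-Solr-AuthData header carries what the OIDC flow needs. The following is an added example, not code from the Solr project or from anyone in this thread, sketching that client-side logic in plain JavaScript. It assumes X-Solr-AuthData is base64-encoded JSON (the comment only says the UI parses it), and the realm names, header values and credentials in it are constructed.

```javascript
// Added example (not Solr project code): pick a login form from a 401 response.

// Parse a WWW-Authenticate header (RFC 7235) into a list of challenges, e.g.
// 'Basic realm="solr", Bearer realm="jwt"' ->
// [{scheme:"Basic", params:{realm:"solr"}}, {scheme:"Bearer", params:{realm:"jwt"}}]
// token68 blobs (e.g. "Negotiate abc==") are skipped rather than parsed.
function parseWwwAuthenticate(header) {
  const tokenRe = /"((?:[^"\\]|\\.)*)"|([^\s=,"]+)|(=)|(,)/g;
  const tokens = [];
  let m;
  while ((m = tokenRe.exec(header)) !== null) {
    if (m[1] !== undefined) tokens.push({ type: "quoted", value: m[1].replace(/\\(.)/g, "$1") });
    else if (m[2] !== undefined) tokens.push({ type: "word", value: m[2] });
    else if (m[3] !== undefined) tokens.push({ type: "eq" });
    else tokens.push({ type: "comma" });
  }
  const challenges = [];
  let current = null;
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (t.type === "comma") continue;
    const next = tokens[i + 1];
    if (t.type === "word" && next && next.type === "eq") {
      // key=value parameter belonging to the current challenge
      const value = tokens[i + 2];
      if (current && value && (value.type === "word" || value.type === "quoted")) {
        current.params[t.value.toLowerCase()] = value.value;
      }
      i += 2;
    } else if (t.type === "word") {
      // a bare word starts a new challenge (auth scheme)
      current = { scheme: t.value, params: {} };
      challenges.push(current);
    }
    // stray "=" or quoted strings outside a key=value pair are ignored
  }
  return challenges;
}

// Decode X-Solr-AuthData. ASSUMPTION for this example: base64-encoded JSON.
// A malformed value yields null so the caller can fall back to a simpler form.
function decodeAuthData(value) {
  try {
    return JSON.parse(Buffer.from(value, "base64").toString("utf8"));
  } catch (e) {
    return null;
  }
}

// Decide which login form to show. `headers` is a plain object keyed by
// lower-case header name (e.g. copied from fetch()'s Headers).
function chooseLoginForm(status, headers) {
  if (status !== 401) return { form: "none" };
  const challenges = parseWwwAuthenticate(headers["www-authenticate"] || "");
  const bearer = challenges.find((c) => c.scheme.toLowerCase() === "bearer");
  const basic = challenges.find((c) => c.scheme.toLowerCase() === "basic");
  if (bearer) {
    const raw = headers["x-solr-authdata"];
    const authData = raw ? decodeAuthData(raw) : null;
    // An OIDC redirect needs the IdP details; without them only a
    // paste-a-token form can be offered.
    return {
      form: authData ? "oidc" : "bearer-token",
      realm: bearer.params.realm || null,
      error: bearer.params.error || null,
      authData,
    };
  }
  if (basic) return { form: "basic", realm: basic.params.realm || null };
  // 401 with no scheme the UI understands: stay on the login step, never
  // redirect to the dashboard.
  return { form: "unsupported", schemes: challenges.map((c) => c.scheme) };
}

// Authorization header value for every subsequent request once the user has
// entered Basic credentials. Kept in memory only; persistence is a separate issue.
function basicAuthHeader(username, password) {
  return "Basic " + Buffer.from(`${username}:${password}`, "utf8").toString("base64");
}

// Constructed demo 401 as Solr would send it with Basic auth enabled (realm value made up).
const demo = chooseLoginForm(401, { "www-authenticate": 'Basic realm="solr"' });
console.log(demo); // { form: 'basic', realm: 'solr' }
console.log(basicAuthHeader("solr", "SolrRocks")); // constructed default-style credentials
```

The parser keeps each challenge's parameters separate, so a server advertising both `Basic` and `Bearer` in one header still lets the UI prefer the OIDC flow while keeping the Basic realm available for the fallback form.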
