[ 
https://issues.apache.org/jira/browse/SOLR-17977?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jess Sullivan updated SOLR-17977:
---------------------------------
    Environment: Rancher / RKE2 on Solr 10 in Cloud mode.    (was: Rancher / 
RKE2 on Solr 10 in Cloud mode.  Tested )

>  Admin UI incorrectly shows 'Security not enabled' in SolrCloud with reverse 
> proxies
> ------------------------------------------------------------------------------------
>
>                 Key: SOLR-17977
>                 URL: https://issues.apache.org/jira/browse/SOLR-17977
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Admin UI
>    Affects Versions: 10.0, 10.1
>         Environment: Rancher / RKE2 on Solr 10 in Cloud mode.  
>            Reporter: Jess Sullivan
>            Priority: Trivial
>              Labels: newbie
>
> Hi All,
>  
> I'd like to address / consider if there is additional clarity to be added 
> around BasicAuth detection behind proxies and/or complex k8s ingress service 
> chains in SolrCloud mode for Solr 10 onward.  I've hummed and hawed about 
> trying to open a ticket with this, but I figure as more SolrCloud instances 
> land in Kubernetes behind various proxies and ingresses, assumption is it'd 
> be preferable to handle this slightly more gracefully from the admin UI.   
> My first pass at this can be found here:  
> [https://github.com/apache/solr/compare/main...Jesssullivan:solr:main]
>  
> Admin UI shows 'Security not enabled' when BasicAuth is configured behind 
> reverse proxies because the proxy injects auth headers, making System API return 
> 200 OK instead of 401.  This makes for inaccurate reporting in the UI in 
> CloudMode when basic Auth *is* enabled with common k8s ingress patterns.  
> I think one way to address this would be to add fallback detection methods in 
> security.js for BasicAuth detection: 
>   1. System API check (existing sole Admin UI behavior)
>   2. Security API endpoint check for auth data/WWW-Authenticate headers
>   3. Direct ZooKeeper /security.json verification (cloudmode-specific)
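
The three-step fallback listed in the issue description, sketched as an added JavaScript example (not the code in the linked branch and not Solr's security.js). The `detectBasicAuth` name, the probe object shapes and the sample responses are assumptions constructed for illustration; the `authentication.class` lookup assumes the documented security.json layout.

```javascript
// Added illustration: probe shapes and names are assumptions, not Solr's security.js.
// Each probe is {status, headers, body} as a fetch wrapper might hand it over.
const BASIC_PLUGIN = /BasicAuthPlugin$/;

function header(headers, name) {
  const key = Object.keys(headers || {}).find((k) => k.toLowerCase() === name);
  return key ? String(headers[key]) : "";
}

function isBasic(section) {
  return Boolean(section && BASIC_PLUGIN.test(String(section.class || "")));
}

// Returns {basicAuth: true | false | null, via}; null means no probe gave an answer.
function detectBasicAuth({ system, securityApi, zkSecurityJson } = {}) {
  // 1. Existing check: an unauthenticated System API call is rejected with 401.
  if (system && system.status === 401) return { basicAuth: true, via: "system-api" };

  // 2. Security API: a Basic challenge, or returned auth config naming the plugin.
  if (securityApi) {
    if (/^basic\b/i.test(header(securityApi.headers, "www-authenticate")))
      return { basicAuth: true, via: "security-api-challenge" };
    if (isBasic((securityApi.body || {}).authentication))
      return { basicAuth: true, via: "security-api-config" };
  }

  // 3. Cloud mode: security.json text read from ZooKeeper.
  if (typeof zkSecurityJson === "string") {
    try {
      if (isBasic(JSON.parse(zkSecurityJson).authentication))
        return { basicAuth: true, via: "zookeeper" };
    } catch (err) {
      // Malformed JSON is treated as no evidence rather than as "disabled".
    }
  }

  const answered = [system, securityApi].some((p) => p && p.status === 200);
  return { basicAuth: answered ? false : null, via: answered ? "no-evidence" : "unknown" };
}

// Constructed responses for the case in the issue: the proxy adds credentials, so
// the System API answers 200, while the security config still names the plugin.
const behindProxy = {
  system: { status: 200, headers: {}, body: {} },
  securityApi: { status: 200, headers: {}, body: { authentication: { class: "solr.BasicAuthPlugin" } } },
};
console.log(detectBasicAuth(behindProxy));
```

A `null` result is kept distinct from `false` so a UI can show "could not determine" instead of "Security not enabled" when no probe answered.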


