Jesssullivan opened a new pull request, #3807:
URL: https://github.com/apache/solr/pull/3807
Hi There,
I'd like to address / consider if there is additional clarity to be added
around BasicAuth detection behind proxies and/or complex k8s ingress service
chains in SolrCloud mode for Solr 10 onward. I've hummed and hawed about
opening a ticket with this, but I figure as more SolrCloud instances land in
Kubernetes behind various proxies and ingresses, the general assumption is it'd
be preferable to handle this gracefully from the admin UI.
### Description
Admin UI shows 'Security not enabled' when BasicAuth is configured behind
reverse proxies because the proxy injects auth headers, making the System API
return 200 OK instead of 401. This makes for inaccurate reporting in the UI in
CloudMode when BasicAuth is enabled with common k8s ingress patterns.
### Solution
I think one way to address this would be to add fallback detection methods
in security.js for BasicAuth detection:
1. System API check (existing sole Admin UI behavior)
2. Security API endpoint check for auth data/WWW-Authenticate headers
3. Direct ZooKeeper /security.json verification (cloudmode-specific)
### Tests
Please describe the tests you've developed or run to confirm this patch
implements the feature or solves the problem.
- [ ] I am game to add a test or two; while this deals with the security
functionality of Solr in CloudMode, it is primarily cosmetic. Going to think
on how best to programmatically add a test for each of the two failover
modes without a full-blown e2e test.
### Checklist
Please review the following and check all that apply:
- [x] I have reviewed the guidelines for [How to
Contribute](https://github.com/apache/solr/blob/main/CONTRIBUTING.md) and my
code conforms to the standards described there to the best of my ability.
- [x] I have created a Jira issue and added the issue ID to my pull request
title.
- [x] I have developed this patch against the `main` branch.
- [x] I have run `./gradlew check`.
- [x] I have given Solr maintainers
[access](https://help.github.com/en/articles/allowing-changes-to-a-pull-request-branch-created-from-a-fork)
to contribute to my PR branch. (optional but recommended, not available for
branches on forks living under an organisation)
- [ ] I have added tests for my changes.
- [ ] I have added documentation for the [Reference
Guide](https://github.com/apache/solr/tree/main/solr/solr-ref-guide)
- [x] I have added a [changelog
entry](https://github.com/apache/solr/blob/main/dev-docs/changelog.adoc) for my
change
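The fallback order proposed in the description above, sketched as a pure function over probe results that have already been collected. This is an added example, not code from the pull request or from Solr's security.js; the probe object shape and all function names are hypothetical, and header names are assumed to be lowercased.

```javascript
// Added example. Probe shape {status, headers, body} and all names are hypothetical.
// Header names are assumed to be lowercased by whatever collected the responses.

// True when a security.json-style object configures Solr's BasicAuthPlugin.
function configuresBasicAuth(conf) {
  const auth = conf && conf.authentication;
  const cls = auth && typeof auth.class === "string" ? auth.class : "";
  return /(^|\.)BasicAuthPlugin$/.test(cls);
}

// True when the response is a 401 carrying a Basic challenge. Solr's
// BasicAuthPlugin answers XHR requests with "xBasic", so accept both.
function isBasicChallenge(resp) {
  const value = (resp.headers || {})["www-authenticate"] || "";
  return resp.status === 401 && /^\s*x?Basic\b/i.test(value);
}

// security.json read from ZooKeeper arrives as text; malformed data is "unknown".
function parseJson(text) {
  try { return JSON.parse(text); } catch (e) { return null; }
}

function detectBasicAuth({ system, securityApi, zkSecurityJson }) {
  // 1. System API: only conclusive when the 401 actually reaches the browser.
  if (system && isBasicChallenge(system)) {
    return { enabled: true, method: "system-api" };
  }
  // 2. Security API: a challenge, or auth data in a 200 body.
  if (securityApi && (isBasicChallenge(securityApi) ||
      (securityApi.status === 200 && configuresBasicAuth(securityApi.body)))) {
    return { enabled: true, method: "security-api" };
  }
  // 3. SolrCloud only: security.json as stored in ZooKeeper.
  if (zkSecurityJson && zkSecurityJson.status === 200 &&
      configuresBasicAuth(parseJson(zkSecurityJson.body))) {
    return { enabled: true, method: "zookeeper" };
  }
  return { enabled: false, method: "none" };
}

// Constructed sample: a proxy injected credentials, so the System API returned 200.
const behindProxy = {
  system: { status: 200, headers: {}, body: {} },
  securityApi: { status: 200, headers: {},
    body: { authentication: { class: "solr.BasicAuthPlugin", blockUnknown: true } } },
};
console.log(detectBasicAuth(behindProxy)); // { enabled: true, method: 'security-api' }
```

A 401 with a non-Basic challenge (for example `Bearer`) deliberately falls through, since it shows that some authentication is active but not that BasicAuth is.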