janhoy opened a new pull request, #4534: URL: https://github.com/apache/solr/pull/4534
This is take2, the first PR (#4477) was merged and then reverted. This time around we also modify some tests and add an escape hatch.

### What changed

Four related hardening changes to Solr's Basic Authentication:

1. **Password ≠ username enforcement** (`Sha256AuthenticationProvider`): both at login time and when setting a user via `set-user` (API, Admin UI, CLI), Solr now rejects any credential where the password equals the username. This closes the most common weak-credential pattern where operators set up accounts like `admin`/`admin`.
2. **`bin/solr auth enable` template hardening** (`security.json`, `AuthTool`): the template shipped with `bin/solr auth enable` no longer contains pre-hashed passwords for the template users (`admin`, `index`, `search`). Those accounts are created with empty credentials (cannot log in until explicitly assigned a password). The `superadmin` user and its pre-hashed password are removed entirely. The CLI now prints an explicit reminder after enabling auth that passwords must be set.
3. **Escape hatch for upgrades**: a new system property `solr.security.auth.basicauth.allowuseraspassword` (env `SOLR_SECURITY_AUTH_BASICAUTH_ALLOWUSERASPASSWORD`) temporarily allows username==password — both at login and user-management time — for operators who need to keep existing user account provisioning working while migrating, such as in test environments.
4. **Security API now returns HTTP 400 on command errors** (`SecurityConfHandler`): a pre-existing bug caused failed `set-user` (and other security command) operations to return `HTTP 200 / status:0` with errors buried in an `errorMessages` body field, rather than a proper `HTTP 400`. `SecurityConfHandler` now throws `SolrErrorWrappingException(BAD_REQUEST)` on command errors, matching the pattern already used by `SchemaHandler` and `SolrConfigHandler`.

### Why

Followup to plug the root cause of CVE-2026-44825 and further harden and document the CLI bootstrapping of basic auth.

### Docs

- `solr-control-script-reference.adoc`: expanded `bin/solr auth enable` section explaining the template users, their roles, and the `--block-unknown` default.
- `basic-authentication-plugin.adoc`: updated intro and added note that `set-user` rejects username==password.
- `major-changes-in-solr-10.adoc`: upgrade note describing the new password policy and the escape hatch.

### How to review

- **Core logic**: `Sha256AuthenticationProvider.java` — two small guard blocks (one in `authenticate()`, one in the `set-user` command handler). Both gate on `SOLR_SECURITY_AUTH_BASICAUTH_ALLOWUSERASPASSWORD`.
- **CLI**: `AuthTool.java` — one new guard before writing `security.json`, and changed `blockUnknown` handling to only override the template value when explicitly passed.
- **Template**: `security.json` — credentials for `admin`, `index`, `search` are now empty strings; `superadmin` removed. Make sure it is impossible to log in to these accounts without first setting a password.
- **Tests**: `TestSha256AuthenticationProvider` has new tests. Various integration tests updated to use passwords ≠ username.

### How to test manually

```bash
bin/solr start

# User creation with username==password -> REJECTED
bin/solr auth enable --credentials solr:solr

# Enable auth with a strong password -> OK
bin/solr auth enable --credentials solr:SolrRocks

# Verify set-user rejects username==password via API
curl -u solr:SolrRocks -X POST http://localhost:8983/solr/admin/authentication \
  -H 'Content-Type: application/json' -d '{"set-user": {"bob": "bob"}}'
# → error

# Verify escape hatch works -> allowed to create username==password and to authenticate
bin/solr auth disable --credentials solr:SolrRocks
export SOLR_SECURITY_AUTH_BASICAUTH_ALLOWUSERASPASSWORD=true
bin/solr restart
bin/solr auth enable --credentials solr:solr
curl -I -u solr:solr http://localhost:8983/solr/admin/info/system
# → 200

# Verify that existing user cannot login with username==password without the escape hatch
export SOLR_SECURITY_AUTH_BASICAUTH_ALLOWUSERASPASSWORD=false
bin/solr restart
curl -I -u solr:solr http://localhost:8983/solr/admin/info/system
# → 401
```

https://issues.apache.org/jira/browse/SOLR-18233
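
An added example, not part of the pull request or of Solr's code: a pre-upgrade audit that reports which accounts in an existing `security.json` would be rejected by the new username==password check, and which are still empty template accounts. It assumes the credential format given in Solr's Basic Authentication documentation, `base64(sha256(sha256(salt+password))) base64(salt)`; the function names and the sample file are constructed for illustration.

```python
import base64
import binascii
import hashlib
import json


def solr_sha256(password: str, salt_b64: str) -> str:
    # Assumed stored format: base64(sha256(sha256(salt + password)))
    salt = base64.b64decode(salt_b64, validate=True)
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(hashlib.sha256(inner).digest()).decode("ascii")


def audit_credentials(security_json: str) -> dict:
    """Map each user to 'empty', 'same-as-username', 'malformed' or 'ok'."""
    auth = json.loads(security_json).get("authentication", {})
    report = {}
    for user, stored in auth.get("credentials", {}).items():
        parts = stored.split() if isinstance(stored, str) else None
        if parts == []:
            report[user] = "empty"  # cannot log in until a password is set
        elif parts is None or len(parts) != 2:
            report[user] = "malformed"
        else:
            try:
                # Hash the username as if it were the password, with the stored salt.
                candidate = solr_sha256(user, parts[1])
            except (binascii.Error, ValueError):
                report[user] = "malformed"
                continue
            report[user] = "same-as-username" if candidate == parts[0] else "ok"
    return report


def sample_security_json() -> str:
    """Constructed sample; the salt and passwords are made up for the demo."""
    salt = base64.b64encode(bytes(range(32))).decode("ascii")
    entry = lambda pw: f"{solr_sha256(pw, salt)} {salt}"
    return json.dumps({"authentication": {
        "class": "solr.BasicAuthPlugin",
        "credentials": {
            "admin": "",                                # empty template account
            "index": entry("index"),                    # password == username
            "search": entry("a-different-passphrase"),  # acceptable
            "broken": "not-a-hash",                     # wrong field count
        }}})


if __name__ == "__main__":
    for user, status in audit_credentials(sample_security_json()).items():
        print(f"{user}: {status}")
```

Accounts reported as `same-as-username` are the ones that stop authenticating after the upgrade unless the escape hatch is set or the password is changed.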
