lucene-solr-user mailing list archives

From Jan Høydahl <jan....@cominvent.com>
Subject Re: Solr8 changes how security.json restricts access to GUI
Date Thu, 12 Dec 2019 22:49:33 GMT
Attachments are stripped from the list. Can you post a link to the screenshot of the UI when you
first visit?

Jan

> On 12 Dec 2019, at 17:27, Oakley, Craig (NIH/NLM/NCBI) [C] <craig.oakley@nih.gov.INVALID> wrote:
> 
> Below is the security.json (with password hashes redacted): in Solr7.4 it prompts for a password and (if you get it right) lets you into the whole GUI; but in Solr8.1.1 and in Solr 8.3, it does not prompt for a password before letting you into a crippled version of the GUI (as depicted in the attachment).
> 
> {
>  "authentication":{
>    "class":"solr.BasicAuthPlugin",
>    "credentials":{
>      "solradmin":"[redacted]",
>      "pysolrmon":"[redacted]",
>      "solrtrg":"[redacted]"},
>    "":{"v":2}},
>  "authorization":{
>    "class":"solr.RuleBasedAuthorizationPlugin",
>    "user-role":{
>      "solradmin":[
>        "admin",
>        "allgen",
>        "trgadmin",
>        "genadmin"],
>      "solrtrg":[
>        "trgadmin",
>        "allgen"],
>      "pysolrmon":["clustatus_role"]},
>    "permissions":[
>      {
>        "name":"gen_admin",
>        "collection":"NULL",
>        "path":"/admin/cores",
>        "params":{"action":[
>            "REGEX:(?i)CREATE",
>            "REGEX:(?i)RENAME",
>            "REGEX:(?i)SWAP",
>            "REGEX:(?i)UNLOAD",
>            "REGEX:(?i)SPLIT"]},
>        "role":"genadmin"},
>      {
>        "name":"col_admin",
>        "collection":null,
>        "path":"/admin/collections",
>        "params":{"action":[
>            "REGEX:(?i)CREATE",
>            "REGEX:(?i)MODIFYCOLLECTION",
>            "REGEX:(?i)SPLITSHARD",
>            "REGEX:(?i)CREATESHARD",
>            "REGEX:(?i)DELETESHARD",
>            "REGEX:(?i)CREATEALIAS",
>            "REGEX:(?i)DELETEALIAS",
>            "REGEX:(?i)DELETE",
>            "REGEX:(?i)DELETEREPLICA",
>            "REGEX:(?i)ADDREPLICA",
>            "REGEX:(?i)CLUSTERPROP",
>            "REGEX:(?i)MIGRATE",
>            "REGEX:(?i)ADDROLE",
>            "REGEX:(?i)REMOVEROLE",
>            "REGEX:(?i)ADDREPLICAPROP",
>            "REGEX:(?i)DELETEREPLICAPROP",
>            "REGEX:(?i)BALANCESHARDUNIQUE",
>            "REGEX:(?i)REBALANCELEADERS",
>            "REGEX:(?i)FORCELEADER",
>            "REGEX:(?i)MIGRATESTATEFORMAT"]},
>        "role":"genadmin"},
>      {
>        "name":"security-edit",
>        "role":"admin"},
>      {
>        "name":"clustatus",
>        "path":"/admin/collections",
>        "params":{"action":["REGEX:(?i)CLUSTERSTATUS"]},
>        "role":[
>          "clustatus_role",
>          "allgen"],
>        "collection":null},
>      {
>        "name":"corestatus",
>        "path":"/admin/cores",
>        "params":{"action":["REGEX:(?i)STATUS"]},
>        "role":[
>          "allgen",
>          "clustatus_role"],
>        "collection":null},
>      {
>        "name":"trgadmin",
>        "collection":"trg_col",
>        "path":"/admin/*",
>        "role":"trgadmin"},
>      {
>        "name":"open_select",
>        "path":"/select/*",
>        "role":null},
>      {
>        "name":"open_search",
>        "path":"/search/*",
>        "role":null},
>      {
>        "name":"catch-all-nocollection",
>        "collection":null,
>        "path":"/*",
>        "role":"allgen"},
>      {
>        "name":"catch-all-collection",
>        "path":"/*",
>        "role":"allgen"},
>      {
>        "name":"all-admincol",
>        "collection":null,
>        "path":"/admin/collections",
>        "role":"allgen"},
>      {
>        "name":"all-admincores",
>        "collection":null,
>        "path":"/admin/cores",
>        "role":"allgen"}],
>    "":{"v":5}}}
> 
> -----Original Message-----
> From: Jan Høydahl <jan.asf@cominvent.com> 
> Sent: Wednesday, December 11, 2019 7:35 PM
> To: solr-user@lucene.apache.org
> Subject: Re: Solr8 changes how security.json restricts access to GUI
> 
> Please show your complete Security.json so we know how auth is configured. Which 8.x version are you trying? There should be a login screen shown in admin UI now.
> 
> Jan Høydahl
> 
>> On 11 Dec 2019, at 22:40, Oakley, Craig (NIH/NLM/NCBI) [C] <craig.oakley@nih.gov.invalid> wrote:
>> 
>> In Solr 7, we had clauses in our security.json saying
>> 
>>     {
>>       "name":"all-admin",
>>       "collection":null,
>>       "path":"/*",
>>       "role":"allgen",
>>       "index":15},
>>     {
>>       "name":"all-core-handlers",
>>       "path":"/*",
>>       "role":"allgen",
>>       "index":16},
>> 
>> We granted the role allgen to all users; but this kept our security folk happy in that no one could even get to the top level of the Solr GUI without a password.
>> 
>> Now under Solr 8, the GUI does not prompt for a password. It just brings you into the GUI (albeit a stripped down version, saying such things as "No cores available"). By what means can we require a password to get this far? And by what means can we prompt for a password in order to get further?
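
An added example, not part of the thread and not Solr project code: a small audit of a security.json shaped like the one quoted above, reporting settings that decide whether a request without credentials is rejected. It assumes the `blockUnknown` option of `solr.BasicAuthPlugin` (false when absent in Solr 8) and that a permission with `"role":null` requires no role; the function names and finding codes are hypothetical, and the sample is a trimmed copy of the quoted file.

```python
import json

# Trimmed copy of the security.json quoted above (a subset of its
# permissions, hash replaced by the same placeholder the poster used).
SAMPLE = """
{"authentication": {"class": "solr.BasicAuthPlugin",
                    "credentials": {"solradmin": "[redacted]"}},
 "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
   "permissions": [
     {"name": "gen_admin", "collection": "NULL", "path": "/admin/cores",
      "role": "genadmin"},
     {"name": "open_select", "path": "/select/*", "role": null},
     {"name": "catch-all-nocollection", "collection": null, "path": "/*",
      "role": "allgen"}]}}
"""

def audit(text):
    """Return a list of (finding_code, permission_name_or_None) tuples."""
    cfg = json.loads(text)
    findings = []
    authn = cfg.get("authentication", {})
    # Without blockUnknown=true, requests that carry no credentials are
    # handed to the authorization plugin instead of being rejected.
    if authn.get("blockUnknown") is not True:
        findings.append(("BLOCK_UNKNOWN_OFF", None))
    for perm in cfg.get("authorization", {}).get("permissions", []):
        name = perm.get("name")
        # An explicit null role means the matching path needs no role.
        if "role" in perm and perm["role"] is None:
            findings.append(("NO_ROLE_REQUIRED", name))
        # A quoted "NULL"/"null" is a collection name, not JSON null.
        coll = perm.get("collection")
        if isinstance(coll, str) and coll.lower() == "null":
            findings.append(("COLLECTION_IS_STRING", name))
    return findings

def hardened(text):
    """Return the same config with blockUnknown enabled."""
    cfg = json.loads(text)
    cfg.setdefault("authentication", {})["blockUnknown"] = True
    return json.dumps(cfg, indent=1)

if __name__ == "__main__":
    for code, name in audit(SAMPLE):
        print(code, name or "")
```

With `blockUnknown` set to true, the authentication plugin also rejects anonymous requests to the `"role":null` paths (`/select/*`, `/search/*`), so enabling it changes those endpoints from open to credentialed.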

