lucene-solr-user mailing list archives

From Jan Høydahl <jan....@cominvent.com>
Subject Re: Solr8 changes how security.json restricts access to GUI
Date Fri, 13 Dec 2019 19:14:42 GMT
I got your screenshot (https://www.dropbox.com/s/7tbn7gx3uag6jcg/crippledSolrGUI.jpg?dl=0)

This is quite uncommon. You should see a login screen if you have basicAuth enabled.
Have you tried a different browser?

What do you get if you run this command

curl -i http://your-solr-url/solr/admin/info/system

Or if you use your browser’s developer tools to inspect network traffic?

Jan

> On 12 Dec 2019 at 23:49, Jan Høydahl <jan.asf@cominvent.com> wrote:
> 
> Attachments are stripped from list, can you post a link to the screenshot of the UI when you first visit?
> 
> Jan
> 
>> On 12 Dec 2019 at 17:27, Oakley, Craig (NIH/NLM/NCBI) [C] <craig.oakley@nih.gov.INVALID> wrote:
>> 
>> Below is the security.json (with password hashes redacted): in Solr7.4 it prompts for a password and (if you get it right) lets you into the whole GUI; But in Solr8.1.1 and in Solr 8.3, it does not prompt for a password before letting you into a crippled version of the GUI (as depicted in the attachment)
>> 
>> {
>> "authentication":{
>>   "class":"solr.BasicAuthPlugin",
>>   "credentials":{
>>     "solradmin":"[redacted]",
>>     "pysolrmon":"[redacted]",
>>     "solrtrg":"[redacted]"},
>>   "":{"v":2}},
>> "authorization":{
>>   "class":"solr.RuleBasedAuthorizationPlugin",
>>   "user-role":{
>>     "solradmin":[
>>       "admin",
>>       "allgen",
>>       "trgadmin",
>>       "genadmin"],
>>     "solrtrg":[
>>       "trgadmin",
>>       "allgen"],
>>     "pysolrmon":["clustatus_role"]},
>>   "permissions":[
>>     {
>>       "name":"gen_admin",
>>       "collection":"NULL",
>>       "path":"/admin/cores",
>>       "params":{"action":[
>>           "REGEX:(?i)CREATE",
>>           "REGEX:(?i)RENAME",
>>           "REGEX:(?i)SWAP",
>>           "REGEX:(?i)UNLOAD",
>>           "REGEX:(?i)SPLIT"]},
>>       "role":"genadmin"},
>>     {
>>       "name":"col_admin",
>>       "collection":null,
>>       "path":"/admin/collections",
>>       "params":{"action":[
>>           "REGEX:(?i)CREATE",
>>           "REGEX:(?i)MODIFYCOLLECTION",
>>           "REGEX:(?i)SPLITSHARD",
>>           "REGEX:(?i)CREATESHARD",
>>           "REGEX:(?i)DELETESHARD",
>>           "REGEX:(?i)CREATEALIAS",
>>           "REGEX:(?i)DELETEALIAS",
>>           "REGEX:(?i)DELETE",
>>           "REGEX:(?i)DELETEREPLICA",
>>           "REGEX:(?i)ADDREPLICA",
>>           "REGEX:(?i)CLUSTERPROP",
>>           "REGEX:(?i)MIGRATE",
>>           "REGEX:(?i)ADDROLE",
>>           "REGEX:(?i)REMOVEROLE",
>>           "REGEX:(?i)ADDREPLICAPROP",
>>           "REGEX:(?i)DELETEREPLICAPROP",
>>           "REGEX:(?i)BALANCESHARDUNIQUE",
>>           "REGEX:(?i)REBALANCELEADERS",
>>           "REGEX:(?i)FORCELEADER",
>>           "REGEX:(?i)MIGRATESTATEFORMAT"]},
>>       "role":"genadmin"},
>>     {
>>       "name":"security-edit",
>>       "role":"admin"},
>>     {
>>       "name":"clustatus",
>>       "path":"/admin/collections",
>>       "params":{"action":["REGEX:(?i)CLUSTERSTATUS"]},
>>       "role":[
>>         "clustatus_role",
>>         "allgen"],
>>       "collection":null},
>>     {
>>       "name":"corestatus",
>>       "path":"/admin/cores",
>>       "params":{"action":["REGEX:(?i)STATUS"]},
>>       "role":[
>>         "allgen",
>>         "clustatus_role"],
>>       "collection":null},
>>     {
>>       "name":"trgadmin",
>>       "collection":"trg_col",
>>       "path":"/admin/*",
>>       "role":"trgadmin"},
>>     {
>>       "name":"open_select",
>>       "path":"/select/*",
>>       "role":null},
>>     {
>>       "name":"open_search",
>>       "path":"/search/*",
>>       "role":null},
>>     {
>>       "name":"catch-all-nocollection",
>>       "collection":null,
>>       "path":"/*",
>>       "role":"allgen"},
>>     {
>>       "name":"catch-all-collection",
>>       "path":"/*",
>>       "role":"allgen"},
>>     {
>>       "name":"all-admincol",
>>       "collection":null,
>>       "path":"/admin/collections",
>>       "role":"allgen"},
>>     {
>>       "name":"all-admincores",
>>       "collection":null,
>>       "path":"/admin/cores",
>>       "role":"allgen"}],
>>   "":{"v":5}}}
>> 
>> -----Original Message-----
>> From: Jan Høydahl <jan.asf@cominvent.com> 
>> Sent: Wednesday, December 11, 2019 7:35 PM
>> To: solr-user@lucene.apache.org
>> Subject: Re: Solr8 changes how security.json restricts access to GUI
>> 
>> Please show your complete Security.json so we know how auth is configured. Which 8.x version are you trying? There should be a login screen shown in admin UI now.
>> 
>> Jan Høydahl
>> 
>>> On 11 Dec 2019 at 22:40, Oakley, Craig (NIH/NLM/NCBI) [C] <craig.oakley@nih.gov.invalid> wrote:
>>> 
>>> In Solr 7, we had clauses in our security.json saying
>>> 
>>>    {
>>>      "name":"all-admin",
>>>      "collection":null,
>>>      "path":"/*",
>>>      "role":"allgen",
>>>      "index":15},
>>>    {
>>>      "name":"all-core-handlers",
>>>      "path":"/*",
>>>      "role":"allgen",
>>>      "index":16},
>>> 
>>> We granted the role allgen to all users; but this kept our security folk happy in that no one could even get to the top level of the Solr GUI without a password.
>>> 
>>> Now under Solr 8, the GUI does not prompt for a password. It just brings you into the GUI (albeit a stripped down version, saying such things as "No cores available"). By what means can we require a password to get this far? And by what means can we prompt for a password in order to get further?
> 
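
An added example, not part of the thread and not Solr's own code: a small audit of a security.json shaped like the one quoted above, listing the settings that decide how a request without credentials is handled. It assumes BasicAuthPlugin's `blockUnknown` option (absent from the quoted file) and that a permission whose role is null is open to everyone; the embedded JSON is a constructed, trimmed excerpt and the finding codes are hypothetical names.

```python
import json

# Constructed excerpt shaped like the security.json quoted in the thread:
# credentials are placeholders and the permission list is trimmed.
SECURITY_JSON = """
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {"solradmin": "[redacted]"}},
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "gen_admin", "collection": "NULL", "path": "/admin/cores", "role": "genadmin"},
      {"name": "security-edit", "role": "admin"},
      {"name": "open_select", "path": "/select/*", "role": null},
      {"name": "catch-all-nocollection", "collection": null, "path": "/*", "role": "allgen"}]}}
"""


def audit(config):
    """Return (code, message) findings that affect requests sent without credentials."""
    findings = []
    authn = config.get("authentication", {})
    # Assumption: Solr reads blockUnknown as a boolean or as the string "true".
    if str(authn.get("blockUnknown", "false")).lower() != "true":
        findings.append(("blockUnknown-not-set",
                         "requests without credentials pass the authentication "
                         "plugin and are decided by the authorization rules alone"))
    for perm in config.get("authorization", {}).get("permissions", []):
        name = perm.get("name", "<unnamed>")
        if perm.get("role") is None:
            findings.append(("open-permission",
                             f"{name}: role is null, so no login is needed for "
                             f"{perm.get('path', 'this permission')}"))
        coll = perm.get("collection")
        if isinstance(coll, str) and coll.lower() == "null":
            findings.append(("string-null-collection",
                             f"{name}: collection is the string {coll!r}, not JSON null"))
    return findings


if __name__ == "__main__":
    for code, message in audit(json.loads(SECURITY_JSON)):
        print(f"[{code}] {message}")
```
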

