lucene-solr-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Oakley, Craig (NIH/NLM/NCBI) [C]" <craig.oak...@nih.gov.INVALID>
Subject RE: Solr8 changes how security.json restricts access to GUI
Date Thu, 12 Dec 2019 16:27:58 GMT
Below is the security.json (with password hashes redacted): in Solr7.4 it prompts for a password
and (if you get it right) lets you into the whole GUI; But in Solr8.1.1 and in Solr 8.3, it
does not prompt for a password before letting you into a crippled version of the GUI (as depicted
in the attachment)

{
  "authentication":{
    "class":"solr.BasicAuthPlugin",
    "credentials":{
      "solradmin":"[redacted]",
      "pysolrmon":"[redacted]",
      "solrtrg":"[redacted]"},
    "":{"v":2}},
  "authorization":{
    "class":"solr.RuleBasedAuthorizationPlugin",
    "user-role":{
      "solradmin":[
        "admin",
        "allgen",
        "trgadmin",
        "genadmin"],
      "solrtrg":[
        "trgadmin",
        "allgen"],
      "pysolrmon":["clustatus_role"]},
    "permissions":[
      {
        "name":"gen_admin",
        "collection":"NULL",
        "path":"/admin/cores",
        "params":{"action":[
            "REGEX:(?i)CREATE",
            "REGEX:(?i)RENAME",
            "REGEX:(?i)SWAP",
            "REGEX:(?i)UNLOAD",
            "REGEX:(?i)SPLIT"]},
        "role":"genadmin"},
      {
        "name":"col_admin",
        "collection":null,
        "path":"/admin/collections",
        "params":{"action":[
            "REGEX:(?i)CREATE",
            "REGEX:(?i)MODIFYCOLLECTION",
            "REGEX:(?i)SPLITSHARD",
            "REGEX:(?i)CREATESHARD",
            "REGEX:(?i)DELETESHARD",
            "REGEX:(?i)CREATEALIAS",
            "REGEX:(?i)DELETEALIAS",
            "REGEX:(?i)DELETE",
            "REGEX:(?i)DELETEREPLICA",
            "REGEX:(?i)ADDREPLICA",
            "REGEX:(?i)CLUSTERPROP",
            "REGEX:(?i)MIGRATE",
            "REGEX:(?i)ADDROLE",
            "REGEX:(?i)REMOVEROLE",
            "REGEX:(?i)ADDREPLICAPROP",
            "REGEX:(?i)DELETEREPLICAPROP",
            "REGEX:(?i)BALANCESHARDUNIQUE",
            "REGEX:(?i)REBALANCELEADERS",
            "REGEX:(?i)FORCELEADER",
            "REGEX:(?i)MIGRATESTATEFORMAT"]},
        "role":"genadmin"},
      {
        "name":"security-edit",
        "role":"admin"},
      {
        "name":"clustatus",
        "path":"/admin/collections",
        "params":{"action":["REGEX:(?i)CLUSTERSTATUS"]},
        "role":[
          "clustatus_role",
          "allgen"],
        "collection":null},
      {
        "name":"corestatus",
        "path":"/admin/cores",
        "params":{"action":["REGEX:(?i)STATUS"]},
        "role":[
          "allgen",
          "clustatus_role"],
        "collection":null},
      {
        "name":"trgadmin",
        "collection":"trg_col",
        "path":"/admin/*",
        "role":"trgadmin"},
      {
        "name":"open_select",
        "path":"/select/*",
        "role":null},
      {
        "name":"open_search",
        "path":"/search/*",
        "role":null},
      {
        "name":"catch-all-nocollection",
        "collection":null,
        "path":"/*",
        "role":"allgen"},
      {
        "name":"catch-all-collection",
        "path":"/*",
        "role":"allgen"},
      {
        "name":"all-admincol",
        "collection":null,
        "path":"/admin/collections",
        "role":"allgen"},
      {
        "name":"all-admincores",
        "collection":null,
        "path":"/admin/cores",
        "role":"allgen"}],
    "":{"v":5}}}

-----Original Message-----
From: Jan Høydahl <jan.asf@cominvent.com> 
Sent: Wednesday, December 11, 2019 7:35 PM
To: solr-user@lucene.apache.org
Subject: Re: Solr8 changes how security.json restricts access to GUI

Please show your complete Security.json so we know how auth is configured. Which 8.x version
are you trying? There should be a login screen shown in admin UI now.

Jan Høydahl

> 11. des. 2019 kl. 22:40 skrev Oakley, Craig (NIH/NLM/NCBI) [C] <craig.oakley@nih.gov.invalid>:
> 
> In Solr 7, we had clauses in our security.json saying
> 
>      {
>        "name":"all-admin",
>        "collection":null,
>        "path":"/*",
>        "role":"allgen",
>        "index":15},
>      {
>        "name":"all-core-handlers",
>        "path":"/*",
>        "role":"allgen",
>        "index":16},
> 
> We granted the role allgen to all users; but this kept our security folk happy in that
no one could even get to the top level of the Solr GUI without a password.
> 
> Now under Solr 8, the GUI does not prompt for a password. It just brings you into the
GUI (albeit a stripped down version, saying such things as "No cores available"). By what
means can we require a password to get this far? And by what means can we prompt for a password
in order to get further?
Mime
  • Unnamed multipart/mixed (inline, None, 0 bytes)
View raw message