This is an automated email from the ASF dual-hosted git repository.
janhoy pushed a commit to branch branch_10x
in repository https://gitbox.apache.org/repos/asf/solr.git
The following commit(s) were added to refs/heads/branch_10x by this push:
new b7bc567224a Revert "SOLR-18233 Strengthen Basic Authentication
password policy and harden template users created by bin/solr auth enable
(#4477)"
b7bc567224a is described below
commit b7bc567224acde0b6d0019a9be28347f04370ca8
Author: Jan Høydahl <[email protected]>
AuthorDate: Wed Jun 10 12:29:28 2026 +0200
Revert "SOLR-18233 Strengthen Basic Authentication password policy and
harden template users created by bin/solr auth enable (#4477)"
This reverts commit 20c0a6cd389e58d8f69a41b940af1ef0262cc99a.
---
...ngthen-Basic-Authentication-password-policy.yml | 7 -----
.../src/java/org/apache/solr/cli/AuthTool.java | 24 +++--------------
.../security/Sha256AuthenticationProvider.java | 5 ----
solr/core/src/resources/security.json | 10 +++++---
.../security/TestSha256AuthenticationProvider.java | 27 -------------------
.../pages/basic-authentication-plugin.adoc | 8 +++---
.../pages/solr-control-script-reference.adoc | 30 ++++------------------
solr/webapp/web/js/angular/controllers/security.js | 6 -----
8 files changed, 17 insertions(+), 100 deletions(-)
diff --git
a/changelog/unreleased/SOLR-18233-Strengthen-Basic-Authentication-password-policy.yml
b/changelog/unreleased/SOLR-18233-Strengthen-Basic-Authentication-password-policy.yml
deleted file mode 100644
index 3c06a95dfe6..00000000000
---
a/changelog/unreleased/SOLR-18233-Strengthen-Basic-Authentication-password-policy.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-title: Strengthen Basic Authentication password policy and harden template
users created by bin/solr auth enable
-type: fixed
-authors:
- - name: Jan Høydahl
-links:
- - name: SOLR-18233
- url: https://issues.apache.org/jira/browse/SOLR-18233
diff --git a/solr/core/src/java/org/apache/solr/cli/AuthTool.java
b/solr/core/src/java/org/apache/solr/cli/AuthTool.java
index 3487787684d..5c19ac300d7 100644
--- a/solr/core/src/java/org/apache/solr/cli/AuthTool.java
+++ b/solr/core/src/java/org/apache/solr/cli/AuthTool.java
@@ -227,12 +227,8 @@ public class AuthTool extends ToolBase {
} while (password.isEmpty());
}
- if (username.equals(password)) {
- CLIO.err(
- "Error: username and password must not be identical."
- + " This credential would never authenticate.");
- runtime.exit(1);
- }
+ boolean blockUnknown =
+ Boolean.parseBoolean(cli.getOptionValue(BLOCK_UNKNOWN_OPTION,
"true"));
String resourceName = "security.json";
final URL resource =
SolrCore.class.getClassLoader().getResource(resourceName);
@@ -242,11 +238,7 @@ public class AuthTool extends ToolBase {
ObjectMapper mapper = new ObjectMapper();
JsonNode securityJson1 = mapper.readTree(resource.openStream());
- // Only override blockUnknown if explicitly passed; otherwise let
the template decide
- if (cli.hasOption(BLOCK_UNKNOWN_OPTION)) {
- boolean blockUnknown =
Boolean.parseBoolean(cli.getOptionValue(BLOCK_UNKNOWN_OPTION));
- ((ObjectNode)
securityJson1.get("authentication")).put("blockUnknown", blockUnknown);
- }
+ ((ObjectNode) securityJson1).put("blockUnknown", blockUnknown);
JsonNode credentialsNode =
securityJson1.get("authentication").get("credentials");
((ObjectNode) credentialsNode)
.put(username,
Sha256AuthenticationProvider.getSaltedHashedValue(password));
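Review bot: The restored line `((ObjectNode) securityJson1).put("blockUnknown", blockUnknown);` writes the flag at the root of the parsed template, while the template in this same commit keeps `"blockUnknown": false` inside the `authentication` object next to `"class"` and `"credentials"` (the node this hunk reads two lines later). If the plugin takes its settings from that block, as the template's placement suggests, the root-level key is ignored and `--block-unknown` together with the `"true"` default restored in the previous hunk (and documented as the default in the ref-guide hunk) never takes effect, leaving the template's `false` in force; the removed lines targeted `securityJson1.get("authentication")` for this reason. If the revert is meant to stand, the write should still be `((ObjectNode) securityJson1.get("authentication")).put("blockUnknown", blockUnknown);`. The enclosing `case "enable"` body begins and ends outside this hunk.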
@@ -294,16 +286,6 @@ public class AuthTool extends ToolBase {
String.format(
Locale.ROOT, "Successfully enabled basic auth with username
[%s].", username);
echo(successMessage);
- if (!updateIncludeFileOnly) {
- CLIO.out(
- "\nIMPORTANT: The following template users have been created
with NO password set"
- + " and cannot log in until passwords are assigned:");
- CLIO.out(" - admin (roles: admin, index, search)");
- CLIO.out(" - index (roles: index, search)");
- CLIO.out(" - search (roles: search)");
- CLIO.out(
- "Set their passwords using the Admin UI Security page or the
authentication API.");
- }
return;
}
case "disable":
diff --git
a/solr/core/src/java/org/apache/solr/security/Sha256AuthenticationProvider.java
b/solr/core/src/java/org/apache/solr/security/Sha256AuthenticationProvider.java
index 6e1646a5666..31c38537f69 100644
---
a/solr/core/src/java/org/apache/solr/security/Sha256AuthenticationProvider.java
+++
b/solr/core/src/java/org/apache/solr/security/Sha256AuthenticationProvider.java
@@ -93,7 +93,6 @@ public class Sha256AuthenticationProvider
@Override
public boolean authenticate(String username, String password) {
- if (username != null && username.equals(password)) return false;
String cred = credentials.get(username);
if (cred == null || cred.isEmpty()) return false;
cred = cred.trim();
@@ -166,10 +165,6 @@ public class Sha256AuthenticationProvider
cmd.addError("name and password must be non-null");
return null;
}
- if (e.getKey().equals(String.valueOf(e.getValue()))) {
- cmd.addError("Password must not be the same as the username");
- return null;
- }
putUser(e.getKey(), String.valueOf(e.getValue()), map);
}
}
diff --git a/solr/core/src/resources/security.json
b/solr/core/src/resources/security.json
index 4406cf52a1b..f503f7c4e30 100644
--- a/solr/core/src/resources/security.json
+++ b/solr/core/src/resources/security.json
@@ -3,9 +3,10 @@
"blockUnknown": false,
"class": "solr.BasicAuthPlugin",
"credentials": {
- "search": "",
- "index": "",
- "admin": ""
+ "search": "9ch2qWOmNSeGpfcgLRXafhm5z3KeRti5qCNLn7SmK1I=
aXNjZWd4YW9mMzZ0cjE1Nw==",
+ "index": "of9xlSadImtR0MH4obzJvKSZkuE5DIJh5NOui2hWDeA=
dTRuYzU4Y3F4N2hxd2sxeA==",
+ "admin": "6clS8rTEj1x1LP/uRCxOZsLdps7Sovokru09WdJX+7A=
NGMyZGFhN2lrNHFsdXZybA==",
+ "superadmin": "9wzPajmLBIIi8BmToy8lxveDxfL6Vl/BX/Ss3xrs3XQ=
OWZna2hwendocXFnODU5ZQ=="
}
},
"authorization": {
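Review bot: The restored `credentials` entries give `search`, `index`, `admin` and `superadmin` fixed salted hashes that are checked into the repository, so every deployment built from this template carries the same credential material until an operator rotates it, and the `auth enable` path in this commit only `put`s the operator's own user into `credentials` without clearing or overwriting these four. That is a shipped-default-credential risk rather than a syntax problem, and the new `superadmin` role mapping in the second hunk of this file widens what such an account can do. Since JSON cannot carry a comment, the mitigation belongs in `AuthTool` (drop or overwrite template users it did not set) or in the ref-guide text restored in this same commit, which should state that these template accounts must be given new passwords before the file is used.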
@@ -66,7 +67,8 @@
"user-role": {
"search": ["search"],
"index": ["index", "search"],
- "admin": ["admin", "index", "search"]
+ "admin": ["admin", "index", "search"],
+ "superadmin": ["superadmin", "admin", "index", "search"]
}
}
}
diff --git
a/solr/core/src/test/org/apache/solr/security/TestSha256AuthenticationProvider.java
b/solr/core/src/test/org/apache/solr/security/TestSha256AuthenticationProvider.java
index 5bc84e2284a..632fd16b35a 100644
---
a/solr/core/src/test/org/apache/solr/security/TestSha256AuthenticationProvider.java
+++
b/solr/core/src/test/org/apache/solr/security/TestSha256AuthenticationProvider.java
@@ -104,33 +104,6 @@ public class TestSha256AuthenticationProvider extends
SolrTestCaseJ4 {
}
}
- public void testAuthenticateRejectsUsernameEqualPassword() {
- // Simulate a credential store that has the username's own hash as the
password
- // (e.g. set up before this policy was in effect) and verify
authenticate() still rejects it.
- String user = "alice";
- String hashedValue =
Sha256AuthenticationProvider.getSaltedHashedValue(user);
- Map<String, Object> config = new HashMap<>();
- Map<String, String> credentials = new HashMap<>();
- credentials.put(user, hashedValue);
- config.put("credentials", credentials);
-
- Sha256AuthenticationProvider provider = new Sha256AuthenticationProvider();
- provider.init(config);
- assertFalse(
- "authenticate() must reject username==password even when hash matches",
- provider.authenticate(user, user));
- }
-
- public void testSetUserRejectsUsernameEqualPassword() {
- Sha256AuthenticationProvider provider = new Sha256AuthenticationProvider();
- provider.init(createConfigMap("ignore", "me"));
- Map<String, Object> latestConf = createConfigMap("ignore", "me");
- String user = "bob";
- CommandOperation cmd = new CommandOperation("set-user", Map.of(user,
user));
- provider.edit(latestConf, List.of(cmd));
- assertTrue("set-user should report an error when username==password",
cmd.hasError());
- }
-
private Map<String, Object> createConfigMap(String user, String pw) {
Map<String, Object> config = new HashMap<>();
Map<String, String> credentials = new HashMap<>();
diff --git
a/solr/solr-ref-guide/modules/deployment-guide/pages/basic-authentication-plugin.adoc
b/solr/solr-ref-guide/modules/deployment-guide/pages/basic-authentication-plugin.adoc
index 9f1a062feb6..19536088939 100644
---
a/solr/solr-ref-guide/modules/deployment-guide/pages/basic-authentication-plugin.adoc
+++
b/solr/solr-ref-guide/modules/deployment-guide/pages/basic-authentication-plugin.adoc
@@ -24,12 +24,11 @@ To control user permissions, you may need to configure an
authorization plugin a
== Enable Basic Authentication
-When running in cloud mode, Basic authentication can be enabled from the
command line using the `bin/solr auth enable` command, which applies a
best-practice security template with pre-configured roles and permissions.
-See
xref:solr-control-script-reference.adoc#enabling-basic-authentication[Enabling
Basic Authentication] in the Solr Control Script Reference for details.
-
-Alternatively, you can create the `security.json` file manually.
+To use Basic authentication, you must first create a `security.json` file.
This file and where to put it is described in detail in the section
xref:authentication-and-authorization-plugins.adoc#configuring-security-json[Configuring
security.json].
+If running in cloud mode, you can use the `bin/solr auth` command-line utility
to enable security for a new installation, see: `bin/solr auth --help` for more
details.
+
For Basic authentication, `security.json` must have an `authentication` block
which defines the class being used for authentication.
Usernames and passwords could be added when the file is created, or can be
added later with the Authentication API, described below.
@@ -186,7 +185,6 @@ If users need to be restricted to a specific collection,
that can be done with t
=== Add a User or Edit a Password
The `set-user` command allows you to add users and change their passwords.
-Passwords must not be identical to the username.
For example, the following defines two users and their passwords:
[tabs#set-user]
diff --git
a/solr/solr-ref-guide/modules/deployment-guide/pages/solr-control-script-reference.adoc
b/solr/solr-ref-guide/modules/deployment-guide/pages/solr-control-script-reference.adoc
index aae46c7c6cc..f507216396b 100644
---
a/solr/solr-ref-guide/modules/deployment-guide/pages/solr-control-script-reference.adoc
+++
b/solr/solr-ref-guide/modules/deployment-guide/pages/solr-control-script-reference.adoc
@@ -916,23 +916,19 @@ The `bin/solr` script allows enabling or disabling
Authentication, allowing you
Currently this command is only available when using SolrCloud mode and must be
run on the machine hosting Solr.
-For Basic Authentication the script provides
https://github.com/apache/solr/blob/main/solr/core/src/resources/security.json[user
roles and permission mappings], and maps the created user to all roles
(`superadmin`, `admin`, `index`, `search`).
+For Basic Authentication the script provides
https://github.com/apache/solr/blob/main/solr/core/src/resources/security.json[user
roles and permission mappings], and maps the created user to the `superadmin`
role.
=== Enabling Basic Authentication
The command `bin/solr auth enable` configures Solr to use Basic Authentication
when accessing the User Interface, using `bin/solr` and any API requests.
-NOTE: This command currently requires SolrCloud mode — it uploads the
generated `security.json` to ZooKeeper so that all nodes pick it up
automatically.
-For user-managed (standalone) clusters, you must create the `security.json`
file manually and place it in each node's Solr home directory.
-See xref:basic-authentication-plugin.adoc[] for details.
-
TIP: For more information about Solr's authentication plugins, see the section
xref:securing-solr.adoc[].
For more information on Basic Authentication support specifically, see the
section xref:basic-authentication-plugin.adoc[].
The `bin/solr auth enable` command makes several changes to enable Basic
Authentication:
-* Takes the base
https://github.com/apache/solr/blob/main/solr/core/src/resources/security.json[security.json]
template with best-practice roles and permissions, applies `auth` command
parameters, and uploads the result to ZooKeeper.
+* Take the base
https://github.com/apache/solr/blob/main/solr/core/resources/security.json[security.json]
file, evolves it using `auth` command parameters, and uploads the new file to
ZooKeeper.
+
* Adds two lines to `bin/solr.in.sh` or `bin\solr.in.cmd` to set the
authentication type, and the path to `basicAuth.conf`:
+
@@ -944,19 +940,6 @@
SOLR_AUTHENTICATION_OPTS="-Dsolr.httpclient.config=/path/to/solr-{solr-full-vers
----
* Creates the file `server/solr/basicAuth.conf` to store the credential
information that is used with `bin/solr` commands.
-In addition to the operator-created user, the command also creates three
template users with predefined role assignments.
-These users have no password set and cannot log in until passwords are
explicitly assigned:
-
-[cols="1,2",options="header"]
-|===
-|Username |Roles
-|`admin` |admin, index, search
-|`index` |index, search
-|`search` |search
-|===
-
-After enabling Basic Authentication, set passwords for these template users
using the Admin UI Security page or the
xref:basic-authentication-plugin.adoc#add-a-user-or-edit-a-password[authentication
API].
-
Here are some example usages:
[source,plain]
@@ -998,14 +981,11 @@ Either `--credentials` or `--prompt` *must* be specified.
+
[%autowidth,frame=none]
|===
-|Optional |Default: use value from `security.json` template (`false`)
+|Optional |Default: `true`
|===
+
-Controls whether unauthenticated requests are blocked.
-The default `security.json` template sets `blockUnknown` to `false` because it
includes a `RuleBasedAuthorizationPlugin` with fine-grained permissions —
unauthenticated users can only access endpoints explicitly granted to the
`null` role (by default *health* and *metrics-read*, left open so that load
balancers and monitoring tools can operate without credentials).
-All other operations require an authenticated user with the appropriate role.
-+
-If you want to require authentication for _all_ requests (including health
checks and metrics), pass `--block-unknown true` explicitly.
+When `true`, this blocks out access to unauthenticated users from accessing
Solr.
+When `false`, unauthenticated users will still be able to access Solr, but
only for operations not explicitly requiring a user role in the Authorization
plugin configuration.
`--solr-include-file <includeFilePath>`::
+
diff --git a/solr/webapp/web/js/angular/controllers/security.js
b/solr/webapp/web/js/angular/controllers/security.js
index 1ffdf85460a..fd65a289988 100644
--- a/solr/webapp/web/js/angular/controllers/security.js
+++ b/solr/webapp/web/js/angular/controllers/security.js
@@ -412,12 +412,6 @@ solrAdminApp.controller('SecurityController', function
($scope, $timeout, $cooki
return false;
}
- var username = $scope.upsertUser.username ?
$scope.upsertUser.username.trim() : "";
- if (password === username) {
- $scope.validationError = "Password must not be the same as the username";
- return false;
- }
-
return true;
};