[ https://issues.apache.org/jira/browse/SOLR-13344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16805112#comment-16805112 ]
Jason Gerlowski commented on SOLR-13344:
----------------------------------------

Yeah, putting in some sort of special case like that might make sense, but it's definitely not there now. Are the admin UI files served up by a particular request handler that we could add a check for? It's ugly, but there are already instanceof checks in there on the request handler...

Alternatively we might be able to put in a special case based on the path of the request, but that seems potentially dangerous... I'd worry about that allowing other things through unless we test it very well.

> Admin UI inaccessible with RuleBasedAuthorizationPlugin
> -------------------------------------------------------
>
>                 Key: SOLR-13344
>                 URL: https://issues.apache.org/jira/browse/SOLR-13344
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public)
>          Components: Admin UI, Authentication
>    Affects Versions: 7.7, 8.0
>            Reporter: Märt
>            Priority: Major
>
> SOLR-7896 made some changes to the admin ui login. After the changes I can no longer log in at all.
> I'm running standalone solr 7.7 (same with 8.0) with the following security.json:
> {code}
> {
>   "authentication": {
>     "class": "solr.BasicAuthPlugin",
>     "blockUnknown": true,
>     "credentials": {
>       "solr": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="
>     }
>   },
>   "authorization": {
>     "class": "solr.RuleBasedAuthorizationPlugin",
>     "permissions": [
>       {
>         "name": "all",
>         "role": "admin"
>       }
>     ],
>     "user-role": {
>       "solr": "admin"
>     }
>   }
> }
> {code}
> Opening the UI at http://localhost:8080/solr/ shows an error page with 401. The login page is not displayed because of the "all" permission being required. The browser's basic auth popup is not shown because the WWW-Authenticate header is not present. Changing the RuleBasedAuthorizationPlugin required permission from "all" to "security-edit" makes the login page appear.
> The bug can be reproduced as follows:
> # unpack solr-8.0.0.zip
> # copy the security.json example from https://lucene.apache.org/solr/guide/7_7/basic-authentication-plugin.html into server/solr/ and replace "name":"security-edit" with "name":"all"
> # start with bin/solr -f -p 8080
> # open http://localhost:8080/
> The bug was discussed on solr-user list
> http://mail-archives.apache.org/mod_mbox/lucene-solr-user/201903.mbox/%3C7629BDDD-3D22-4203-9188-0E0A8DCF2FEE%40cominvent.com%3E
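
A check for the configuration the issue reports, added here as an example (not code from Solr or from anyone in this thread): it scans a security.json for the predefined "all" permission bound to a role under RuleBasedAuthorizationPlugin. The function name and the sample input, with a placeholder credential, are constructed for illustration.

```python
import json
import sys

# Constructed sample: same shape as the reporter's security.json,
# with the credential replaced by a placeholder.
SAMPLE = """
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "blockUnknown": true,
    "credentials": {"solr": "<hash> <salt>"}
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [{"name": "all", "role": "admin"}],
    "user-role": {"solr": "admin"}
  }
}
"""

AFFECTED = ("7.7", "8.0")  # "Affects Versions" as listed in the issue


def find_admin_ui_lockout(security_json):
    """Return one finding per rule matching the SOLR-13344 report, else []."""
    cfg = json.loads(security_json)
    authz = cfg.get("authorization") or {}
    if not str(authz.get("class", "")).endswith("RuleBasedAuthorizationPlugin"):
        return []
    findings = []
    for idx, perm in enumerate(authz.get("permissions") or []):
        # Only the reported case: predefined permission "all" tied to a role.
        if perm.get("name") != "all" or perm.get("role") is None:
            continue
        role = perm["role"]
        roles = role if isinstance(role, list) else [role]
        findings.append(
            "permissions[%d]: 'all' requires role(s) %s; on Solr %s the Admin UI "
            "answers 401 and the login page is not displayed"
            % (idx, ", ".join(roles), "/".join(AFFECTED))
        )
    return findings


if __name__ == "__main__":
    # Pass a path to a real security.json, or run with no argument for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for line in find_admin_ui_lockout(text) or ["no 'all' + role rule found"]:
        print(line)
```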