[
https://issues.apache.org/jira/browse/SOLR-13344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16808472#comment-16808472
]
Jan Høydahl commented on SOLR-13344:
------------------------------------
Great. I added this slightly re-worded CAUTION block to
{{rule-based-authorization-plugin.adoc}}:
{quote}Solr's Admin UI interacts with Solr using its regular APIs. When
rule-based authorization is in use, logged-in users not authorized to access
the full range of these APIs may see some sections of the UI that appear blank
or "broken". For best results, the Admin UI should only be accessed by users
with full API access.
{quote}
I'll merge this issue tomorrow if no further comments.
See new issue SOLR-13364 for an idea of how to fix this in the UI.

> Admin UI inaccessible with RuleBasedAuthorizationPlugin
> -------------------------------------------------------
>
> Key: SOLR-13344
> URL: https://issues.apache.org/jira/browse/SOLR-13344
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Admin UI, Authentication
> Affects Versions: 7.7, 8.0
> Reporter: Märt
> Assignee: Jan Høydahl
> Priority: Major
> Fix For: 8.1
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> SOLR-7896 made some changes to the admin ui login. After the changes I can no
> longer log in at all.
> I'm running standalone solr 7.7 (same with 8.0) with the following
> security.json:
> {code}
> {
>   "authentication": {
>     "class": "solr.BasicAuthPlugin",
>     "blockUnknown": true,
>     "credentials": {
>       "solr": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="
>     }
>   },
>   "authorization": {
>     "class": "solr.RuleBasedAuthorizationPlugin",
>     "permissions": [
>       {
>         "name": "all",
>         "role": "admin"
>       }
>     ],
>     "user-role": {
>       "solr": "admin"
>     }
>   }
> }
> {code}
> Opening the UI at http://localhost:8080/solr/ shows an error page with 401.
> The login page is not displayed because of the "all" permission being
> required. The browser's basic auth popup is not shown because the
> WWW-Authenticate header is not present. Changing the
> RuleBasedAuthorizationPlugin required permission from "all" to
> "security-edit" makes the login page appear.
> The bug can be reproduced as follows:
> # unpack solr-8.0.0.zip
> # copy the security.json example from
> https://lucene.apache.org/solr/guide/7_7/basic-authentication-plugin.html
> into server/solr/ and replace "name":"security-edit" with "name":"all"
> # start with bin/solr -f -p 8080
> # open http://localhost:8080/
> The bug was discussed on solr-user list
> http://mail-archives.apache.org/mod_mbox/lucene-solr-user/201903.mbox/%3C7629BDDD-3D22-4203-9188-0E0A8DCF2FEE%40cominvent.com%3E
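
An added example, not part of the original issue or of Solr itself: a small audit of a security.json for the configuration described above, where the "all" permission is tied to a role. The finding codes, the function name and the extra "reader" user are assumptions made for illustration, and the per-user check is a heuristic based on the CAUTION text.

```python
import json

# Constructed sample modelled on the security.json in the report, with one
# extra user ("reader") added for illustration; credential values are placeholders.
SAMPLE = """
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "blockUnknown": true,
    "credentials": {"solr": "<hash> <salt>", "reader": "<hash> <salt>"}
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [{"name": "all", "role": "admin"}],
    "user-role": {"solr": "admin"}
  }
}
"""

def _as_set(value):
    """Roles may be given as a single string or a list of strings."""
    if value is None:
        return set()
    return {value} if isinstance(value, str) else set(value)

def audit_security_json(text):
    """Return (code, detail) findings for the SOLR-13344 pattern."""
    cfg = json.loads(text)
    authn = cfg.get("authentication", {})
    authz = cfg.get("authorization", {})
    if not authz.get("class", "").endswith("RuleBasedAuthorizationPlugin"):
        return []
    roles_of = {u: _as_set(r) for u, r in authz.get("user-role", {}).items()}
    users = set(authn.get("credentials", {})) | set(roles_of)
    findings = []
    for perm in authz.get("permissions", []):
        required = _as_set(perm.get("role"))
        if perm.get("name") != "all" or not required:
            continue
        # Reported on 7.7 and 8.0: with "all" tied to a role the login page gets a 401.
        findings.append(("all-requires-role", ",".join(sorted(required))))
        if "*" in required:  # "*" is satisfied by any authenticated user
            continue
        # Heuristic: users without such a role lack full API access (see CAUTION text).
        for user in sorted(u for u in users if not roles_of.get(u, set()) & required):
            findings.append(("partial-admin-ui", user))
    return findings

if __name__ == "__main__":
    for code, detail in audit_security_json(SAMPLE):
        print(code, detail)
```

Run it against server/solr/security.json before upgrading to an affected version; an empty result means the "all" permission is not role-restricted in that file.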