[ https://issues.apache.org/jira/browse/SOLR-15573?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Timothy Potter updated SOLR-15573:
----------------------------------
    Description: 
I ran the following command to enable basic auth for my Solr installation:
{code}
bin/solr auth enable -type basicAuth -prompt true -z localhost:2181 -blockUnknown true
{code}
It created the security policy with {{blockUnknown=false}}. That's an issue ... 
the bigger issue is the Admin UI relies on getting a 401 from the backend to 
show login / logout but with blockUnknown=false, this never shows. I'm not 
seeing this behavior on main, only 8x, so I suspect it's been fixed and just 
not backported?!? Need to research.


  was:
These env vars get set in {{solr.in.sh}}

{code}
# The following lines added by ./solr for enabling BasicAuth
SOLR_AUTH_TYPE="basic"
SOLR_AUTHENTICATION_OPTS="-Dsolr.httpclient.config=/Users/tjp/dev/oss/lucene-solr-8x/solr/server/solr/basicAuth.conf"
{code}

When you visit the Admin UI, there's no login / logout (b/c the UI relies on 
seeing a 401 from the server when auth is enabled but since basicAuth.conf 
supplies the credentials, requests pass through?). This also confuses the new 
Security UI b/c it depends on having a username.

The security section that comes back from {{admin/system/info}} doesn't have a 
username, which means the {{req.getUserPrincipal()}} is null?

I didn't catch this initially when testing the new security UI against 8x as I 
supplied my own security.json with a different realm name.


> Basic auth must set blockUnknown=true for Admin UI to force login, with 
> blockUnknown=false there's no way to login to the admin UI to do privileged 
> actions
> -----------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SOLR-15573
>                 URL: https://issues.apache.org/jira/browse/SOLR-15573
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Timothy Potter
>            Assignee: Timothy Potter
>            Priority: Major
>             Fix For: 8.10
>
>         Attachments: no-username-but-basic-auth-enabled.png
>



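The description above turns on two things a practitioner will want to check by hand: what `bin/solr auth enable` actually wrote into security.json, and why a `blockUnknown=false` policy never makes the Admin UI prompt for a login. The following is an added example, not code from the issue or from Solr itself. It audits a security.json document, produces a hardened copy with `blockUnknown` forced to true, and models (as a simplifying assumption, not Solr's real request pipeline) the status an unauthenticated request gets under each setting. The embedded security.json is constructed for the example; its credential string is the `solr` / `SolrRocks` sample hash from the Solr Reference Guide, and the realm name is the Reference Guide default.

```python
import json

# Constructed example of the security.json the report says `bin/solr auth enable`
# wrote on 8.x: basic auth is on, but blockUnknown is false. The credential hash
# is the "solr"/"SolrRocks" sample from the Solr Reference Guide.
WEAK_SECURITY_JSON = """{
  "authentication": {
    "blockUnknown": false,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "solr": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="
    },
    "realm": "My Solr users",
    "forwardCredentials": false
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [{"name": "security-edit", "role": "admin"}],
    "user-role": {"solr": "admin"}
  }
}"""


def audit_security_json(text):
    """Return a list of findings for a security.json document; empty means it passes."""
    doc = json.loads(text)
    auth = doc.get("authentication") or {}
    findings = []
    if auth.get("class") != "solr.BasicAuthPlugin":
        findings.append("authentication.class is not solr.BasicAuthPlugin")
    if auth.get("blockUnknown") is not True:
        findings.append(
            "authentication.blockUnknown is not true: requests without credentials "
            "are served by every handler that has no permission rule, so the Admin UI "
            "never receives the 401 it relies on to show the login form"
        )
    if not auth.get("credentials"):
        findings.append("authentication.credentials is empty: nobody can log in")
    authz = doc.get("authorization") or {}
    if authz.get("class") != "solr.RuleBasedAuthorizationPlugin":
        findings.append("authorization.class is not solr.RuleBasedAuthorizationPlugin")
    return findings


def harden_security_json(text):
    """Return the same document with blockUnknown forced to true (pretty-printed JSON)."""
    doc = json.loads(text)
    doc.setdefault("authentication", {})["blockUnknown"] = True
    return json.dumps(doc, indent=2)


def anonymous_request_status(text, endpoint_has_permission_rule):
    """Simplified model (an assumption for this example, not Solr's own code) of the
    HTTP status Solr answers to a request that carries no Authorization header:
      - blockUnknown true  -> the authentication plugin rejects it outright: 401
      - blockUnknown false -> it passes through as an anonymous principal; only a
        handler protected by a permission rule makes authorization prompt: 401,
        any other handler simply serves the request: 200
    The Admin UI shows its login/logout controls only after it has seen a 401."""
    auth = json.loads(text).get("authentication") or {}
    if auth.get("blockUnknown") is True or endpoint_has_permission_rule:
        return 401
    return 200


if __name__ == "__main__":
    for finding in audit_security_json(WEAK_SECURITY_JSON):
        print("FINDING:", finding)
    fixed = harden_security_json(WEAK_SECURITY_JSON)
    print("after hardening:", audit_security_json(fixed) or "ok")
    # admin/info/system, the first call the Admin UI makes, has no permission rule
    # by default, so with blockUnknown=false it never triggers a login prompt.
    print("anonymous admin/info/system, weak :", anonymous_request_status(WEAK_SECURITY_JSON, False))
    print("anonymous admin/info/system, fixed:", anonymous_request_status(fixed, False))
```

To run this against a live cluster instead of the constructed document, pull the policy down first with `bin/solr zk cp zk:/security.json ./security.json -z localhost:2181`, feed the file's contents to `audit_security_json`, and confirm the model with `curl -i http://localhost:8983/solr/admin/info/system`: a 200 with no `WWW-Authenticate` header means anonymous requests are being served and the Admin UI will never show its login form.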
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
