Jess Sullivan created SOLR-17977:
------------------------------------
Summary: Admin UI incorrectly shows 'Security not enabled' in
SolrCloud with reverse proxies
Key: SOLR-17977
URL: https://issues.apache.org/jira/browse/SOLR-17977
Project: Solr
Issue Type: Improvement
Security Level: Public (Default Security Level. Issues are Public)
Components: Admin UI
Affects Versions: 10.0, 10.1
Environment: Rancher / RKE2 on Solr 10 in Cloud mode. Tested
Reporter: Jess Sullivan

Hi All,

I'd like to address / consider if there is additional clarity to be added
around BasicAuth detection behind proxies and/or complex k8s ingress service
chains in SolrCloud mode for Solr 10 onward. I've hummed and hawed about
trying to open a ticket with this, but I figure as more SolrCloud instances
land in Kubernetes behind various proxies and ingresses, assumption is it'd be
preferable to handle this slightly more gracefully from the admin UI.

My first pass at this can be found here:
[https://github.com/apache/solr/compare/main...Jesssullivan:solr:main]

Admin UI shows 'Security not enabled' when BasicAuth is configured behind
reverse proxies because the proxy injects auth headers, making the System API
return 200 OK instead of 401. This makes for inaccurate reporting in the UI in
CloudMode when basic Auth *is* enabled with common k8s ingress patterns.

I think one way to address this would be to add fallback detection methods in
security.js for BasicAuth detection:

1. System API check (existing sole Admin UI behavior)
2. Security API endpoint check for auth data/WWW-Authenticate headers
3. Direct ZooKeeper /security.json verification (cloudmode-specific)
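
The three-step fallback listed above, sketched as a pure decision function over already-collected probe results. This is an added example, not code from the linked branch or from Solr's security.js; the `detectBasicAuth` name, the probe object shape `{ status, headers, body }` and the response body fields are assumptions.

```javascript
// Added example. Probe objects are constructed stand-ins for HTTP responses;
// their body shapes are assumptions, not Solr's documented schema.

function isBasicPlugin(section) {
  // security.json names the plugin in authentication.class
  return !!section && /BasicAuthPlugin$/.test(String(section.class || ''));
}

function hasBasicChallenge(headers) {
  const key = Object.keys(headers || {}).find(k => k.toLowerCase() === 'www-authenticate');
  // "xBasic" is accepted too, on the assumption that AJAX callers may see it.
  return key !== undefined && /^\s*x?basic\b/i.test(headers[key]);
}

function detectBasicAuth({ system, securityApi, zkSecurityJson }) {
  // 1. System API: a 401 proves auth is enforced. A 200 proves nothing,
  //    because a proxy that injects credentials also produces a 200.
  if (system && system.status === 401) return { enabled: true, method: 'system' };

  // 2. Security API: challenge header, or auth data in the response.
  if (securityApi) {
    if (securityApi.status === 401 && hasBasicChallenge(securityApi.headers))
      return { enabled: true, method: 'security-api' };
    if (securityApi.status === 200 && isBasicPlugin((securityApi.body || {}).authentication))
      return { enabled: true, method: 'security-api' };
  }

  // 3. Cloud mode: parse /security.json as read from ZooKeeper.
  if (typeof zkSecurityJson === 'string') {
    try {
      const parsed = JSON.parse(zkSecurityJson);
      return { enabled: isBasicPlugin(parsed.authentication), method: 'zookeeper' };
    } catch (e) { /* malformed content: fall through to undetermined */ }
  }
  return { enabled: null, method: 'none' }; // undetermined, not "disabled"
}

// Constructed case: the proxy injects credentials, so both HTTP probes
// return 200 with no auth data, and only the ZooKeeper content settles it.
const behindProxy = detectBasicAuth({
  system: { status: 200, headers: {}, body: {} },
  securityApi: { status: 200, headers: {}, body: {} },
  zkSecurityJson: '{"authentication":{"class":"solr.BasicAuthPlugin","blockUnknown":true}}'
});
console.log(behindProxy);
```

Returning `null` rather than `false` when no probe is conclusive lets the UI show "unknown" instead of asserting that security is off.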