Below is the security.json (with password hashes redacted): in Solr7.4 it
prompts for a password and (if you get it right) lets you into the whole GUI;
But in Solr8.1.1 and in Solr 8.3, it does not prompt for a password before
letting you into a crippled version of the GUI (as depicted in the attachment)
{
"authentication":{
"class":"solr.BasicAuthPlugin",
"credentials":{
"solradmin":"[redacted]",
"pysolrmon":"[redacted]",
"solrtrg":"[redacted]"},
"":{"v":2}},
"authorization":{
"class":"solr.RuleBasedAuthorizationPlugin",
"user-role":{
"solradmin":[
"admin",
"allgen",
"trgadmin",
"genadmin"],
"solrtrg":[
"trgadmin",
"allgen"],
"pysolrmon":["clustatus_role"]},
"permissions":[
{
"name":"gen_admin",
"collection":"NULL",
"path":"/admin/cores",
"params":{"action":[
"REGEX:(?i)CREATE",
"REGEX:(?i)RENAME",
"REGEX:(?i)SWAP",
"REGEX:(?i)UNLOAD",
"REGEX:(?i)SPLIT"]},
"role":"genadmin"},
{
"name":"col_admin",
"collection":null,
"path":"/admin/collections",
"params":{"action":[
"REGEX:(?i)CREATE",
"REGEX:(?i)MODIFYCOLLECTION",
"REGEX:(?i)SPLITSHARD",
"REGEX:(?i)CREATESHARD",
"REGEX:(?i)DELETESHARD",
"REGEX:(?i)CREATEALIAS",
"REGEX:(?i)DELETEALIAS",
"REGEX:(?i)DELETE",
"REGEX:(?i)DELETEREPLICA",
"REGEX:(?i)ADDREPLICA",
"REGEX:(?i)CLUSTERPROP",
"REGEX:(?i)MIGRATE",
"REGEX:(?i)ADDROLE",
"REGEX:(?i)REMOVEROLE",
"REGEX:(?i)ADDREPLICAPROP",
"REGEX:(?i)DELETEREPLICAPROP",
"REGEX:(?i)BALANCESHARDUNIQUE",
"REGEX:(?i)REBALANCELEADERS",
"REGEX:(?i)FORCELEADER",
"REGEX:(?i)MIGRATESTATEFORMAT"]},
"role":"genadmin"},
{
"name":"security-edit",
"role":"admin"},
{
"name":"clustatus",
"path":"/admin/collections",
"params":{"action":["REGEX:(?i)CLUSTERSTATUS"]},
"role":[
"clustatus_role",
"allgen"],
"collection":null},
{
"name":"corestatus",
"path":"/admin/cores",
"params":{"action":["REGEX:(?i)STATUS"]},
"role":[
"allgen",
"clustatus_role"],
"collection":null},
{
"name":"trgadmin",
"collection":"trg_col",
"path":"/admin/*",
"role":"trgadmin"},
{
"name":"open_select",
"path":"/select/*",
"role":null},
{
"name":"open_search",
"path":"/search/*",
"role":null},
{
"name":"catch-all-nocollection",
"collection":null,
"path":"/*",
"role":"allgen"},
{
"name":"catch-all-collection",
"path":"/*",
"role":"allgen"},
{
"name":"all-admincol",
"collection":null,
"path":"/admin/collections",
"role":"allgen"},
{
"name":"all-admincores",
"collection":null,
"path":"/admin/cores",
"role":"allgen"}],
"":{"v":5}}}
-----Original Message-----
From: Jan Høydahl <jan....@cominvent.com>
Sent: Wednesday, December 11, 2019 7:35 PM
To: solr-user@lucene.apache.org
Subject: Re: Solr8 changes how security.json restricts access to GUI
Please show your complete Security.json so we know how auth is configured.
Which 8.x version are you trying? There should be a login screen shown in admin
UI now.
Jan Høydahl
> 11. des. 2019 kl. 22:40 skrev Oakley, Craig (NIH/NLM/NCBI) [C]
> <craig.oak...@nih.gov.invalid>:
>
> In Solr 7, we had clauses in our security.json saying
>
> {
> "name":"all-admin",
> "collection":null,
> "path":"/*",
> "role":"allgen",
> "index":15},
> {
> "name":"all-core-handlers",
> "path":"/*",
> "role":"allgen",
> "index":16},
>
> We granted the role allgen to all users; but this kept our security folk
> happy in that no one could even get to the top level of the Solr GUI without
> a password.
>
> Now under Solr 8, the GUI does not prompt for a password. It just brings you
> into the GUI (albeit a stripped down version, saying such things as "No cores
> available"). By what means can we require a password to get this far? And by
> what means can we prompt for a password in order to get further?
