It looks as though I do not have an option under issues.apache.org/jira/projects/SOLR/issues by which to create an issue. Could you create one (and let me know its number)?
Thanks

-----Original Message-----
From: Jan Høydahl <jan....@cominvent.com>
Sent: Friday, December 13, 2019 3:52 PM
To: solr-user@lucene.apache.org
Subject: Re: Solr8 changes how security.json restricts access to GUI

Ok, we should perhaps print a warning somewhere that IE is not supported. Can you file a JIRA issue?

Jan Høydahl

> On 13 Dec 2019, at 21:43, Oakley, Craig (NIH/NLM/NCBI) [C] <craig.oak...@nih.gov.invalid> wrote:
>
> Well that is progress: indeed Firefox and Chrome and Edge do indeed prompt for login and password (as desired). It is Internet Explorer which does not, nor does curl (that is to say, if you ask curl only to go to the top level: host:port/solr -- going any further it will complain, such as your /solr/admin/info/system example gets Error 401 Authentication failed, Response code: 401)
>
> -----Original Message-----
> From: Jan Høydahl <jan....@cominvent.com>
> Sent: Friday, December 13, 2019 2:15 PM
> To: solr-user <solr-user@lucene.apache.org>
> Subject: Re: Solr8 changes how security.json restricts access to GUI
>
> I got your screenshot (https://www.dropbox.com/s/7tbn7gx3uag6jcg/crippledSolrGUI.jpg?dl=0)
>
> This is quite uncommon. You should see a login screen if you have basicAuth enabled.
> Have you tried a different browser?
>
> What do you get if you run this command
>
> curl -i http://your-solr-url/solr/admin/info/system
>
> Or if you use your browser’s developer tools to inspect network traffic?
>
> Jan
>
>> On 12 Dec 2019, at 23:49, Jan Høydahl <jan....@cominvent.com> wrote:
>>
>> Attachments are stripped from list, can you post a link to the screenshot of the UI when you first visit?
>>
>> Jan
>>
>>>> On 12 Dec 2019, at 17:27, Oakley, Craig (NIH/NLM/NCBI) [C] <craig.oak...@nih.gov.INVALID> wrote:
>>>
>>> Below is the security.json (with password hashes redacted): in Solr7.4 it prompts for a password and (if you get it right) lets you into the whole GUI; But in Solr8.1.1 and in Solr 8.3, it does not prompt for a password before letting you into a crippled version of the GUI (as depicted in the attachment)
>>>
>>> {
>>>   "authentication":{
>>>     "class":"solr.BasicAuthPlugin",
>>>     "credentials":{
>>>       "solradmin":"[redacted]",
>>>       "pysolrmon":"[redacted]",
>>>       "solrtrg":"[redacted]"},
>>>     "":{"v":2}},
>>>   "authorization":{
>>>     "class":"solr.RuleBasedAuthorizationPlugin",
>>>     "user-role":{
>>>       "solradmin":[
>>>         "admin",
>>>         "allgen",
>>>         "trgadmin",
>>>         "genadmin"],
>>>       "solrtrg":[
>>>         "trgadmin",
>>>         "allgen"],
>>>       "pysolrmon":["clustatus_role"]},
>>>     "permissions":[
>>>       {
>>>         "name":"gen_admin",
>>>         "collection":"NULL",
>>>         "path":"/admin/cores",
>>>         "params":{"action":[
>>>             "REGEX:(?i)CREATE",
>>>             "REGEX:(?i)RENAME",
>>>             "REGEX:(?i)SWAP",
>>>             "REGEX:(?i)UNLOAD",
>>>             "REGEX:(?i)SPLIT"]},
>>>         "role":"genadmin"},
>>>       {
>>>         "name":"col_admin",
>>>         "collection":null,
>>>         "path":"/admin/collections",
>>>         "params":{"action":[
>>>             "REGEX:(?i)CREATE",
>>>             "REGEX:(?i)MODIFYCOLLECTION",
>>>             "REGEX:(?i)SPLITSHARD",
>>>             "REGEX:(?i)CREATESHARD",
>>>             "REGEX:(?i)DELETESHARD",
>>>             "REGEX:(?i)CREATEALIAS",
>>>             "REGEX:(?i)DELETEALIAS",
>>>             "REGEX:(?i)DELETE",
>>>             "REGEX:(?i)DELETEREPLICA",
>>>             "REGEX:(?i)ADDREPLICA",
>>>             "REGEX:(?i)CLUSTERPROP",
>>>             "REGEX:(?i)MIGRATE",
>>>             "REGEX:(?i)ADDROLE",
>>>             "REGEX:(?i)REMOVEROLE",
>>>             "REGEX:(?i)ADDREPLICAPROP",
>>>             "REGEX:(?i)DELETEREPLICAPROP",
>>>             "REGEX:(?i)BALANCESHARDUNIQUE",
>>>             "REGEX:(?i)REBALANCELEADERS",
>>>             "REGEX:(?i)FORCELEADER",
>>>             "REGEX:(?i)MIGRATESTATEFORMAT"]},
>>>         "role":"genadmin"},
>>>       {
>>>         "name":"security-edit",
>>>         "role":"admin"},
>>>       {
>>>         "name":"clustatus",
>>>         "path":"/admin/collections",
>>>         "params":{"action":["REGEX:(?i)CLUSTERSTATUS"]},
>>>         "role":[
>>>           "clustatus_role",
>>>           "allgen"],
>>>         "collection":null},
>>>       {
>>>         "name":"corestatus",
>>>         "path":"/admin/cores",
>>>         "params":{"action":["REGEX:(?i)STATUS"]},
>>>         "role":[
>>>           "allgen",
>>>           "clustatus_role"],
>>>         "collection":null},
>>>       {
>>>         "name":"trgadmin",
>>>         "collection":"trg_col",
>>>         "path":"/admin/*",
>>>         "role":"trgadmin"},
>>>       {
>>>         "name":"open_select",
>>>         "path":"/select/*",
>>>         "role":null},
>>>       {
>>>         "name":"open_search",
>>>         "path":"/search/*",
>>>         "role":null},
>>>       {
>>>         "name":"catch-all-nocollection",
>>>         "collection":null,
>>>         "path":"/*",
>>>         "role":"allgen"},
>>>       {
>>>         "name":"catch-all-collection",
>>>         "path":"/*",
>>>         "role":"allgen"},
>>>       {
>>>         "name":"all-admincol",
>>>         "collection":null,
>>>         "path":"/admin/collections",
>>>         "role":"allgen"},
>>>       {
>>>         "name":"all-admincores",
>>>         "collection":null,
>>>         "path":"/admin/cores",
>>>         "role":"allgen"}],
>>>     "":{"v":5}}}
>>>
>>> -----Original Message-----
>>> From: Jan Høydahl <jan....@cominvent.com>
>>> Sent: Wednesday, December 11, 2019 7:35 PM
>>> To: solr-user@lucene.apache.org
>>> Subject: Re: Solr8 changes how security.json restricts access to GUI
>>>
>>> Please show your complete Security.json so we know how auth is configured. Which 8.x version are you trying? There should be a login screen shown in admin UI now.
>>>
>>> Jan Høydahl
>>>
>>>> On 11 Dec 2019, at 22:40, Oakley, Craig (NIH/NLM/NCBI) [C] <craig.oak...@nih.gov.invalid> wrote:
>>>>
>>>> In Solr 7, we had clauses in our security.json saying
>>>>
>>>> {
>>>>   "name":"all-admin",
>>>>   "collection":null,
>>>>   "path":"/*",
>>>>   "role":"allgen",
>>>>   "index":15},
>>>> {
>>>>   "name":"all-core-handlers",
>>>>   "path":"/*",
>>>>   "role":"allgen",
>>>>   "index":16},
>>>>
>>>> We granted the role allgen to all users; but this kept our security folk happy in that no one could even get to the top level of the Solr GUI without a password.
>>>>
>>>> Now under Solr 8, the GUI does not prompt for a password. It just brings you into the GUI (albeit a stripped down version, saying such things as "No cores available"). By what means can we require a password to get this far? And by what means can we prompt for a password in order to get further?
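Added example, not part of the thread and not Solr project code: a small Python audit of a security.json like the one quoted above, listing the settings that decide whether a request with no credentials is turned away. The check names and the `audit` helper are hypothetical, the sample is a constructed, trimmed copy of the quoted file, and `blockUnknown` is the BasicAuthPlugin option from the Solr reference guide, which the quoted file does not set.

```python
import json

# Constructed sample: a trimmed copy of the security.json quoted in the thread
# (hashes stay redacted; only four of the permissions are kept).
SAMPLE = json.loads("""
{"authentication": {"class": "solr.BasicAuthPlugin",
                    "credentials": {"solradmin": "[redacted]"}},
 "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
   "user-role": {"solradmin": ["admin", "allgen", "genadmin"],
                 "pysolrmon": ["clustatus_role"]},
   "permissions": [
     {"name": "gen_admin", "collection": "NULL", "path": "/admin/cores", "role": "genadmin"},
     {"name": "security-edit", "role": "admin"},
     {"name": "open_select", "path": "/select/*", "role": null},
     {"name": "catch-all-nocollection", "collection": null, "path": "/*", "role": "allgen"}]}}
""")

def as_list(value):
    """Roles may be given as a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def audit(cfg):
    """Return (check, permission_name) findings for a parsed security.json."""
    findings = []
    authn = cfg.get("authentication", {})
    # BasicAuthPlugin rejects credential-less requests at the authentication
    # stage only when blockUnknown is true (it defaults to false in Solr 7/8).
    if authn.get("class") == "solr.BasicAuthPlugin" and authn.get("blockUnknown") is not True:
        findings.append(("blockUnknown-not-true", None))
    authz = cfg.get("authorization", {})
    held = {r for roles in authz.get("user-role", {}).values() for r in as_list(roles)}
    for perm in authz.get("permissions", []):
        name = perm.get("name")
        # An explicit "role": null opens the rule to everyone, logged in or not.
        if "role" in perm and perm["role"] is None:
            findings.append(("open-to-anonymous", name))
        # The string "NULL" is not the JSON null that the neighbouring rules use.
        if isinstance(perm.get("collection"), str) and perm["collection"].lower() == "null":
            findings.append(("collection-is-string-null", name))
        # A rule whose role no user holds can never be satisfied by a login.
        for role in as_list(perm.get("role")):
            if role not in held and role != "*":
                findings.append(("role-held-by-nobody", name))
    return findings

if __name__ == "__main__":
    for check, name in audit(SAMPLE):
        print(f"{check}: {name or '(authentication block)'}")
```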