Thanks for raising the JIRA, I always think it best for the person closest to 
the problem to raise the JIRA, it’s usually more accurate ;)

> On Dec 13, 2019, at 8:49 PM, Oakley, Craig (NIH/NLM/NCBI) [C] 
> <craig.oak...@nih.gov.INVALID> wrote:
> 
> Thanks for the clarification
> 
> Created SOLR-14083
> 
> 
> -----Original Message-----
> From: Erick Erickson <erickerick...@gmail.com> 
> Sent: Friday, December 13, 2019 6:26 PM
> To: solr-user@lucene.apache.org
> Subject: Re: Solr8 changes how security.json restricts access to GUI
> 
> Anyone who has an account can open a JIRA, have you created one?
> 
>> On Dec 13, 2019, at 5:10 PM, Oakley, Craig (NIH/NLM/NCBI) [C] 
>> <craig.oak...@nih.gov.INVALID> wrote:
>> 
>> It looks as though I do not have an option under 
>> issues.apache.org/jira/projects/SOLR/issues by which to create an issue. 
>> Could you create one (and let me know its number)?
>> 
>> Thanks
>> 
>> -----Original Message-----
>> From: Jan Høydahl <jan....@cominvent.com> 
>> Sent: Friday, December 13, 2019 3:52 PM
>> To: solr-user@lucene.apache.org
>> Subject: Re: Solr8 changes how security.json restricts access to GUI
>> 
>> Ok, we should perhaps print a warning somewhere that IE is not supported. 
>> Can you file a JIRA issue? 
>> 
>> Jan Høydahl
>> 
>>> On 13 Dec 2019, at 21:43, Oakley, Craig (NIH/NLM/NCBI) [C] 
>>> <craig.oak...@nih.gov.invalid> wrote:
>>> 
>>> Well that is progress: indeed Firefox and Chrome and Edge do indeed prompt 
>>> for login and password (as desired). It is Internet Explorer which does 
>>> not, nor does curl (that is to say, if you ask curl only to go to the top 
>>> level: host:port/solr -- going any further it will complain, such as your 
>>> /solr/admin/info/system example gets Error 401 Authentication failed, 
>>> Response code: 401)
>>> 
>>> 
>>> 
>>> -----Original Message-----
>>> From: Jan Høydahl <jan....@cominvent.com> 
>>> Sent: Friday, December 13, 2019 2:15 PM
>>> To: solr-user <solr-user@lucene.apache.org>
>>> Subject: Re: Solr8 changes how security.json restricts access to GUI
>>> 
>>> I got your screenshot 
>>> (https://www.dropbox.com/s/7tbn7gx3uag6jcg/crippledSolrGUI.jpg?dl=0)
>>> 
>>> This is quite uncommon. You should see a login screen if you have 
>>> basicAuth enabled.
>>> Have you tried a different browser?
>>> 
>>> What do you get if you run this command
>>> 
>>> curl -i http://your-solr-url/solr/admin/info/system
>>> 
>>> Or if you use your browser’s developer tools to inspect network traffic?
>>> 
>>> Jan
>>> 
>>>> On 12 Dec 2019, at 23:49, Jan Høydahl <jan....@cominvent.com> wrote:
>>>> 
>>>> Attachments are stripped from list, can you post a link to the screenshot 
>>>> of the UI when you first visit?
>>>> 
>>>> Jan
>>>> 
>>>>>> On 12 Dec 2019, at 17:27, Oakley, Craig (NIH/NLM/NCBI) [C] 
>>>>>> <craig.oak...@nih.gov.INVALID> wrote:
>>>>> 
>>>>> Below is the security.json (with password hashes redacted): in Solr 7.4 it 
>>>>> prompts for a password and (if you get it right) lets you into the whole 
>>>>> GUI; but in Solr 8.1.1 and in Solr 8.3, it does not prompt for a password 
>>>>> before letting you into a crippled version of the GUI (as depicted in the 
>>>>> attachment)
>>>>> 
>>>>> {
>>>>> "authentication":{
>>>>> "class":"solr.BasicAuthPlugin",
>>>>> "credentials":{
>>>>>  "solradmin":"[redacted]",
>>>>>  "pysolrmon":"[redacted]",
>>>>>  "solrtrg":"[redacted]"},
>>>>> "":{"v":2}},
>>>>> "authorization":{
>>>>> "class":"solr.RuleBasedAuthorizationPlugin",
>>>>> "user-role":{
>>>>>  "solradmin":[
>>>>>    "admin",
>>>>>    "allgen",
>>>>>    "trgadmin",
>>>>>    "genadmin"],
>>>>>  "solrtrg":[
>>>>>    "trgadmin",
>>>>>    "allgen"],
>>>>>  "pysolrmon":["clustatus_role"]},
>>>>> "permissions":[
>>>>>  {
>>>>>    "name":"gen_admin",
>>>>>    "collection":"NULL",
>>>>>    "path":"/admin/cores",
>>>>>    "params":{"action":[
>>>>>        "REGEX:(?i)CREATE",
>>>>>        "REGEX:(?i)RENAME",
>>>>>        "REGEX:(?i)SWAP",
>>>>>        "REGEX:(?i)UNLOAD",
>>>>>        "REGEX:(?i)SPLIT"]},
>>>>>    "role":"genadmin"},
>>>>>  {
>>>>>    "name":"col_admin",
>>>>>    "collection":null,
>>>>>    "path":"/admin/collections",
>>>>>    "params":{"action":[
>>>>>        "REGEX:(?i)CREATE",
>>>>>        "REGEX:(?i)MODIFYCOLLECTION",
>>>>>        "REGEX:(?i)SPLITSHARD",
>>>>>        "REGEX:(?i)CREATESHARD",
>>>>>        "REGEX:(?i)DELETESHARD",
>>>>>        "REGEX:(?i)CREATEALIAS",
>>>>>        "REGEX:(?i)DELETEALIAS",
>>>>>        "REGEX:(?i)DELETE",
>>>>>        "REGEX:(?i)DELETEREPLICA",
>>>>>        "REGEX:(?i)ADDREPLICA",
>>>>>        "REGEX:(?i)CLUSTERPROP",
>>>>>        "REGEX:(?i)MIGRATE",
>>>>>        "REGEX:(?i)ADDROLE",
>>>>>        "REGEX:(?i)REMOVEROLE",
>>>>>        "REGEX:(?i)ADDREPLICAPROP",
>>>>>        "REGEX:(?i)DELETEREPLICAPROP",
>>>>>        "REGEX:(?i)BALANCESHARDUNIQUE",
>>>>>        "REGEX:(?i)REBALANCELEADERS",
>>>>>        "REGEX:(?i)FORCELEADER",
>>>>>        "REGEX:(?i)MIGRATESTATEFORMAT"]},
>>>>>    "role":"genadmin"},
>>>>>  {
>>>>>    "name":"security-edit",
>>>>>    "role":"admin"},
>>>>>  {
>>>>>    "name":"clustatus",
>>>>>    "path":"/admin/collections",
>>>>>    "params":{"action":["REGEX:(?i)CLUSTERSTATUS"]},
>>>>>    "role":[
>>>>>      "clustatus_role",
>>>>>      "allgen"],
>>>>>    "collection":null},
>>>>>  {
>>>>>    "name":"corestatus",
>>>>>    "path":"/admin/cores",
>>>>>    "params":{"action":["REGEX:(?i)STATUS"]},
>>>>>    "role":[
>>>>>      "allgen",
>>>>>      "clustatus_role"],
>>>>>    "collection":null},
>>>>>  {
>>>>>    "name":"trgadmin",
>>>>>    "collection":"trg_col",
>>>>>    "path":"/admin/*",
>>>>>    "role":"trgadmin"},
>>>>>  {
>>>>>    "name":"open_select",
>>>>>    "path":"/select/*",
>>>>>    "role":null},
>>>>>  {
>>>>>    "name":"open_search",
>>>>>    "path":"/search/*",
>>>>>    "role":null},
>>>>>  {
>>>>>    "name":"catch-all-nocollection",
>>>>>    "collection":null,
>>>>>    "path":"/*",
>>>>>    "role":"allgen"},
>>>>>  {
>>>>>    "name":"catch-all-collection",
>>>>>    "path":"/*",
>>>>>    "role":"allgen"},
>>>>>  {
>>>>>    "name":"all-admincol",
>>>>>    "collection":null,
>>>>>    "path":"/admin/collections",
>>>>>    "role":"allgen"},
>>>>>  {
>>>>>    "name":"all-admincores",
>>>>>    "collection":null,
>>>>>    "path":"/admin/cores",
>>>>>    "role":"allgen"}],
>>>>> "":{"v":5}}}
>>>>> 
>>>>> -----Original Message-----
>>>>> From: Jan Høydahl <jan....@cominvent.com> 
>>>>> Sent: Wednesday, December 11, 2019 7:35 PM
>>>>> To: solr-user@lucene.apache.org
>>>>> Subject: Re: Solr8 changes how security.json restricts access to GUI
>>>>> 
>>>>> Please show your complete Security.json so we know how auth is 
>>>>> configured. Which 8.x version are you trying? There should be a login 
>>>>> screen shown in admin UI now.
>>>>> 
>>>>> Jan Høydahl
>>>>> 
>>>>>> On 11 Dec 2019, at 22:40, Oakley, Craig (NIH/NLM/NCBI) [C] 
>>>>>> <craig.oak...@nih.gov.invalid> wrote:
>>>>>> 
>>>>>> In Solr 7, we had clauses in our security.json saying
>>>>>> 
>>>>>> {
>>>>>>   "name":"all-admin",
>>>>>>   "collection":null,
>>>>>>   "path":"/*",
>>>>>>   "role":"allgen",
>>>>>>   "index":15},
>>>>>> {
>>>>>>   "name":"all-core-handlers",
>>>>>>   "path":"/*",
>>>>>>   "role":"allgen",
>>>>>>   "index":16},
>>>>>> 
>>>>>> We granted the role allgen to all users; but this kept our security folk 
>>>>>> happy in that no one could even get to the top level of the Solr GUI 
>>>>>> without a password.
>>>>>> 
>>>>>> Now under Solr 8, the GUI does not prompt for a password. It just brings 
>>>>>> you into the GUI (albeit a stripped down version, saying such things as 
>>>>>> "No cores available"). By what means can we require a password to get 
>>>>>> this far? And by what means can we prompt for a password in order to get 
>>>>>> further?
>>>> 
>>> 
> 

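An added example, not part of the thread and not Solr's own code: a small Python audit of a security.json shaped like the one quoted above. It flags rules with "role":null (no role required), a "collection" written as the string "NULL" rather than JSON null, and an authentication block without blockUnknown set to true (a BasicAuthPlugin setting that does not appear in the posted file). The sample config is constructed, the function name audit is hypothetical, and treating the quoted "NULL" as a collection name rather than null is an assumption.

```python
import json

# Constructed sample, trimmed from the shape of the security.json quoted above.
SAMPLE = json.loads("""
{"authentication": {"class": "solr.BasicAuthPlugin",
                    "credentials": {"solradmin": "[redacted]"}},
 "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
   "user-role": {"solradmin": ["admin", "allgen", "genadmin"]},
   "permissions": [
     {"name": "gen_admin", "collection": "NULL", "path": "/admin/cores",
      "role": "genadmin"},
     {"name": "security-edit", "role": "admin"},
     {"name": "open_select", "path": "/select/*", "role": null},
     {"name": "catch-all-nocollection", "collection": null, "path": "/*",
      "role": "allgen"}]}}
""")


def audit(cfg):
    """Return (check, subject, message) findings for a parsed security.json."""
    findings = []
    authn = cfg.get("authentication") or {}
    # Without blockUnknown=true, a request that carries no credentials is
    # passed on and the authorization rules alone decide whether it gets a 401.
    if authn.get("blockUnknown") is not True:
        findings.append(("blockUnknown", "authentication",
                         "not true: requests without credentials reach "
                         "the authorization rules"))
    for perm in (cfg.get("authorization") or {}).get("permissions", []):
        name = perm.get("name", "<unnamed>")
        # An explicit null role means the rule requires no role at all.
        if "role" in perm and perm["role"] is None:
            findings.append(("anonymous", name, "role is null: %s needs no login"
                             % perm.get("path", "(predefined)")))
        # Assumption: a quoted "NULL" is read as a collection literally named
        # NULL, not as JSON null (rules outside any collection).
        coll = perm.get("collection")
        if isinstance(coll, str) and coll.lower() == "null":
            findings.append(("collection-string", name,
                             'collection is the string "%s", not JSON null' % coll))
    return findings


if __name__ == "__main__":
    for check, subject, message in audit(SAMPLE):
        print("%-18s %-24s %s" % (check, subject, message))
```
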