solr 7.7+ admin ui inaccessible with BasicAuthPlugin+RuleBasedAuthorizationPlugin

anon
Hi

SOLR-7896 made some changes to the admin ui login. After the changes I
can no longer log in at all.

I'm running standalone solr 7.7 (same with 8.0) with the following
security.json:

> {
>   "authentication": {
>     "class": "solr.BasicAuthPlugin",
>     "blockUnknown": true,
>     "credentials": {
>       "solr": "<hash for empty password string>"
>     },
>   },
>   "authorization": {
>     "class": "solr.RuleBasedAuthorizationPlugin",
>     "permissions": [
>       {
>         "name": "all",
>         "role": "admin"
>       }
>     ],
>     "user-role": {
>       "solr": "admin"
>     }
>   }
> }

Opening the UI at http://localhost:8080/solr/ shows an error page with
401. The login page is not displayed because of the "all" permission
being required. The browser's basic auth popup is not shown because the
WWW-Authenticate header is not present. Changing the
RuleBasedAuthorizationPlugin required permission from "all" to
"security-edit" makes the login page appear.

The above basic auth + "all" permission was working ok with solr 7.5,
but no longer works with 7.7+. Is this behaviour intended and/or documented?

Another issue is with using empty password strings. This used to work
with the browser's native basic auth, but not by the login page
("Password is required" error). Is there some way to use an empty
password with the login page? If not, is there a way to continue using
the browser's native basic auth?

Best regards
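As an added example, not code from this thread or from the Solr project, here is a small Python audit for a security.json of the shape posted above. It assumes the credential format of Solr's Sha256AuthenticationProvider (base64(sha256(sha256(salt || password))), a space, then the base64 salt) and flags the two things this thread is about: a permission named "all" assigned to a role, and a stored credential that verifies against the empty password. The placeholder "<hash for empty password string>" is replaced by a credential generated for the empty password under a fixed, constructed salt, and the trailing comma after the "credentials" object in the posted JSON is dropped because Python's json module rejects it.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
from typing import List, Optional, Tuple


def sha256_credential(password: str, salt_b64: str) -> str:
    """Hash a password the way Solr's Sha256AuthenticationProvider does
    (assumed from its source): base64(sha256(sha256(salt || password)))."""
    salt = base64.b64decode(salt_b64)
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(hashlib.sha256(inner).digest()).decode("ascii")


def make_credential(password: str, salt: Optional[bytes] = None) -> str:
    """Build the '<hash> <salt>' string stored under "credentials"."""
    if salt is None:
        salt = os.urandom(32)  # Solr generates a 32-byte random salt
    salt_b64 = base64.b64encode(salt).decode("ascii")
    return f"{sha256_credential(password, salt_b64)} {salt_b64}"


def verify_credential(stored: str, password: str) -> bool:
    """True if the stored '<hash> <salt>' credential matches the password."""
    parts = stored.split(" ")
    if len(parts) != 2:
        return False
    try:
        expected = sha256_credential(password, parts[1]).encode("ascii")
    except (binascii.Error, ValueError):
        return False
    return hmac.compare_digest(expected, parts[0].encode("ascii"))


def audit_security_json(text: str) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for the two problems raised in the thread."""
    cfg = json.loads(text)
    findings: List[Tuple[str, str]] = []
    for perm in cfg.get("authorization", {}).get("permissions", []):
        # "all" covers every path, which on 7.7+ includes the admin UI's static files
        if perm.get("name") == "all":
            findings.append(("all-permission", str(perm.get("role"))))
    for user, cred in cfg.get("authentication", {}).get("credentials", {}).items():
        # a credential that verifies against "" makes the account username-only
        if verify_credential(cred, ""):
            findings.append(("empty-password", user))
    return findings


# Constructed sample: the security.json from the post, with the placeholder hash
# replaced by a credential for the empty password under a fixed, constructed salt.
SAMPLE_SECURITY_JSON = """{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "blockUnknown": true,
    "credentials": {
      "solr": "EMPTY_PASSWORD_CREDENTIAL"
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "all", "role": "admin"}
    ],
    "user-role": {"solr": "admin"}
  }
}""".replace("EMPTY_PASSWORD_CREDENTIAL", make_credential("", salt=bytes(range(32))))


if __name__ == "__main__":
    for finding, detail in audit_security_json(SAMPLE_SECURITY_JSON):
        print(f"{finding}: {detail}")
```

Run against a real server/solr/security.json, the audit reports both findings for the configuration in the post; swapping the "all" permission for "security-edit", as the post describes, leaves only the empty-password finding.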

Re: solr 7.7+ admin ui inaccessible with BasicAuthPlugin+RuleBasedAuthorizationPlugin

Jan Høydahl / Cominvent
Hi

Can you take a screenshot of the 401 error page you see (without login form)?

Also, perhaps you could do a curl -I (show headers) request to your Solr and show what headers that Solr returns instead of the www-authenticate header?

Jan

> On 23 Mar 2019 at 15:34, [hidden email] wrote:

Re: solr 7.7+ admin ui inaccessible with BasicAuthPlugin+RuleBasedAuthorizationPlugin

anon
Hi

Here is the curl:
> $ curl -I http://localhost:8080/solr/
> HTTP/1.1 401 Unauthorized request, Response code: 401
> Cache-Control: must-revalidate,no-cache,no-store
> Content-Type: text/html;charset=iso-8859-1
> Content-Length: 299
And the screenshot: https://i.imgur.com/PMTE3nR.png

I'll also note that it's wonderfully easy to reproduce:
1. unpack solr-8.0.0.zip
2. copy the security.json example from
https://lucene.apache.org/solr/guide/7_7/basic-authentication-plugin.html 
into server/solr/ and replace "name":"security-edit" with "name":"all"
3. start with bin/solr -f -p 8080
4. open http://localhost:8080/

Thanks for looking into it!

Best regards


On 23/03/2019 19:03, Jan Høydahl wrote:

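As an added example, not code from this thread, here is a Python helper that parses `curl -I` output like the one quoted above and tells the cases apart that matter for the admin UI: a 401 carrying a `WWW-Authenticate: Basic` challenge (the browser shows its native prompt), a 401 carrying some other challenge, and a 401 with no challenge at all, which is what the post shows and why the browser does nothing. The blocked sample is the response from the post; the challenge sample and its realm value are constructed.

```python
from typing import Dict, Tuple

# Constructed from the curl -I output quoted in the post above.
BLOCKED_RESPONSE = """HTTP/1.1 401 Unauthorized request, Response code: 401
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 299
"""

# Constructed: the shape of a 401 that lets a browser show its native Basic prompt.
CHALLENGE_RESPONSE = """HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="solr"
Content-Type: text/html;charset=utf-8
Content-Length: 0
"""


def parse_head_output(text: str) -> Tuple[int, Dict[str, str]]:
    """Parse 'curl -I' output into (status code, lower-cased header map)."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty response")
    # status line: "HTTP/1.1 401 <reason>"; the reason may contain anything
    status = int(lines[0].split(None, 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def diagnose_401(text: str) -> str:
    """Classify a response by whether a 401 carries an auth challenge."""
    status, headers = parse_head_output(text)
    if status != 401:
        return "not-a-401"
    challenge = headers.get("www-authenticate")
    if challenge is None:
        return "401-without-challenge"   # browser has nothing to act on
    if challenge.lower().startswith("basic"):
        return "basic-challenge"         # browser shows its native prompt
    return "other-challenge"


if __name__ == "__main__":
    for label, sample in (("post", BLOCKED_RESPONSE), ("constructed", CHALLENGE_RESPONSE)):
        print(f"{label}: {diagnose_401(sample)}")
```

Feed it the output of `curl -I http://localhost:8080/solr/` against a test instance to confirm which case a given security.json produces before relying on the browser prompt or the login page.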

Re: solr 7.7+ admin ui inaccessible with BasicAuthPlugin+RuleBasedAuthorizationPlugin

Jan Høydahl / Cominvent
Thanks. Looks like the «all» permission actually blocks access to the AdminGui servlet so we won’t even serve the static UI files :)

Please open a JIRA issue for this.

You can open another JIRA for the “empty password” issue. We should be consistent so if we allow creation of user with empty pw then it should be possible to enter it. Or we could disallow empty pw in the API :)

Jan Høydahl

> On 23 Mar 2019 at 18:37, [hidden email] wrote:

Re: solr 7.7+ admin ui inaccessible with BasicAuthPlugin+RuleBasedAuthorizationPlugin

anon
Thanks for investigating! I really appreciate the quick response.

I've created the jiras:

* https://issues.apache.org/jira/browse/SOLR-13344 for the AdminGui issue
* https://issues.apache.org/jira/browse/SOLR-13345 for the empty passwords

> if we allow creation of user with empty pw
I'd note that the user was not created via any API. Our CI basically
dumps the pre-generated security config into the server/solr folder.
This configuration option is very convenient and I hope this will remain
supported :)

Best regards


On 24/03/2019 12:24, Jan Høydahl wrote:
