Solr8 changes how security.json restricts access to GUI


Solr8 changes how security.json restricts access to GUI

Oakley, Craig (NIH/NLM/NCBI) [C]-2
In Solr 7, we had clauses in our security.json saying

      {
        "name":"all-admin",
        "collection":null,
        "path":"/*",
        "role":"allgen",
        "index":15},
      {
        "name":"all-core-handlers",
        "path":"/*",
        "role":"allgen",
        "index":16},

We granted the role allgen to all users; but this kept our security folk happy in that no one could even get to the top level of the Solr GUI without a password.

Now under Solr 8, the GUI does not prompt for a password. It just brings you into the GUI (albeit a stripped down version, saying such things as "No cores available"). By what means can we require a password to get this far? And by what means can we prompt for a password in order to get further?

Re: Solr8 changes how security.json restricts access to GUI

Jan Høydahl / Cominvent
Please show your complete security.json so we know how auth is configured. Which 8.x version are you trying? There should be a login screen shown in the admin UI now.

Jan Høydahl

> On 11 Dec 2019 at 22:40, Oakley, Craig (NIH/NLM/NCBI) [C] <[hidden email]> wrote:

RE: Solr8 changes how security.json restricts access to GUI

Oakley, Craig (NIH/NLM/NCBI) [C]-2
Below is the security.json (with password hashes redacted): in Solr 7.4 it prompts for a password and (if you get it right) lets you into the whole GUI; but in Solr 8.1.1 and in Solr 8.3, it does not prompt for a password before letting you into a crippled version of the GUI (as depicted in the attachment).

{
  "authentication":{
    "class":"solr.BasicAuthPlugin",
    "credentials":{
      "solradmin":"[redacted]",
      "pysolrmon":"[redacted]",
      "solrtrg":"[redacted]"},
    "":{"v":2}},
  "authorization":{
    "class":"solr.RuleBasedAuthorizationPlugin",
    "user-role":{
      "solradmin":[
        "admin",
        "allgen",
        "trgadmin",
        "genadmin"],
      "solrtrg":[
        "trgadmin",
        "allgen"],
      "pysolrmon":["clustatus_role"]},
    "permissions":[
      {
        "name":"gen_admin",
        "collection":"NULL",
        "path":"/admin/cores",
        "params":{"action":[
            "REGEX:(?i)CREATE",
            "REGEX:(?i)RENAME",
            "REGEX:(?i)SWAP",
            "REGEX:(?i)UNLOAD",
            "REGEX:(?i)SPLIT"]},
        "role":"genadmin"},
      {
        "name":"col_admin",
        "collection":null,
        "path":"/admin/collections",
        "params":{"action":[
            "REGEX:(?i)CREATE",
            "REGEX:(?i)MODIFYCOLLECTION",
            "REGEX:(?i)SPLITSHARD",
            "REGEX:(?i)CREATESHARD",
            "REGEX:(?i)DELETESHARD",
            "REGEX:(?i)CREATEALIAS",
            "REGEX:(?i)DELETEALIAS",
            "REGEX:(?i)DELETE",
            "REGEX:(?i)DELETEREPLICA",
            "REGEX:(?i)ADDREPLICA",
            "REGEX:(?i)CLUSTERPROP",
            "REGEX:(?i)MIGRATE",
            "REGEX:(?i)ADDROLE",
            "REGEX:(?i)REMOVEROLE",
            "REGEX:(?i)ADDREPLICAPROP",
            "REGEX:(?i)DELETEREPLICAPROP",
            "REGEX:(?i)BALANCESHARDUNIQUE",
            "REGEX:(?i)REBALANCELEADERS",
            "REGEX:(?i)FORCELEADER",
            "REGEX:(?i)MIGRATESTATEFORMAT"]},
        "role":"genadmin"},
      {
        "name":"security-edit",
        "role":"admin"},
      {
        "name":"clustatus",
        "path":"/admin/collections",
        "params":{"action":["REGEX:(?i)CLUSTERSTATUS"]},
        "role":[
          "clustatus_role",
          "allgen"],
        "collection":null},
      {
        "name":"corestatus",
        "path":"/admin/cores",
        "params":{"action":["REGEX:(?i)STATUS"]},
        "role":[
          "allgen",
          "clustatus_role"],
        "collection":null},
      {
        "name":"trgadmin",
        "collection":"trg_col",
        "path":"/admin/*",
        "role":"trgadmin"},
      {
        "name":"open_select",
        "path":"/select/*",
        "role":null},
      {
        "name":"open_search",
        "path":"/search/*",
        "role":null},
      {
        "name":"catch-all-nocollection",
        "collection":null,
        "path":"/*",
        "role":"allgen"},
      {
        "name":"catch-all-collection",
        "path":"/*",
        "role":"allgen"},
      {
        "name":"all-admincol",
        "collection":null,
        "path":"/admin/collections",
        "role":"allgen"},
      {
        "name":"all-admincores",
        "collection":null,
        "path":"/admin/cores",
        "role":"allgen"}],
    "":{"v":5}}}

-----Original Message-----
From: Jan Høydahl <[hidden email]>
Sent: Wednesday, December 11, 2019 7:35 PM
To: [hidden email]
Subject: Re: Solr8 changes how security.json restricts access to GUI

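Two checks that follow from this exchange, as an added example (this is not Solr's code and not the poster's configuration): a linter that reads a security.json purely as data and flags what a reviewer would ask about (a "collection" given as the string "NULL" rather than JSON null, rules with role null that need no credentials at all, roles granted in permissions that no user holds, and whether authentication.blockUnknown is set explicitly), and a no-credentials probe that does in Python what the `curl -i` check later in the thread does: request endpoints without credentials and report the HTTP status, expecting 401 on anything protected. The embedded security.json is a constructed excerpt modelled on the one above, with placeholder hashes and an extra "metrics" rule added to exercise the dead-role check. The linter does not re-implement Solr's permission resolution order (exact-path versus wildcard rules), so it reports smells to review rather than allow/deny verdicts; the hostname in the usage comment is a placeholder.

```python
"""Review checks for a Solr security.json, plus a no-credentials probe.

Added example; not Solr's code and not the configuration posted on the
list.  It reads the JSON as data and does NOT re-implement Solr's
permission resolution, which the reference guide for your version defines.
"""
import json
import urllib.error
import urllib.request

# Constructed excerpt modelled on the thread's security.json.  Hashes are
# placeholders; the "metrics" rule is invented to exercise the dead-role check.
SECURITY_JSON = r'''
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "solradmin": "PLACEHOLDER-HASH",
      "pysolrmon": "PLACEHOLDER-HASH",
      "solrtrg": "PLACEHOLDER-HASH"
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {
      "solradmin": ["admin", "allgen", "trgadmin", "genadmin"],
      "solrtrg": ["trgadmin", "allgen"],
      "pysolrmon": ["clustatus_role"]
    },
    "permissions": [
      {"name": "gen_admin", "collection": "NULL", "path": "/admin/cores",
       "params": {"action": ["REGEX:(?i)CREATE", "REGEX:(?i)UNLOAD"]},
       "role": "genadmin"},
      {"name": "security-edit", "role": "admin"},
      {"name": "clustatus", "collection": null, "path": "/admin/collections",
       "params": {"action": ["REGEX:(?i)CLUSTERSTATUS"]},
       "role": ["clustatus_role", "allgen"]},
      {"name": "trgadmin", "collection": "trg_col", "path": "/admin/*",
       "role": "trgadmin"},
      {"name": "open_select", "path": "/select/*", "role": null},
      {"name": "catch-all-nocollection", "collection": null, "path": "/*",
       "role": "allgen"},
      {"name": "catch-all-collection", "path": "/*", "role": "allgen"},
      {"name": "metrics", "path": "/admin/metrics", "role": "metrics_reader"}
    ]
  }
}
'''


def _as_set(value):
    """Normalise a role value (string, list or JSON null) to a set."""
    if value is None:
        return {None}
    if isinstance(value, str):
        return {value}
    return set(value)


def lint_security_json(text):
    """Return a dict of configuration smells worth a reviewer's attention."""
    cfg = json.loads(text)
    authn = cfg.get("authentication", {})
    authz = cfg.get("authorization", {})

    held = set()                                   # roles some user actually has
    for roles in authz.get("user-role", {}).values():
        held |= _as_set(roles)

    string_null, anonymous, granted = [], [], set()
    for perm in authz.get("permissions", []):
        name = perm.get("name", "<unnamed>")
        coll = perm.get("collection")
        # The plugin documents JSON null for "no collection" (admin requests);
        # a quoted "NULL" is an ordinary collection name and is easy to miss.
        if isinstance(coll, str) and coll.lower() == "null":
            string_null.append(name)
        roles = _as_set(perm.get("role"))
        if None in roles:
            anonymous.append(name)                 # role null: no credentials
        granted |= roles - {None}

    return {
        "block_unknown": authn.get("blockUnknown"),  # None = not set explicitly
        "string_null_collection": string_null,
        "anonymous_rules": anonymous,
        "dead_roles": sorted(granted - held),        # granted, but nobody has them
        "unused_roles": sorted(held - granted),      # held, but never checked
    }


def probe_unauthenticated(base_url, paths, opener=urllib.request.urlopen):
    """GET each path with no credentials; return {path: HTTP status}.

    Protected endpoints should answer 401, as the thread's curl output shows.
    `opener` is injectable so the logic can be exercised without a live Solr.
    """
    statuses = {}
    for path in paths:
        req = urllib.request.Request(base_url.rstrip("/") + path)
        try:
            with opener(req, timeout=5) as resp:
                statuses[path] = resp.status
        except urllib.error.HTTPError as err:
            statuses[path] = err.code
    return statuses


if __name__ == "__main__":
    for key, val in lint_security_json(SECURITY_JSON).items():
        print(f"{key}: {val}")
    # Against a real instance (placeholder host):
    # print(probe_unauthenticated("http://solr.example:8983/solr",
    #                             ["/admin/info/system", "/admin/cores"]))
```

Run the linter against the real file before a deploy; an empty `dead_roles` and `string_null_collection` and a non-empty `anonymous_rules` list that contains only the endpoints you meant to leave open is the expected picture. The probe is the same verification Jan's curl performs, just repeatable across a list of endpoints.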

Re: Solr8 changes how security.json restricts access to GUI

Jan Høydahl / Cominvent
Attachments are stripped from list, can you post a link to the screenshot of the UI when you first visit?

Jan

> On 12 Dec 2019 at 17:27, Oakley, Craig (NIH/NLM/NCBI) [C] <[hidden email]> wrote:


Re: Solr8 changes how security.json restricts access to GUI

Jan Høydahl / Cominvent
I got your screenshot (https://www.dropbox.com/s/7tbn7gx3uag6jcg/crippledSolrGUI.jpg?dl=0)

This is quite uncommon. You should see a login screen if you have basicAuth enabled.
Have you tried a different browser?

What do you get if you run this command

curl -i http://your-solr-url/solr/admin/info/system

Or if you use your browser’s developer tools to inspect network traffic?

Jan

> On 12 Dec 2019 at 23:49, Jan Høydahl <[hidden email]> wrote:


RE: Solr8 changes how security.json restricts access to GUI

Oakley, Craig (NIH/NLM/NCBI) [C]-2
Well, that is progress: Firefox, Chrome and Edge do indeed prompt for login and password (as desired). It is Internet Explorer which does not, nor does curl (that is to say, if you ask curl only to go to the top level, host:port/solr; going any further it will complain, for example your /solr/admin/info/system example gets "Error 401 Authentication failed, Response code: 401").



-----Original Message-----
From: Jan Høydahl <[hidden email]>
Sent: Friday, December 13, 2019 2:15 PM
To: solr-user <[hidden email]>
Subject: Re: Solr8 changes how security.json restricts access to GUI



Re: Solr8 changes how security.json restricts access to GUI

Jan Høydahl / Cominvent
OK, we should perhaps print a warning somewhere that IE is not supported. Can you file a JIRA issue?

Jan Høydahl

> On 13 Dec 2019 at 21:43, Oakley, Craig (NIH/NLM/NCBI) [C] <[hidden email]> wrote:

RE: Solr8 changes how security.json restricts access to GUI

Oakley, Craig (NIH/NLM/NCBI) [C]-2
It looks as though I do not have an option under issues.apache.org/jira/projects/SOLR/issues by which to create an issue. Could you create one (and let me know its number)?

Thanks

-----Original Message-----
From: Jan Høydahl <[hidden email]>
Sent: Friday, December 13, 2019 3:52 PM
To: [hidden email]
Subject: Re: Solr8 changes how security.json restricts access to GUI

>>>          "REGEX:(?i)REBALANCELEADERS",
>>>          "REGEX:(?i)FORCELEADER",
>>>          "REGEX:(?i)MIGRATESTATEFORMAT"]},
>>>      "role":"genadmin"},
>>>    {
>>>      "name":"security-edit",
>>>      "role":"admin"},
>>>    {
>>>      "name":"clustatus",
>>>      "path":"/admin/collections",
>>>      "params":{"action":["REGEX:(?i)CLUSTERSTATUS"]},
>>>      "role":[
>>>        "clustatus_role",
>>>        "allgen"],
>>>      "collection":null},
>>>    {
>>>      "name":"corestatus",
>>>      "path":"/admin/cores",
>>>      "params":{"action":["REGEX:(?i)STATUS"]},
>>>      "role":[
>>>        "allgen",
>>>        "clustatus_role"],
>>>      "collection":null},
>>>    {
>>>      "name":"trgadmin",
>>>      "collection":"trg_col",
>>>      "path":"/admin/*",
>>>      "role":"trgadmin"},
>>>    {
>>>      "name":"open_select",
>>>      "path":"/select/*",
>>>      "role":null},
>>>    {
>>>      "name":"open_search",
>>>      "path":"/search/*",
>>>      "role":null},
>>>    {
>>>      "name":"catch-all-nocollection",
>>>      "collection":null,
>>>      "path":"/*",
>>>      "role":"allgen"},
>>>    {
>>>      "name":"catch-all-collection",
>>>      "path":"/*",
>>>      "role":"allgen"},
>>>    {
>>>      "name":"all-admincol",
>>>      "collection":null,
>>>      "path":"/admin/collections",
>>>      "role":"allgen"},
>>>    {
>>>      "name":"all-admincores",
>>>      "collection":null,
>>>      "path":"/admin/cores",
>>>      "role":"allgen"}],
>>>  "":{"v":5}}}
>>>
>>> -----Original Message-----
>>> From: Jan Høydahl <[hidden email]>
>>> Sent: Wednesday, December 11, 2019 7:35 PM
>>> To: [hidden email]
>>> Subject: Re: Solr8 changes how security.json restricts access to GUI
>>>
>>> Please show your complete Security.json so we know how auth is configured. Which 8.x version are you trying? There should be a login screen shown in admin UI now.
>>>
>>> Jan Høydahl
>>>
>>>> 11. des. 2019 kl. 22:40 skrev Oakley, Craig (NIH/NLM/NCBI) [C] <[hidden email]>:
>>>>
>>>> In Solr 7, we had clauses in our security.json saying
>>>>
>>>>   {
>>>>     "name":"all-admin",
>>>>     "collection":null,
>>>>     "path":"/*",
>>>>     "role":"allgen",
>>>>     "index":15},
>>>>   {
>>>>     "name":"all-core-handlers",
>>>>     "path":"/*",
>>>>     "role":"allgen",
>>>>     "index":16},
>>>>
>>>> We granted the role allgen to all users; but this kept our security folk happy in that no one could even get to the top level of the Solr GUI without a password.
>>>>
>>>> Now under Solr 8, the GUI does not prompt for a password. It just brings you into the GUI (albeit a stripped down version, saying such things as "No cores available"). By what means can we require a password to get this far? And by what means can we prompt for a password in order to get further?
>>
>
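The question behind the quoted security.json is which rule decides for a given request, and why the two "/*" catch-alls turn every request they cover into a 401 for a caller with no credentials. The Python below is an added example, not Solr's code and not something posted in the thread; it models the RuleBasedAuthorizationPlugin's first-match evaluation as I understand it from the Solr reference guide and runs it over a constructed subset of the posted permissions. The assumed semantics are: rules are tried in list order and the first one whose path, collection and params match decides; "collection": null matches only node-level requests; an omitted collection matches any collection; a path ending in "/*" is a prefix match; "REGEX:" param values are full-match regular expressions; "role": null is open to everyone. Predefined permissions without a path (such as security-edit) are skipped, and the mapping from an HTTP request to a handler path and collection is not modelled. None of that is confirmed by the thread; check it against your Solr version's documentation before relying on it.

```python
"""Toy first-match evaluator for Solr RuleBasedAuthorizationPlugin permissions.

Added illustration, not Solr's own code.  Assumed semantics: first matching rule
decides; "collection": null matches only node-level requests; an omitted collection
matches any collection; "/*" paths are prefix matches; "REGEX:" params are
full-match regexes; "role": null is open to everyone (including anonymous callers).
"""
from __future__ import annotations
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed subset of the permissions quoted in the thread (password hashes omitted).
SECURITY_JSON = """{
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {"solradmin": ["admin", "allgen", "trgadmin", "genadmin"],
                  "solrtrg": ["trgadmin", "allgen"],
                  "pysolrmon": ["clustatus_role"]},
    "permissions": [
      {"name": "corestatus", "path": "/admin/cores",
       "params": {"action": ["REGEX:(?i)STATUS"]},
       "role": ["allgen", "clustatus_role"], "collection": null},
      {"name": "trgadmin", "collection": "trg_col", "path": "/admin/*", "role": "trgadmin"},
      {"name": "open_select", "path": "/select/*", "role": null},
      {"name": "catch-all-nocollection", "collection": null, "path": "/*", "role": "allgen"},
      {"name": "catch-all-collection", "path": "/*", "role": "allgen"}
    ]
  }
}"""

NODE_LEVEL = object()  # sentinel: rule applies only to requests that name no collection

@dataclass
class Rule:
    name: str
    path: str
    roles: Optional[frozenset]   # None: open to anyone, even unauthenticated
    collections: object          # NODE_LEVEL, "*" (any collection) or frozenset of names
    params: dict = field(default_factory=dict)

@dataclass
class Request:
    path: str                          # handler path, e.g. "/admin/cores"
    collection: Optional[str] = None   # None for node-level (admin) requests
    params: dict = field(default_factory=dict)

def _as_set(value) -> Optional[frozenset]:
    if value is None:
        return None
    return frozenset([value] if isinstance(value, str) else value)

def load_rules(security_json: str) -> list[Rule]:
    """Parse the permissions list in order; predefined names without a path are skipped."""
    rules = []
    for p in json.loads(security_json)["authorization"]["permissions"]:
        if "path" not in p:
            continue
        if "collection" not in p:
            coll = "*"
        elif p["collection"] is None:
            coll = NODE_LEVEL
        else:
            coll = _as_set(p["collection"])
        rules.append(Rule(p["name"], p["path"], _as_set(p.get("role")), coll, p.get("params", {})))
    return rules

def load_user_roles(security_json: str) -> dict[str, frozenset]:
    auth = json.loads(security_json)["authorization"]
    return {user: frozenset(roles) for user, roles in auth["user-role"].items()}

def _path_matches(rule_path: str, req_path: str) -> bool:
    if rule_path.endswith("/*"):
        prefix = rule_path[:-2]
        return req_path == prefix or req_path.startswith(prefix + "/")
    return rule_path == req_path

def _collection_matches(rule: Rule, req: Request) -> bool:
    if rule.collections is NODE_LEVEL:
        return req.collection is None
    if req.collection is None:
        return False
    return rule.collections == "*" or req.collection in rule.collections

def _params_match(rule: Rule, req: Request) -> bool:
    for key, accepted in rule.params.items():
        actual = req.params.get(key)
        if actual is None:
            return False
        if not any(re.fullmatch(a[6:], actual) if a.startswith("REGEX:") else a == actual
                   for a in accepted):
            return False
    return True

def evaluate(rules: list[Rule], req: Request, user_roles: frozenset) -> tuple[str, Optional[str]]:
    """Return ("allow" | "deny", name of the deciding rule).

    An unauthenticated caller has no roles, so a "deny" for it is the point at which
    Solr answers 401 (the curl result in the thread) and the Solr 8 admin UI shows its
    login screen.  A request no rule covers is allowed; the "/*" catch-alls prevent that.
    """
    for rule in rules:
        if (_path_matches(rule.path, req.path) and _collection_matches(rule, req)
                and _params_match(rule, req)):
            if rule.roles is None or rule.roles & user_roles:
                return "allow", rule.name
            return "deny", rule.name
    return "allow", None
```

Evaluating `Request("/admin/info/system")` with an empty role set ends at catch-all-nocollection with "deny", which is the 401 the curl check in the thread reported; the same anonymous caller is allowed on `/select` of any collection by open_select, the one path in the posted config that is intentionally open, so that rule is the one to re-check if the security review expects a password everywhere. A user holding only clustatus_role gets "allow" on `/admin/cores?action=status` from corestatus but "deny" from the catch-all on any other core action, which is the first-match ordering doing its job.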

Re: Solr8 changes how security.json restricts access to GUI

Erick Erickson
Anyone who has an account can open a JIRA, have you created one?

> On Dec 13, 2019, at 5:10 PM, Oakley, Craig (NIH/NLM/NCBI) [C] <[hidden email]> wrote:
>
> It looks as though I do not have an option under issues.apache.org/jira/projects/SOLR/issues by which to create an issue. Could you create one (and let me know its number)?
>
> Thanks


RE: Solr8 changes how security.json restricts access to GUI

Oakley, Craig (NIH/NLM/NCBI) [C]-2
Thanks for the clarification

Created SOLR-14083


-----Original Message-----
From: Erick Erickson <[hidden email]>
Sent: Friday, December 13, 2019 6:26 PM
To: [hidden email]
Subject: Re: Solr8 changes how security.json restricts access to GUI

Anyone who has an account can open a JIRA, have you created one?

> On Dec 13, 2019, at 5:10 PM, Oakley, Craig (NIH/NLM/NCBI) [C] <[hidden email]> wrote:
>
> It looks as though I do not have an option under issues.apache.org/jira/projects/SOLR/issues by which to create an issue. Could you create one (and let me know its number)?
>
> Thanks
>
> -----Original Message-----
> From: Jan Høydahl <[hidden email]>
> Sent: Friday, December 13, 2019 3:52 PM
> To: [hidden email]
> Subject: Re: Solr8 changes how security.json restricts access to GUI
>
> Ok, se should perhaps print a warning somewhere that IE is not supported. Can you file a JIRA issue?
>
> Jan Høydahl
>
>> 13. des. 2019 kl. 21:43 skrev Oakley, Craig (NIH/NLM/NCBI) [C] <[hidden email]>:
>>
>> Well that is progress: indeed Firefox and Chrome and Edge do indeed prompt for login and password (as desired). It is Internet Explorer which does not, nor does curl (that is to say, if you ask curl only to go to the top level: host:port/solr -- going any further it will complain, such as your /solr/admin/info/system example gets Error 401 Authentication failed, Response code: 401)
>>
>>
>>
>> -----Original Message-----
>> From: Jan Høydahl <[hidden email]>
>> Sent: Friday, December 13, 2019 2:15 PM
>> To: solr-user <[hidden email]>
>> Subject: Re: Solr8 changes how security.json restricts access to GUI
>>
>> I got your screenshot (https://www.dropbox.com/s/7tbn7gx3uag6jcg/crippledSolrGUI.jpg?dl=0 <https://www.dropbox.com/s/7tbn7gx3uag6jcg/crippledSolrGUI.jpg?dl=0>)
>>
>> This is quite uncommon. You should see a loging screen if you have basicAuth enabled.
>> Have you tried a different browser?
>>
>> What do you get if you run this command
>>
>> curl -i http://your-solr-url/solr/admin/info/system
>>
>> Or if you use your browser’s developer tools to inspect network traffic?
>>
>> Jan
>>
>>> 12. des. 2019 kl. 23:49 skrev Jan Høydahl <[hidden email]>:
>>>
>>> Attachments are stripped from list, can you post a link to the screenshot of the UI when you first visit?
>>>
>>> Jan
>>>
>>>>> 12. des. 2019 kl. 17:27 skrev Oakley, Craig (NIH/NLM/NCBI) [C] <[hidden email]>:
>>>>
>>>> Below is the security.json (with password hashes redacted): in Solr7.4 it prompts for a password and (if you get it right) lets you into the whole GUI; But in Solr8.1.1 and in Solr 8.3, it does not prompt for a password before letting you into a crippled version of the GUI (as depicted in the attachment)
>>>>
>>>> {
>>>> "authentication":{
>>>> "class":"solr.BasicAuthPlugin",
>>>> "credentials":{
>>>>   "solradmin":"[redacted]",
>>>>   "pysolrmon":"[redacted]",
>>>>   "solrtrg":"[redacted]"},
>>>> "":{"v":2}},
>>>> "authorization":{
>>>> "class":"solr.RuleBasedAuthorizationPlugin",
>>>> "user-role":{
>>>>   "solradmin":[
>>>>     "admin",
>>>>     "allgen",
>>>>     "trgadmin",
>>>>     "genadmin"],
>>>>   "solrtrg":[
>>>>     "trgadmin",
>>>>     "allgen"],
>>>>   "pysolrmon":["clustatus_role"]},
>>>> "permissions":[
>>>>   {
>>>>     "name":"gen_admin",
>>>>     "collection":"NULL",
>>>>     "path":"/admin/cores",
>>>>     "params":{"action":[
>>>>         "REGEX:(?i)CREATE",
>>>>         "REGEX:(?i)RENAME",
>>>>         "REGEX:(?i)SWAP",
>>>>         "REGEX:(?i)UNLOAD",
>>>>         "REGEX:(?i)SPLIT"]},
>>>>     "role":"genadmin"},
>>>>   {
>>>>     "name":"col_admin",
>>>>     "collection":null,
>>>>     "path":"/admin/collections",
>>>>     "params":{"action":[
>>>>         "REGEX:(?i)CREATE",
>>>>         "REGEX:(?i)MODIFYCOLLECTION",
>>>>         "REGEX:(?i)SPLITSHARD",
>>>>         "REGEX:(?i)CREATESHARD",
>>>>         "REGEX:(?i)DELETESHARD",
>>>>         "REGEX:(?i)CREATEALIAS",
>>>>         "REGEX:(?i)DELETEALIAS",
>>>>         "REGEX:(?i)DELETE",
>>>>         "REGEX:(?i)DELETEREPLICA",
>>>>         "REGEX:(?i)ADDREPLICA",
>>>>         "REGEX:(?i)CLUSTERPROP",
>>>>         "REGEX:(?i)MIGRATE",
>>>>         "REGEX:(?i)ADDROLE",
>>>>         "REGEX:(?i)REMOVEROLE",
>>>>         "REGEX:(?i)ADDREPLICAPROP",
>>>>         "REGEX:(?i)DELETEREPLICAPROP",
>>>>         "REGEX:(?i)BALANCESHARDUNIQUE",
>>>>         "REGEX:(?i)REBALANCELEADERS",
>>>>         "REGEX:(?i)FORCELEADER",
>>>>         "REGEX:(?i)MIGRATESTATEFORMAT"]},
>>>>     "role":"genadmin"},
>>>>   {
>>>>     "name":"security-edit",
>>>>     "role":"admin"},
>>>>   {
>>>>     "name":"clustatus",
>>>>     "path":"/admin/collections",
>>>>     "params":{"action":["REGEX:(?i)CLUSTERSTATUS"]},
>>>>     "role":[
>>>>       "clustatus_role",
>>>>       "allgen"],
>>>>     "collection":null},
>>>>   {
>>>>     "name":"corestatus",
>>>>     "path":"/admin/cores",
>>>>     "params":{"action":["REGEX:(?i)STATUS"]},
>>>>     "role":[
>>>>       "allgen",
>>>>       "clustatus_role"],
>>>>     "collection":null},
>>>>   {
>>>>     "name":"trgadmin",
>>>>     "collection":"trg_col",
>>>>     "path":"/admin/*",
>>>>     "role":"trgadmin"},
>>>>   {
>>>>     "name":"open_select",
>>>>     "path":"/select/*",
>>>>     "role":null},
>>>>   {
>>>>     "name":"open_search",
>>>>     "path":"/search/*",
>>>>     "role":null},
>>>>   {
>>>>     "name":"catch-all-nocollection",
>>>>     "collection":null,
>>>>     "path":"/*",
>>>>     "role":"allgen"},
>>>>   {
>>>>     "name":"catch-all-collection",
>>>>     "path":"/*",
>>>>     "role":"allgen"},
>>>>   {
>>>>     "name":"all-admincol",
>>>>     "collection":null,
>>>>     "path":"/admin/collections",
>>>>     "role":"allgen"},
>>>>   {
>>>>     "name":"all-admincores",
>>>>     "collection":null,
>>>>     "path":"/admin/cores",
>>>>     "role":"allgen"}],
>>>> "":{"v":5}}}
>>>>
>>>> -----Original Message-----
>>>> From: Jan Høydahl <[hidden email]>
>>>> Sent: Wednesday, December 11, 2019 7:35 PM
>>>> To: [hidden email]
>>>> Subject: Re: Solr8 changes how security.json restricts access to GUI
>>>>
>>>> Please show your complete Security.json so we know how auth is configured. Which 8.x version are you trying? There should be a login screen shown in admin UI now.
>>>>
>>>> Jan Høydahl
>>>>
>>>>> 11. des. 2019 kl. 22:40 skrev Oakley, Craig (NIH/NLM/NCBI) [C] <[hidden email]>:
>>>>>
>>>>> In Solr 7, we had clauses in our security.json saying
>>>>>
>>>>>  {
>>>>>    "name":"all-admin",
>>>>>    "collection":null,
>>>>>    "path":"/*",
>>>>>    "role":"allgen",
>>>>>    "index":15},
>>>>>  {
>>>>>    "name":"all-core-handlers",
>>>>>    "path":"/*",
>>>>>    "role":"allgen",
>>>>>    "index":16},
>>>>>
>>>>> We granted the role allgen to all users; but this kept our security folk happy in that no one could even get to the top level of the Solr GUI without a password.
>>>>>
>>>>> Now under Solr 8, the GUI does not prompt for a password. It just brings you into the GUI (albeit a stripped down version, saying such things as "No cores available"). By what means can we require a password to get this far? And by what means can we prompt for a password in order to get further?
>>>
>>


Re: Solr8 changes how security.json restricts access to GUI

Erick Erickson
Thanks for raising the JIRA, I always think it best for the person closest to the problem to raise the JIRA, it’s usually more accurate ;)

> On Dec 13, 2019, at 8:49 PM, Oakley, Craig (NIH/NLM/NCBI) [C] <[hidden email]> wrote:
>
> Thanks for the clarification
>
> Created SOLR-14083


SOLR: when trying to delete all documents, error response body is a html string. How can I get json instead?

Leon Talbot
In reply to this post by Oakley, Craig (NIH/NLM/NCBI) [C]-2