It works as designed. Protect the read path using the following command:

curl http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{ set-permission : {name : read, role : admin}}'

Then, you will have the right experience.

In this case /select is not protected. So an unauthenticated request must be able to access the /select path. The authentication layer has no idea whether it is a protected resource or not. So, when no credentials headers are sent it sets the user principal as null and lets the request go through. Whereas in the case of wrong credentials, the choices are 1) fail the request or 2) forward the request as if the principal is null. #2 would be bad user experience because the Authorization layer would say principal is null (unauthenticated) and the user would not know that the credentials were wrong.

On Sat, Dec 12, 2015 at 5:14 AM, Chris Hostetter <hossman_luc...@fucit.org> wrote:
>
> Ugh ... not sure WTF is going on here, but thanks for reporting it with
> clear steps to reproduce...
>
> https://issues.apache.org/jira/browse/SOLR-8408
>
> : Date: Fri, 11 Dec 2015 20:43:46 +0100
> : From: Kristine Jetzke <kristine.jet...@gmx.de>
> : Reply-To: solr-user@lucene.apache.org
> : To: solr-user@lucene.apache.org
> : Subject: API accessible without authentication even though Basic Auth Plugin
> :     is enabled
> :
> : Hi,
> :
> : I noticed that it is possible to access the API even if the Basic Auth
> : plugin is enabled. Is that a known issue/done on purpose? I didn't find
> : anything in JIRA or the docs.
> :
> : What I did:
> : - Started zookeeper on port 2181 and uploaded security.json from
> :   https://cwiki.apache.org/confluence/display/solr/Basic+Authentication+Plugin
> : - Started Solr cluster using cloud example: bin/solr start -e cloud -c -z localhost:2181
> : - Executed the following commands:
> :   - curl -u solr:SolrRocks 'http://localhost:8983/solr/gettingstarted_shard1_replica1/select?q=*%3A*&wt=json&indent=true':
> :     Returns 200 as expected
> :   - curl -u solr:wrongPassword 'http://localhost:8983/solr/gettingstarted_shard1_replica1/select?q=*%3A*&wt=json&indent=true':
> :     Returns 401 as expected
> :   - curl 'http://localhost:8983/solr/gettingstarted_shard1_replica1/select?q=*%3A*&wt=json&indent=true':
> :     Returns 200 even though no Authorization header is set.
> :
> : I don't understand why the last part works like it does. If I don't give
> : credentials, I would expect that the behavior is the same as with invalid
> : credentials. Is there a special reason why it behaves like this? I'm
> : wondering because I'm working on a custom authentication plugin and was
> : looking into the existing ones to understand how they work.
> :
> : Thanks,
> :
> : tine
>
> -Hoss
> http://www.lucidworks.com/

--
-----------------------------------------------------
Noble Paul
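The two-layer decision Noble Paul describes (authentication passes a null principal through when no header is sent but rejects a wrong one; authorization only blocks paths that a set-permission entry covers) is modelled below as an added Python example. It is not code from the thread or from Solr itself: the user table, the `guest` user, and the mapping of the `read` permission to `/select` and `/get` are constructed simplifications (Solr stores salted hashes, and its predefined `read` permission covers more handlers). It reproduces the three curl results from the report, then shows what changes once the `read` permission is set for the `admin` role.

```python
import base64
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed credentials standing in for the thread's security.json user
# ("solr" / "SolrRocks"). Real Solr stores a salted SHA-256 hash, never the
# plaintext; "guest" is a second, role-less user added to show the 403 case.
USERS: Dict[str, str] = {"solr": "SolrRocks", "guest": "guest"}
USER_ROLES: Dict[str, List[str]] = {"solr": ["admin"]}

# Simplified mapping of permission names to the request paths they cover
# (assumption for this example; Solr's "read" covers more handlers than this).
PERMISSION_PATHS: Dict[str, Set[str]] = {
    "read": {"/select", "/get"},
    "update": {"/update"},
}


@dataclass
class Permission:
    """One entry in the shape of Solr's set-permission: {name: read, role: admin}."""
    name: str
    role: str


def basic_header(user: str, password: str) -> Dict[str, str]:
    """Build the Authorization header that `curl -u user:password` sends."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def authenticate(headers: Dict[str, str]) -> Tuple[Optional[str], bool]:
    """Model of the Basic Auth plugin decision described in the thread.

    Returns (principal, proceed). No header: principal None and the request
    continues, because this layer cannot know whether the path is protected.
    Header present but invalid: stop, so the caller learns its credentials
    were wrong instead of silently being treated as anonymous.
    """
    auth = headers.get("Authorization")
    if auth is None:
        return None, True
    scheme, _, token = auth.partition(" ")
    if scheme != "Basic":
        return None, False
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 payload
        return None, False
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None, False
    return user, True


def authorize(principal: Optional[str], path: str, permissions: List[Permission]) -> int:
    """Rule-based authorization; returns the HTTP status for the request.

    A path that no permission covers is open to everyone, principal None
    included: that is why the unprotected /select returned 200 in the report.
    """
    for perm in permissions:
        if path in PERMISSION_PATHS.get(perm.name, set()):
            if principal is None:
                return 401  # protected resource, nobody identified: prompt for credentials
            if perm.role in USER_ROLES.get(principal, []):
                return 200
            return 403  # identified, but lacks the required role
    return 200


def handle(path: str, headers: Dict[str, str], permissions: List[Permission]) -> int:
    """Authentication first, then authorization, in the order the two layers run."""
    principal, proceed = authenticate(headers)
    if not proceed:
        return 401
    return authorize(principal, path, permissions)


if __name__ == "__main__":
    read_protected = [Permission(name="read", role="admin")]
    for label, perms in (("no permissions", []), ("read permission set", read_protected)):
        print(label)
        print("  no header      ->", handle("/select", {}, perms))
        print("  wrong password ->", handle("/select", basic_header("solr", "wrongPassword"), perms))
        print("  correct        ->", handle("/select", basic_header("solr", "SolrRocks"), perms))
```

The check a defender wants after enabling the plugin is the first loop iteration: with no permissions configured, an unauthenticated request to `/select` is allowed by design, and only the wrong-password case is refused. After the `set-permission` call from the reply, the anonymous request gets 401 while a valid admin still gets 200.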