Hi

SOLR-7896 made some changes to the admin UI login. After the changes I can no longer log in at all.
I'm running standalone Solr 7.7 (same with 8.0) with the following security.json:

{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "blockUnknown": true,
    "credentials": {
      "solr": "<hash for empty password string>"
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {
        "name": "all",
        "role": "admin"
      }
    ],
    "user-role": {
      "solr": "admin"
    }
  }
}

Opening the UI at http://localhost:8080/solr/ shows an error page with 401. The login page is not displayed because of the "all" permission being required. The browser's basic auth popup is not shown because the WWW-Authenticate header is not present. Changing the RuleBasedAuthorizationPlugin required permission from "all" to "security-edit" makes the login page appear.

The above basic auth + "all" permission was working OK with Solr 7.5, but no longer works with 7.7+. Is this behaviour intended and/or documented?

Another issue is with using empty password strings. This used to work with the browser's native basic auth, but not with the login page ("Password is required" error). Is there some way to use an empty password with the login page? If not, is there a way to continue using the browser's native basic auth?

Best regards