Hi
SOLR-7896 made some changes to the admin ui login. After the changes I
can no longer log in at all.
I'm running standalone solr 7.7 (same with 8.0) with the following
security.json:
{
"authentication": {
"class": "solr.BasicAuthPlugin",
"blockUnknown": true,
"credentials": {
"solr": "<hash for empty password string>"
},
},
"authorization": {
"class": "solr.RuleBasedAuthorizationPlugin",
"permissions": [
{
"name": "all",
"role": "admin"
}
],
"user-role": {
"solr": "admin"
}
}
}
Opening the UI at http://localhost:8080/solr/ shows an error page with
401. The login page is not displayed because of the "all" permission
being required. The browser's basic auth popup is not shown because the
WWW-Authenticate header is not present. Changing the
RuleBasedAuthorizationPlugin required permission from "all" to
"security-edit" makes the login page appear.
The above basic auth + "all" permission was working ok with solr 7.5,
but no longer works with 7.7+. Is this behaviour intended and/or documented?
Another issue is with using empty password strings. This used to work
with the browser's native basic auth, but not by the login page
("Password is required" error). Is there some way to use an empty
password with the login page? If not, is there a way to continue using
the browser's native basic auth?
Best regards