Thanks for investigating! I really appreciate the quick response.
I've created the jiras:
* https://issues.apache.org/jira/browse/SOLR-13344 for the AdminGui issue
* https://issues.apache.org/jira/browse/SOLR-13345 for the empty passwords
if we allow creation of user with empty pw
I'd note that the user was not created via any API. Our CI basically
dumps the pre-generated security config into the server/solr folder.
This configuration option is very convenient and I hope this will remain
supported :)
Best regards
On 24/03/2019 12:24, Jan Høydahl wrote:
Thanks. Lions like the «all» permission actually blocks access to the
AdminGui servlet so we won’t even serve the static UI files :)
Please open a JIRA issue for this.
You can open another JIRA for the “empty password” issue. We should be
consistent so if we allow creation of user with empty pw then it
should be possible to enter it. Or we could disallow empty pw in the
API :)
Jan Høydahl
23. mar. 2019 kl. 18:37 skrev a...@sigil.red:
Hi
Here is the curl:
$ curl -I http://localhost:8080/solr/
HTTP/1.1 401 Unauthorized request, Response code: 401
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 299
And the screenshot: https://i.imgur.com/PMTE3nR.png
I'll also note that it's wonderfully easy to reproduce:
1. unpack solr-8.0.0.zip
2. copy the security.json example from
https://lucene.apache.org/solr/guide/7_7/basic-authentication-plugin.html
into server/solr/ and replace "name":"security-edit" with "name":"all"
3. start with bin/solr -f -p 8080
4. open http://localhost:8080/
Thanks for looking into it!
Best regards
On 23/03/2019 19:03, Jan Høydahl wrote:
Hi
Can you take a screenshot of the 401 error page you see (without
login form)?
Also, perhaps you could do a curl -I (show headers) request to your
Solr and show what headers that Solr returns instead of the
www-authenticate header?
Jan
23. mar. 2019 kl. 15:34 skrev a...@sigil.red:
Hi
SOLR-7896 made some changes to the admin ui login. After the
changes I can no longer log in at all.
I'm running standalone solr 7.7 (same with 8.0) with the following
security.json:
{
"authentication": {
"class": "solr.BasicAuthPlugin",
"blockUnknown": true,
"credentials": {
"solr": "<hash for empty password string>"
},
},
"authorization": {
"class": "solr.RuleBasedAuthorizationPlugin",
"permissions": [
{
"name": "all",
"role": "admin"
}
],
"user-role": {
"solr": "admin"
}
}
}
Opening the UI at http://localhost:8080/solr/ shows an error page
with 401. The login page is not displayed because of the "all"
permission being required. The browser's basic auth popup is not
shown because the WWW-Authenticate header is not present. Changing
the RuleBasedAuthorizationPlugin required permission from "all" to
"security-edit" makes the login page appear.
The above basic auth + "all" permission was working ok with solr
7.5, but no longer works with 7.7+. Is this behaviour intended
and/or documented?
Another issue is with using empty password strings. This used to
work with the browser's native basic auth, but not by the login
page ("Password is required" error). Is there some way to use an
empty password with the login page? If not, is there a way to
continue using the browser's native basic auth?
Best regards
