Solr / SOLR-15573

Basic auth must set blockUnknown=true for Admin UI to force login, with blockUnknown=false there's no way to login to the admin UI to do privileged actions


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 9.0, 8.10
    • Component/s: None
    • Labels: None

    Description

      I ran the following command to enable basic auth for my Solr installation:

      bin/solr auth enable -type basicAuth -prompt true -z localhost:2181 -blockUnknown true
      

      It created the security policy with blockUnknown=false. That is an issue with arg parsing in BASH (easy to fix). The bigger issue is that the Admin UI relies on getting a 401 from the backend to show login / logout, but with blockUnknown=false this never shows.

      The auth utility only creates role bindings for the following predefined permissions:

        {"name":"security-edit", "role":"admin"},
        {"name":"collection-admin-edit", "role":"admin"},
        {"name":"core-admin-edit", "role":"admin"}
      

      The problem is when blockUnknown=false, the UI doesn't hit any endpoints that trigger a 401 to cause the Admin UI to prompt for a login. I think the initial security.json created by the auth tool should also include:

        {"name":"security-read", "role":"admin"},
        {"name":"config-edit", "role":"admin"},
      

      The config-edit permission is needed for the new Schema Designer UI, and we shouldn't allow unauthenticated users to edit configs anyway.

      With these two new permissions in place, when an unauthenticated user navigates to the new Security screen, they will be redirected to login.
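      As an added illustration (not part of the issue or of the Solr code base), the following script builds a security.json that binds all five permissions named above to the admin role with blockUnknown=true, and audits an existing security.json for the two conditions the issue describes: blockUnknown not set to true, and any of those permissions left unbound. The security.json layout (authentication / authorization blocks, solr.BasicAuthPlugin, solr.RuleBasedAuthorizationPlugin) follows the documented Solr format; the credential value is a placeholder, and the sample "tool output" document is constructed here to mirror what the issue reports the auth tool wrote.

```python
import json

# Permissions the `bin/solr auth enable` tool binds to the admin role (from the issue).
TOOL_DEFAULT_PERMISSIONS = ("security-edit", "collection-admin-edit", "core-admin-edit")
# The two additional bindings the issue proposes so the Admin UI receives a 401.
PROPOSED_PERMISSIONS = ("security-read", "config-edit")

# Constructed sample mirroring the issue's report: blockUnknown ended up false and
# only the three default permissions were bound. Credential hash is a placeholder.
TOOL_OUTPUT_EXAMPLE = """
{
  "authentication": {
    "blockUnknown": false,
    "class": "solr.BasicAuthPlugin",
    "credentials": {"solr": "PLACEHOLDER_SHA256_AND_SALT"}
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "security-edit", "role": "admin"},
      {"name": "collection-admin-edit", "role": "admin"},
      {"name": "core-admin-edit", "role": "admin"}
    ],
    "user-role": {"solr": "admin"}
  }
}
"""


def build_security_json(admin_user, credential_hash, block_unknown=True):
    """Return a security.json dict with BasicAuth plus rule-based authorization,
    binding the tool's defaults and the two proposed permissions to 'admin'."""
    permissions = [
        {"name": name, "role": "admin"}
        for name in TOOL_DEFAULT_PERMISSIONS + PROPOSED_PERMISSIONS
    ]
    return {
        "authentication": {
            "blockUnknown": block_unknown,
            "class": "solr.BasicAuthPlugin",
            "credentials": {admin_user: credential_hash},
        },
        "authorization": {
            "class": "solr.RuleBasedAuthorizationPlugin",
            "permissions": permissions,
            "user-role": {admin_user: "admin"},
        },
    }


def audit_security_json(doc):
    """Return a list of findings; an empty list means the document has
    blockUnknown=true and every expected permission bound to some role."""
    findings = []
    authn = doc.get("authentication", {})
    # Accept either a JSON boolean or the string "true"; anything else is a finding.
    if authn.get("blockUnknown") not in (True, "true"):
        findings.append(
            "blockUnknown is not true: anonymous requests are allowed and the "
            "Admin UI will not receive the 401 that triggers its login prompt"
        )
    bound = {
        p.get("name")
        for p in doc.get("authorization", {}).get("permissions", [])
        if p.get("role")  # a permission with no role binding does not protect anything
    }
    for name in TOOL_DEFAULT_PERMISSIONS + PROPOSED_PERMISSIONS:
        if name not in bound:
            findings.append(f"permission {name!r} is not bound to any role")
    return findings


def audit_security_json_text(text):
    """Convenience wrapper: audit a security.json given as a JSON string."""
    return audit_security_json(json.loads(text))


if __name__ == "__main__":
    for finding in audit_security_json_text(TOOL_OUTPUT_EXAMPLE):
        print("FINDING:", finding)
    fixed = build_security_json("solr", "PLACEHOLDER_SHA256_AND_SALT")
    print(json.dumps(fixed, indent=2))
    print("fixed document findings:", audit_security_json(fixed))
```

      Running the audit against the constructed sample reports blockUnknown plus the two missing permissions; the document produced by build_security_json passes cleanly. The audit is deliberately independent of how the file was generated, so it also catches the bash argument-parsing case where -blockUnknown true was requested but false was written.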

          People

            thelabdude Timothy Potter
            thelabdude Timothy Potter