This is an automated email from the ASF dual-hosted git repository.
thelabdude pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr.git
The following commit(s) were added to refs/heads/main by this push:
new be8ccfb SOLR-15573: bin/solr auth tool should provide role bindings for security-read and config-edit by default (#245)
be8ccfb is described below
commit be8ccfbfaf48454074322135918d63bd772480e4
Author: Timothy Potter <[email protected]>
AuthorDate: Tue Aug 3 09:43:04 2021 -0600
SOLR-15573: bin/solr auth tool should provide role bindings for security-read and config-edit by default (#245)
---
solr/CHANGES.txt | 3 +++
solr/bin/solr | 8 +++-----
solr/core/src/java/org/apache/solr/util/SolrCLI.java | 2 ++
solr/solr-ref-guide/src/basic-authentication-plugin.adoc | 8 ++++++++
solr/solr-ref-guide/src/security-ui.adoc | 1 +
solr/webapp/web/js/angular/app.js | 8 +++++---
solr/webapp/web/js/angular/controllers/schema-designer.js | 2 +-
solr/webapp/web/js/angular/controllers/security.js | 3 +--
solr/webapp/web/partials/security.html | 4 ++--
9 files changed, 26 insertions(+), 13 deletions(-)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index b53fee9..d13ceed 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -408,6 +408,9 @@ Other Changes
---------------------
* SOLR-15566: Clarify ref guide documentation about SQL queries with `SELECT
*` requiring a `LIMIT` clause (Timothy Potter)
+* SOLR-15573: bin/solr auth utility should provide role bindings for
`security-read` and `config-edit` by default
+ to protect the security and schema designer screens in the Admin UI (Timothy
Potter)
+
================== 8.9.0 ==================
Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this
release.
diff --git a/solr/bin/solr b/solr/bin/solr
index 86d911d..be84209 100755
--- a/solr/bin/solr
+++ b/solr/bin/solr
@@ -1473,17 +1473,15 @@ if [[ "$SCRIPT_CMD" == "auth" ]]; then
;;
-prompt)
AUTH_PARAMS=("${AUTH_PARAMS[@]}" "-prompt" "$2")
- shift
+ shift 2
;;
-blockUnknown)
AUTH_PARAMS=("${AUTH_PARAMS[@]}" "-blockUnknown" "$2")
- shift
- break
+ shift 2
;;
-updateIncludeFileOnly)
AUTH_PARAMS=("${AUTH_PARAMS[@]}" "-updateIncludeFileOnly" "$2")
- shift
- break
+ shift 2
;;
-V|--verbose)
VERBOSE="-verbose"
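Review bot: replacing `shift` + `break` with `shift 2` in the `-blockUnknown` and `-updateIncludeFileOnly` cases is the right fix, since the `break` left the option loop after the first of these flags and silently ignored anything that followed (such as the `-V|--verbose` case just below). One remaining gap: all three cases assume a value follows the flag; if `-blockUnknown` is the last argument, `$2` is empty, an empty string is appended to `AUTH_PARAMS`, and `shift 2` fails with a shift-count error. Consider guarding each case with a check such as `if [ -z "$2" ]; then` (print usage and exit) before appending and shifting.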
diff --git a/solr/core/src/java/org/apache/solr/util/SolrCLI.java
b/solr/core/src/java/org/apache/solr/util/SolrCLI.java
index 63fb737..ef91d7a 100755
--- a/solr/core/src/java/org/apache/solr/util/SolrCLI.java
+++ b/solr/core/src/java/org/apache/solr/util/SolrCLI.java
@@ -4000,6 +4000,8 @@ public class SolrCLI implements CLIO {
"\n \"class\":\"solr.RuleBasedAuthorizationPlugin\"," +
"\n \"permissions\":[" +
"\n {\"name\":\"security-edit\", \"role\":\"admin\"}," +
+ "\n {\"name\":\"security-read\", \"role\":\"admin\"}," +
+ "\n {\"name\":\"config-edit\", \"role\":\"admin\"}," +
"\n {\"name\":\"collection-admin-edit\", \"role\":\"admin\"}," +
"\n {\"name\":\"core-admin-edit\", \"role\":\"admin\"}" +
"\n ]," +
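Review bot: the two new bindings are added to a hard-coded JSON string literal with no test asserting on the result; consider a unit test that parses the generated `security.json` and checks that `security-read` and `config-edit` are bound to `admin`, so a later edit to this literal cannot silently drop them. A short comment above the block stating that these two permissions exist to protect the Security and Schema Designer screens (the reason given in the CHANGES entry) would also help, since that motivation is not obvious from the permission names alone.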
diff --git a/solr/solr-ref-guide/src/basic-authentication-plugin.adoc
b/solr/solr-ref-guide/src/basic-authentication-plugin.adoc
index e3ba25e..7ef50ba 100644
--- a/solr/solr-ref-guide/src/basic-authentication-plugin.adoc
+++ b/solr/solr-ref-guide/src/basic-authentication-plugin.adoc
@@ -67,6 +67,14 @@ This has the effect of requiring authentication for HTTP
access to Solr.
In some cases, you may not want authentication after enabling the plugin; for
example, if you want to have `security.json` in place but aren't ready to
enable authentication.
However, you will want to ensure that `blockUnknown` is set to `true` or
omitted entirely in order for authentication to be enforced for all requests to
your system.
+[WARNING]
+====
+If you set `blockUnknown` to `false`, then *any* request that is not
explicitly protected by a permission will be accessible by anonymous users!
+Consequently, you should define a role binding for every
<<rule-based-authorization-plugin.adoc#permissions,predefined>> permission you
want to protect.
+You can assign the special `role: null` binding for requests that you want to
allow anonymous users to access. To protect all endpoints except those with
`role:null`,
+you can add a role binding for the `all` permission and place it in the last
position in `security.json`.
+====
+
If `realm` is not defined, it will default to `solr`.
If you are using SolrCloud, you must upload `security.json` to ZooKeeper.
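Review bot: the new WARNING block spells the anonymous binding two ways, `role: null` and `role:null`; pick one form so readers can search for it. The sentence about the `all` permission should also state explicitly why it must be the last entry (permissions are matched in order, so an earlier `all` binding would shadow the `role: null` entries), ideally with a link to the permission-ordering section the way security-ui.adoc links to `rule-based-authorization-plugin.adoc#permission-ordering-and-resolution`.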
diff --git a/solr/solr-ref-guide/src/security-ui.adoc
b/solr/solr-ref-guide/src/security-ui.adoc
index 1f8363b..472237b 100644
--- a/solr/solr-ref-guide/src/security-ui.adoc
+++ b/solr/solr-ref-guide/src/security-ui.adoc
@@ -103,6 +103,7 @@ However, if *Block anonymous requests*
(`blockUnknown=true`) is checked, then an
To edit a permission, simply click on the corresponding row in the table. When
editing a permission, the current index of the permission in the list of
permissions is editable.
This allows you to re-order permissions if needed; see
<<rule-based-authorization-plugin.adoc#permission-ordering-and-resolution,Permission
Ordering>>.
+In general, you want to permissions listed from most specific to least
specific in `security.json`.
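Review bot: typo in the added line: "you want to permissions listed" should read "you want permissions listed" (or "you want to list permissions").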
diff --git a/solr/webapp/web/js/angular/app.js
b/solr/webapp/web/js/angular/app.js
index 28ba743..1d04f97 100644
--- a/solr/webapp/web/js/angular/app.js
+++ b/solr/webapp/web/js/angular/app.js
@@ -411,6 +411,9 @@ solrAdminApp.config([
if (rejection.config.headers.doNotIntercept) {
return rejection;
}
+
+ // Schema Designer handles errors internally to provide a better user
experience than the global error handler
+ var isHandledBySchemaDesigner = rejection.config.url &&
rejection.config.url.startsWith("/api/schema-designer/");
if (rejection.status === 0) {
$rootScope.$broadcast('connectionStatusActive');
if (!$rootScope.retryCount) $rootScope.retryCount=0;
@@ -418,7 +421,7 @@ solrAdminApp.config([
var $http = $injector.get('$http');
var result = $http(rejection.config);
return result;
- } else if (rejection.status === 401) {
+ } else if (rejection.status === 401 && !isHandledBySchemaDesigner) {
// Authentication redirect
var headers = rejection.headers();
var wwwAuthHeader = headers['www-authenticate'];
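Review bot: excluding schema-designer URLs from the 401 redirect means a missing or expired session on those calls no longer triggers the global login flow; this is only safe because the controller-side handlers (schema-designer.js and the MainController check later in this file) now treat 401 like 403 and disable the screen. Please record that dependency in the comment on the `else if`, so a future change to the controller handlers does not leave 401s on these endpoints unhandled.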
@@ -441,7 +444,6 @@ solrAdminApp.config([
}
} else {
// schema designer prefers to handle errors itself
- var isHandledBySchemaDesigner = rejection.config.url &&
rejection.config.url.startsWith("/api/schema-designer/");
if (!isHandledBySchemaDesigner) {
$rootScope.exceptions[rejection.config.url] = rejection.data.error;
}
@@ -548,7 +550,7 @@ solrAdminApp.controller('MainController', function($scope,
$route, $rootScope, $
SchemaDesigner.get({path: "configs"}, function (ignore) {
// no-op, just checking if we have access to this path
}, function(e) {
- if (e.status === 403) {
+ if (e.status === 401 || e.status === 403) {
$scope.isSchemaDesignerEnabled = false;
}
});
diff --git a/solr/webapp/web/js/angular/controllers/schema-designer.js
b/solr/webapp/web/js/angular/controllers/schema-designer.js
index a9c2e16..7b0204b 100644
--- a/solr/webapp/web/js/angular/controllers/schema-designer.js
+++ b/solr/webapp/web/js/angular/controllers/schema-designer.js
@@ -168,7 +168,7 @@ solrAdminApp.controller('SchemaDesignerController',
function ($scope, $timeout,
$scope.showNewSchemaDialog();
}
}, function(e) {
- if (e.status === 403) {
+ if (e.status === 401 || e.status === 403) {
$scope.isSchemaDesignerEnabled = false;
$scope.hideAll();
}
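Review bot: the `e.status === 401 || e.status === 403` check is now duplicated verbatim here, in app.js (MainController) and in security.js; a small shared helper (for example an `isAuthError(e)` function, hypothetical name) would keep the three call sites in sync the next time the set of "access denied" statuses changes.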
diff --git a/solr/webapp/web/js/angular/controllers/security.js
b/solr/webapp/web/js/angular/controllers/security.js
index 93a120e..aa7ecd9 100644
--- a/solr/webapp/web/js/angular/controllers/security.js
+++ b/solr/webapp/web/js/angular/controllers/security.js
@@ -186,7 +186,6 @@ solrAdminApp.controller('SecurityController', function
($scope, $timeout, $cooki
$scope.permFilterTypes = ["", "name", "role", "path", "collection"];
System.get(function(data) {
- // console.log(">> system: "+JSON.stringify(data));
$scope.authenticationPlugin = data.security ?
data.security["authenticationPlugin"] : null;
$scope.authorizationPlugin = data.security ?
data.security["authorizationPlugin"] : null;
$scope.myRoles = data.security ? data.security["roles"] : [];
@@ -196,7 +195,7 @@ solrAdminApp.controller('SecurityController', function
($scope, $timeout, $cooki
$scope.solrHome = data["solr_home"];
$scope.refreshSecurityPanel();
}, function(e) {
- if (e.status === 403) {
+ if (e.status === 401 || e.status === 403) {
$scope.isSecurityAdminEnabled = true;
$scope.hasSecurityEditPerm = false;
$scope.hideAll();
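Review bot: on a 401/403 the handler sets `isSecurityAdminEnabled = true` while clearing `hasSecurityEditPerm`, which reads as contradictory at first glance; a one-line comment stating that the panel is deliberately shown in a locked state rather than hidden for users lacking `security-read` would help the next reader. It is also worth confirming that 401 (not authenticated at all) should present exactly the same state as 403 (authenticated but lacking the permission), since the two cases may warrant different messaging.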
diff --git a/solr/webapp/web/partials/security.html
b/solr/webapp/web/partials/security.html
index b3b7b8a..d777df9 100644
--- a/solr/webapp/web/partials/security.html
+++ b/solr/webapp/web/partials/security.html
@@ -51,10 +51,10 @@ limitations under the License.
<span ng-show="manageUsersEnabled" id="realm-field">
<label for="realmName">Realm: </label><input disabled
class="input-text" type="text" id="realmName" ng-model="realmName">
</span>
- <span id="block-field"><label for="block_unknown">Block anonymous
requests?</label><input class="input-check" type="checkbox" id="block_unknown"
ng-model="blockUnknown" ng-change="onBlockUnknownChange()"
ng-true-value="'true'" ng-false-value="'false'"/><a
ng-click="showHelp('blockUnknownHelp')"><img class="help-ico"
src="img/ico/question-white.png"/></a>
+ <span id="block-field" ng-show="manageUsersEnabled"><label
for="block_unknown">Block anonymous requests?</label><input class="input-check"
type="checkbox" id="block_unknown" ng-model="blockUnknown"
ng-change="onBlockUnknownChange()" ng-true-value="'true'"
ng-false-value="'false'"/><a ng-click="showHelp('blockUnknownHelp')"><img
class="help-ico" src="img/ico/question-white.png"/></a>
<div id="blockUnknownHelp" class="help" ng-show="helpId ===
'blockUnknownHelp'">
<div class="help-top">
- <p>If checked, un-authenticated requests to any Solr
endpoint are blocked. If un-checked, then any endpoint that is not protected
with a permission will be accessible by anonymous users. Only disable this
check if you want to allow un-authenticated access to specific endpoints that
are configured with <b>role: null</b>. For more information, see:
+ <p>If checked, un-authenticated requests to any Solr
endpoint are blocked. If un-checked, then any endpoint that is not protected
with a permission will be accessible by anonymous users. Only disable this
check if you want to allow un-authenticated access to specific endpoints that
are configured with <b>role: null</b>. All other endpoints should be protected
with explicit role bindings that require authentication. For more information,
see:
<div class="help-anchor"><a target="_blank"
href="https://solr.apache.org/guide/basic-authentication-plugin.html#enable-basic-authentication">Basic
Authentication</a></div></p>
</div>
</div>
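Review bot: hiding the Block anonymous requests control behind `ng-show="manageUsersEnabled"` matches the realm field above it, but the updated help text does not mention that the auth tool now binds `security-read` and `config-edit` by default; a sentence to that effect would tie the UI hint to the new behaviour. Separately, the pre-existing `<div class="help-anchor">` nested inside the `<p>` is invalid HTML (a `<p>` cannot contain block elements), which is worth fixing while this markup is being touched.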