[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16738709#comment-16738709 ]

ASF subversion and git services commented on SOLR-7896:
---
Commit ccfe5d3dc25acd4ff93ec7c9378d9c15a4fdbdd2 in lucene-solr's branch refs/heads/branch_8x from Cassandra Targett
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=ccfe5d3 ]

SOLR-7896: add login screen info & screenshot to overview-of-the-solr-admin-ui; remove getting-assistance.adoc and move its content to same overview page

> Add a login page for Solr Administrative Interface
> --
>
> Key: SOLR-7896
> URL: https://issues.apache.org/jira/browse/SOLR-7896
> Project: Solr
> Issue Type: New Feature
> Components: Admin UI, Authentication, security
> Affects Versions: 5.2.1
> Reporter: Aaron Greenspan
> Assignee: Jan Høydahl
> Priority: Major
> Labels: authentication, login, password
> Fix For: 8.0, 7.7
>
> Attachments: SOLR-7896-bugfix-7jan.patch,
> SOLR-7896-bugfix-7jan.patch, dispatchfilter-code.png, eventual_auth.png,
> login-page.png, login-screen-2.png, logout.png, unknown_scheme.png
>
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> Now that Solr supports Authentication plugins, the missing piece is to be
> allowed access from Admin UI when authentication is enabled. For this we need
> * Some plumbing in Admin UI that allows the UI to detect 401 responses and
> redirect to login page
> * Possibility to have multiple login pages depending on auth method and
> redirect to the correct one
> * [AngularJS HTTP
> interceptors|https://docs.angularjs.org/api/ng/service/$http#interceptors] to
> add correct HTTP headers on all requests when user is logged in
> This issue should aim to implement some of the plumbing mentioned above, and
> make it work with Basic Auth.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16738713#comment-16738713 ]

Cassandra Targett commented on SOLR-7896:
-
I added what I wanted to add to the Overview of the Solr Admin UI page about the login screen. I can never just edit one thing, so while I was there I decided it was a good idea to consolidate the content in the getting-assistance.adoc file into the same Overview page.
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16738710#comment-16738710 ]

ASF subversion and git services commented on SOLR-7896:
---
Commit ce8f7f9dba3424a385b49524a9c21e8ba2f468be in lucene-solr's branch refs/heads/branch_7x from Cassandra Targett
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=ce8f7f9 ]

SOLR-7896: add login screen info & screenshot to overview-of-the-solr-admin-ui; remove getting-assistance.adoc and move its content to same overview page
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16738705#comment-16738705 ]

ASF subversion and git services commented on SOLR-7896:
---
Commit a5403a33825404893d07270d59c608340f15beca in lucene-solr's branch refs/heads/master from Cassandra Targett
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=a5403a3 ]

SOLR-7896: add login screen info & screenshot to overview-of-the-solr-admin-ui; remove getting-assistance.adoc and move its content to same overview page
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16736400#comment-16736400 ]

Jan Høydahl commented on SOLR-7896:
---
Thanks Cassandra
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16736041#comment-16736041 ]

Cassandra Targett commented on SOLR-7896:
-
Thanks Jan, your additions help for sure, but what I was thinking about was adding some text to the Admin UI docs (someone who isn't sure why they are seeing a login screen may start there when looking for reasons why). Since SOLR-13116 isn't as urgent as I thought it would be, I'll take care of it.
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16735746#comment-16735746 ]

ASF subversion and git services commented on SOLR-7896:
---
Commit 5c813f37d34c0e8dc4037ec47db86e795df778cd in lucene-solr's branch refs/heads/branch_7x from Jan Høydahl
[ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=5c813f3 ]

SOLR-7896: Avoid browser basicAuth dialogue when blockUnknown=false. Always show Dashboard menu. Clarify refGuide (cherry picked from commit 0b6ea3f1087c2d981052880dbdd54a0eec08bff5)
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16735737#comment-16735737 ]

ASF subversion and git services commented on SOLR-7896:
---
Commit 6db1f4eb733d91cbac2ca22ee5c4a58e15e88d2c in lucene-solr's branch refs/heads/branch_8x from Jan Høydahl
[ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=6db1f4e ]

SOLR-7896: Avoid browser basicAuth dialogue when blockUnknown=false. Always show Dashboard menu. Clarify refGuide (cherry picked from commit 0b6ea3f1087c2d981052880dbdd54a0eec08bff5)
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16735735#comment-16735735 ]

ASF subversion and git services commented on SOLR-7896:
---
Commit 0b6ea3f1087c2d981052880dbdd54a0eec08bff5 in lucene-solr's branch refs/heads/master from Jan Høydahl
[ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=0b6ea3f ]

SOLR-7896: Avoid browser basicAuth dialogue when blockUnknown=false. Always show Dashboard menu. Clarify refGuide
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16735712#comment-16735712 ]

Jan Høydahl commented on SOLR-7896:
---
Uploaded a patch [^SOLR-7896-bugfix-7jan.patch]
* Never hide the Dashboard menu. Clicking it will take you out of any Login screen dead-end
* Use {{xBasic}} trick also for Authorization header stored on the request, and picked up by Authz plugin
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16734209#comment-16734209 ]

Cassandra Targett commented on SOLR-7896:
-
bq. If the user opens a page or attempts an action that requires authentication, then the login screen is presented with a message from whatever Auth plugin is active. I guess this will look like a dead end, as the only menu option will be "Login" at this point. But opening a new browser tab will bring back the full UI.

But opening a new browser tab will bring back the full UI.

I'm confused about the last sentence there. I don't quite understand how opening a new browser tab bypasses the login screen?
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16734221#comment-16734221 ]

Jan Høydahl commented on SOLR-7896:
---
{quote}I'm confused about the last sentence there. I don't quite understand how opening a new browser tab bypasses the login screen?
{quote}
Well, technically, the UI is fully functional until the first time an Ajax request to Solr results in a HTTP 401 response. Once that happens, it brings up the "Login" menu option and gets stuck in login mode, and there is no way to get back without logging in. But the 401 state is kept in a SessionStore variable, so once you try in a new browser tab, it won't remember the 401 state until you attempt some restricted operation again.

An improvement could be to always display the "Dashboard" menu option and when clicking it we'd automatically reset the http401 flag. That would give you an exit from the login screen. But of course, if your auth protects even the /admin/info/system call then you'd just be thrown right back to the login panel every time...
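The behaviour described in the comment above (a 401 flag kept per browser tab, the Dashboard menu as an exit, and a login page chosen by auth scheme), modelled as an added JavaScript example. It is not Solr's Admin UI code: the class names, storage keys, realm, credentials and the protected sample path are assumptions made for illustration.

```javascript
// Added illustration of the login flow discussed in this thread.
// TabSession, AdminUiClient and the storage keys are hypothetical names.

// sessionStorage is scoped to one browser tab, so every tab gets its own store.
class TabSession {
  constructor() { this.store = new Map(); }
  getItem(k) { return this.store.has(k) ? this.store.get(k) : null; }
  setItem(k, v) { this.store.set(k, String(v)); }
  removeItem(k) { this.store.delete(k); }
}

// Constructed stand-in for the server: which paths need credentials and which
// challenge scheme the active authentication plugin announces on a 401.
function makeServer({ protectedPaths, scheme, validAuth }) {
  return function handle(req) {
    const needsAuth = protectedPaths.includes(req.path);
    if (!needsAuth || req.headers['Authorization'] === validAuth) {
      return { status: 200, headers: {} };
    }
    // realm value is constructed sample data
    return { status: 401, headers: { 'WWW-Authenticate': `${scheme} realm="solr"` } };
  };
}

class AdminUiClient {
  constructor(session, server) {
    this.session = session;
    this.server = server;
  }

  // Request interceptor: attach the stored header to every call once logged in.
  request(path) {
    const headers = {};
    const auth = this.session.getItem('auth.header');
    if (auth) headers['Authorization'] = auth;
    return this.onResponse(this.server({ path, headers }));
  }

  // Response interceptor: the first 401 puts this tab into login mode and
  // records the challenge scheme so the matching login page can be shown.
  onResponse(res) {
    if (res.status === 401) {
      const challenge = res.headers['WWW-Authenticate'] || '';
      this.session.setItem('http401', 'true');
      this.session.setItem('auth.scheme', challenge.split(/\s+/)[0] || 'unknown');
    }
    return res.status;
  }

  // What the tab renders: the full UI until a 401 was seen, then a login page.
  view() {
    if (this.session.getItem('http401') !== 'true') return 'full-ui';
    const scheme = this.session.getItem('auth.scheme');
    return (scheme === 'Basic' || scheme === 'xBasic')
      ? 'login:basic'
      : 'login:unknown-scheme';
  }

  login(user, password) {
    const header = 'Basic ' + Buffer.from(`${user}:${password}`).toString('base64');
    this.session.setItem('auth.header', header);
    this.session.removeItem('http401');
  }

  // "Dashboard" is always visible: clicking it resets the flag and reloads
  // system info, which sets the flag again if that call is protected too.
  clickDashboard() {
    this.session.removeItem('http401');
    this.request('/admin/info/system');
    return this.view();
  }
}

// Walks through the sequence from the thread with constructed sample data.
function runScenario() {
  const validAuth = 'Basic ' + Buffer.from('admin:constructed-pw').toString('base64');
  const server = makeServer({
    protectedPaths: ['/admin/collections'], // sample protected path (assumption)
    scheme: 'xBasic',
    validAuth,
  });
  const steps = [];
  const tabA = new AdminUiClient(new TabSession(), server);
  tabA.request('/admin/info/system');
  steps.push(tabA.view());                 // anonymous use still works
  tabA.request('/admin/collections');
  steps.push(tabA.view());                 // first 401: tab is in login mode
  const tabB = new AdminUiClient(new TabSession(), server);
  tabB.request('/admin/info/system');
  steps.push(tabB.view());                 // a new tab has no 401 state
  steps.push(tabA.clickDashboard());       // exit from the login screen
  tabA.request('/admin/collections');
  tabA.login('admin', 'constructed-pw');
  steps.push(tabA.request('/admin/collections')); // header now sent on requests
  return steps;
}
```

With `/admin/info/system` itself in `protectedPaths`, `clickDashboard()` lands on the login page again, which is the caveat raised at the end of the comment.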
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16733613#comment-16733613 ]

Jan Høydahl commented on SOLR-7896:
---
I suppose the RefGuide text could be clarified from
{quote}When authentication is required the Admin UI will present you with a login dialogue.
{quote}
to something like:

"The Admin UI will allow anonymous use for any page or action not requiring login, however, when authentication is required, the Admin UI will present you with a login dialogue."
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16733608#comment-16733608 ]

Jan Høydahl commented on SOLR-7896:
---
{quote}since it seems from reading the docs that if I use any other auth other than Basic (such as Kerberos) I can then no longer ever access the UI at all after this change, is that true?
{quote}
Not exactly, the UI will start as normal and allow doing any action that is permitted without authentication. If the user opens a page or attempts an action that requires authentication, then the login screen is presented with a message from whatever Auth plugin is active. I guess this will look like a dead end, as the only menu option will be "Login" at this point. But opening a new browser tab will bring back the full UI. Ideally the UI should be security aware and hide or grey out options that are not available without login.

The situation before was a bunch of errors in the UI and possibly a totally defunct user experience. At least now you will be told that the UI does not work with the chosen Auth. I opened SOLR-13116 to add login support for Kerberos.
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16733508#comment-16733508 ]

Cassandra Targett commented on SOLR-7896:
-
I was looking at some commits to the Ref Guide for copy-editing, and came across the edits for this. I really should have paid a bit more attention earlier, since it seems from reading the docs that if I use any other auth other than Basic (such as Kerberos) I can then no longer ever access the UI at all after this change, is that true?

This is a step back in functionality, since today I can enable Kerberos auth and I don't need to access the login page; if my browser has been properly configured I can access the Admin UI using my valid ticket.

If that's the case, and we can't figure out anything else, the Ref Guide is going to need to be a lot more vocal about this limitation in places other than just the auth pages.
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16721413#comment-16721413 ]

ASF subversion and git services commented on SOLR-7896:
---
Commit dead389dd95a41184320a5949e695840bdbe41bd in lucene-solr's branch refs/heads/branch_7x from [~janhoy]
[ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=dead389 ]

SOLR-7896: Followup fix to non-working core dropdown (cherry picked from commit 04e05782a37004a501a2c84477d1121b75cace03)
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16721412#comment-16721412 ]

ASF subversion and git services commented on SOLR-7896:
---

Commit 04e05782a37004a501a2c84477d1121b75cace03 in lucene-solr's branch refs/heads/master from [~janhoy]
[ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=04e0578 ]

SOLR-7896: Followup fix to non-working core dropdown
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16718734#comment-16718734 ]

ASF subversion and git services commented on SOLR-7896:
---

Commit a3c0def5269b3b4ba4ab81931d2a0ed610237ca6 in lucene-solr's branch refs/heads/branch_7x from [~janhoy]
[ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=a3c0def ]

SOLR-7896: Add a login page to Admin UI, with initial support for Basic Auth

(cherry picked from commit 280f67927e7590c40b1d5f2960b9c6c7d21d6b5c)
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16718716#comment-16718716 ]

ASF subversion and git services commented on SOLR-7896:
---

Commit 280f67927e7590c40b1d5f2960b9c6c7d21d6b5c in lucene-solr's branch refs/heads/jira/http2 from [~janhoy]
[ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=280f679 ]

SOLR-7896: Add a login page to Admin UI, with initial support for Basic Auth
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16718698#comment-16718698 ]

ASF subversion and git services commented on SOLR-7896:
---

Commit 280f67927e7590c40b1d5f2960b9c6c7d21d6b5c in lucene-solr's branch refs/heads/master from [~janhoy]
[ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=280f679 ]

SOLR-7896: Add a login page to Admin UI, with initial support for Basic Auth
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16714434#comment-16714434 ]

Jan Høydahl commented on SOLR-7896:
---

[Pull Request #465|https://github.com/apache/lucene-solr/pull/465] is updated again. Changes include
* Hide menus when displaying login screen after a 401, since the UI would not know if we're in cloud or m/s mode
* Moved interceptor code into existing httpInterceptor
* Fixed some bugs in login.js and better messages output in login.html

I think I'm done with this part now. *Plan to commit on Wednesday*. Would appreciate some more feedback though [~gus_heck], [~elyograg], [~shalinmangar]. I have added some comments myself to the GitHub PR and you're free to add your own.

The graphical design is terrible but that's what you get when a backend guy touches CSS :)

!login-screen-2.png|width=800!
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16643457#comment-16643457 ]

Jan Høydahl commented on SOLR-7896:
---

See [GitHub Pull Request #465|https://github.com/apache/lucene-solr/pull/465] for my first iteration of my above plan. Features:
* UI behaves exactly the same if no auth is enabled
* On first HTTP 401 response from Solr (may come when e.g. attempting to delete a collection), login page shows up !login-page.png|width=500!
* Once logged in, the browser stores HTTP header in session storage and displays who is logged in. Clicking that menu brings you to the login page but with a Logout button: !logout.png|width=300!
* If some other auth plugin than Basic is enabled, you get an error msg !unknown_scheme.png|width=500!

Appreciate review comments. Feel free to check out my branch and test locally. You can enable auth by cmd line
{code:java}
bin/solr auth enable -credentials solr:solr -blockUnknown true
{code}
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16445606#comment-16445606 ]

Jan Høydahl commented on SOLR-7896:
---

{quote}I do think it would be good to have Solr password protected by default, with command line switch to start it in legacy "open" mode
{quote}
Please open another Jira if you want to work on capabilities of making some auth being enabled by "default" (whatever that means), I think there is a similar Jira about making SSL enabled by default.

For the sake of this login page feature, it is already quite simple to enable auth as the first thing you do after installation:
{code}
bin/solr auth enable -credentials solr:solrRocks -blockUnknown true
{code}
After this Jira is completed, this is all you need to do - the next time you open the Admin UI it will redirect to the new login page :)
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16444877#comment-16444877 ]

Jan Høydahl commented on SOLR-7896:
---

{quote}What I do advocate is that the html pages (except maybe a special login page?) be similarly protected, not because they require protection for security reasons, but because a set of non-functional html pages that don't work properly without login can only confuse the user if rendered. We should only show the user pages that can provide full functionality.
{quote}
Exactly. What I'm currently about to do in this issue is to add that login page. But since it is fully legal to configure Solr's authentication such that you only protect e.g. {{security-edit}} or some admin resources, while the rest of the system can be used anonymously, the UI should not request login until it is actually required. That's what the {{WWW-Authenticate}} headers are all about. Solr auth plugins will already today send such headers to the client if one tries to access a protected resource.

I have implemented an [AngularJS http interceptor|https://docs.angularjs.org/api/ng/service/$http#interceptors] that looks for code 401 and this header. The idea is that if an Ajax call results in 401 then we'll redirect user to the login page. And we'll choose the login page based on the header, i.e. {{Authorization: Basic xxx}} header will cause the login page for basic auth etc.

Actually it turned out not to be as straight-forward, since the browser actually throws up its login dialogue before our Angular app even gets the chance to look at the HTTP response. The solution is outlined in [this blog post|http://olefriis.blogspot.no/2014/01/http-basic-authentication-in-angularjs.html] and involves sending the {{X-Requested-With: XMLHttpRequest}} header from Admin UI and conditionally changing the {{WWW-Authenticate}} header for BasicAuth from {{Basic xxx}} to e.g. {{xBasic xxx}} so that our Angular intercept code understands it but not the browser. For non-Ajax clients you still get the ordinary header.
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16444859#comment-16444859 ]

Jan Høydahl commented on SOLR-7896:
---

{quote}But now when I test I get the browser prompt on every single load of the Admin UI front page, triggered by the browser trying to load a static file.
{quote}
Found it. In {{web.xml}} we have an {{excludePatterns}} list that tries to short circuit SolrDispatchFilter/HttpSolrCall for static files:
{quote}Exclude patterns is a list of directories that would be short circuited by the SolrDispatchFilter. It includes all Admin UI related static content. NOTE: It is NOT a pattern but only matches the start of the HTTP ServletPath.
{quote}
However, after the introduction of Authentication (committed four days after the excludePatterns actually, at 2015-05-19), the authentication logic is run *before* the _excludePatterns_ check, causing e.g. BasicAuthPlugin to request authentication through {{WWW-Authenticate}} headers. See relevant code in screenshot below:

!dispatchfilter-code.png|width=550!

Moving the short circuit logic before {{authenticateRequest()}} fixed this part. Now the browser is allowed to load all static resources even if BasicAuth with blockUnknown=true is enabled. But the "/" and "/solr/" endpoints would still trigger authentication so I added an exclusion rule in {{authenticateRequest()}} right after the check for PKI path exclusion.
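The check-order problem described in the comment above, as an added example rather than Solr's own code: a small JavaScript model of a dispatch filter evaluated in both orders. The prefix list, sample paths and function names are constructed for illustration, and credential validation is not modelled.

```javascript
// Model only: Solr's real filter is Java (SolrDispatchFilter). All values
// below are constructed samples, not copied from web.xml.
const STATIC_PREFIXES = ['/libs/', '/css/', '/js/', '/img/', '/partials/'];
const UI_ENTRY_PATHS = ['/', '/solr/']; // exempted inside authenticateRequest()

const allow = (handler) => ({ status: 200, handler });
const deny = () => ({
  status: 401,
  handler: 'auth',
  wwwAuthenticate: 'Basic realm="solr"',
});

// order = 'auth-first'    : behaviour before the fix
// order = 'exclude-first' : short circuit moved ahead of authentication
// Assumes blockUnknown=true, so every anonymous request that reaches the
// authentication step is rejected.
function dispatch(req, order) {
  // Prefix match on the servlet path, as the web.xml note describes.
  const isStatic = STATIC_PREFIXES.some((p) => req.path.startsWith(p));
  const isEntry = UI_ENTRY_PATHS.includes(req.path); // exact match only
  const authed = Boolean(req.authorization);

  if (order === 'auth-first') {
    if (!authed) return deny(); // static files get a 401 too
    return allow(isStatic || isEntry ? 'static' : 'solr');
  }
  if (isStatic || isEntry) return allow('static'); // never reaches auth
  if (!authed) return deny();
  return allow('solr');
}

// Regression check for the fixed order: which of the given paths can an
// anonymous client fetch? Only UI assets should ever appear here.
function anonymousSurface(paths) {
  return paths.filter(
    (path) => dispatch({ path }, 'exclude-first').status === 200
  );
}

const SAMPLE_PATHS = [
  '/libs/angular-resource.min.js.map',
  '/css/angular/login.css',
  '/',
  '/solr/',
  '/admin/cores',
  '/admin/collections',
];
```

Because the exclusion is a prefix match that runs before authentication, a check like `anonymousSurface` is worth keeping as a test whenever the exclusion list changes, so that no API path ends up under an excluded prefix.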
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16444820#comment-16444820 ]

Gus Heck commented on SOLR-7896:

{quote}Authenticating the admin UI while leaving the API unprotected is only an illusion of security. Everything the admin UI does can be done directly, using the API.
{quote}
[~elyograg] We are on the same page, and if you took anything I said to be recommending such a configuration, then my prose was unclear :). What I do advocate is that the html pages (except maybe a special login page?) be similarly protected, not because they require protection for security reasons, but because a set of non-functional html pages that don't work properly without login can only confuse the user if rendered. We should only show the user pages that can provide full functionality. A login/landing page is much more friendly than the standard browser basic auth pop-up so I'd say there's some value in that too, and it would potentially allow for a consistent experience across any auth mechanism that didn't fundamentally require a redirect to an external auth provider login.

I do think it would be good to have Solr password protected by default, with command line switch to start it in legacy "open" mode if the server has not previously been protected by authentication. The "please set a password" dance on first startup would also be user friendly, and this should set the password for both the UI files and the API. If solr has been configured to run its auth vs Kerberos, LDAP, SiteMinder or a database etc, the config for that should specify if solr has write access to that backend and skip the set password dance if access is read-only.
{quote}By the time Solr starts, all interface binding is already done by the servlet container.
{quote}
As far as things happening during startup of "the web container" that should be entirely under our control now since we now supply the jetty container. Running as a war file in arbitrary containers is not supported anymore.
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16444088#comment-16444088 ]

Jan Høydahl commented on SOLR-7896:
---

I was certain that Solr used to be able to load the (static) Admin UI files, such as {{/solr/libs/angular-resource.min.js.map}} without the browser prompting for authentication, if Basic Auth is enabled. But now when I test I get the browser prompt on every single load of the Admin UI front page, triggered by the browser trying to load a static file. I tried with master, 7.x, 6.x and even 5.5.5 and same results. Please refresh my memory.

For this feature to work we need all static resources to be served (by Jetty or by Solr) to the browser without auth, and only enforce authentication on the Solr APIs which are called with Ajax calls from Angular. Else we'll not be able to throw up the nice login page before the browser throws up its ugly one :)
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16425721#comment-16425721 ]

Jan Høydahl commented on SOLR-7896:
---

{quote}If you enable authentication (and require it for everything), running the admin UI actually does prompt for authentication. But it's not the UI *itself* that needs it – when it asks for username/password, it is actually requests to Solr's API (being made by your browser – not the Solr server) that are being authenticated.
{quote}
Your statement may be true for Basic Authentication since most browsers have ootb support for that scheme. But for Auth plugin X which may not even use username/passwd at all but some other scheme, your browser will simply display the 401 error message or some exception or whatever. And this will happen only once you click something in the UI that triggers a request to Solr, which is not a very good user experience.

But since Solr allows for e.g. wide open search while admin or write requests require authentication, the UI should probably display the login box on demand whenever it gets a 401 from the server. The HTTP 401 response when user tries to access a protected path will also include a {{WWW-Authenticate}} header which tells the client (AdminUI) what type of auth plugin is used. If we later on add support for more than one auth scheme at the same time, then Solr can output a list of supported ones:
{code:java}
WWW-Authenticate: Basic realm="solr"
WWW-Authenticate: Bearer realm="solr"
WWW-Authenticate: OAuth realm="solr"
{code}
I think the first phase of Admin UI login/auth support will be
# Add a widget to the top/bottom of Admin UI screen that shows auth state, e.g.: {{User: George}}
# Add interceptor for AJAX responses from Solr, identifying {{WWW-Authenticate}} header. If no header, just continue as before
# Add parsing of WWW-Authenticate header: If header(s) exist, check whether Admin UI supports one of the auth schemes, if not display error message that Admin UI is not compatible with Auth XX, otherwise trigger login screen for given scheme
# Implement login screen for Basic Auth (simple login form) along with an AngularJS request interceptor that adds the {{Authorization: Basic ...}} header on all requests
# Implement caching of user credentials in the Webapp
# Try to make it possible for Auth plugins to provide AdminUI login screens and request interceptor implementations, as some sort of HTML5 plugins living inside the jar file??

> Add a login page for Solr Administrative Interface
> --
>
> Key: SOLR-7896
> URL: https://issues.apache.org/jira/browse/SOLR-7896
> Project: Solr
> Issue Type: New Feature
> Components: Admin UI, security
> Affects Versions: 5.2.1
> Reporter: Aaron Greenspan
> Priority: Major
> Labels: authentication, login, password
>
> Out of the box, the Solr Administrative interface should require a password
> that the user is required to set.
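The 401 handling planned in the comment above, combined with the {{xBasic}} challenge rewrite described in the later comment about {{X-Requested-With}}, as an added example that is not the project's code. It models both sides of the exchange in plain JavaScript; the function names, the `login-basic` page name and the `Map` standing in for session storage are assumptions, and the credentials are the sample ones from the `bin/solr auth enable` command on this page.

```javascript
// Model of the exchange, not Solr or Admin UI source. Runs under Node
// (Buffer is used for base64; a browser would use btoa).
const LOGIN_PAGES = new Map([['basic', 'login-basic']]); // hypothetical page
const ALIASES = new Map([['xbasic', 'basic']]); // Ajax-only spelling of Basic

// Case-insensitive header lookup that always returns an array of values.
function headerValues(headers, name) {
  const out = [];
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === name.toLowerCase()) out.push(...[].concat(value));
  }
  return out;
}

// Server side: Ajax callers get "xBasic" so the browser's native dialog
// stays closed; every other client gets the standard scheme name.
function challengeFor(requestHeaders, realm = 'solr') {
  const ajax = headerValues(requestHeaders, 'X-Requested-With')
    .includes('XMLHttpRequest');
  return `${ajax ? 'xBasic' : 'Basic'} realm="${realm}"`;
}

// Client side: one challenge per WWW-Authenticate line, as in the comment's
// sample headers. Comma-joined challenge lists are not handled here.
function parseChallenges(values) {
  return values
    .map((v) => /^\s*([A-Za-z0-9._~+\/-]+)(?:\s+(.*))?$/.exec(v))
    .filter(Boolean)
    .map(([, scheme, params = '']) => {
      const realm = /realm="([^"]*)"/i.exec(params);
      return { scheme, realm: realm ? realm[1] : null };
    });
}

// Response interceptor: continue, show a login page, or report that no
// offered scheme is supported by the UI.
function onResponse(status, headers) {
  if (status !== 401) return { action: 'continue' };
  const offered = parseChallenges(headerValues(headers, 'WWW-Authenticate'));
  if (offered.length === 0) return { action: 'continue' };
  for (const { scheme, realm } of offered) {
    const key = scheme.toLowerCase();
    const page = LOGIN_PAGES.get(ALIASES.get(key) || key);
    if (page) return { action: 'login', page, realm };
  }
  const schemes = offered.map((c) => c.scheme);
  return {
    action: 'error',
    schemes,
    message: `Admin UI is not compatible with auth scheme(s): ${schemes.join(', ')}`,
  };
}

function basicAuthorization(user, password) {
  if (user.includes(':')) throw new Error('Basic user-id must not contain ":"');
  return 'Basic ' + Buffer.from(`${user}:${password}`, 'utf8').toString('base64');
}

// Request interceptor: mark the call as Ajax and attach stored credentials.
// Anything kept in session storage is readable by every script on the origin.
function onRequest(headers, session) {
  const out = { ...headers, 'X-Requested-With': 'XMLHttpRequest' };
  const stored = session.get('Authorization');
  if (stored) out.Authorization = stored;
  return out;
}

// Toy server: 401 with a challenge unless the expected header is presented.
function serve(requestHeaders, expectedAuth) {
  if (headerValues(requestHeaders, 'Authorization')[0] === expectedAuth) {
    return { status: 200, headers: {} };
  }
  return {
    status: 401,
    headers: { 'WWW-Authenticate': challengeFor(requestHeaders) },
  };
}

function demoExchange() {
  const session = new Map(); // stands in for window.sessionStorage
  const expected = basicAuthorization('solr', 'solrRocks');
  const first = serve(onRequest({}, session), expected);
  const decision = onResponse(first.status, first.headers);
  session.set('Authorization', expected); // what the login form would store
  const second = serve(onRequest({}, session), expected);
  return {
    challenge: first.headers['WWW-Authenticate'],
    decision,
    finalStatus: second.status,
  };
}
```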
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16420488#comment-16420488 ]

Shawn Heisey commented on SOLR-7896:

Something said a REALLY long time ago:

bq. Also, I would love for Solr to just be exposed exclusively on my server's internal IP address(es)--but I have no idea how to do that.

All operating systems these days come with a host firewall, and most of them have that firewall turned on by default. Organizations also usually have firewalls and other routing equipment that can filter traffic.

Controlling which interfaces Solr binds to actually cannot be done by Solr itself. By the time Solr starts, all interface binding is already done by the servlet container. I do not know if there are sysprops that can be passed in the Solr startup config to tell Jetty how to do network binding.

For what [~gus_heck] has asked about: The admin UI doesn't get protected when authentication is turned on. The actual files making up the admin UI don't NEED protection -- there's absolutely nothing in them related to your Solr config or data. It's completely static html/css/javascript/images, data that is identical on every Solr install using that version. The UI is retrieved and then runs in your browser, and makes requests to Solr's API to get information and perform actions.

If you enable authentication (and require it for everything), running the admin UI actually does prompt for authentication. But it's not the UI *itself* that needs it -- when it asks for username/password, it is actually requests to Solr's API (being made by your browser -- not the Solr server) that are being authenticated.

Authenticating the admin UI while leaving the API unprotected is only an illusion of security. Everything the admin UI does can be done directly, using the API.
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16419594#comment-16419594 ]

Jan Høydahl commented on SOLR-7896:

Let’s keep this issue for adding a login screen and handling initial authentication if such a plugin is enabled in Solr.

I agree, Aaron, that the next step could be to simplify initial bootstrap of authentication, but we already have a solution for that with a simple {{bin/solr auth}} command. But feel free to open another Jira about Admin UI support for enabling and managing security.

As Upayavira says, the Admin UI must handle authentication just as any other Solr client, we cannot have some “backdoor” for the UI only. But we could potentially allow two or more auth plugins active at the same time, so the Admin UI can always be used even if the user has configured an auth plugin that the UI does not support. We already have implicit support for PKI auth at all times.
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16419536#comment-16419536 ]

Aaron Greenspan commented on SOLR-7896:

I agree with Gus that the primary issue here is just getting some kind of simple protection for the admin UI in place.

Maybe there's a better solution than the key I've proposed, but I would note that the worst-case scenario of the server being "forever compromised" is already the default way Solr works now. Everything is open and effectively pre-compromised. If browser development tools can see requests to a Solr back-end to discover my hypothetical key, they can already see requests to the server and can discover everything in the store, so something is wrong with how the developer built their site. (I'd think Solr requests should be going on in the background, not in some client-side JavaScript call.)

Furthermore, all of the general arguments as to why a key would be insecure could be made for any password authentication scheme (someone could discover it, it should be changed regularly, etc.). My point was that users should not be sending their admin passwords in an HTTP GET string. So a randomly-generated key would be preferable given that Solr works that way.
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16419519#comment-16419519 ]

Gus Heck commented on SOLR-7896:

[~thinkcomp] While this could be implemented, permanent key systems are not very secure. If the key is lifted (i.e. from browser dev tools) by someone nefarious (think disgruntled employee for example, or code bug exposing the key on a request), your server is forever compromised. Unless you have some protocol for regenerating the key regularly, and then getting that out to the clients that *should* have it, you're hosed. I for one wouldn't want to invest time in building something like that as it will be eschewed by anyone truly serious about security.

Also as you point out roles are likely to be desirable. But I think we are in danger of mixing two things here... Authentication and Authorization. My read of the original ticket is that this was about adding an Authentication check only, and only for a single admin user. A separate issue designing a fine grained permission-role-user mapping system should be filed if authorization beyond all or nothing is desired.

The initial password setting routine however sounds good. Perhaps all requests to api or UI should get redirected to the password setting page when solr is started with passworded admin enabled.
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16419378#comment-16419378 ]

Aaron Greenspan commented on SOLR-7896:

Here's how I'd like Solr to work.

When installing it fresh (no content), the first thing you have to do is go to the UI and set an admin password. Once you've done that, you should be given a choice to leave your API wide open (how it works now, firewalls aside), or generate a security key that in the future gets passed to every API request as an HTTP GET variable. If you don't pass the key and it's set to be required, the API request fails. If you pass the wrong key and it's required, the API request fails. If you pass the right key and it's required, or if no key is required, you get results back. You can change the security key settings in the admin UI by signing in with your username and password.

Potentially, you could have different security keys for different use cases, and track their usage.

I have no experience as a Solr Java developer so maybe doing this is impossible or just merely difficult. But it would bring Solr in line with almost every other enterprise software product I've ever used.
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16419281#comment-16419281 ]

Upayavira commented on SOLR-7896:

Let's just be clear what we are talking about here. The Admin UI is a set of HTML and JS files. It makes use of a set of APIs, that are typically JSON over HTTP: the same APIs as end users use.

So talking about one auth for the UI and one for the API doesn't entirely make sense. Serving the UI files up over a different auth scheme may be possible, but without the APIs they are pretty darn useless, no?

So what are we actually talking about here?
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16419250#comment-16419250 ]

Shalin Shekhar Mangar commented on SOLR-7896:

I agree with Gus here. Ideally, whatever security scheme is enabled for Solr APIs, the same should be enabled for the Admin UI. It is a bad idea to have a different scheme that is used only by the Admin UI.
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16419227#comment-16419227 ]

Jan Høydahl commented on SOLR-7896:

Ok, so some kind of fallback Auth that is disabled by default but can be turned on if you need to use a primary Auth not yet natively supported by the AdminUI. Another option is to allow more than one Auth plugin to be enabled at the same time, and let the framework resolve which one to use for each request.
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16419090#comment-16419090 ]

Gus Heck commented on SOLR-7896:

{quote}but that risks adding a security risk. {quote}

Yes, that's my point. I would think that whatever protects the admin UI should also protect the APIs by default. More schemes create more attack surface, noting that if (as you suggested above) basic auth allows admin UI access, then either that UI is completely functionless without additional Kerberos auth as well (your example) or the Basic Auth is sufficient for requests from the UI to access the APIs (the UI accesses the APIs via javascript Ajax requests, I believe)...

I don't really like the idea of allowing 2 ways (one for admin and one for api), but if it's needed for some use case, my point is such a configuration should not be default.
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16418698#comment-16418698 ]

Jan Høydahl commented on SOLR-7896:

Can you elaborate? I was thinking that Admin UI is just some other client, like SolrJ, and thus it should handle passing correct credentials to the Solr APIs whether that is username/pass, some http header or redirecting user to external login page. The alternative I guess is some custom login mechanism just for Admin, but that risks adding a security risk.
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16393600#comment-16393600 ]

Gus Heck commented on SOLR-7896:

It should take special configuration to make the auth schemes diverge I think. That seems like the corner case and unified auth management would be the core use case IMHO. By default all one scheme for all urls, if further configured secondary schemes per URL path...
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16392566#comment-16392566 ]

Jan Høydahl commented on SOLR-7896:

It would also be nice to allow a different Auth method for Admin UI users than for API users, e.g. allow API clients to use Kerberos while AdminUI users can log in with BasicAuth and local users. Currently you must choose between the two, but {{security.json}} could be made to accept a list of auth plugins, try each one and only fail if all return false? That way the Admin UI could support e.g. BasicAuth login at first and there would always be a way to allow superusers to log in to Admin even if they use some custom AuthPlugin that the admin does not understand.
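The "list of auth plugins, try each one and only fail if all return false" idea from the comment above, sketched as an added example that is not part of the thread and not Solr's code. It assumes each plugin claims one `Authorization` scheme, so rejected credentials never fall through to anonymous access and the 401 advertises every scheme on offer; the plugin objects, user store and token store are all constructed for the illustration.

```javascript
// Added illustration, not Solr code. All names and sample credentials are constructed.
const LOCAL_USERS = new Map([['admin', 'constructed-demo-password']]); // a real store keeps salted hashes
const API_TOKENS = new Map([['constructed-token-123', { user: 'indexer', expires: 2000 }]]);

// String comparison that does not stop at the first differing character.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

// Each plugin owns one scheme; verify() returns a user name or null.
const basicPlugin = {
  scheme: 'Basic',
  challenge: 'Basic realm="solr"',
  verify(credentials) {
    const decoded = Buffer.from(credentials, 'base64').toString('utf8');
    const sep = decoded.indexOf(':'); // the password itself may contain ':'
    if (sep < 0) return null;
    const user = decoded.slice(0, sep);
    const expected = LOCAL_USERS.get(user);
    // Compare even for unknown users so both failure paths do similar work.
    const ok = safeEqual(decoded.slice(sep + 1), expected || '') && expected !== undefined;
    return ok ? user : null;
  },
};

const tokenPlugin = {
  scheme: 'Bearer',
  challenge: 'Bearer realm="solr"',
  verify(credentials, now) {
    const session = API_TOKENS.get(credentials);
    return session && session.expires > now ? session.user : null;
  },
};

const PLUGINS = [basicPlugin, tokenPlugin];

// Split "Scheme credentials" into its two parts; null when the header is absent or malformed.
function parseAuthorization(header) {
  const m = /^(\S+)\s+(\S.*)$/.exec(header || '');
  return m ? { scheme: m[1].toLowerCase(), credentials: m[2].trim() } : null;
}

// Try every plugin that claims the presented scheme; fail only when none accepts.
function authenticate(plugins, headers, now) {
  const challenge = plugins.map(p => p.challenge).join(', ');
  const deny = reason => ({ status: 401, reason, headers: { 'WWW-Authenticate': challenge } });
  const parsed = parseAuthorization(headers.authorization);
  if (!parsed) return deny('no credentials');
  let claimed = false;
  for (const plugin of plugins) {
    if (plugin.scheme.toLowerCase() !== parsed.scheme) continue; // not this plugin's scheme
    claimed = true;
    const user = plugin.verify(parsed.credentials, now);
    if (user) return { status: 200, user, via: plugin.scheme };
  }
  return deny(claimed ? 'bad credentials' : 'unsupported scheme');
}
```

The same chain serves a browser using Basic and an API client using a token, while a request with a scheme no plugin claims is refused rather than passed along.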
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16390925#comment-16390925 ]

Jan Høydahl commented on SOLR-7896:

Reviving this.

{quote}Requiring authentication out of the box for the admin UI, probably with cookies, doesn't seem quite so insane, though. It might be the sort of thing where no password exists initially, but the first time you access the UI, it forces you to set one {quote}

What good does it do to authenticate with Admin UI if the Solr APIs are not protected? You can't do a thing in Admin that you cannot do with curl :)

So the login feature must somehow relate to all the auth plugins available in Solr. Many plugins will require username/password input and can probably use the same login form in AdminUI, but let the Java plugin validate pw in a different way. Other methods may require custom JS code in the UI. So the UI must probably be pluggable in this area.
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15932884#comment-15932884 ]

Shawn Heisey commented on SOLR-7896:

Been a while since I said anything on this issue. I have skimmed the newest comments, but haven't read them in-depth.

For security on the admin UI, do we want basic authentication, or do we want to use a form-and-cookie approach like the vast majority of web applications? HTTP basic authentication is probably the only sane choice for the API, though.

Enabling SSL out of the box still seems like a bad idea, and enabling authentication on the API by default also seems like a bad idea. Requiring authentication out of the box for the admin UI, probably with cookies, doesn't seem quite so insane, though. It might be the sort of thing where no password exists initially, but the first time you access the UI, it forces you to set one. In cloud mode, that would probably update zookeeper, affecting all Solr instances.

What would be really nice to have is the ability to enable/disable and configure API authentication within the admin UI.
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15932776#comment-15932776 ]

Jan Høydahl commented on SOLR-7896:

Solr may be protected by any AuthPlugin, not only BasicAuth, so we need something that is future proof too. Of course if we limit this to only supporting BasicAuthPlugin we could let the UI add user:pass for all requests directly. However, I was hoping to have something generic. So for the BasicAuth case I think we could be using the email/password flow: https://github.com/sahat/satellizer#-login-with-email-and-password and let Solr backend validate the user/pass?
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15932737#comment-15932737 ]

Alexandre Rafalovitch commented on SOLR-7896:

I think Satellizer is for 3rd party authentication. So, with user authenticating to Google/Twitter and Solr using that for internal access.

That feels like a different thing from what I understand us having - which is basic authentication with passwords stored internally.
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15932690#comment-15932690 ]

Jan Høydahl commented on SOLR-7896:

Guess we could use this AngularJS module https://github.com/sahat/satellizer for the frontend. It uses JWT.

On the Solr end we'd need to add e.g. {{/auth/login/}} endpoint to validate the login.

On the Admin UI end we'd need to add the login controller and a login screen/dialogue.

Guess we'd also need to add some kind of {{TokenAuthenticationPlugin}} which validates the {{Authorization: Bearer }} header much in the same way that we have a special path to validate the {{SolrAuth}} header for PKI auth. This fellow could also take care of Single Sign on (to support user browsing away to another solr node) by securely asking the original Solr node if the token is valid.

Further, the Admin UI will on first load make a request to Solr to ask whether login will be required, and if so, pop up the dialogue immediately.

Do I miss anything here? Anyone who has experience in these things? How does the {{/auth/login}} endpoint validate a user login in case of Kerberos/Hadoop auth? Perhaps by forwarding user with OAuth2 to some other server in the network? I'm quite blank on this..
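The UI-side plumbing discussed in this message (send credentials with every API request, treat a 401 as "login required", pick the login view from the scheme the server asks for), as an added example that is not code from the thread or from the Admin UI. It mirrors the `request` / `responseError` shape of an AngularJS HTTP interceptor without depending on the framework; the login routes, the session store and the `navigate` and `currentPath` callbacks are assumptions made for the sketch.

```javascript
// Added illustration, not the Admin UI's code. Routes and names are constructed.
const LOGIN_VIEWS = new Map([
  ['basic', '/login/basic'],
  ['bearer', '/login/token'],
]);

// Extract scheme names from a WWW-Authenticate value that may carry several challenges.
function challengeSchemes(value) {
  // Blank out quoted strings first so commas inside a realm are not mistaken for separators.
  const bare = (value || '').replace(/"(?:[^"\\]|\\.)*"/g, '""');
  const schemes = [];
  // A scheme is a token at the start or after a comma that is not followed by '='.
  const re = /(?:^|,)\s*([A-Za-z][\w-]*)(?=\s+[^=\s,]|\s*(?:,|$))/g;
  let m;
  while ((m = re.exec(bare)) !== null) schemes.push(m[1].toLowerCase());
  return schemes;
}

function createAuthInterceptor({ session, navigate, currentPath }) {
  // Only requests to the UI's own origin may carry credentials.
  const sameOrigin = url => url.startsWith('/') && !url.startsWith('//');
  return {
    // Before every request: credentials go in a header, never in the URL.
    request(config) {
      const auth = session.get('authorization');
      if (auth && sameOrigin(config.url)) {
        config.headers = { ...config.headers, Authorization: auth };
      }
      return config;
    },
    // On a failed response: a 401 means "log in"; anything else passes through untouched.
    responseError(rejection) {
      if (rejection.status !== 401) return rejection;
      session.delete('authorization'); // credentials were missing, wrong or expired
      const offered = challengeSchemes(rejection.headers['www-authenticate']);
      const scheme = offered.find(s => LOGIN_VIEWS.has(s));
      session.set('returnTo', currentPath()); // come back here after a successful login
      navigate(scheme ? LOGIN_VIEWS.get(scheme) : '/login/unknown-scheme');
      return rejection;
    },
  };
}
```

Because the login view is chosen from the server's challenge, the UI needs no setting of its own saying which auth plugin is active, and a scheme it cannot handle lands on an explicit "unknown scheme" view.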
[jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14711034#comment-14711034 ]

Jan Høydahl commented on SOLR-7896:

Let's keep this issue focused on logging in to the Admin UI..

Some questions regarding a possible Solr Admin Login:
* Should it be SolrCloud only?
* Should it require an Authentication Plugin to be configured or be separate? Can the login screen support any and all Auth methods? How?
* What about Single Sign on? Cookies?
** If you log in to one Solr node, should we require another login if you navigate to another node?
* If SSL is configured, can we treat SSL client certificate based auth as a valid login, independent of what AuthPlugin is configured?

Once the Admin UI has a login, we have the framework for adapting the UI depending on what roles the logged-in user has, i.e. create collection etc, that would be a bunch of new JIRAs.

> Add a login page for Solr Administrative Interface
>
> Key: SOLR-7896
> URL: https://issues.apache.org/jira/browse/SOLR-7896
> Project: Solr
> Issue Type: New Feature
> Components: security, web gui
> Affects Versions: 5.2.1
> Reporter: Aaron Greenspan
> Labels: authentication, login, password
>
> Out of the box, the Solr Administrative interface should require a password
> that the user is required to set.