Thanks for the clarification

Created SOLR-14083

-----Original Message-----
From: Erick Erickson <erickerick...@gmail.com>
Sent: Friday, December 13, 2019 6:26 PM
To: solr-user@lucene.apache.org
Subject: Re: Solr8 changes how security.json restricts access to GUI

Anyone who has an account can open a JIRA, have you created one?

> On Dec 13, 2019, at 5:10 PM, Oakley, Craig (NIH/NLM/NCBI) [C]
> <craig.oak...@nih.gov.INVALID> wrote:
>
> It looks as though I do not have an option under
> issues.apache.org/jira/projects/SOLR/issues by which to create an issue.
> Could you create one (and let me know its number)?
>
> Thanks
>
> -----Original Message-----
> From: Jan Høydahl <jan....@cominvent.com>
> Sent: Friday, December 13, 2019 3:52 PM
> To: solr-user@lucene.apache.org
> Subject: Re: Solr8 changes how security.json restricts access to GUI
>
> Ok, we should perhaps print a warning somewhere that IE is not supported. Can
> you file a JIRA issue?
>
> Jan Høydahl
>
>> On 13 Dec 2019, at 21:43, Oakley, Craig (NIH/NLM/NCBI) [C]
>> <craig.oak...@nih.gov.invalid> wrote:
>>
>> Well that is progress: indeed Firefox and Chrome and Edge do indeed prompt
>> for login and password (as desired). It is Internet Explorer which does not,
>> nor does curl (that is to say, if you ask curl only to go to the top level:
>> host:port/solr -- going any further it will complain, such as your
>> /solr/admin/info/system example gets Error 401 Authentication failed,
>> Response code: 401)
>>
>> -----Original Message-----
>> From: Jan Høydahl <jan....@cominvent.com>
>> Sent: Friday, December 13, 2019 2:15 PM
>> To: solr-user <solr-user@lucene.apache.org>
>> Subject: Re: Solr8 changes how security.json restricts access to GUI
>>
>> I got your screenshot
>> (https://www.dropbox.com/s/7tbn7gx3uag6jcg/crippledSolrGUI.jpg?dl=0)
>>
>> This is quite uncommon. You should see a login screen if you have basicAuth
>> enabled.
>> Have you tried a different browser?
>>
>> What do you get if you run this command
>>
>> curl -i http://your-solr-url/solr/admin/info/system
>>
>> Or if you use your browser’s developer tools to inspect network traffic?
>>
>> Jan
>>
>>> On 12 Dec 2019, at 23:49, Jan Høydahl <jan....@cominvent.com> wrote:
>>>
>>> Attachments are stripped from list, can you post a link to the screenshot
>>> of the UI when you first visit?
>>>
>>> Jan
>>>
>>>>> On 12 Dec 2019, at 17:27, Oakley, Craig (NIH/NLM/NCBI) [C]
>>>>> <craig.oak...@nih.gov.INVALID> wrote:
>>>>
>>>> Below is the security.json (with password hashes redacted): in Solr7.4 it
>>>> prompts for a password and (if you get it right) lets you into the whole
>>>> GUI; But in Solr8.1.1 and in Solr 8.3, it does not prompt for a password
>>>> before letting you into a crippled version of the GUI (as depicted in the
>>>> attachment)
>>>>
>>>> {
>>>>   "authentication":{
>>>>     "class":"solr.BasicAuthPlugin",
>>>>     "credentials":{
>>>>       "solradmin":"[redacted]",
>>>>       "pysolrmon":"[redacted]",
>>>>       "solrtrg":"[redacted]"},
>>>>     "":{"v":2}},
>>>>   "authorization":{
>>>>     "class":"solr.RuleBasedAuthorizationPlugin",
>>>>     "user-role":{
>>>>       "solradmin":[
>>>>         "admin",
>>>>         "allgen",
>>>>         "trgadmin",
>>>>         "genadmin"],
>>>>       "solrtrg":[
>>>>         "trgadmin",
>>>>         "allgen"],
>>>>       "pysolrmon":["clustatus_role"]},
>>>>     "permissions":[
>>>>       {
>>>>         "name":"gen_admin",
>>>>         "collection":"NULL",
>>>>         "path":"/admin/cores",
>>>>         "params":{"action":[
>>>>             "REGEX:(?i)CREATE",
>>>>             "REGEX:(?i)RENAME",
>>>>             "REGEX:(?i)SWAP",
>>>>             "REGEX:(?i)UNLOAD",
>>>>             "REGEX:(?i)SPLIT"]},
>>>>         "role":"genadmin"},
>>>>       {
>>>>         "name":"col_admin",
>>>>         "collection":null,
>>>>         "path":"/admin/collections",
>>>>         "params":{"action":[
>>>>             "REGEX:(?i)CREATE",
>>>>             "REGEX:(?i)MODIFYCOLLECTION",
>>>>             "REGEX:(?i)SPLITSHARD",
>>>>             "REGEX:(?i)CREATESHARD",
>>>>             "REGEX:(?i)DELETESHARD",
>>>>             "REGEX:(?i)CREATEALIAS",
>>>>             "REGEX:(?i)DELETEALIAS",
>>>>             "REGEX:(?i)DELETE",
>>>>             "REGEX:(?i)DELETEREPLICA",
>>>>             "REGEX:(?i)ADDREPLICA",
>>>>             "REGEX:(?i)CLUSTERPROP",
>>>>             "REGEX:(?i)MIGRATE",
>>>>             "REGEX:(?i)ADDROLE",
>>>>             "REGEX:(?i)REMOVEROLE",
>>>>             "REGEX:(?i)ADDREPLICAPROP",
>>>>             "REGEX:(?i)DELETEREPLICAPROP",
>>>>             "REGEX:(?i)BALANCESHARDUNIQUE",
>>>>             "REGEX:(?i)REBALANCELEADERS",
>>>>             "REGEX:(?i)FORCELEADER",
>>>>             "REGEX:(?i)MIGRATESTATEFORMAT"]},
>>>>         "role":"genadmin"},
>>>>       {
>>>>         "name":"security-edit",
>>>>         "role":"admin"},
>>>>       {
>>>>         "name":"clustatus",
>>>>         "path":"/admin/collections",
>>>>         "params":{"action":["REGEX:(?i)CLUSTERSTATUS"]},
>>>>         "role":[
>>>>           "clustatus_role",
>>>>           "allgen"],
>>>>         "collection":null},
>>>>       {
>>>>         "name":"corestatus",
>>>>         "path":"/admin/cores",
>>>>         "params":{"action":["REGEX:(?i)STATUS"]},
>>>>         "role":[
>>>>           "allgen",
>>>>           "clustatus_role"],
>>>>         "collection":null},
>>>>       {
>>>>         "name":"trgadmin",
>>>>         "collection":"trg_col",
>>>>         "path":"/admin/*",
>>>>         "role":"trgadmin"},
>>>>       {
>>>>         "name":"open_select",
>>>>         "path":"/select/*",
>>>>         "role":null},
>>>>       {
>>>>         "name":"open_search",
>>>>         "path":"/search/*",
>>>>         "role":null},
>>>>       {
>>>>         "name":"catch-all-nocollection",
>>>>         "collection":null,
>>>>         "path":"/*",
>>>>         "role":"allgen"},
>>>>       {
>>>>         "name":"catch-all-collection",
>>>>         "path":"/*",
>>>>         "role":"allgen"},
>>>>       {
>>>>         "name":"all-admincol",
>>>>         "collection":null,
>>>>         "path":"/admin/collections",
>>>>         "role":"allgen"},
>>>>       {
>>>>         "name":"all-admincores",
>>>>         "collection":null,
>>>>         "path":"/admin/cores",
>>>>         "role":"allgen"}],
>>>>     "":{"v":5}}}
>>>>
>>>> -----Original Message-----
>>>> From: Jan Høydahl <jan....@cominvent.com>
>>>> Sent: Wednesday, December 11, 2019 7:35 PM
>>>> To: solr-user@lucene.apache.org
>>>> Subject: Re: Solr8 changes how security.json restricts access to GUI
>>>>
>>>> Please show your complete Security.json so we know how auth is configured.
>>>> Which 8.x version are you trying? There should be a login screen shown in
>>>> admin UI now.
>>>>
>>>> Jan Høydahl
>>>>
>>>>> On 11 Dec 2019, at 22:40, Oakley, Craig (NIH/NLM/NCBI) [C]
>>>>> <craig.oak...@nih.gov.invalid> wrote:
>>>>>
>>>>> In Solr 7, we had clauses in our security.json saying
>>>>>
>>>>>   {
>>>>>     "name":"all-admin",
>>>>>     "collection":null,
>>>>>     "path":"/*",
>>>>>     "role":"allgen",
>>>>>     "index":15},
>>>>>   {
>>>>>     "name":"all-core-handlers",
>>>>>     "path":"/*",
>>>>>     "role":"allgen",
>>>>>     "index":16},
>>>>>
>>>>> We granted the role allgen to all users; but this kept our security folk
>>>>> happy in that no one could even get to the top level of the Solr GUI
>>>>> without a password.
>>>>>
>>>>> Now under Solr 8, the GUI does not prompt for a password. It just brings
>>>>> you into the GUI (albeit a stripped down version, saying such things as
>>>>> "No cores available"). By what means can we require a password to get
>>>>> this far? And by what means can we prompt for a password in order to get
>>>>> further?
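Added example, not part of the thread and not Solr project code: a small Python audit of a security.json like the one quoted above, reporting the settings that decide what a request without credentials can reach. The function name audit_security_json and the result keys are hypothetical, the sample is a constructed, abbreviated copy of the posted file, and blockUnknown is the BasicAuthPlugin option (absent from the posted file) that rejects unauthenticated requests when set to true.

```python
import json

# Constructed, abbreviated copy of the security.json posted in the thread
# (hashes stay redacted; only a few of the permissions are kept).
SAMPLE = """
{"authentication": {"class": "solr.BasicAuthPlugin",
                    "credentials": {"solradmin": "[redacted]"}},
 "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
   "user-role": {"solradmin": ["admin", "allgen", "genadmin"]},
   "permissions": [
     {"name": "gen_admin", "collection": "NULL", "path": "/admin/cores", "role": "genadmin"},
     {"name": "security-edit", "role": "admin"},
     {"name": "open_select", "path": "/select/*", "role": null},
     {"name": "open_search", "path": "/search/*", "role": null},
     {"name": "catch-all-nocollection", "collection": null, "path": "/*", "role": "allgen"},
     {"name": "catch-all-collection", "path": "/*", "role": "allgen"}]}}
"""


def audit_security_json(text):
    """Hypothetical helper: report settings that affect requests sent without credentials."""
    cfg = json.loads(text)
    authn = cfg.get("authentication", {})
    authz = cfg.get("authorization", {})
    perms = authz.get("permissions", [])
    # Roles granted to at least one user; a role entry may be a string or a list.
    granted = set()
    for roles in authz.get("user-role", {}).values():
        granted.update([roles] if isinstance(roles, str) else roles)
    # Roles that some permission asks for.
    needed = set()
    for p in perms:
        role = p.get("role")
        if role is not None:
            needed.update([role] if isinstance(role, str) else role)
    return {
        # True only when blockUnknown is explicitly set to true.
        "block_unknown": authn.get("blockUnknown") is True,
        # Permissions written with "role": null, i.e. no role is asked for.
        "no_role_required": [p["name"] for p in perms if "role" in p and p["role"] is None],
        # The string "NULL" is not JSON null; flag it so the author can confirm which was meant.
        "string_null_collection": [p["name"] for p in perms if p.get("collection") == "NULL"],
        # Roles a permission requires but no user holds.
        "roles_nobody_holds": sorted(needed - granted - {"*"}),
    }


if __name__ == "__main__":
    for key, value in audit_security_json(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against the live file (for example the copy stored in ZooKeeper) after each change, and pair it with the curl -i check from the thread to confirm what the server actually returns.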