Posted to commits@lucene.apache.org by ja...@apache.org on 2019/04/04 14:26:27 UTC

[lucene-solr] branch branch_8x updated: SOLR-13344: Admin UI inaccessible with RuleBasedAuthorizationPlugin

This is an automated email from the ASF dual-hosted git repository.

janhoy pushed a commit to branch branch_8x
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git


The following commit(s) were added to refs/heads/branch_8x by this push:
     new 9dd5191  SOLR-13344: Admin UI inaccessible with RuleBasedAuthorizationPlugin
9dd5191 is described below

commit 9dd51915fa3c118156cf59e9432b6c85d4933e1c
Author: Jan Høydahl <ja...@apache.org>
AuthorDate: Thu Apr 4 16:07:23 2019 +0200

    SOLR-13344: Admin UI inaccessible with RuleBasedAuthorizationPlugin
    
    (cherry picked from commit 96ef35cd2cac71b8cc282e85419ca9846f3580e3)
---
 solr/CHANGES.txt                                             | 2 ++
 solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java | 1 +
 solr/solr-ref-guide/src/rule-based-authorization-plugin.adoc | 5 +++++
 3 files changed, 8 insertions(+)

diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 52d3530..092e0c5 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -118,6 +118,8 @@ Bug Fixes
 
 * SOLR-13349: High CPU usage in Solr due to Java 8 bug (Erick Erickson)
 
+* SOLR-13344: Admin UI inaccessible with RuleBasedAuthorizationPlugin (janhoy, Jason Gerlowski)
+
 * SOLR-13352: Remove risk of deadlock/threadleak when shutting down an Overseer(TriggerThread).  (hossman)
 
 * SOLR-13362: Add 'includeIndexFieldFlags' support to SolrJ LukeRequest (Jason Gerlowski)
diff --git a/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java b/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java
index 38145f3..e4f0af9 100644
--- a/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java
+++ b/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java
@@ -550,6 +550,7 @@ public class HttpSolrCall {
   private boolean shouldAuthorize() {
     if(PublicKeyHandler.PATH.equals(path)) return false;
     //admin/info/key is the path where public key is exposed . it is always unsecured
+    if ("/".equals(path) || "/solr/".equals(path)) return false; // Static Admin UI files must always be served 
     if (cores.getPkiAuthenticationPlugin() != null && req.getUserPrincipal() != null) {
       boolean b = cores.getPkiAuthenticationPlugin().needsAuthorization(req);
       log.debug("PkiAuthenticationPlugin says authorization required : {} ", b);
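Review bot: The comment on the added line ("Static Admin UI files must always be served") overstates what the check does; only the two exact strings "/" and "/solr/" are exempted from authorization, so the comment should say why those two paths alone are sufficient (for example, that the other Admin UI assets never reach shouldAuthorize()), otherwise a later reader may be tempted to widen the exemption into a prefix match. It is worth stating explicitly here that this is an authorization carve-out only: the path still passes through authentication, and because the comparison is an exact match rather than startsWith(), any other path, including variants such as a doubled slash, still falls through to the normal authorization decision, which is the fail-closed behaviour you want. Also drop the trailing whitespace after "served".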
diff --git a/solr/solr-ref-guide/src/rule-based-authorization-plugin.adoc b/solr/solr-ref-guide/src/rule-based-authorization-plugin.adoc
index d86097a..eccc7ec 100644
--- a/solr/solr-ref-guide/src/rule-based-authorization-plugin.adoc
+++ b/solr/solr-ref-guide/src/rule-based-authorization-plugin.adoc
@@ -24,6 +24,11 @@ The roles can be used with any of the authentication plugins or with a custom au
 
 Once defined through the API, roles are stored in `security.json`.
 
+[CAUTION]
+====
+Solr's Admin UI interacts with Solr using its regular APIs. When rule-based authorization is in use, logged-in users not authorized to access the full range of these APIs may see some sections of the UI that appear blank or "broken". For best results, the Admin UI should only be accessed by users with full API access.
+====
+
 == Enable the Authorization Plugin
 
 The plugin must be enabled in `security.json`. This file and where to put it in your system is described in detail in the section <<authentication-and-authorization-plugins.adoc#enable-plugins-with-security-json,Enable Plugins with security.json>>.
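Review bot: The new CAUTION block describes the symptom (blank or "broken" UI sections for users without full API access) but not the behaviour this commit introduces, namely that the Admin UI's landing paths `/` and `/solr/` are now served without an authorization check while every API the UI calls remains subject to the configured rules. One sentence to that effect would let operators understand that successfully loading the Admin UI page is not itself evidence that a user is authorized for anything, and that the actual access decisions still happen per API request.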