Posted to commits@lucene.apache.org by ja...@apache.org on 2019/04/04 14:25:28 UTC
[lucene-solr] branch master updated: SOLR-13344: Admin UI inaccessible with RuleBasedAuthorizationPlugin
This is an automated email from the ASF dual-hosted git repository.
janhoy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git
The following commit(s) were added to refs/heads/master by this push:
new 96ef35c SOLR-13344: Admin UI inaccessible with RuleBasedAuthorizationPlugin
96ef35c is described below
commit 96ef35cd2cac71b8cc282e85419ca9846f3580e3
Author: Jan Høydahl <ja...@apache.org>
AuthorDate: Thu Apr 4 16:07:23 2019 +0200
SOLR-13344: Admin UI inaccessible with RuleBasedAuthorizationPlugin
---
solr/CHANGES.txt | 2 ++
solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java | 1 +
solr/solr-ref-guide/src/rule-based-authorization-plugin.adoc | 5 +++++
3 files changed, 8 insertions(+)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index b6e1413..51d61aa 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -150,6 +150,8 @@ Bug Fixes
* SOLR-13349: High CPU usage in Solr due to Java 8 bug (Erick Erickson)
+* SOLR-13344: Admin UI inaccessible with RuleBasedAuthorizationPlugin (janhoy, Jason Gerlowski)
+
* SOLR-13352: Remove risk of deadlock/threadleak when shutting down an Overseer(TriggerThread). (hossman)
* SOLR-13362: Add 'includeIndexFieldFlags' support to SolrJ LukeRequest (Jason Gerlowski)
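Review bot: the added `+` blank line after the SOLR-13344 entry separates it from the SOLR-13352 and SOLR-13362 entries, which in the surrounding context sit directly under each other with no blank line between them; drop the extra blank line so the Bug Fixes list keeps one consistent layout.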
diff --git a/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java b/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java
index 5f3c4c7..350f99c 100644
--- a/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java
+++ b/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java
@@ -582,6 +582,7 @@ public class HttpSolrCall {
private boolean shouldAuthorize() {
if(PublicKeyHandler.PATH.equals(path)) return false;
//admin/info/key is the path where public key is exposed . it is always unsecured
+ if ("/".equals(path) || "/solr/".equals(path)) return false; // Static Admin UI files must always be served
if (cores.getPkiAuthenticationPlugin() != null && req.getUserPrincipal() != null) {
boolean b = cores.getPkiAuthenticationPlugin().needsAuthorization(req);
log.debug("PkiAuthenticationPlugin says authorization required : {} ", b);
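Review bot: the new check in shouldAuthorize() only matches the exact strings "/" and "/solr/", so a request for the Admin UI at a variant such as "/solr" without the trailing slash, or for any other static resource, still goes through the authorization plugin; either normalize the path before the comparison or state in the comment that only these two entry points are exempted and why that is sufficient. The comment "Static Admin UI files must always be served" would also be clearer if it said explicitly that this bypasses authorization only, not authentication, and that no API handler is reachable at these two paths, since that is what makes the exemption safe.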
diff --git a/solr/solr-ref-guide/src/rule-based-authorization-plugin.adoc b/solr/solr-ref-guide/src/rule-based-authorization-plugin.adoc
index d86097a..eccc7ec 100644
--- a/solr/solr-ref-guide/src/rule-based-authorization-plugin.adoc
+++ b/solr/solr-ref-guide/src/rule-based-authorization-plugin.adoc
@@ -24,6 +24,11 @@ The roles can be used with any of the authentication plugins or with a custom au
Once defined through the API, roles are stored in `security.json`.
+[CAUTION]
+====
+Solr's Admin UI interacts with Solr using its regular APIs. When rule-based authorization is in use, logged-in users not authorized to access the full range of these APIs may see some sections of the UI that appear blank or "broken". For best results, the Admin UI should only be accessed by users with full API access.
+====
+
== Enable the Authorization Plugin
The plugin must be enabled in `security.json`. This file and where to put it in your system is described in detail in the section <<authentication-and-authorization-plugins.adoc#enable-plugins-with-security-json,Enable Plugins with security.json>>.
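Review bot: the CAUTION block tells readers that partially authorized users may see blank or "broken" UI sections, but it does not tell them which requests are now served without an authorization check (the Admin UI entry points "/" and "/solr/" exempted in HttpSolrCall in this same commit); a sentence noting that the UI shell is served to any authenticated user while every API call it makes is still subject to the configured rules would let administrators understand what the rules do and do not cover.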