You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@solr.apache.org by "Timothy Potter (Jira)" <ji...@apache.org> on 2021/07/30 21:31:00 UTC

[jira] [Updated] (SOLR-15573) The `bin/solr auth` utility updates `solr.in.sh` to set `solr.httpclient.config` to point to `basicAuth.conf` which allows access to the UI without logging in

     [ https://issues.apache.org/jira/browse/SOLR-15573?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Timothy Potter updated SOLR-15573:
----------------------------------
    Fix Version/s: 8.10

> The `bin/solr auth` utility updates `solr.in.sh` to set `solr.httpclient.config` to point to `basicAuth.conf` which allows access to the UI without logging in
> --------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SOLR-15573
>                 URL: https://issues.apache.org/jira/browse/SOLR-15573
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Timothy Potter
>            Assignee: Timothy Potter
>            Priority: Blocker
>             Fix For: 8.10
>
>
> These env vars get set in {{solr.in.sh}}
> {code}
> # The following lines added by ./solr for enabling BasicAuth
> SOLR_AUTH_TYPE="basic"
> SOLR_AUTHENTICATION_OPTS="-Dsolr.httpclient.config=/Users/tjp/dev/oss/lucene-solr-8x/solr/server/solr/basicAuth.conf"
> {code}
> When you visit the Admin UI, there's no login / logout (b/c the UI relies on seeing a 401 from the server when auth is enabled but since basicAuth.conf supplies the credentials, requests pass through?). This also confuses the new Security UI b/c it depends on having a username.
> The security section that comes back from {{admin/system/info}} doesn't have a username, which means the {{req.getUserPrincipal()}} is null?
> I didn't catch this initially when testing the new security UI against 8x as I supplied my own security.json with a different realm name.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org