Posted to commits@lucene.apache.org by th...@apache.org on 2021/08/03 17:16:11 UTC
[lucene-solr] branch branch_8x updated: SOLR-15573: bin/solr auth tool should provide role bindings for security-read and config-edit by default (#2546)
This is an automated email from the ASF dual-hosted git repository.
thelabdude pushed a commit to branch branch_8x
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git
The following commit(s) were added to refs/heads/branch_8x by this push:
new 2156893 SOLR-15573: bin/solr auth tool should provide role bindings for security-read and config-edit by default (#2546)
2156893 is described below
commit 2156893b0ab0fe839e7cc81d6b48c6b2e69e7e7e
Author: Timothy Potter <th...@gmail.com>
AuthorDate: Tue Aug 3 11:15:56 2021 -0600
SOLR-15573: bin/solr auth tool should provide role bindings for security-read and config-edit by default (#2546)
---
solr/CHANGES.txt | 3 +++
solr/bin/solr | 8 +++-----
.../core/src/java/org/apache/solr/util/SolrCLI.java | 2 ++
.../src/basic-authentication-plugin.adoc | 8 ++++++++
solr/solr-ref-guide/src/security-ui.adoc | 3 ++-
solr/webapp/web/js/angular/app.js | 21 +++++++++++++++------
.../web/js/angular/controllers/schema-designer.js | 2 +-
solr/webapp/web/js/angular/controllers/security.js | 3 +--
solr/webapp/web/partials/security.html | 6 +++---
9 files changed, 38 insertions(+), 18 deletions(-)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 94ec159..0980a54 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -68,6 +68,9 @@ Other Changes
* SOLR-15566: Clarify ref guide documentation about SQL queries with `SELECT *` requiring a `LIMIT` clause (Timothy Potter)
+* SOLR-15573: bin/solr auth utility should provide role bindings for `security-read` and `config-edit` by default
+ to protect the security and schema designer screens in the Admin UI (Timothy Potter)
+
================== 8.9.0 ==================
Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
diff --git a/solr/bin/solr b/solr/bin/solr
index 0fabcd1..b8f8b6f 100755
--- a/solr/bin/solr
+++ b/solr/bin/solr
@@ -1477,17 +1477,15 @@ if [[ "$SCRIPT_CMD" == "auth" ]]; then
;;
-prompt)
AUTH_PARAMS=("${AUTH_PARAMS[@]}" "-prompt" "$2")
- shift
+ shift 2
;;
-blockUnknown)
AUTH_PARAMS=("${AUTH_PARAMS[@]}" "-blockUnknown" "$2")
- shift
- break
+ shift 2
;;
-updateIncludeFileOnly)
AUTH_PARAMS=("${AUTH_PARAMS[@]}" "-updateIncludeFileOnly" "$2")
- shift
- break
+ shift 2
;;
-V|--verbose)
VERBOSE="-verbose"
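Review bot: `shift 2` in the `-prompt`, `-blockUnknown` and `-updateIncludeFileOnly` cases assumes a value follows the flag; if the flag is the last argument, bash's `shift 2` fails with a non-zero status and shifts nothing, so depending on how the enclosing loop terminates this can either spin or silently drop the flag. Consider checking the value before appending, e.g. `if [ -z "$2" ] || [[ "$2" == -* ]]; then` print a usage error and exit. Removing the two `break` statements is the substantive fix here: previously `-blockUnknown` or `-updateIncludeFileOnly` ended option parsing, so anything after them (such as `-z`) was ignored.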
diff --git a/solr/core/src/java/org/apache/solr/util/SolrCLI.java b/solr/core/src/java/org/apache/solr/util/SolrCLI.java
index 837c22b..3e54d3e 100755
--- a/solr/core/src/java/org/apache/solr/util/SolrCLI.java
+++ b/solr/core/src/java/org/apache/solr/util/SolrCLI.java
@@ -4420,6 +4420,8 @@ public class SolrCLI {
"\n \"class\":\"solr.RuleBasedAuthorizationPlugin\"," +
"\n \"permissions\":[" +
"\n {\"name\":\"security-edit\", \"role\":\"admin\"}," +
+ "\n {\"name\":\"security-read\", \"role\":\"admin\"}," +
+ "\n {\"name\":\"config-edit\", \"role\":\"admin\"}," +
"\n {\"name\":\"collection-admin-edit\", \"role\":\"admin\"}," +
"\n {\"name\":\"core-admin-edit\", \"role\":\"admin\"}" +
"\n ]," +
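Review bot: the template now binds `security-read` and `config-edit` to `admin`, but the sibling read permissions (`config-read`, `collection-admin-read`, `core-admin-read`, `schema-read`) remain unbound, so when the tool is run with `-blockUnknown false` those endpoints are still reachable anonymously. Either bind them here too or state in the CHANGES entry that the generated `security.json` is not a complete lockdown. Since this JSON is assembled by hand from string fragments, a unit test that parses the emitted document and asserts the expected permission names would catch a missing comma or duplicate entry.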
diff --git a/solr/solr-ref-guide/src/basic-authentication-plugin.adoc b/solr/solr-ref-guide/src/basic-authentication-plugin.adoc
index b68dad0..7b399ce 100644
--- a/solr/solr-ref-guide/src/basic-authentication-plugin.adoc
+++ b/solr/solr-ref-guide/src/basic-authentication-plugin.adoc
@@ -65,6 +65,14 @@ Save your settings to a file called `security.json` locally. If you are using So
If `blockUnknown` does not appear in the `security.json` file, it will default to `false`. This has the effect of not requiring authentication at all. In some cases, you may want this; for example, if you want to have `security.json` in place but aren't ready to enable authentication. However, you will want to ensure that this parameter is set to `true` in order for authentication to be truly enabled in your system.
+[WARNING]
+====
+If you set `blockUnknown` to `false`, then *any* request that is not explicitly protected by a permission will be accessible by anonymous users!
+Consequently, you should define a role binding for every <<rule-based-authorization-plugin.adoc#permissions,predefined>> permission you want to protect.
+You can assign the special `role: null` binding for requests that you want to allow anonymous users to access. To protect all endpoints except those with `role:null`,
+you can add a role binding for the `all` permission and place it in the last position in `security.json`.
+====
+
If `realm` is not defined, it will default to `solr`.
If you are using SolrCloud, you must upload `security.json` to ZooKeeper. An example command and more information about securing your setup can be found at <<authentication-and-authorization-plugins#in-solrcloud-mode,Authentication and Authorization Plugins In SolrCloud Mode>>.
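Review bot: the last sentence of the WARNING ("place it in the last position") depends on permission ordering semantics that are documented elsewhere; link `<<rule-based-authorization-plugin.adoc#permission-ordering-and-resolution,Permission Ordering>>` here (the same anchor security-ui.adoc uses) so readers understand why the position of the `all` binding matters. Minor: the block spells the binding both as `role: null` and `role:null`; pick one form.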
diff --git a/solr/solr-ref-guide/src/security-ui.adoc b/solr/solr-ref-guide/src/security-ui.adoc
index 48bf3a6..4293b06 100644
--- a/solr/solr-ref-guide/src/security-ui.adoc
+++ b/solr/solr-ref-guide/src/security-ui.adoc
@@ -33,7 +33,7 @@ When first getting started with Solr, use the `bin/solr auth` command-line utili
For example, the following command will enable *basic authentication* and prompt you for the username and password for the initial user with administrative access:
[source,bash]
----
- bin/solr auth enable -type basicAuth -prompt true -z localhost:2181
+ bin/solr auth enable -type basicAuth -prompt true -z localhost:2181 -blockUnknown true
----
_Note: The `auth` utility only works with Solr running in cloud mode and thus requires a Zookeeper connection string passed via the `-z` option._
@@ -103,6 +103,7 @@ However, if *Block anonymous requests* (`blockUnknown=true`) is checked, then an
To edit a permission, simply click on the corresponding row in the table. When editing a permission, the current index of the permission in the list of permissions is editable.
This allows you to re-order permissions if needed; see <<rule-based-authorization-plugin.adoc#permission-ordering-and-resolution,Permission Ordering>>.
+In general, you want to permissions listed from most specific to least specific in `security.json`.
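Review bot: typo in the added line: "you want to permissions listed" should read "you want the permissions listed". It would also help to say why in the same sentence (ordering decides which permission applies to a request), since as written it only restates the linked section.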
diff --git a/solr/webapp/web/js/angular/app.js b/solr/webapp/web/js/angular/app.js
index 89fd852..847733e 100644
--- a/solr/webapp/web/js/angular/app.js
+++ b/solr/webapp/web/js/angular/app.js
@@ -426,6 +426,12 @@ solrAdminApp.config([
if (rejection.config.headers.doNotIntercept) {
return rejection;
}
+
+ // Some page controllers, such as Schema Designer, handle errors internally to provide a better user experience than the global error handler
+ var isHandledByPageController =
+ (rejection.config.url && rejection.config.url.startsWith("/api/schema-designer/")) ||
+ (rejection.status === 403 && $location.path() === "/~security");
+
if (rejection.status === 0) {
$rootScope.$broadcast('connectionStatusActive');
if (!$rootScope.retryCount) $rootScope.retryCount=0;
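Review bot: the two halves of `isHandledByPageController` use different criteria: the schema designer is identified by the request URL, but the security screen by the current route (`$location.path()`), so any 403 returned to an unrelated background request while the user is on `/~security` is swallowed rather than surfaced. Matching on `rejection.config.url` for the security endpoints as well would make the suppression precise; failing that, a comment explaining why the route is used here would help the next reader.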
@@ -433,7 +439,7 @@ solrAdminApp.config([
var $http = $injector.get('$http');
var result = $http(rejection.config);
return result;
- } else if (rejection.status === 401) {
+ } else if (rejection.status === 401 && !isHandledByPageController) {
// Authentication redirect
var headers = rejection.headers();
var wwwAuthHeader = headers['www-authenticate'];
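Review bot: skipping the login redirect on a 401 when `isHandledByPageController` is true means an anonymous user who opens `/~security` with `blockUnknown=true` is no longer sent to `/login`. That is consistent with the security.js change, which hides the panel instead, but a one-line comment here would stop someone from "fixing" the condition back later.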
@@ -455,10 +461,13 @@ solrAdminApp.config([
$location.path('/login');
}
} else {
- // schema designer prefers to handle errors itself
- var isHandledBySchemaDesigner = rejection.config.url && rejection.config.url.startsWith("/api/schema-designer/");
- if (!isHandledBySchemaDesigner) {
- $rootScope.exceptions[rejection.config.url] = rejection.data.error;
+ // some controllers prefer to handle errors internally
+ if (!isHandledByPageController) {
+ if (rejection.data.error) {
+ $rootScope.exceptions[rejection.config.url] = rejection.data.error;
+ } else if (rejection.data.message) {
+ $rootScope.exceptions[rejection.config.url] = {msg:rejection.data.message+" from "+rejection.data.url};
+ }
}
}
return $q.reject(rejection);
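Review bot: `rejection.data.error` and `rejection.data.message` dereference `rejection.data` without a null check; an empty body or a non-JSON error page from a proxy leaves `data` as `null` or a string, which throws inside the interceptor and hides the original failure. Guard with `if (rejection.data && rejection.data.error)` (the pre-existing line had the same gap, but this hunk touches it). `rejection.data.url` may also be absent, producing a message ending in "from undefined".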
@@ -563,7 +572,7 @@ solrAdminApp.controller('MainController', function($scope, $route, $rootScope, $
SchemaDesigner.get({path: "configs"}, function (ignore) {
// no-op, just checking if we have access to this path
}, function(e) {
- if (e.status === 403) {
+ if (e.status === 401 || e.status === 403) {
$scope.isSchemaDesignerEnabled = false;
}
});
diff --git a/solr/webapp/web/js/angular/controllers/schema-designer.js b/solr/webapp/web/js/angular/controllers/schema-designer.js
index ecc128d..ef3a0d8 100644
--- a/solr/webapp/web/js/angular/controllers/schema-designer.js
+++ b/solr/webapp/web/js/angular/controllers/schema-designer.js
@@ -168,7 +168,7 @@ solrAdminApp.controller('SchemaDesignerController', function ($scope, $timeout,
$scope.showNewSchemaDialog();
}
}, function(e) {
- if (e.status === 403) {
+ if (e.status === 401 || e.status === 403) {
$scope.isSchemaDesignerEnabled = false;
$scope.hideAll();
}
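Review bot: the `e.status === 401 || e.status === 403` test now appears here, in app.js and in security.js; factor it into a small shared helper (for example an `isAuthError(e)` function on `$rootScope` or in a service) so the set of statuses treated as "not authorized" is defined in one place.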
diff --git a/solr/webapp/web/js/angular/controllers/security.js b/solr/webapp/web/js/angular/controllers/security.js
index 93a120e..aa7ecd9 100644
--- a/solr/webapp/web/js/angular/controllers/security.js
+++ b/solr/webapp/web/js/angular/controllers/security.js
@@ -186,7 +186,6 @@ solrAdminApp.controller('SecurityController', function ($scope, $timeout, $cooki
$scope.permFilterTypes = ["", "name", "role", "path", "collection"];
System.get(function(data) {
- // console.log(">> system: "+JSON.stringify(data));
$scope.authenticationPlugin = data.security ? data.security["authenticationPlugin"] : null;
$scope.authorizationPlugin = data.security ? data.security["authorizationPlugin"] : null;
$scope.myRoles = data.security ? data.security["roles"] : [];
@@ -196,7 +195,7 @@ solrAdminApp.controller('SecurityController', function ($scope, $timeout, $cooki
$scope.solrHome = data["solr_home"];
$scope.refreshSecurityPanel();
}, function(e) {
- if (e.status === 403) {
+ if (e.status === 401 || e.status === 403) {
$scope.isSecurityAdminEnabled = true;
$scope.hasSecurityEditPerm = false;
$scope.hideAll();
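Review bot: on a 401 this handler sets `isSecurityAdminEnabled = true` with `hasSecurityEditPerm = false`, i.e. it presents the panel in the same read-only state used for a 403, and with the app.js change suppressing the login redirect on this page the unauthenticated user gets no cue to log in. Consider distinguishing the 401 case with a "login required" state rather than reusing the forbidden presentation.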
diff --git a/solr/webapp/web/partials/security.html b/solr/webapp/web/partials/security.html
index b3b7b8a..c34f13c 100644
--- a/solr/webapp/web/partials/security.html
+++ b/solr/webapp/web/partials/security.html
@@ -31,7 +31,7 @@ limitations under the License.
<pre>
- bin/solr auth enable -type basicAuth -prompt true -z {{zkHost}}
+ bin/solr auth enable -type basicAuth -prompt true -z {{zkHost}} -blockUnknown true
</pre>
</div>
@@ -51,10 +51,10 @@ limitations under the License.
<span ng-show="manageUsersEnabled" id="realm-field">
<label for="realmName">Realm: </label><input disabled class="input-text" type="text" id="realmName" ng-model="realmName">
</span>
- <span id="block-field"><label for="block_unknown">Block anonymous requests?</label><input class="input-check" type="checkbox" id="block_unknown" ng-model="blockUnknown" ng-change="onBlockUnknownChange()" ng-true-value="'true'" ng-false-value="'false'"/><a ng-click="showHelp('blockUnknownHelp')"><img class="help-ico" src="img/ico/question-white.png"/></a>
+ <span id="block-field" ng-show="manageUsersEnabled"><label for="block_unknown">Block anonymous requests?</label><input class="input-check" type="checkbox" id="block_unknown" ng-model="blockUnknown" ng-change="onBlockUnknownChange()" ng-true-value="'true'" ng-false-value="'false'"/><a ng-click="showHelp('blockUnknownHelp')"><img class="help-ico" src="img/ico/question-white.png"/></a>
<div id="blockUnknownHelp" class="help" ng-show="helpId === 'blockUnknownHelp'">
<div class="help-top">
- <p>If checked, un-authenticated requests to any Solr endpoint are blocked. If un-checked, then any endpoint that is not protected with a permission will be accessible by anonymous users. Only disable this check if you want to allow un-authenticated access to specific endpoints that are configured with <b>role: null</b>. For more information, see:
+ <p>If checked, un-authenticated requests to any Solr endpoint are blocked. If un-checked, then any endpoint that is not protected with a permission will be accessible by anonymous users. Only disable this check if you want to allow un-authenticated access to specific endpoints that are configured with <b>role: null</b>. All other endpoints should be protected with explicit role bindings that require authentication. For more information, see:
<div class="help-anchor"><a target="_blank" href="https://solr.apache.org/guide/basic-authentication-plugin.html#enable-basic-authentication">Basic Authentication</a></div></p>
</div>
</div>
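Review bot: the added sentence tells users that other endpoints "should be protected with explicit role bindings", which is exactly what the new WARNING in basic-authentication-plugin.adoc explains; consider pointing the help link at that section rather than `#enable-basic-authentication` so the UI help and the guide land on the same text.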