Apache
/
lucene
mirror of https://github.com/apache/lucene.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SOLR-13344: Admin UI inaccessible with RuleBasedAuthorizationPlugin 

(cherry picked from commit 96ef35cd2c)
This commit is contained in:
Jan Høydahl 2019-04-04 16:07:23 +02:00
parent 4b86a39680
commit 9dd51915fa
3 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
solr/CHANGES.txt
View File

@ -118,6 +118,8 @@ Bug Fixes
* SOLR-13349: High CPU usage in Solr due to Java 8 bug (Erick Erickson) * SOLR-13349: High CPU usage in Solr due to Java 8 bug (Erick Erickson)
* SOLR-13344: Admin UI inaccessible with RuleBasedAuthorizationPlugin (janhoy, Jason Gerlowski)
* SOLR-13352: Remove risk of deadlock/threadleak when shutting down an Overseer(TriggerThread). (hossman) * SOLR-13352: Remove risk of deadlock/threadleak when shutting down an Overseer(TriggerThread). (hossman)
* SOLR-13362: Add 'includeIndexFieldFlags' support to SolrJ LukeRequest (Jason Gerlowski) * SOLR-13362: Add 'includeIndexFieldFlags' support to SolrJ LukeRequest (Jason Gerlowski)

1
solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java
View File

@ -550,6 +550,7 @@ public class HttpSolrCall {
private boolean shouldAuthorize() { private boolean shouldAuthorize() {
if(PublicKeyHandler.PATH.equals(path)) return false; if(PublicKeyHandler.PATH.equals(path)) return false;
//admin/info/key is the path where public key is exposed . it is always unsecured //admin/info/key is the path where public key is exposed . it is always unsecured
if ("/".equals(path) || "/solr/".equals(path)) return false; // Static Admin UI files must always be served
if (cores.getPkiAuthenticationPlugin() != null && req.getUserPrincipal() != null) { if (cores.getPkiAuthenticationPlugin() != null && req.getUserPrincipal() != null) {
boolean b = cores.getPkiAuthenticationPlugin().needsAuthorization(req); boolean b = cores.getPkiAuthenticationPlugin().needsAuthorization(req);
log.debug("PkiAuthenticationPlugin says authorization required : {} ", b); log.debug("PkiAuthenticationPlugin says authorization required : {} ", b);

5
solr/solr-ref-guide/src/rule-based-authorization-plugin.adoc
View File

@ -24,6 +24,11 @@ The roles can be used with any of the authentication plugins or with a custom au
Once defined through the API, roles are stored in `security.json`. Once defined through the API, roles are stored in `security.json`.
[CAUTION]
====
Solr's Admin UI interacts with Solr using its regular APIs. When rule-based authorization is in use, logged-in users not authorized to access the full range of these APIs may see some sections of the UI that appear blank or "broken". For best results, the Admin UI should only be accessed by users with full API access.
====
== Enable the Authorization Plugin == Enable the Authorization Plugin
The plugin must be enabled in `security.json`. This file and where to put it in your system is described in detail in the section <<authentication-and-authorization-plugins.adoc#enable-plugins-with-security-json,Enable Plugins with security.json>>. The plugin must be enabled in `security.json`. This file and where to put it in your system is described in detail in the section <<authentication-and-authorization-plugins.adoc#enable-plugins-with-security-json,Enable Plugins with security.json>>.