SOLR-15527: Security admin screen for managing users, roles, and permissions

solr/CHANGES.txt

@@ -359,6 +359,8 @@ New Features
 
 * SOLR-15208: Add the countDist aggregation to the stats, facet and timeseries Streaming Expressions (Joel Bernstein)
 
+* SOLR-15527: Security screen in Admin UI for managing users, roles, and permissions (Timothy Potter)
+
 Improvements
 ---------------------
 * SOLR-15460: Implement LIKE, IS NOT NULL, IS NULL, and support wildcard * in equals string literal for Parallel SQL (Timothy Potter, Houston Putman)

solr/core/src/java/org/apache/solr/handler/admin/SystemInfoHandler.java

@@ -33,6 +33,7 @@
 
 import com.codahale.metrics.Gauge;
 import org.apache.lucene.LucenePackage;
+import org.apache.solr.common.cloud.UrlScheme;
 import org.apache.solr.common.util.SimpleOrderedMap;
 import org.apache.solr.core.CoreContainer;
 import org.apache.solr.core.SolrCore;
@@ -351,6 +352,8 @@ public SimpleOrderedMap<Object> getSecurityInfo(SolrQueryRequest req)
       }
     }
 
+    info.add("tls", UrlScheme.HTTPS.equals(UrlScheme.INSTANCE.getUrlScheme()));
+
     return info;
   }
 

solr/core/src/java/org/apache/solr/util/SolrCLI.java

@@ -3977,8 +3977,15 @@ private int handleBasicAuth(CommandLine cli) throws Exception {
             password = credentials.split(":")[1];
           } else {
             Console console = System.console();
-            username = console.readLine("Enter username: ");
-            password = new String(console.readPassword("Enter password: "));
+            // keep prompting until they've entered a non-empty username & password
+            do {
+              username = console.readLine("Enter username: ");
+            } while (username == null || username.trim().length() == 0);
+            username = username.trim();
+
+            do {
+              password = new String(console.readPassword("Enter password: "));
+            } while (password.length() == 0);
           }
 
           boolean blockUnknown = Boolean.valueOf(cli.getOptionValue("blockUnknown", "true"));

solr/solr-ref-guide/src/basic-authentication-plugin.adoc

@@ -26,6 +26,8 @@ To control user permissions, you may need to configure an authorization plugin a
 To use Basic authentication, you must first create a `security.json` file.
 This file and where to put it is described in detail in the section <<authentication-and-authorization-plugins.adoc#configuring-security-json,Configuring security.json>>.
 
+If running in cloud mode, you can use the `bin/solr auth` command-line utility to enable security for a new installation, see: `bin/solr auth --help` for more details.
+
 For Basic authentication, `security.json` must have an `authentication` block which defines the class being used for authentication.
 Usernames and passwords (as a sha256(password+salt) hash) could be added when the file is created, or can be added later with the Authentication API, described below.
 

solr/solr-ref-guide/src/securing-solr.adoc

@@ -2,7 +2,8 @@
 :page-children: authentication-and-authorization-plugins, \
     audit-logging, \
     enabling-ssl, \
-    zookeeper-access-control
+    zookeeper-access-control, \
+    security-ui
 // Licensed to the Apache Software Foundation (ASF) under one
 // or more contributor license agreements.  See the NOTICE file
 // distributed with this work for additional information
@@ -39,6 +40,8 @@ See the section <<enabling-ssl.adoc#,Enabling TLS (SSL)>> for details.
 
 == Authentication and Authorization
 
+Use the <<security-ui.adoc#,Security>> screen in the Admin UI to manage users, roles, and permissions.
+
 See chapter <<authentication-and-authorization-plugins.adoc#,Configuring Authentication and Authorization>> to learn how to work with the `security.json` file.
 
 [#securing-solr-auth-plugins]

solr/solr-ref-guide/src/security-ui.adoc

@@ -0,0 +1,109 @@
+= Security UI
+:experimental:
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+The Security screen allows administrators with the `security-edit` permission to manage users, roles, and permissions.
+The Security screen works with Solr running in cloud and standalone modes.
+
+.Security Screen
+image::images/solr-admin-ui/security.png[]
+
+== Getting Started
+
+The Security screen warns you if security is not enabled for Solr. You are strongly encouraged to enable security for Solr instances exposed on any network other than localhost.
+
+image::images/security-ui/security-not-enabled-warn.png[image,width=500]
+
+When first getting started with Solr, use the `bin/solr auth` command-line utility to enable security for your Solr installation (cloud mode only), see <<solr-control-script-reference.adoc#authentication,bin/solr auth>> for usage instructions.
+For example, the following command will enable *basic authentication* and prompt you for the username and password for the initial user with administrative access:
+[source,bash]
+----
+ bin/solr auth enable -type basicAuth -prompt true -z localhost:2181
+----
+_Note: The `auth` utility only works with Solr running in cloud mode and thus requires a Zookeeper connection string passed via the `-z` option._
+
+After enabling security, you'll need to refresh the Admin UI and login with the credentials you provided to the `auth` utility to see the updated Security panel.
+You do not need to restart Solr as the security configuration will be refreshed from Zookeeper automatically.
+
+The Security screen provides the following features:
+
+* Security Settings: Details about the configured authentication and authorization plugins.
+* Users: Read, create, update, and delete user accounts if using the <<basic-authentication-plugin.adoc#,Basic Authentication>> plugin; this panel is disabled for all other authentication plugins.
+* Roles: Read, create, and update roles if using the <<rule-based-authorization-plugin.adoc#,Rule-based Authorization>> plugin; this panel is disabled for all other authorization plugins.
+* Permissions: Read, create, update, and delete permissions if using the <<rule-based-authorization-plugin.adoc#,Rule-based Authorization>> plugin.
+
+== User Management
+
+Administrators can read, create, update, and delete user accounts when using the <<basic-authentication-plugin.adoc#,Basic Authentication>> plugin.
+
+image::images/security-ui/users.png[image,width=500]
+
+.Limited User Management Capabilities
+[NOTE]
+====
+Solr's user management is intended to be used by administrators to grant access to protected APIs and lacks common user account management facilities, like password expiration and password self-service (change / reset / recovery).
+Consequently, if a user account has been compromised, then an administrator needs to change the password or disable that account using the UI or API.
+====
+
+To edit a user account, click on the row in the table to open the edit user dialog. You can change a user's password and change their role membership.
+
+image::images/security-ui/edit-user-dialog.png[image,width=400]
+
+For systems with many user accounts, use the filter controls at the top of the user table to find users based on common properties.
+
+image::images/security-ui/filter-users.png[image,width=400]
+
+For other authentication plugins, such as the <<jwt-authentication-plugin.adoc#,JWT Authentication>> plugin, this panel will be disabled as users are managed by an external system.
+
+== Role Management
+
+<<rule-based-authorization-plugin.adoc#roles,Roles>> link users to permissions. If using the <<rule-based-authorization-plugin.adoc#,Rule-based Authorization>> plugin, administrators can read, create, and update roles. Deleting roles is not supported.
+
+image::images/security-ui/roles.png[image,width=500]
+
+To edit a role, simply click on the corresponding row in the table.
+
+If not using the Rule-based Authorization plugin, the Roles panel will be disabled as user role assignment is managed by an external system.
+
+== Permission Management
+
+The *Permissions* panel on the Security screen allows administrators to read, create, update, and delete permissions.
+
+image::images/security-ui/permissions.png[image,width=900]
+
+For detailed information about how permissions work in Solr, see: <<rule-based-authorization-plugin.adoc#permissions,Rule-based Authorization Permissions>>.
+
+=== Add Permission
+
+Click on the btn:[Add Permission] button to open the Add Permission dialog.
+
+image::images/security-ui/add-permission.png[image,width=600]
+
+You can _either_ select a *Predefined* permission from the drop-down select list or provide a unique name for a custom permission.
+Creating a new *Predefined* permission is simply a matter of mapping the permission to zero or more roles as the other settings, such as path, are immutable for predefined permissions.
+If you need fine-grained control over the path, request method, or collection, then create a custom permission.
+
+If you do not select any roles for a permission, then the permission is assigned the `null` role, which means grants the permission to anonymous users.
+However, if *Block anonymous requests* (`blockUnknown=true`) is checked, then anonymous users will not be allowed to make requests, thus permission with the `null` role are effectively inactive.
+
+To edit a permission, simply click on the corresponding row in the table. When editing a permission, the current index of the permission in the list of permissions is editable.
+This allows you to re-order permissions if needed; see <<rule-based-authorization-plugin.adoc#permission-ordering-and-resolution,Permission Ordering>>.
+
+
+
+

solr/solr-ref-guide/src/solr-admin-ui.adoc

@@ -85,6 +85,14 @@ This server resides at https://issues.apache.org/jira/browse/SOLR.
 
 These links cannot be modified without editing the `index.html` in the `server/solr/solr-webapp` directory that contains the Admin UI files.
 
+== Security
+
+Users with the `security-edit` permission can manage users, roles, and permissions using the <<security-ui.adoc#,Security>> panel in the Admin UI.
+Users with the `security-read` permission can view the Security panel but all update actions on the panel are disabled.
+
+.Security Screen
+image::images/solr-admin-ui/security.png[image,width=800]
+
 == Schema Designer
 
 The <<schema-designer.adoc#,Schema Designer>> screen provides an interactive experience to create a schema using sample data.
@@ -97,7 +105,6 @@ image::images/solr-admin-ui/schema-designer.png[image]
 The Schema Designer is only available on Solr instances running <<cluster-types.adoc#solrcloud-mode,SolrCloud>>.
 ====
 
-
 == Collection-Specific Tools
 
 In the left-hand navigation bar, you will see a pull-down menu titled Collection Selector that can be used to access collection specific administration screens.
@@ -139,6 +146,7 @@ Here are sections throughout the Guide describing each screen of the Admin UI:
 [cols="1,1",frame=none,grid=none,stripes=none]
 |===
 | <<configuring-logging.adoc#logging-screen,Logging Screen>>: Recent log messages and configuration of log levels.
+| <<security-ui.adoc#,Security>>: Manage users, roles, and permissions.
 | <<cloud-screens.adoc#,Cloud Screens>>: Access to SolrCloud node data and status.
 | <<schema-designer.adoc#,Schema Designer>>: Interactively create a schema using sample data.
 | <<collections-core-admin.adoc#,Collections / Core Admin>>: Collection or Core management tools.

solr/webapp/web/css/angular/menu.css

@@ -253,7 +253,7 @@ limitations under the License.
 
 #menu #index.global p a { background-image: url( ../../img/ico/dashboard.png ); }
 
-#menu #login.global p a { background-image: url( ../../img/ico/users.png ); }
+#menu #login.global p a { background-image: url( ../../img/ico/logout.png ); }
 
 #menu #logging.global p a { background-image: url( ../../img/ico/inbox-document-text.png ); }
 #menu #logging.global .level a { background-image: url( ../../img/ico/gear.png ); }
@@ -272,6 +272,7 @@ limitations under the License.
 #menu #cloud.global .graph a { background-image: url( ../../img/ico/molecule.png ); }
 
 #menu #schema-designer.global p a { background-image: url( ../../img/ico/book-open-text.png ); }
+#menu #security.global p a { background-image: url( ../../img/ico/users.png ); }
 
 .sub-menu .ping.error a
 {