
SOLR-18233 Strengthen Basic Authentication password policy (backport branch_9x) #4519

Open

janhoy wants to merge 3 commits into apache:branch_9x from janhoy:backport/SOLR-18233-branch_9x

Conversation

janhoy (Contributor) commented Jun 10, 2026

https://issues.apache.org/jira/browse/SOLR-18233

This backports the main/10x code in #4534 to 9x. In 9x there are quite a few differences in CLI land, and some defaults have changed, etc., so the cherry-pick was not clean without adaptation. Therefore I use a PR for the backport.

The backport is AI-assisted, but manually reviewed. I also ran the manual verification tests below and tested the correct response in the Admin UI.

How to test manually

Build this branch locally, then:

bin/solr start -c

# User creation with username==password -> REJECTED
bin/solr auth enable --credentials solr:solr

# Enable auth with a strong password -> OK
bin/solr auth enable --credentials solr:SolrRocks

# Verify set-user rejects username==password via API
curl -i -u solr:SolrRocks -X POST http://localhost:8983/solr/admin/authentication \
  -H 'Content-Type: application/json' -d '{"set-user": {"bob": "bob"}}'  # → error

# Verify escape hatch works -> allowed to create username==password and to authenticate
bin/solr auth disable --credentials solr:SolrRocks
export SOLR_SECURITY_AUTH_BASICAUTH_ALLOWUSERASPASSWORD=true
bin/solr restart -c
bin/solr auth enable --credentials solr:solr
curl -I -u solr:solr http://localhost:8983/solr/admin/info/system   # → 200

# Verify that existing user cannot login with username==password without the escape hatch
export SOLR_SECURITY_AUTH_BASICAUTH_ALLOWUSERASPASSWORD=false
bin/solr restart -c
curl -I -u solr:solr http://localhost:8983/solr/admin/info/system   # → 401

# Shut down
bin/solr stop

github-actions bot added labels documentation (Improvements or additions to documentation), admin-ui, tests, cat:cli, cat:security on Jun 10, 2026
@janhoy janhoy marked this pull request as draft June 10, 2026 20:35
janhoy (Contributor, Author) commented Jun 10, 2026

Set this to draft since I reverted the main/10x commits. Once a new PR is ready and merged for main, I'll update this PR again.

… template users created by bin/solr auth enable (apache#4534)

Backport of the take2 PR (apache#4534) to branch_9x.

- Reject password equal to username at login and at set-user time
  (API, Admin UI, CLI), with escape hatch system property
  solr.security.auth.basicauth.allowuseraspassword
  (env SOLR_SECURITY_AUTH_BASICAUTH_ALLOWUSERASPASSWORD).
- bin/solr auth enable: ship template users (admin/index/search) with
  empty credentials, remove superadmin, only override blockUnknown when
  explicitly passed, and print a reminder to set passwords.
- SecurityConfHandler now returns HTTP 400 on command errors via
  ApiBag.ExceptionWithErrObject (9x equivalent of main's
  SolrErrorWrappingException).
- Admin UI security panel surfaces detailed command errors in its dialog.
- Ref-guide: upgrade note added under "Solr 9.11"; control-script and
  basic-auth docs updated.
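The following is an added, standalone model of the policy described in the commit message above and exercised by the manual test procedure in the first comment. It is example code written for this page, not Solr's own code and not part of this PR. It reproduces the "<hash> <salt>" credential string that Solr's Sha256AuthenticationProvider stores per user in security.json (base64 of a double SHA-256 over salt+password, a space, then the base64 salt), applies the username != password rule both at set-user time and at login, and reads the escape hatch from the SOLR_SECURITY_AUTH_BASICAUTH_ALLOWUSERASPASSWORD environment variable. The function names, the PasswordPolicyError class, the "only the literal true enables the hatch" parsing, and the treatment of a user with empty credentials as unable to log in are assumptions made here for the example.

```python
"""Standalone model of the SOLR-18233 Basic Auth password policy.

Added example for this page, not Solr's code. Credentials use the same
"<hash> <salt>" layout Solr's Sha256AuthenticationProvider writes into
security.json: base64(sha256(sha256(salt + password))) + " " + base64(salt).
"""
import base64
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Env-var form of solr.security.auth.basicauth.allowuseraspassword (from the PR).
ALLOW_USER_AS_PASSWORD_ENV = "SOLR_SECURITY_AUTH_BASICAUTH_ALLOWUSERASPASSWORD"


class PasswordPolicyError(ValueError):
    """Raised by set_user when the policy rejects the credentials (assumed name;
    the PR maps this case to an HTTP 400 from SecurityConfHandler)."""


def solr_sha256(password: str, salt_b64: str) -> str:
    """Double SHA-256 over salt||password, base64-encoded (Solr's hash layout)."""
    salt = base64.b64decode(salt_b64)
    first = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(hashlib.sha256(first).digest()).decode("ascii")


def salted_hashed_value(password: str, salt: Optional[bytes] = None) -> str:
    """Build the "<hash> <salt>" string stored per user; salt is 32 random bytes."""
    if salt is None:
        salt = secrets.token_bytes(32)
    salt_b64 = base64.b64encode(salt).decode("ascii")
    return f"{solr_sha256(password, salt_b64)} {salt_b64}"


def allow_user_as_password(env: Optional[Dict[str, str]] = None) -> bool:
    """Escape hatch. Assumption for this example: only the literal "true"
    (case-insensitive) enables it, anything else leaves the policy enforced."""
    env = os.environ if env is None else env
    return env.get(ALLOW_USER_AS_PASSWORD_ENV, "false").strip().lower() == "true"


def set_user(credentials: Dict[str, str], username: str, password: str,
             env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """set-user command: reject username == password unless the hatch is on."""
    if username == password and not allow_user_as_password(env):
        raise PasswordPolicyError(
            f"password for user '{username}' must not equal the username")
    updated = dict(credentials)
    updated[username] = salted_hashed_value(password)
    return updated


def authenticate(credentials: Dict[str, str], username: str, password: str,
                 env: Optional[Dict[str, str]] = None) -> bool:
    """Login check. The policy is re-applied here, so a username == password
    entry created under the hatch stops working once the hatch is removed
    (the 401 step of the PR's manual test)."""
    stored = credentials.get(username)
    # Assumption: template users shipped with empty credentials cannot log in
    # until an operator sets a password; a malformed entry is treated the same.
    if not stored or " " not in stored:
        return False
    if username == password and not allow_user_as_password(env):
        return False
    digest_b64, salt_b64 = stored.split(" ", 1)
    return hmac.compare_digest(solr_sha256(password, salt_b64), digest_b64)


if __name__ == "__main__":
    # Walk through the PR's manual test in-process (constructed inputs).
    try:
        set_user({}, "solr", "solr")
    except PasswordPolicyError as err:
        print("set-user rejected:", err)
    creds = set_user({}, "solr", "SolrRocks")
    print("strong password logs in:", authenticate(creds, "solr", "SolrRocks"))
    hatch = {ALLOW_USER_AS_PASSWORD_ENV: "true"}
    weak = set_user({}, "solr", "solr", env=hatch)
    print("weak user with hatch:", authenticate(weak, "solr", "solr", env=hatch))
    print("weak user without hatch:", authenticate(weak, "solr", "solr", env={}))
    print("template user, no password:", authenticate({"admin": ""}, "admin", "x"))
```

The login-time check is the part that matters operationally: hashing alone cannot tell you a password equals its username, so the rule has to be evaluated against the plaintext presented at login, which is also why the upgrade note and the escape hatch exist for installations that still carry such users.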
janhoy force-pushed the backport/SOLR-18233-branch_9x branch from a1ed2bd to 673ce3e on June 18, 2026 11:12
@github-actions github-actions Bot removed the scripts label Jun 18, 2026

Copilot AI left a comment


Pull request overview

Backport of SOLR-18233 to branch_9x to strengthen Basic Authentication by rejecting passwords equal to the username, adding a temporary escape-hatch system property/env var for upgrades, and aligning CLI/UI/docs/tests with the new policy and updated security.json template behavior.

Changes:

  • Enforce username != password in Basic Auth login and set-user, with an escape-hatch via solr.security.auth.basicauth.allowuseraspassword (EnvUtils-enabled).
  • Harden bin/solr auth enable by relying on a best-practice security.json template with template users that have no password set by default, and improve CLI messaging/behavior.
  • Improve Admin UI Security panel error surfacing by routing security API errors to the panel dialog (instead of the global banner) and updating docs and tests accordingly.

Reviewed changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 2 comments.

Summary per file:

  • solr/webapp/web/js/angular/controllers/security.js: Improve Security panel error parsing/display and listen for security-specific interceptor broadcasts.
  • solr/webapp/web/js/angular/app.js: Route /api/cluster/security/* errors to Security panel and suppress unhandled rejection console noise.
  • solr/solrj-streaming/src/test/org/apache/solr/client/solrj/io/stream/CloudAuthStreamTest.java: Update test credentials so passwords differ from usernames.
  • solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-9.adoc: Add upgrade note about the strengthened Basic Auth password policy and escape hatch.
  • solr/solr-ref-guide/modules/deployment-guide/pages/solr-control-script-reference.adoc: Document updated bin/solr auth enable behavior, template users, and blockUnknown defaulting to the template.
  • solr/solr-ref-guide/modules/deployment-guide/pages/basic-authentication-plugin.adoc: Document cloud-mode enablement via CLI and the new password constraint.
  • solr/core/src/test/org/apache/solr/security/TestSha256AuthenticationProvider.java: Add unit tests for username==password rejection and escape-hatch behavior.
  • solr/core/src/test/org/apache/solr/security/BasicAuthOnSingleNodeTest.java: Update test password and credential hash.
  • solr/core/src/test/org/apache/solr/security/AuthWithShardHandlerFactoryOverrideTest.java: Update test password and credential hash.
  • solr/core/src/test/org/apache/solr/handler/admin/SecurityConfHandlerTest.java: Adapt test to new error handling behavior (ExceptionWithErrObject / 400).
  • solr/core/src/test/org/apache/solr/cloud/TestQueryingOnDownCollection.java: Update test password and credential hash to avoid username==password.
  • solr/core/src/test/org/apache/solr/cli/AuthToolTest.java: Add CLI tests for rejecting username==password and honoring escape hatch; reset ZK security state between tests.
  • solr/core/src/resources/security.json: Update distributed template: remove preset password hashes and adjust role mappings for template users.
  • solr/core/src/java/org/apache/solr/security/Sha256AuthenticationProvider.java: Enforce username!=password at login and set-user, with escape hatch via EnvUtils-based property.
  • solr/core/src/java/org/apache/solr/handler/admin/SecurityConfHandler.java: Throw structured BAD_REQUEST errors (ExceptionWithErrObject) when command processing fails.
  • solr/core/src/java/org/apache/solr/cli/AuthTool.java: Enforce username!=password in CLI, respect template blockUnknown unless explicitly overridden, and report template users.
  • changelog/unreleased/SOLR-18233-Strengthen-Basic-Authentication-password-policy.yml: Add unreleased changelog entry for SOLR-18233.


Comment thread on solr/core/src/java/org/apache/solr/cli/AuthTool.java
Comment thread on solr/webapp/web/js/angular/app.js (outdated)
@janhoy janhoy requested review from dsmiley and epugh June 18, 2026 11:49
@janhoy janhoy marked this pull request as ready for review June 19, 2026 08:14