Summary
When creating a user via the Solr Admin UI (Security / Authentication), Solr writes an invalid security.json into ZooKeeper by adding an unexpected property "v".
This corrupts the JSON and prevents all Solr nodes in the SolrCloud cluster from starting.
Environment
Solr: 9.10 (SolrCloud)
Cluster: 3 nodes
ZooKeeper
Authentication: BasicAuthPlugin
Authorization: RuleBasedAuthorizationPlugin
Steps to Reproduce
1. Start a SolrCloud cluster with BasicAuth + RuleBasedAuthorization enabled.
2. security.json is initially valid and Solr starts normally.
3. Open the Admin UI → Security → Authentication.
4. Use the user interface to create a new user (username + password), set their permissions, and save.
5. Solr updates security.json in ZooKeeper.
6. Restart the Solr pods/nodes (or wait until they are restarted by the orchestrator).
Actual Behavior
After the user is created via the UI, the updated security.json in ZooKeeper contains an extra property "v" that breaks the JSON structure.
Example (simplified):
```json
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "solr": "xxxx",
      "new_user": "yyyy"
    },
    "v": 0 // <-- this property is added in an invalid position
  }
}
```
On restart, all Solr nodes fail to start. The pods go into CrashLoopBackOff and the Solr web UI is unavailable.
In solr.log, Solr reports errors while parsing security.json (JSON parse exception / invalid JSON).
This effectively brings down the entire SolrCloud cluster just by creating a user through the Admin UI.
Expected Behavior
Creating a user via the Admin UI should update security.json with valid JSON.
Solr should continue to start normally after the change.
Any internal "v" (version) field used by Solr should be written in a way that does not break the JSON structure.
Impact
A simple administrative action (creating a user via UI) can:
- Corrupt security.json,
- Prevent the whole SolrCloud cluster from starting,
- Require manual intervention in ZooKeeper to fix or restore security.json.
Additional Notes
Manually fixing security.json in ZooKeeper (removing or relocating the "v" property and restoring valid JSON) allows the cluster to start again.
Creating users via the authentication API (/admin/authentication with set-user) does not appear to cause this issue (please confirm).
It looks like the Admin UI path for updating users is writing the version field "v" into the wrong place in security.json.
Request
- Please investigate the Admin UI path for updating security.json when creating/modifying users under BasicAuth.
- Ensure that any internal version metadata (such as "v") is written in a JSON-safe way and does not corrupt the security.json structure.
- Ideally, add validation and error handling so that an invalid security.json cannot be written to ZooKeeper.
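
The validation requested in the last point can be approximated outside Solr with a pre-write check that compares a candidate security.json against the last known-good copy. This is an added example, not Solr's own code; the `ALLOWED_GROWTH` paths (where a "create user" change is expected to add keys) and the sample documents are assumptions constructed from the simplified example in this report.

```python
import json

# Paths under which a "create user" change may add keys (assumption for this sketch).
ALLOWED_GROWTH = (("authentication", "credentials"), ("authorization", "user-role"))

def _reject_duplicates(pairs):
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r}")
        obj[key] = value
    return obj

def _key_paths(node, prefix=()):
    """Return the set of key paths (as tuples) for every object member."""
    paths = set()
    if isinstance(node, dict):
        for key, value in node.items():
            paths.add(prefix + (key,))
            paths |= _key_paths(value, prefix + (key,))
    return paths

def check_security_json(candidate: bytes, baseline: bytes) -> list:
    """Return a list of problems; an empty list means the candidate may be written."""
    try:
        new = json.loads(candidate, object_pairs_hook=_reject_duplicates)
    except ValueError as exc:  # JSONDecodeError and bad UTF-8 are both ValueError
        return [f"not strict JSON: {exc}"]
    old = json.loads(baseline)
    if not isinstance(new, dict):
        return ["top level is not an object"]
    problems = []
    auth = new.get("authentication")
    if not isinstance(auth, dict) or not isinstance(auth.get("class"), str):
        problems.append("authentication.class missing or not a string")
    else:
        creds = auth.get("credentials", {})
        if not isinstance(creds, dict) or not all(isinstance(v, str) for v in creds.values()):
            problems.append("authentication.credentials must map user -> string")
    # Any key that is new relative to the baseline must sit under an allowed path.
    for path in sorted(_key_paths(new) - _key_paths(old)):
        if not any(path[:len(p)] == p and len(path) > len(p) for p in ALLOWED_GROWTH):
            problems.append("unexpected new key: " + "/".join(path))
    return problems

# Constructed samples modelled on the report's simplified example.
BASELINE = b'{"authentication": {"class": "solr.BasicAuthPlugin", "credentials": {"solr": "xxxx"}}}'
GOOD = b'{"authentication": {"class": "solr.BasicAuthPlugin", "credentials": {"solr": "xxxx", "new_user": "yyyy"}}}'
WITH_V = b'{"authentication": {"class": "solr.BasicAuthPlugin", "credentials": {"solr": "xxxx", "new_user": "yyyy"}, "v": 0}}'
BROKEN = b'{"authentication": {"class": "solr.BasicAuthPlugin", "credentials": {"solr": "xxxx"}, "v": 0 // note\n}}'
```

Running the check against the bytes read back from ZooKeeper before any node restart catches both a document that no longer parses and one that parses but gained a key outside the expected paths.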