Apache Solr
Apache Software Foundationdatabase5 credentials
Unauthenticated Solr API/Admin Access
apache-solr / unauthenticated-default
Solr does not require HTTP authentication until an authentication plugin is configured through security.json or equivalent deployment configuration. Without auth, Admin UI and query/update APIs may be reachable to anyone with network access.
Unauthenticated access
open defaultno authentication required- username
- none
- password
- none
Location
Solr Admin UI and HTTP APIs, commonly :8983/solrAdmin, collections, config, query, and update endpoints when no auth plugin is active
security.jsonabsence of authentication plugin or blockUnknown/user configuration means no Solr HTTP auth enforcement
ZooKeeper-stored security.json for SolrCloud clusters
Solr startup and security plugin logs indicating whether authentication is configured
Notes
This represents absence of Solr HTTP authentication, not a blank username/password. Exposure depends on security.json, SolrCloud ZooKeeper state, reverse proxies, network controls, and collection/update permissions.
Solr Basic Authentication User Password
apache-solr / basic-auth-user-password
Solr can enable the BasicAuthPlugin or other authentication plugins in security.json. Users and password hashes protect the Admin UI, Collections API, and query/update APIs.
Location
Solr Admin UI, Collections API, query/update handlers, and V2 APIssecurity.jsonauthentication plugin, users, password hashes, blockUnknown, and authorization config
ZooKeeper security.json storage for SolrCloud clusters
Kubernetes Secrets, Solr Operator secrets, and password vaults
Solr request logs, security audit logs, and client traces
JWT / Bearer Token Credential
apache-solr / bearer-jwt-and-api-token
Solr can use JWT/OIDC or plugin-based bearer tokens for API access. Clients present tokens to query and update collections.
Location
AuthorizationBasic or Bearer/JWT token for Solr API requests
security.json, OIDC/JWT plugin configuration, client configs, and .env files
SOLR_AUTH_TYPE, SOLR_AUTHENTICATION_OPTS, SOLR_TOKENCI/CD variables, Kubernetes Secrets, and identity-provider client stores
HTTP traces and auth plugin debug logs
ZooKeeper Digest / Kerberos JAAS Secret
apache-solr / zk-digest-and-jaas-secret
SolrCloud deployments commonly protect ZooKeeper with digest auth, SASL/Kerberos, JAAS files, and ZK ACL credentials.
Location
solr.in.sh, jaas.conf, zoo.cfgZooKeeper digest credentials, JAAS login modules, and Solr ZK auth settings
SOLR_ZK_CREDS_AND_ACLS, SOLR_JAAS_FILEKubernetes Secrets, keytabs, and deployment vaults
ZooKeeper ACL/auth logs and SolrCloud startup logs
TLS Keystore / Private Key
apache-solr / tls-private-key-and-keystore
Solr can secure HTTP and internode traffic with TLS keystores, truststores, and private keys.
Looks like
pattern-----BEGIN (RSA |EC |ENCRYPTED |)PRIVATE KEY-----Location
solr.in.sh, solr-ssl.keystore.p12, solr-ssl.keystore.jksSSL key/trust store paths and passwords
SOLR_SSL_KEY_STORE_PASSWORD, SOLR_SSL_TRUST_STORE_PASSWORDKubernetes Secrets, Java keystores, and certificate vaults
cluster backups and support bundles
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.