lucene-solr-user mailing list archives

From Jason Gerlowski <gerlowsk...@gmail.com>
Subject Re: alias read access impossible for anyone other than admin?
Date Tue, 28 May 2019 11:31:11 GMT
Hey Aroop,

The fix in SOLR-13355 is available starting in 8.1.  It will also be
available in 7.7.2 once that is released.  (Jan Hoydahl started the
release process for 7.7.2, but held off for a number of other ongoing
releases.  He's recently resumed work on the release though, and I
expect we'll see 7.7.2 in a week or two.)

RuleBasedAuthorizationPlugin does have some coverage in the ref-guide,
as you've likely seen:
https://lucene.apache.org/solr/guide/7_7/rule-based-authorization-plugin.html.
I don't think SOLR-13355 involved any changes to that documentation:
it fixed a bug that deviated from what was described in the ref-guide,
so there were no changes required when that bug was fixed.  That said,
if you see something I've missed, or think that page could be improved
more generally, it's definitely worth raising a JIRA for.  RBAP
permission matching/processing can be subtle for those using it for
the first time, so any improvement to the docs will go a long way.

Jason

On Sat, May 25, 2019 at 3:12 AM Aroop Ganguly <aroopganguly@icloud.com> wrote:
>
> hi jason
>
> which version of solr has the definitive fix for the rbap again ?
> also is there a jira to fix or create a documentation for the same that works :) ?
>
> aroop
>
>
> > On May 24, 2019, at 9:55 AM, Jason Gerlowski <gerlowskija@gmail.com> wrote:
> >
> > Hi Sotiris,
> >
> > First, what version of Solr are you running?  We've made some fixes
> > recently (esp. SOLR-13355) to RBAP, and they might affect the behavior
> > you're seeing or any fixes we can recommend.
> >
> > Second, the order of permissions in security.json has a huge effect on
> > how .  Solr always uses the first permission rule that matches a given
> > API...later rules are ignored if a match is found in earlier ones.
> > The first rule in your permissions block ({"name": "all", "role":
> > "admin"}) will match all APIs and will only allow requests through if
> > the requesting user has the "admin" role.  So "user" being unable to
> > query an alias makes sense.  Usually "all" and other catchall
> > permissions are best used at the very bottom of your permissions list.
> > That way the catchall is the last rule to be checked, giving other
> > rules a chance to match first.
> >
> > Hope that helps.
> >
> > Jason
> >
> > On Wed, May 22, 2019 at 6:21 AM Sotiris Fragkiskos <sfranky@gmail.com> wrote:
> >>
> >> Hi everyone!
> >> I've been trying unsuccessfully to read an alias to a collection with a
> >> curl command.
> >> The command only works when I put in the admin credentials, although the
> >> user I want access for also has the required role for accessing.
> >> Is this perhaps built-in, or should anyone be able to access an alias from
> >> the API?
> >>
> >> The command I'm using is:
> >> curl http://<user>:<pass>@<solrhostname>/solr/<AliasName>/select?q=<field>:<value>
> >> This fails for the user but succeeds for the admin
> >>
> >> My minimum working example of security.json follows.
> >> Many thanks!
> >>
> >> {
> >>  "authentication":{
> >>    "blockUnknown":true,
> >>    "class":"solr.BasicAuthPlugin",
> >>    "credentials":{
> >>      "admin":"blahblahblah",
> >>      "user":"blahblah"},
> >>    "":{"v":13}},
> >>  "authorization":{
> >>    "class":"solr.RuleBasedAuthorizationPlugin",
> >>    "permissions":[
> >>      {
> >>        "name":"all",
> >>        "role":"admin",
> >>        "index":1},
> >>      {
> >>        "name":"readColl",
> >>        "collection":"Coll",
> >>        "path":"/select/*",
> >>        "role":"readColl",
> >>        "index":2},
> >>      {
> >>        "name":"readSCollAlias",
> >>        "collection":"sCollAlias",
> >>        "path":"/select/*",
> >>        "role":"readSCollAlias",
> >>        "index":3}],
> >>    "user-role":{
> >>      "admin":[
> >>        "admin",
> >>        "readSCollAlias"],
> >>      "user":["readSCollAlias"]},
> >>    "":{"v":21}}}
>
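As an added illustration of the first-match rule Jason describes above (example code written for this archive page, not code from Solr or from anyone in the thread), the following Python model evaluates the permissions list exactly as posted, and the same list with the "all" catch-all moved to the bottom, against the requests discussed. Its collection/path matching and its no-match behaviour are simplifying assumptions, not Solr's exact matcher.

```python
# Illustrative model of the first-match rule in Jason's reply: the first
# permission whose collection/path match the request decides; later rules are
# never consulted.  This is not Solr's own RuleBasedAuthorizationPlugin code.

# Permissions as posted in the thread ("all" first), and the same rules with the
# catch-all moved to the bottom, as the reply recommends.
ORIGINAL_PERMISSIONS = [
    {"name": "all", "role": "admin"},
    {"name": "readColl", "collection": "Coll", "path": "/select/*",
     "role": "readColl"},
    {"name": "readSCollAlias", "collection": "sCollAlias", "path": "/select/*",
     "role": "readSCollAlias"},
]
REORDERED_PERMISSIONS = ORIGINAL_PERMISSIONS[1:] + ORIGINAL_PERMISSIONS[:1]

# user-role block from the posted security.json
USER_ROLES = {"admin": ["admin", "readSCollAlias"], "user": ["readSCollAlias"]}

def _path_matches(pattern, path):
    # Model assumption: "/select/*" covers "/select" and anything below it;
    # any other pattern must match the request path exactly.
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return pattern == path

def _rule_matches(rule, collection, path):
    if rule["name"] == "all":  # Solr's predefined catch-all permission
        return True
    if "collection" in rule and rule["collection"] != collection:
        return False
    return "path" not in rule or _path_matches(rule["path"], path)

def first_matching_rule(permissions, collection, path):
    """Name of the first rule matching the request, or None."""
    for rule in permissions:
        if _rule_matches(rule, collection, path):
            return rule["name"]
    return None

def is_allowed(permissions, user, collection, path):
    """Decide with the first matching rule only.  Model assumption: a request
    that matches no rule is denied (cannot happen while "all" is present)."""
    for rule in permissions:
        if _rule_matches(rule, collection, path):
            roles = rule["role"] if isinstance(rule["role"], list) else [rule["role"]]
            return any(r in USER_ROLES.get(user, []) for r in roles)
    return False
```

With the posted order, every request hits "all" first and only "admin" gets through; after reordering, "user" can query the alias but is still refused on "Coll" and on non-select handlers, which fall through to the catch-all.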
