lucene-solr-user mailing list archives

From Sotiris Fragkiskos <sfra...@gmail.com>
Subject Re: alias read access impossible for anyone other than admin?
Date Mon, 03 Jun 2019 18:05:38 GMT
it's 7.2.1. Thanks!

On Mon, Jun 3, 2019 at 6:26 PM Jason Gerlowski <gerlowskija@gmail.com>
wrote:

> Hi Sotiris,
>
> What version of Solr are you running?  The behavior has changed some
> over time, both intentionally and due to bugs that have come and gone
> over time.  I (or someone else) can explain things and offer you
> better help once we know your Solr version.
>
> Jason
>
> On Mon, Jun 3, 2019 at 12:13 PM Sotiris Fragkiskos <sfranky@gmail.com>
> wrote:
> >
> > Hi again,
> >
> > I moved the "all" permission to the bottom as suggested, but it still
> > doesn't work. Actually, I tried all possible combinations that I could
> > think of, but I just can't get it to work.
> > Could there be something else that I'm doing wrong? I'm a complete
> > newbie, so pretty much anything is a possibility at this point :(
> > Could it be because I use getfile/putfile commands to update the
> > security.json file? (it seems to be working, i.e. what I put with putfile
> > is later retrieved successfully with getfile)
> > Could there be some system update/refresh mechanism that I'm not aware of
> > and is currently not taking place?
> > Could someone please ELI5 going through the rules one by one? I can't
> > exactly understand the "narrative" that's going on.
> >
> > My security.json file's "authorization" at this point looks like the
> > snippet below, and almost nothing is working (except admin, and userC
> > who, for some weird reason, can access readCollC55b, which is tied to a role
> > that the userC is NOT tied to).
> > I'm completely lost.... any pointers, anyone?
> > Mind you, I'm testing whether it works either directly in the browser by
> > prepending a "username:password@" to the URL or from the cmdline with a
> > curl command like so:
> > curl http://<user:pass>@IP/solr/collName/select?q=field:value
> >
> > Many thanks!
> > Sotiri
> >
> > "authorization":{
> >     "class":"solr.RuleBasedAuthorizationPlugin",
> >     "permissions":[
> >       {
> >         "name":"readCollA",
> >         "collection":"CollA",
> >         "path":"/select/*",
> >         "role":"readCollA",
> >         "index":1},
> >       {
> >         "name":"readCollB",
> >         "collection":"CollB",
> >         "path":"/select/*",
> >         "role":"readCollB",
> >         "index":2},
> >       {
> >         "name":"readCollC55b",
> >         "collection":"CollC55b",
> >         "path":"/select/*",
> >         "role":"readCollC55b",
> >         "index":3},
> >       {
> >         "name":"readCollCProduction",
> >         "collection":"CollCProd",
> >         "path":"/select/*",
> >         "role":"readCollCProduction",
> >         "index":4},
> >       {
> >         "name":"all",
> >         "role":"admin",
> >         "index":5}],
> >     "user-role":{
> >       "admin":[
> >         "admin",
> >         "readCollB",
> >         "readCollA",
> >         "readCollC55b",
> >         "readCollCProduction"],
> >       "userA":["readCollC55b"],
> >       "userB":["readCollC55b"],
> >       "userC":["readCollCProduction"],
> >       "userD":[
> >         "readCollCProduction",
> >         "readCollC55b",
> >         "readCollB",
> >         "readCollA"]},
> >
> >
> >
> > On Fri, May 31, 2019 at 9:07 PM Sotiris Fragkiskos <sfranky@gmail.com>
> > wrote:
> >
> > > Terribly sorry about the duplicate post. It was just when I had first
> > > subscribed, I mustn't have verified my subscription because I never
> > > received any posts. I could also not find my post in the mailing list
> > > archive, so I thought it never arrived. It was only today that I tried
> > > subscribing again (+verifying) that I started receiving emails.
> > > Thanks for your explanation, I had read this in the manual but it
> > > didn't make much sense to me. I interpreted my order as: "first rule, the
> > > request is not from an admin so fail, check the next rule, it's from role
> > > readColl trying to access Coll, go ahead"
> > > I will try it as soon as I can. Thanks very much.
> > > I'm currently using 7.2.
> > >
> > > On Fri, May 31, 2019 at 8:27 PM Jason Gerlowski <gerlowskija@gmail.com>
> > > wrote:
> > >
> > >> Hi Sotiris,
> > >>
> > >> Is this your second time asking this question here, or is there a
> > >> subtle difference I'm missing?  You asked a very similar question a
> > >> week or so ago, and I replied with a few suggestions for changing your
> > >> security.json and with a few questions.  In case you missed it for
> > >> whatever reason, I'll include my original response below:
> > >>
> > >> -----
> > >>
> > >> Hi Sotiris,
> > >>
> > >> First, what version of Solr are you running?  We've made some fixes
> > >> recently (esp. SOLR-13355) to RBAP, and they might affect the behavior
> > >> you're seeing or any fixes we can recommend.
> > >>
> > >> Second, the order of permissions in security.json has a huge effect on
> > >> how .  Solr always uses the first permission rule that matches a given
> > >> API...later rules are ignored if a match is found in earlier ones.
> > >> The first rule in your permissions block ({"name": "all", "role":
> > >> "admin"}) will match all APIs and will only allow requests through if
> > >> the requesting user has the "admin" role.  So "user" being unable to
> > >> query an alias makes sense.  Usually "all" and other catchall
> > >> permissions are best used at the very bottom of your permissions list.
> > >> That way the catchall is the last rule to be checked, giving other
> > >> rules a chance to match first.
> > >>
> > >> Hope that helps.
> > >>
> > >> On Fri, May 31, 2019 at 9:34 AM Sotiris Fragkiskos <sfranky@gmail.com>
> > >> wrote:
> > >> >
> > >> > Hi everyone!
> > >> > I've been trying unsuccessfully to read an alias to a collection
> > >> > with a curl command.
> > >> > The command only works when I put in the admin credentials,
> > >> > although the user I want access for also has the required role for accessing.
> > >> > Is this perhaps built-in, or should anyone be able to access an
> > >> > alias from the API?
> > >> >
> > >> > The command I'm using is:
> > >> > curl http://<user>:<pass>@<solrhostname>/solr/<AliasName>/select?q=<field>:<value>
> > >> > This fails for the user but succeeds for the admin
> > >> >
> > >> > My minimum working example of security.json follows.
> > >> > Many thanks!
> > >> >
> > >> > {
> > >> >   "authentication":{
> > >> >     "blockUnknown":true,
> > >> >     "class":"solr.BasicAuthPlugin",
> > >> >     "credentials":{
> > >> >       "admin":"blahblahblah",
> > >> >       "user":"blahblah"},
> > >> >     "":{"v":13}},
> > >> >   "authorization":{
> > >> >     "class":"solr.RuleBasedAuthorizationPlugin",
> > >> >     "permissions":[
> > >> >       {
> > >> >         "name":"all",
> > >> >         "role":"admin",
> > >> >         "index":1},
> > >> >       {
> > >> >         "name":"readColl",
> > >> >         "collection":"Coll",
> > >> >         "path":"/select/*",
> > >> >         "role":"readColl",
> > >> >         "index":2},
> > >> >       {
> > >> >         "name":"readSCollAlias",
> > >> >         "collection":"sCollAlias",
> > >> >         "path":"/select/*",
> > >> >         "role":"readSCollAlias",
> > >> >         "index":3}],
> > >> >     "user-role":{
> > >> >       "admin":[
> > >> >         "admin",
> > >> >         "readSCollAlias"],
> > >> >       "user":["readSCollAlias"]},
> > >> >     "":{"v":21}}}
> > >>
> > >
>
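As an added illustration that is not part of the thread and not Solr's own code: a simplified model of the first-match-wins evaluation Jason describes, run over the permissions from Sotiris's minimum working example with the catch-all "all" rule first (as posted) and moved to the bottom (as suggested). The path-glob helper and the assumption that a request matching no rule is allowed are mine, not taken from Solr.

```python
# Simplified model of RuleBasedAuthorizationPlugin ordering (added example,
# not Solr's implementation): the first rule that matches a request decides it.

# "permissions" from the first mail's security.json: catch-all "all" at index 1.
ORIGINAL_PERMISSIONS = [
    {"name": "all", "role": "admin"},
    {"name": "readColl", "collection": "Coll", "path": "/select/*", "role": "readColl"},
    {"name": "readSCollAlias", "collection": "sCollAlias", "path": "/select/*", "role": "readSCollAlias"},
]
# The same rules with the catch-all moved to the bottom, as Jason suggested.
REORDERED_PERMISSIONS = ORIGINAL_PERMISSIONS[1:] + ORIGINAL_PERMISSIONS[:1]

# "user-role" from the same security.json.
USER_ROLES = {
    "admin": ["admin", "readSCollAlias"],
    "user": ["readSCollAlias"],
}

def path_matches(pattern, path):
    """Assumed glob semantics: '/select/*' covers '/select' and anything below it."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path

def rule_matches(rule, collection, path):
    """A rule with no collection/path constraint (the 'all' rule) matches everything."""
    if rule.get("name") == "all":
        return True
    if "collection" in rule and rule["collection"] != collection:
        return False
    if "path" in rule and not path_matches(rule["path"], path):
        return False
    return True

def first_matching_rule(permissions, collection, path):
    """Walk the list in order and stop at the first match; later rules are ignored."""
    for rule in permissions:
        if rule_matches(rule, collection, path):
            return rule
    return None

def is_allowed(permissions, user, collection, path):
    """Allowed only if the user holds the role of the first matching rule."""
    rule = first_matching_rule(permissions, collection, path)
    if rule is None:
        return True  # assumption for this model: ungoverned request passes
    return rule["role"] in USER_ROLES.get(user, [])
```

With the posted ordering, "user" querying sCollAlias hits "all" first and is refused for lacking the admin role; with "all" last, the readSCollAlias rule is reached and the same request succeeds.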
