lucene-solr-user mailing list archives

From Jason Gerlowski <gerlowsk...@gmail.com>
Subject Re: Problems with restricting access to users using Basic auth
Date Tue, 03 Sep 2019 13:36:11 GMT
Yeah, it beats me.  If you've made sure that the security.json in
ZooKeeper is exactly the same as the one I posted but you're still
getting different results, then I'm stumped.  Maybe someone else here
has an idea.

Out of curiosity, are you setting your security.json via the
authentication/authorization APIs, or by uploading the file directly
to ZooKeeper?

RuleBasedAuthorizationPlugin logging has improved in more recent
versions of Solr, so that when the log-level is raised to DEBUG
there's a lot more information given for each request about which
permissions apply and what the result of looking at each is.  But that
won't help you on 7.6 unfortunately.

Good luck, and let us know if you are able to fix things, or
eventually find out what the difference in behavior is between our two
setups.

Jason

On Tue, Sep 3, 2019 at 8:01 AM Salmaan Rashid Syed
<salmaan.rashid@mroads.com> wrote:
>
> Hi Jason,
>
> Apologies for the late reply. My laptop was broken and I got it today from
> the service centre.
>
> I am still having issues with solr-user being able to view the Collections
> list, as follows.
>
> Testing permissions for user [solr]
>     Request [/admin/collections?action=LIST] returned status [200]
>     Request [/collection1/select?q=*:*] returned status [200]
>     Request [/collection2/select?q=*:*] returned status [200]
>     Request [/collection3/select?q=*:*] returned status [200]
>
> Testing permissions for user [solr-user]
>     Request [/admin/collections?action=LIST] returned status [200]
>     Request [/collection1/select?q=*:*] returned status [200]
>     Request [/collection2/select?q=*:*] returned status [200]
>     Request [/collection3/select?q=*:*] returned status [403]
>
> I am still wondering where I am going wrong.
>
> Thanks,
> Salmaan
>
>
>
>
> On Thu, Aug 29, 2019 at 1:34 PM Salmaan Rashid Syed <
> salmaan.rashid@mroads.com> wrote:
>
> > Thanks a lot Jason,
> >
> > I will try this out and let you know.
> >
> > Thanks again.
> >
> > On Wed 28 Aug, 2019, 7:45 PM Jason Gerlowski, <gerlowskija@gmail.com>
> > wrote:
> >
> >> Hi Salmaan,
> >>
> >> Are you still seeing this behavior, or were you able to figure things out?
> >>
> >> I just got a chance to try out the security.json in Solr 7.6 myself,
> >> and I can't reproduce the behavior you're seeing.
> >>
> >> It might be helpful to level set here.  Make sure that our
> >> security.json settings and our test requests are exactly the same.
> >>
> >> This is the security.json I used in my test deployment:
> >>
> >> {
> >>   "authentication":{
> >>    "blockUnknown": true,
> >>    "class":"solr.BasicAuthPlugin",
> >>    "credentials":{
> >>      "solr":"gP31s0FQevh3k0i0y6g9AP/TZLWctxfZjtC9sOh8vZU= J7an406gVyx4v4CkR8YLgmhClk9Yv/fIBSfZoi1f0kY=",
> >>      "solr-user":"gP31s0FQevh3k0i0y6g9AP/TZLWctxfZjtC9sOh8vZU= J7an406gVyx4v4CkR8YLgmhClk9Yv/fIBSfZoi1f0kY="
> >>    }
> >>   },
> >>   "authorization":{
> >>    "class":"solr.RuleBasedAuthorizationPlugin",
> >>    "permissions":[
> >>       {"name": "dev-read", "collection": ["collection1",
> >> "collection2"], "role": ["dev", "admin"] },
> >>       {"name": "security-edit", "role": "admin"},
> >>       {"name": "security-read", "role": "admin"},
> >>       {"name": "schema-edit", "role": "admin"},
> >>       {"name": "schema-read", "role": "admin"},
> >>       {"name": "config-edit", "role": "admin"},
> >>       {"name": "config-read", "role": "admin"},
> >>       {"name": "core-admin-edit", "role": "admin"},
> >>       {"name": "core-admin-read", "role": "admin"},
> >>       {"name": "collection-api-edit", "role": "admin"},
> >>       {"name": "collection-api-read", "role": "admin"},
> >>       {"name": "read", "role": "admin"},
> >>       {"name": "update", "role": "admin"},
> >>       {"name": "all", "role": "admin"}
> >>    ],
> >>    "user-role":{
> >>      "solr":"admin",
> >>      "solr-user": "dev"
> >>    }
> >>   }
> >> }
> >>
> >> And this is the output of a script I use to test permissions quickly:
> >>
> >> $ ./test-security.sh
> >>
> >> Testing permissions for user [solr]
> >>     Request [/admin/collections?action=LIST] returned status [200]
> >>     Request [/collection1/select?q=*:*] returned status [200]
> >>     Request [/collection2/select?q=*:*] returned status [200]
> >>     Request [/collection3/select?q=*:*] returned status [200]
> >>
> >> Testing permissions for user [solr-user]
> >>     Request [/admin/collections?action=LIST] returned status [403]
> >>     Request [/collection1/select?q=*:*] returned status [200]
> >>     Request [/collection2/select?q=*:*] returned status [200]
> >>     Request [/collection3/select?q=*:*] returned status [403]
> >>
> >> You can find this script here, to see the exact curl commands being
> >> used and run it yourself: https://paste.apache.org/tjtdg
> >>
> >> That output looks correct to me.  solr-user is prevented from
> >> accessing other APIs and other collections, but can access collection1
> >> and collection2.
> >>
> >> Does your security.json match mine, or do the permissions differ in
> >> some way?  Can you still reproduce the behavior using my script?
> >>
> >> Good luck,
> >>
> >> Jason
> >>
> >> On Thu, Aug 22, 2019 at 2:13 AM Salmaan Rashid Syed
> >> <salmaan.rashid@mroads.com> wrote:
> >> >
> >> > Hi,
> >> >
> >> > Any suggestions as to what can be done?
> >> >
> >> > Regards,
> >> > Salmaan
> >> >
> >> >
> >> > On Wed, Aug 21, 2019 at 4:33 PM Jason Gerlowski <gerlowskija@gmail.com>
> >> > wrote:
> >> >
> >> > > Ah, ok.  SOLR-13355 still affects 7.6, so that explains why you're
> >> > > seeing this behavior.
> >> > >
> >> > > You could upgrade to get the new behavior, but you don't need to-
> >> > > there's a workaround.  You just need to add a few extra rules to your
> >> > > security.json.  The problem in SOLR-13355 is that the "all" permission
> >> > > isn't being considered for APIs that are covered by other predefined
> >> > > permissions.  So the workaround is to add a permission rule for each
> >> > > of the predefined permissions, locking them down to the "admin" role.
> >> > > It really bloats security.json, but should do the job.  So your
> >> > > security.json should have a permissions section that looks like the
> >> > > JSON below:
> >> > >
> >> > > {"name": "dev-read", "collection": ["collection1", "collection2"],
> >> > > "role": "dev"},
> >> > > {"name": "security-edit", "role": "admin"},
> >> > > {"name": "security-read", "role": "admin"},
> >> > > {"name": "schema-edit", "role": "admin"},
> >> > > {"name": "schema-read", "role": "admin"},
> >> > > {"name": "config-edit", "role": "admin"},
> >> > > {"name": "config-read", "role": "admin"},
> >> > > {"name": "core-admin-edit", "role": "admin"},
> >> > > {"name": "core-admin-read", "role": "admin"},
> >> > > {"name": "collection-api-edit", "role": "admin"},
> >> > > {"name": "collection-api-read", "role": "admin"},
> >> > > {"name": "read", "role": "admin"},
> >> > > {"name": "update", "role": "admin"},
> >> > > {"name": "all", "role": "admin"}
> >> > >
> >> > > Hope that helps.  Let me know if that still has any problems for you.
> >> > >
> >> > > Jason
> >> > >
> >> > > On Wed, Aug 21, 2019 at 6:48 AM Salmaan Rashid Syed
> >> > > <salmaan.rashid@mroads.com> wrote:
> >> > > >
> >> > > > Hi Jason,
> >> > > >
> >> > > > Is there a way to fix this in version 7.6?
> >> > > >
> >> > > > Or is it mandatory to upgrade to other versions?
> >> > > >
> >> > > > If I have to upgrade to a higher version, then what is the best way to do
> >> > > > this without affecting the current configuration and indexed data?
> >> > > >
> >> > > > Thanks,
> >> > > > Salmaan
> >> > > >
> >> > > >
> >> > > >
> >> > > > On Wed, Aug 21, 2019 at 4:13 PM Salmaan Rashid Syed <
> >> > > > salmaan.rashid@mroads.com> wrote:
> >> > > >
> >> > > > > Hi Jason,
> >> > > > >
> >> > > > > I am using version 7.6 of Solr.
> >> > > > >
> >> > > > > Thanks,
> >> > > > > Salmaan
> >> > > > >
> >> > > > >
> >> > > > >
> >> > > > > On Wed, Aug 21, 2019 at 4:12 PM Jason Gerlowski <gerlowskija@gmail.com>
> >> > > > > wrote:
> >> > > > >
> >> > > > >> The "all" permission _should_ block solr-user from accessing all of
> >> > > > >> those resources, and I believe it does in newer versions of Solr.
> >> > > > >> There was a bug with it that was fixed a few versions back though- it
> >> > > > >> sounds like you might be running into that. (see
> >> > > > >> https://issues.apache.org/jira/browse/SOLR-13355) What version of Solr
> >> > > > >> are you using?
> >> > > > >>
> >> > > > >> Jason
> >> > > > >>
> >> > > > >>
> >> > > > >>
> >> > > > >> On Wed, Aug 21, 2019 at 5:21 AM Salmaan Rashid Syed
> >> > > > >> <salmaan.rashid@mroads.com> wrote:
> >> > > > >> >
> >> > > > >> > Hi Jason,
> >> > > > >> >
> >> > > > >> > Thanks for your prompt reply.
> >> > > > >> >
> >> > > > >> > Your code does address a few of my concerns like restricting
> >> > > > >> > *solr-user* from accessing the dashboard and from executing other
> >> > > > >> > request methods apart from *"update"* and *"read"*.
> >> > > > >> >
> >> > > > >> > But I am still able to access other collections such as
> >> > > > >> > *"Collection3", "Collection4"* and so on, apart from the intended
> >> > > > >> > two collections entered in the code. I can give *"update"* and
> >> > > > >> > *"read"* requests to these external Collections which solr-user
> >> > > > >> > should not be able to do.
> >> > > > >> >
> >> > > > >> > Moreover solr-user can look at the
> >> > > > >> > *http://localhost:8983/solr/admin/authentication* link which lists
> >> > > > >> > the users and their *SHA256* coded passwords. How can I hide this
> >> > > > >> > and restrict access to other collections?
> >> > > > >> >
> >> > > > >> > Thanks and regards
> >> > > > >> > Salmaan
> >> > > > >> >
> >> > > > >> >
> >> > > > >> > On Wed, Aug 21, 2019 at 5:07 AM Jason Gerlowski <gerlowskija@gmail.com>
> >> > > > >> > wrote:
> >> > > > >> >
> >> > > > >> > > Hi Salmaan,
> >> > > > >> > >
> >> > > > >> > > Solr's RuleBasedAuthorizationPlugin allows requests through if
> >> > > > >> > > none of the specified permissions apply.  I think that's what
> >> > > > >> > > you're running into in your example above.  If you want to lock
> >> > > > >> > > down a particular API (or set of APIs) then you need to explicitly
> >> > > > >> > > add a permission that restricts those APIs to a particular role.
> >> > > > >> > >
> >> > > > >> > > One way to get the behavior that it sounds like you're looking for
> >> > > > >> > > would be to add a catch-all permission at the bottom of your
> >> > > > >> > > permissions list that restricts all other APIs to "admin".  This
> >> > > > >> > > would look a bit like:
> >> > > > >> > >
> >> > > > >> > >  "permissions":[
> >> > > > >> > >     {
> >> > > > >> > >         "name":"security-edit",
> >> > > > >> > >         "role":"admin"
> >> > > > >> > >     },
> >> > > > >> > >     {
> >> > > > >> > >         "collection": ["Collection1", "Collection2"],
> >> > > > >> > >         "name": ["update", "read"],
> >> > > > >> > >         "role": "dev"
> >> > > > >> > >     },
> >> > > > >> > >     {
> >> > > > >> > >         "name": "all",
> >> > > > >> > >         "role": "admin"
> >> > > > >> > >     }
> >> > > > >> > > ]
> >> > > > >> > >
> >> > > > >> > > Hope that helps get you started.
> >> > > > >> > >
> >> > > > >> > > Best,
> >> > > > >> > >
> >> > > > >> > > Jason
> >> > > > >> > >
> >> > > > >> > > On Tue, Aug 20, 2019 at 3:19 AM Salmaan Rashid Syed
> >> > > > >> > > <salmaan.rashid@mroads.com> wrote:
> >> > > > >> > > >
> >> > > > >> > > > Hi Solr Users,
> >> > > > >> > > >
> >> > > > >> > > > I want to create a user that has restricted access to Solr. I
> >> > > > >> > > > did the following:
> >> > > > >> > > >
> >> > > > >> > > >
> >> > > > >> > > > {
> >> > > > >> > > >   "authentication":{
> >> > > > >> > > >     "blockUnknown": true,
> >> > > > >> > > >     "class":"solr.BasicAuthPlugin",
> >> > > > >> > > >     "credentials":{
> >> > > > >> > > >       "solr-admin": "2IUJD9dxRhxSXaJGdMP5z8ggSn4I285Ty9GCWeRNMUg= /sSNJJufPtj4baRizoJshJawFsWvopvZSqZpQ/Nwd78=",
> >> > > > >> > > >       "solr-user": "p+XwOh15p/rvFltv2LXP1CwtbvwBgGlC9qcDKxV73B4= DcNsjfA6Wf16V1XKT+YraosSFQ5Cr3eRUX6BQnx9XKA="
> >> > > > >> > > >     }
> >> > > > >> > > >   },
> >> > > > >> > > >   "authorization":{
> >> > > > >> > > >     "class":"solr.RuleBasedAuthorizationPlugin",
> >> > > > >> > > >     "user-role":{"solr-admin":"admin", "solr-user":"dev"},
> >> > > > >> > > >     "permissions":[
> >> > > > >> > > >       {
> >> > > > >> > > >         "name":"security-edit",
> >> > > > >> > > >         "role":"admin"
> >> > > > >> > > >       },
> >> > > > >> > > >       {
> >> > > > >> > > >         "collection": ["Collection1", "Collection2"],
> >> > > > >> > > >         "name": ["update", "read"],
> >> > > > >> > > >         "role": "dev"
> >> > > > >> > > >       }
> >> > > > >> > > >     ]
> >> > > > >> > > >   }
> >> > > > >> > > > }
> >> > > > >> > > >
> >> > > > >> > > >
> >> > > > >> > > > But when I log into the Solr admin dashboard using solr-user
> >> > > > >> > > > credentials, I can read, select, write, update, delete
> >> > > > >> > > > collections and do all sorts of things like a solr-admin can do.
> >> > > > >> > > >
> >> > > > >> > > > I want solr-user to be able to access only *Collection1* and
> >> > > > >> > > > *Collection2* and be able to only *update* and *read*. He should
> >> > > > >> > > > not be able to access other collections and do anything apart
> >> > > > >> > > > from the above mentioned role.
> >> > > > >> > > >
> >> > > > >> > > > Where am I exactly going wrong?
> >> > > > >> > > >
> >> > > > >> > > > Thanks and Regards,
> >> > > > >> > > > Salmaan
> >> > > > >> > >
> >> > > > >>
> >> > > > >
> >> > >
> >>
> >
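The rule-evaluation behaviour Jason describes in the thread (permissions are checked in order, the first matching permission decides, a request that matches no permission is let through, and on 7.6 the "all" rule is skipped for APIs that another predefined permission covers, per SOLR-13355) can be tried out offline with the following Python model. It is an added example and not Solr's own code or the test script from the thread: the handler paths behind each predefined permission name are an assumed subset of the real ones, collection names are compared as exact strings, and the SOLR-13355 toggle reproduces only the thread's description of that bug. The three configurations are built from the thread's security.json variants; the collection-scoped rule uses the predefined names read/update from the first post and lists admin alongside dev, as Jason's test file does, because under first-match semantics a dev-only rule would also lock the admin out of those two collections.

```python
"""Model of the RuleBasedAuthorizationPlugin matching described in the thread.
Added illustration, not Solr's code: rules are checked in order, the first rule
whose handler and collection match decides (role held -> 200, else 403), and a
request that matches no rule is let through."""
from dataclasses import dataclass
from typing import Optional

# ASSUMED subset of the request shapes behind each predefined permission name:
# (handler paths, HTTP methods, admin-API actions or None for "any action").
PREDEFINED = {
    "read":                ({"/select", "/get"}, {"GET", "POST"}, None),
    "update":              ({"/update"}, {"POST"}, None),
    "collection-api-read": ({"/admin/collections"}, {"GET"}, {"LIST", "CLUSTERSTATUS"}),
    "collection-api-edit": ({"/admin/collections"}, {"GET", "POST"}, {"CREATE", "DELETE"}),
    "security-read":       ({"/admin/authentication", "/admin/authorization"}, {"GET"}, None),
    "security-edit":       ({"/admin/authentication", "/admin/authorization"}, {"POST"}, None),
    "config-read":         ({"/config"}, {"GET"}, None),
    "config-edit":         ({"/config"}, {"POST"}, None),
}

@dataclass
class Request:
    user: str
    path: str                     # "/collection1/select" or "/admin/collections"
    method: str = "GET"
    action: Optional[str] = None  # ?action=... on the admin APIs

    def split(self):
        """Return (collection, handler); admin paths carry no collection."""
        if self.path.startswith("/admin/"):
            return None, self.path
        _, collection, *rest = self.path.split("/", 2)
        return collection, "/" + "".join(rest)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def covers(name, req, emulate_solr_13355=False):
    """Does permission `name` apply to `req` at all, regardless of roles?"""
    if name == "all":
        # Reproduces only the thread's description of SOLR-13355 on 7.6: "all"
        # is not considered for APIs that another predefined permission covers.
        if emulate_solr_13355 and any(covers(n, req) for n in PREDEFINED):
            return False
        return True
    if name not in PREDEFINED:
        raise ValueError(f"custom permission {name!r} is not modelled here")
    paths, methods, actions = PREDEFINED[name]
    if req.split()[1] not in paths or req.method not in methods:
        return False
    return actions is None or req.action in actions

def authorize(security_json, req, emulate_solr_13355=False):
    """Return the status (200 or 403) the model gives `req`."""
    authz = security_json["authorization"]
    user_roles = set(_as_list(authz["user-role"].get(req.user, [])))
    collection = req.split()[0]
    for perm in authz["permissions"]:
        # A "collection" list is matched as exact strings (assumption of this model).
        if "collection" in perm and collection not in perm["collection"]:
            continue
        if any(covers(n, req, emulate_solr_13355) for n in _as_list(perm["name"])):
            return 200 if user_roles & set(_as_list(perm["role"])) else 403  # first match decides
    return 200  # nothing matched: the request passes through

def admin_only(*names):
    return [{"name": n, "role": "admin"} for n in names]

def config(permissions):
    return {"authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
                              "user-role": {"solr": "admin", "solr-user": "dev"},
                              "permissions": permissions}}

# Collection-scoped rule from the thread. "admin" is listed too (as in Jason's test
# file): under first-match semantics a dev-only rule would 403 the admin as well.
DEV_RULE = {"name": ["update", "read"], "collection": ["collection1", "collection2"],
            "role": ["dev", "admin"]}
ORIGINAL = config(admin_only("security-edit") + [DEV_RULE])                       # first post
CATCH_ALL = config(admin_only("security-edit") + [DEV_RULE] + admin_only("all"))  # plus "all"
EXPANDED = config([DEV_RULE] + admin_only(*PREDEFINED, "all"))                    # 7.6 workaround

# Probes from the thread's test output, plus the authentication page solr-user could read.
PROBES = [Request("", "/admin/collections", action="LIST"), Request("", "/collection1/select"),
          Request("", "/collection3/select"), Request("", "/admin/authentication")]

def probe(security_json, user, emulate_solr_13355=False):
    """Map each probe URL to the status `user` gets under `security_json`."""
    return {p.path + (f"?action={p.action}" if p.action else ""):
            authorize(security_json, Request(user, p.path, p.method, p.action), emulate_solr_13355)
            for p in PROBES}

if __name__ == "__main__":
    for label, cfg, bug in [("original, no catch-all", ORIGINAL, False),
                            ("catch-all, fixed Solr", CATCH_ALL, False),
                            ("catch-all, SOLR-13355 emulated", CATCH_ALL, True),
                            ("expanded workaround, SOLR-13355 emulated", EXPANDED, True)]:
        print(f"== {label}")
        for user in ("solr", "solr-user"):
            for url, status in probe(cfg, user, bug).items():
                print(f"  {user:9} {url:32} {status}")
```

Running the script prints the four configurations side by side. The original configuration lets solr-user read collection3 and /admin/authentication because nothing matches those requests; the catch-all "all" rule closes that on a fixed Solr; with the SOLR-13355 toggle on, the same catch-all is ignored for every API that read, collection-api-read or security-read covers, which is why the expanded list of admin-only predefined permissions is needed on 7.6. Placing the collection-scoped rule after the admin-only "read" rule in EXPANDED would make solr-user get 403 on collection1 as well, since the first matching rule decides.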
