lucene-dev mailing list archives

From Dominique Béjean (JIRA) <j...@apache.org>
Subject [jira] [Updated] (SOLR-13097) RuleBasedAuthorizationPlugin is not fully functional in Solr standalone mode
Date Wed, 02 Jan 2019 07:20:00 GMT

     [ https://issues.apache.org/jira/browse/SOLR-13097?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dominique Béjean updated SOLR-13097:
------------------------------------
    Description: 
In Solr standalone mode, the collections element of the request context is not populated with
the core name.

For instance, the following request:

{{[http://user1:xxxxxx@localhost:8983/solr/biblio/select?indent=on&q=*:*&wt=json]}}

reports this in the log:

{{2018-12-30 12:24:52.102 INFO (qtp1731656333-20) [ x:biblio] o.a.s.s.HttpSolrCall USER_REQUIRED
auth header Basic Mjox context : userPrincipal: [[principal: 2]] type: [READ], collections:
[], Path: [/select] path : /select params :q=*:*&indent=on&wt=json}}

The consequence is that RuleBasedAuthorizationPlugin is not able to apply this kind of permission:

{{{"name":"read-biblio",}}
{{ "path":"/select",}}
{{ "role":["admin","read","r1"],}}
{{ "collection":"biblio",}}
{{ "index":2}}}

In SolrCloud mode, in the init() method of HttpSolrCall.java, the collections element is populated
with either the collection name matching the core name in the request or the collection names
provided in the collection parameter.

{{if (cores.isZooKeeperAware()) {}}
{{    // init collectionList (usually one name but not when there are aliases)}}
{{    String def = core != null ? core.getCoreDescriptor().getCollectionName() : origCorename;}}
{{    collectionsList = resolveCollectionListOrAlias(queryParams.get(COLLECTION_PROP, def)); // &collection= takes precedence}}
{{    ...}}

 

I expect the init() method could be improved in order to populate the collections element with the
core name for Solr standalone mode.

 

  was:
In Solr standalone mode, the collections element of the request context is not populated with
the core name.

For instance, the following request:

{{http://user1:xxxxxx@localhost:8983/solr/biblio/select?indent=on&q=*:*&wt=json}}

reports this in the log:

{{2018-12-30 12:24:52.102 INFO (qtp1731656333-20) [ x:biblio] o.a.s.s.HttpSolrCall USER_REQUIRED
auth header Basic Mjox context : userPrincipal: [[principal: 2]] type: [READ], collections:
[], Path: [/select] path : /select params :q=*:*&indent=on&wt=json}}

The consequence is that RuleBasedAuthorizationPlugin is not able to apply this kind of permission:

{{{"name":"read-biblio",}}
{{ "path":"/select",}}
{{ "role":["admin","read","r1"],}}
{{ "collection":"biblio",}}
{{ "index":2}}}

In SolrCloud mode, in the init() method of HttpSolrCall.java, the collections element is populated
with either the collection name matching the core name in the request or the collection names
provided in the collection parameter.

{{if (cores.isZooKeeperAware()) {}}
{{    // init collectionList (usually one name but not when there are aliases)}}
{{    String def = core != null ? core.getCoreDescriptor().getCollectionName() : origCorename;}}
{{    collectionsList = resolveCollectionListOrAlias(queryParams.get(COLLECTION_PROP, def)); // &collection= takes precedence}}
{{    ...}}
{{ }}}

I expect the init() method could be improved in order to populate the collections element with the
core name for Solr standalone mode.

 


> RuleBasedAuthorizationPlugin is not fully functional in Solr standalone mode
> ----------------------------------------------------------------------------
>
>                 Key: SOLR-13097
>                 URL: https://issues.apache.org/jira/browse/SOLR-13097
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authentication
>    Affects Versions: 6.6.5, 7.5
>            Reporter: Dominique Béjean
>            Priority: Major
>
> In Solr standalone mode, the collections element of the request context is not populated with the core name.
> For instance, the following request:
> {{[http://user1:xxxxxx@localhost:8983/solr/biblio/select?indent=on&q=*:*&wt=json]}}
> reports this in the log:
> {{2018-12-30 12:24:52.102 INFO (qtp1731656333-20) [ x:biblio] o.a.s.s.HttpSolrCall USER_REQUIRED auth header Basic Mjox context : userPrincipal: [[principal: 2]] type: [READ], collections: [], Path: [/select] path : /select params :q=*:*&indent=on&wt=json}}
> The consequence is that RuleBasedAuthorizationPlugin is not able to apply this kind of permission:
> {{{"name":"read-biblio",}}
> {{ "path":"/select",}}
> {{ "role":["admin","read","r1"],}}
> {{ "collection":"biblio",}}
> {{ "index":2}}}
> In SolrCloud mode, in the init() method of HttpSolrCall.java, the collections element is populated with either the collection name matching the core name in the request or the collection names provided in the collection parameter.
> {{if (cores.isZooKeeperAware()) {}}
> {{    // init collectionList (usually one name but not when there are aliases)}}
> {{    String def = core != null ? core.getCoreDescriptor().getCollectionName() : origCorename;}}
> {{    collectionsList = resolveCollectionListOrAlias(queryParams.get(COLLECTION_PROP, def)); // &collection= takes precedence}}
> {{    ...}}
>
> I expect the init() method could be improved in order to populate the collections element with the core name for Solr standalone mode.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org

