lucene-solr-user mailing list archives

From Dominique Bejean <dominique.bej...@eolya.fr>
Subject Re: RuleBasedAuthorizationPlugin configuration
Date Wed, 02 Jan 2019 07:23:13 GMT
Hi,

I created a Jira issue
https://issues.apache.org/jira/browse/SOLR-13097

Regards.

Dominique


On Mon, 31 Dec 2018 at 11:26, Dominique Bejean <dominique.bejean@eolya.fr>
wrote:

> Hi,
>
> In debugging mode, I discovered that only in SolrCloud mode is the collection
> name extracted from the request path in the init() method of
> HttpSolrCall.java
>
>    if (cores.isZooKeeperAware()) {
>       // init collectionList (usually one name but not when there are aliases)
>       ...
>     }
>
> So in Solr standalone mode, only authentication is fully functional, not
> authorization!
>
> Regards.
>
> Dominique
>
> On Sun, 30 Dec 2018 at 13:40, Dominique Bejean <dominique.bejean@eolya.fr>
> wrote:
>
>> Hi,
>>
>> After reading more carefully the log file, here is my understanding.
>>
>> The request
>>
>> http://2:xxxxxx@localhost:8983/solr/biblio/select?indent=on&q=*:*&wt=json
>>
>>
>> reports this in the log
>>
>> 2018-12-30 12:24:52.102 INFO  (qtp1731656333-20) [   x:biblio]
>> o.a.s.s.HttpSolrCall USER_REQUIRED auth header Basic Mjox context :
>> userPrincipal: [[principal: 2]] type: [READ], collections: [], Path:
>> [/select] path : /select params :q=*:*&indent=on&wt=json
>>
>> collections is empty, so it looks like "/select" is not collection
>> specific and so it is not possible to define read access by collection.
>>
>> Can someone confirm?
>>
>> Regards
>>
>> Dominique
>>
>> On Fri, 21 Dec 2018 at 10:46, Dominique Bejean <dominique.bejean@eolya.fr>
>> wrote:
>>
>>> Hi,
>>>
>>> I am trying to configure the security.json file, in order to define the
>>> following users and permissions:
>>>
>>>    - user "admin" with all permissions on all collections
>>>    - user "read" with read permissions on all collections
>>>    - user "1" with only read permissions on the biblio collection
>>>    - user "2" with only read permissions on the personnes collection
>>>
>>> Here is my security.json file
>>>
>>> {
>>>   "authentication":{
>>>     "blockUnknown":true,
>>>     "class":"solr.BasicAuthPlugin",
>>>     "credentials":{
>>>       "admin":"4uwfcjV7bCqOdLF/Qn2wiTyC7zIWN6lyA1Bgp1yqZj0= 7PCh68vhIlZXg1l45kSlvGKowMg1bm/L3eSfgT5dzjs=",
>>>       "read":"azUFSo9/plsGkQGhSQuk8YXoir22pALVpP8wFkd7wlk= gft4wNAeuvz7P8bv/Jv6TK94g516/qXe9cFWe/VlhDo=",
>>>       "1":"azUFSo9/plsGkQGhSQuk8YXoir22pALVpP8wFkd7wlk= gft4wNAeuvz7P8bv/Jv6TK94g516/qXe9cFWe/VlhDo=",
>>>       "2":"azUFSo9/plsGkQGhSQuk8YXoir22pALVpP8wFkd7wlk= gft4wNAeuvz7P8bv/Jv6TK94g516/qXe9cFWe/VlhDo="},
>>>     "":{"v":0}},
>>>   "authorization":{
>>>     "class":"solr.RuleBasedAuthorizationPlugin",
>>>     "permissions":[
>>>       {
>>>         "name":"all",
>>>         "role":"admin",
>>>         "index":1},
>>>       {
>>>         "name":"read-biblio",
>>>         "path":"/select",
>>>         "role":["admin","read","r1"],
>>>         "collection":"biblio",
>>>         "index":2},
>>>       {
>>>         "name":"read-personnes",
>>>         "path":"/select",
>>>         "role":["admin","read","r2"],
>>>         "collection":"personnes",
>>>         "index":3},
>>>       {
>>>         "name":"read",
>>>         "collection":"*",
>>>         "role":["admin","read"],
>>>         "index":4}],
>>>     "user-role":{
>>>       "admin":"admin",
>>>       "read":"read",
>>>       "1":"r1",
>>>       "2":"r2"}
>>>   }
>>> }
>>>
>>>
>>> I get 403 errors for user 1 on biblio and user 2 on personnes while
>>> using the "/select" requestHandler. However, according to the r1 and r2 roles
>>> and the permissions order, access should be allowed.
>>>
>>> I have duplicated the TestRuleBasedAuthorizationPlugin.java class in
>>> order to test these exact same permissions and roles. checkRules reports
>>> that access is allowed!!!
>>>
>>> I don't understand where the problem is. Any ideas?
>>>
>>> Regards
>>>
>>> Dominique
>>>
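A small model of the ordered, first-match rule evaluation this thread describes, added here as an illustration (it is not Solr's RuleBasedAuthorizationPlugin code): when the request carries no collection, as in the `collections: []` log line above, the collection-scoped rules can never match and user 2 falls through to the "read" rule, which does not grant r2. Assumptions: the predefined "all" permission is left out of the model, a rule with "collection": "*" matches a request with an empty collection list, and a rule with no "path" matches any path.

```python
# Simplified model of first-match permission evaluation; not Solr's own code.
# Assumptions (see lead-in): "all" omitted, "*" matches even an empty collection
# list, a rule without "path" matches every path, and no rule at all denies.
PERMISSIONS = [  # same rules, same order as the security.json in the thread
    {"name": "read-biblio", "path": "/select",
     "role": ["admin", "read", "r1"], "collection": "biblio"},
    {"name": "read-personnes", "path": "/select",
     "role": ["admin", "read", "r2"], "collection": "personnes"},
    {"name": "read", "collection": "*", "role": ["admin", "read"]},
]
USER_ROLES = {"admin": {"admin"}, "read": {"read"}, "1": {"r1"}, "2": {"r2"}}


def rule_matches(rule, path, collections):
    """True if the rule's path and collection constraints fit the request."""
    if "path" in rule and rule["path"] != path:
        return False
    coll = rule.get("collection")
    if coll is None or coll == "*":
        return True
    # A named collection only matches when the request actually resolved it;
    # an empty list (standalone mode in the thread) never does.
    return coll in collections


def authorize(user, path, collections):
    """Return (status, rule name) for the first rule that matches the request:
    200 if the user holds one of its roles, 403 otherwise."""
    roles = USER_ROLES.get(user, set())
    for rule in PERMISSIONS:
        if rule_matches(rule, path, collections):
            allowed = bool(roles & set(rule["role"]))
            return (200 if allowed else 403), rule["name"]
    return 403, None  # deny by default; unreachable with the rules above


if __name__ == "__main__":
    # Standalone mode as logged: collection list empty despite /solr/biblio/select
    print(authorize("2", "/select", []))             # (403, 'read')
    # SolrCloud mode: collection extracted from the path, scoped rule wins
    print(authorize("2", "/select", ["personnes"]))  # (200, 'read-personnes')
    print(authorize("2", "/select", ["biblio"]))     # (403, 'read-biblio')
```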
