ctargett commented on a change in pull request #924: SOLR-13820: Improve RBAP documentation URL: https://github.com/apache/lucene-solr/pull/924#discussion_r332027528
########## File path: solr/solr-ref-guide/src/rule-based-authorization-plugin.adoc ########## 
@@ -129,67 +218,55 @@ The pre-defined permissions are: * *read*: this permission is allowed to perform any read action on any collection. This includes querying using search handlers (using <<requesthandlers-and-searchcomponents-in-solrconfig.adoc#searchhandlers,request handlers>>) such as `/select`, `/get`, `/browse`, `/tvrh`, `/terms`, `/clustering`, `/elevate`, `/export`, `/spell`, `/clustering`, and `/sql`. This applies to all collections by default ( `collection:"*"` ). * *all*: Any requests coming to Solr. -== Authorization API +=== Permission Ordering and Resolution -=== Authorization API Endpoint +The permission syntax discussed above doesn't do anything to prevent multiple permissions from overlapping and applying to the same Solr APIs. In cases where multiple permissions match an incoming request, Solr chooses the first matching permission and ignores all others - even if those other permissions would match the incoming request! -`/admin/authorization`: takes a set of commands to create permissions, map permissions to roles, and map roles to users. +Since Solr only uses the first matching permission it finds, it's important for administrators to understand what ordering Solr uses when processing the permission list. -=== Manage Permissions +The ordering Solr users is complicated. Solr tries to check first any permissions which are specific or relevant to the incoming request, only moving on to more general permissions if none of the more-specific ones match. In effect, this means that different requests may check the same permissions in very different orders. -Three commands control managing permissions: +If the incoming request is collection-agnostic (doesn't apply to a paritcular collection), Solr checks permissions in the following order: +. 
Permissions with a `collection` value of `null` and a `path` value matching the request's request handler Review comment: This isn't displaying right it seems - I believe you need a line break before the numbered list starts.
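Review bot: two typos in the added "Permission Ordering and Resolution" text need fixing before merge: `The ordering Solr users is complicated` should read `The ordering Solr uses is complicated`, and `paritcular collection` should be `particular collection`. In the same hunk, the `read` permission's handler list names `/clustering` twice; drop the second occurrence. Since the section's key point is that only the first matching permission is applied, it would also help administrators to say in one sentence that a broad permission placed ahead of a narrower one silently shadows it, which is the practical consequence of the ordering rules being introduced here.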