Ken Liccardo created SOLR-15202:
-----------------------------------
Summary: Rule-Based Authorization Plugin not honoring "collection"
permission parameter
Key: SOLR-15202
URL: https://issues.apache.org/jira/browse/SOLR-15202
Project: Solr
Issue Type: Bug
Security Level: Public (Default Security Level. Issues are Public)
Components: Authorization
Affects Versions: 8.8.1
Environment: Debian Buster, openjdk 11, Solr 8.8.1 stand-alone,
installed as a service
Reporter: Ken Liccardo
It appears the "collection" parameter of authorization.permissions in
security.json is not honored. That is, a request made to a collection endpoint
by an unauthorized user(role) is allowed. For example, consider the following
permissions entry in authorization section of security.json:
{{"permissions":[\{"name":"p1","collection":"col1","path":"/select","role":"col1-query"}]}}
A user who is NOT assigned role "col1-query" may still query this collection at
the following endpoint:
{{[/solr/col1/select?q=id%3A*|http://myserver/solr/col1/select?q=id%3A*]}}
However, if the "collection" parameter is removed from the permissions as
follows:
{{"permissions":[\{"name":"p1","path":"/select","role":"col1-query}]}}
then a user who is NOT assigned role "col1-query" is rightfully blocked from
the endpoint with error 403.
In other words, the "collection" parameter, when present in security.json
authorization.permissions section, is not being matched against the request,
and therefore the restriction represented by this permissions entry is not
enacted.
After further investigation by turning on debug logging for the
RuleBasedAuthorizationPlugin and RuleBasedAuthorizationPluginBase, the
authorization request is logged as follows:
{{o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to
[/select] of type: [READ], associated with collections[[]]}}
So, even thought the request was made to collection "col1", for some reason
this information is not being passed to the plugin, as represented by the empty
collections array in the log message "... associated with collections [[ ]]".
In the java code, RuleBasedAuthorizationPluginBase.java, this information
appears to come from context.getCollectionRequests(), which appears to be
returning an empty array [ ] instead of, I suppose, ["col1"] that one might
expect from the request /solr/col1/select.
Whether this is a problem in solr.RuleBasedAuthorizationPlugin, or in whatever
module passes the context object to the Plugin, I do not know at this point.
But whatever the case, it renders impotent the potentially highly useful
"collection" parameter that would allow us to restrict access by collection
name.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org
