Re: Issues with Authentication / Role based authorization
Brian, thanks for your reply. My first post was a bit convoluted; I tried to explain the issue in the subsequent post. Here's a security JSON. I have assigned solr and beehive the admin role, which allows them to have access to "update" and "read". This works as expected. I add a new role "browseRole" in order to restrict a certain user to only have access to browse on the gettingstarted collection.

{
  "authorization.enabled": true,
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {
      "solr": "admin",
      "beehive": ["admin"],
      "dev": ["browseRole"]
    },
    "permissions": [
      {"name": "update", "role": "admin"},
      {"name": "read", "role": "admin"},
      {"name": "browse", "collection": "gettingstarted", "path": "/browse", "role": "browseRole"}
    ],
    "": {"v": 6}
  }
}

But when I log in as "dev", I seem to have similar access to "solr" and "beehive". "dev" can add/delete data, create collections, etc. Will the order of the permissions matter here even though "dev" is assigned to a specific role?

-- View this message in context: http://lucene.472066.n3.nabble.com/Issues-with-Authentication-Role-based-authorization-tp4276024p4276203.html Sent from the Solr - User mailing list archive at Nabble.com.
Re: Issues with Authentication / Role based authorization
I can't say I followed your entire example, but I think you're running into a couple of issues:

1) Users don't get any roles by default. So, when your initial setup includes this: { "name": "all", "role": "all" } but nobody has the "all" role, it doesn't surprise me that it rejected your request.

2) Roles are not hierarchical. Again looking at your initial configuration file, giving the "solr" user the "admin" role only gives it access to the security-edit functionality. It won't have access to anything else. Even though "admin" might imply access to everything or all roles, it doesn't actually mean anything. It is just a name. The same applies to the "all" role as well.

3) Rules are checked in order, and the first matching rule is utilized. In that first example again, the "all" rule is going to match any request, so basically it is like the rules underneath it don't exist. Solr will never even consider them, as a request would match the "all" rule first. You need to order rules where you put the most specific rules first and the most general ones last.

- Brian Vanecek
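To make the three points above concrete, here is a small Python model of first-match, flat-role evaluation run over the two rule orderings from this thread (the "all"-first layout from the initial post, and the same rules with the specific ones first). It is an added example, not Solr's own code and not Brian's; the handler paths mapped to each predefined permission name, and the choice to let a request through when no rule matches it at all, are simplifying assumptions of the model, so confirm both against the reference guide for your Solr version before relying on them.

```python
"""Toy model of first-match, flat-role authorization (not Solr's implementation)."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional, Sequence

# Assumption: simplified stand-ins for Solr's predefined permission names.
# Real Solr resolves these to handler paths internally; these patterns only
# cover the handlers this thread talks about.
PREDEFINED = {
    "all": ["/*"],
    "read": ["/select", "/get", "/browse", "/export"],
    "update": ["/update", "/update/*"],
    "security-edit": ["/admin/authentication", "/admin/authorization"],
    "collection-admin-edit": ["/admin/collections"],
}


@dataclass
class Permission:
    name: str
    role: Sequence[str]               # roles that satisfy this rule
    collection: Optional[str] = None  # None = any collection
    path: Optional[str] = None        # explicit path overrides the predefined one

    def matches(self, collection, path):
        if self.collection is not None and self.collection != collection:
            return False
        patterns = [self.path] if self.path else PREDEFINED.get(self.name, [])
        return any(fnmatch(path, p) for p in patterns)


@dataclass
class Policy:
    user_role: dict    # user -> list of roles; plain strings, no hierarchy
    permissions: list  # checked top to bottom, first matching rule decides

    def decide(self, user, collection, path):
        roles = set(self.user_role.get(user, []))  # no roles unless assigned
        for p in self.permissions:
            if p.matches(collection, path):
                return ("ALLOW" if roles & set(p.role) else "DENY", p.name)
        # Assumption of the model: a request no rule matches is let through.
        return ("ALLOW", None)


USERS = {"solr": ["admin"], "dev": ["browseRole"]}
BROWSE = Permission("browse", ["browseRole"], collection="gettingstarted", path="/browse")


def catch_all_first():
    """The initial layout: "all" sits first and nobody holds the "all" role."""
    pol = Policy(USERS, [Permission("all", ["all"]),
                         Permission("security-edit", ["admin"]),
                         BROWSE])
    return {"solr edits security": pol.decide("solr", None, "/admin/authorization"),
            "dev browses": pol.decide("dev", "gettingstarted", "/browse")}


def specific_first():
    """Specific rules first, the catch-all last and held by a real role."""
    pol = Policy(USERS, [BROWSE,
                         Permission("security-edit", ["admin"]),
                         Permission("update", ["admin"]),
                         Permission("collection-admin-edit", ["admin"]),
                         Permission("all", ["admin"])])
    return {"dev browses": pol.decide("dev", "gettingstarted", "/browse"),
            "dev updates": pol.decide("dev", "gettingstarted", "/update"),
            "dev creates collection": pol.decide("dev", None, "/admin/collections"),
            "solr browses": pol.decide("solr", "gettingstarted", "/browse"),
            "solr selects": pol.decide("solr", "gettingstarted", "/select")}


def no_catch_all():
    """Only update/read/browse rules: anything else falls off the end of the list."""
    pol = Policy(USERS, [Permission("update", ["admin"]),
                         Permission("read", ["admin"]),
                         BROWSE])
    return {"dev updates": pol.decide("dev", "gettingstarted", "/update"),
            "dev creates collection": pol.decide("dev", None, "/admin/collections")}


if __name__ == "__main__":
    for fn in (catch_all_first, specific_first, no_catch_all):
        print(fn.__name__)
        for req, verdict in fn().items():
            print(f"  {req:24} -> {verdict}")
```

Two things the run makes visible: in `specific_first`, the "solr" user is denied `/browse` even though it holds "admin", because the browse rule names only "browseRole" and the name "admin" carries no implied superset; and in `no_catch_all`, a request to the Collections API matches no rule, so under the model's permissive default it is allowed, which is the kind of gap a final, general rule is there to close.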
Re: Issues with Authentication / Role based authorization
Anyone?
Re: Issues with Authentication / Role based authorization
client.solrj.impl.LBHttpSolrClient.doRequest(LBHttpSolrClient.java:372)
at org.apache.solr.client.solrj.impl.LBHttpSolrClient.request(LBHttpSolrClient.java:325)
at org.apache.solr.handler.component.HttpShardHandlerFactory.makeLoadBalancedRequest(HttpShardHandlerFactory.java:246)
at org.apache.solr.handler.component.HttpShardHandler$1.call(HttpShardHandler.java:201)
at org.apache.solr.handler.component.HttpShardHandler$1.call(HttpShardHandler.java:163)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at org.apache.solr.common.util.ExecutorUtil$MDCAwareThreadPoolExecutor$1.run(ExecutorUtil.java:231)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

This changed the authorization realm for some reason. If I log back in as "solr" or "superuser", I could no longer access request handlers, which was possible before adding the two new roles, i.e. "browseRole" and "selectRole". I went back and assigned "superuser" to these roles; only after that was it able to access the request handlers, though with the above exceptions.
Here's authentication:

{
  "responseHeader": {"status": 0, "QTime": 0},
  "authentication.enabled": true,
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "solr": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=",
      "superuser": "SOkYlwKY6aW0Tr31o9xE3etyR6XHNtxw2fSY80s1CZs= LFOQr7kQefru9L/F/l3ORPiJNzMGmS5xzVcxcYE5GL0=",
      "beehive": "NRWjSrEYDEh3ZrIVKV/3GvVT46rMxRLXI0cmyAD132E= vUg7DcwOj4hMGRi8Fjya4guhuz7L1dM8HvvXKzVHI8M="
    },
    "": {"v": 2}
  }
}

And authorization:

{
  "responseHeader": {"status": 0, "QTime": 0},
  "authorization.enabled": true,
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {
      "solr": "admin",
      "superuser": ["browseRole", "selectRole"],
      "beehive": ["browseRole", "selectRole"]
    },
    "permissions": [
      {"name": "security-edit", "role": "admin"},
      {"name": "select", "collection": "gettingstarted", "path": "/select/*", "role": "selectRole"},
      {"name": "browse", "collection": "gettingstarted", "path": "/browse", "role": "browseRole"}
    ],
    "": {"v": 7}
  }
}

I was under the impression that these roles are independent of each other; based on the assignment, each individual user should be able to access their respective areas. On a related note, I was not able to make roles like "all" and "read" work. Not sure what I'm doing wrong here. Any feedback will be appreciated.

Thanks,
Shamik