Re: Issues with Authentication / Role based authorization

2016-05-11 Thread shamik
Brian,

  Thanks for your reply. My first post was a bit convoluted; I tried to explain
the issue in the subsequent post. Here's the security JSON. I've assigned solr and
beehive the admin role, which allows them to have access to "update"
and "read". This works as expected. I add a new role "browseRole" in order
to restrict a certain user to only have access to browse on the gettingstarted
collection.

{
  "authorization.enabled": true,
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {
      "solr": "admin",
      "beehive": [
        "admin"
      ],
      "dev": [
        "browseRole"
      ]
    },
    "permissions": [
      {
        "name": "update",
        "role": "admin"
      },
      {
        "name": "read",
        "role": "admin"
      },
      {
        "name": "browse",
        "collection": "gettingstarted",
        "path": "/browse",
        "role": "browseRole"
      }
    ],
    "": {
      "v": 6
    }
  }
}

But when I log in as "dev", I seem to have similar access to "solr" and
"beehive": "dev" can add/delete data, create collections, etc. Will the order
of the permissions matter here even though "dev" is assigned to a specific
role?

--
View this message in context: 
http://lucene.472066.n3.nabble.com/Issues-with-Authentication-Role-based-authorization-tp4276024p4276203.html
Sent from the Solr - User mailing list archive at Nabble.com.


Re: Issues with Authentication / Role based authorization

2016-05-11 Thread Brian J. Vanecek
I can't say I followed your entire example, but I think you're running 
into a couple of issues:

1) Users don't get any roles by default. So, when your initial setup 
includes this:

  {
    "name": "all",
    "role": "all"
  }

but nobody has the "all" role, it doesn't surprise me that it rejected 
your request.

2) Roles are not hierarchical. Again looking at your initial configuration 
file, giving the "solr" user the "admin" role only gives it access to the 
security-edit functionality. It won't have access to anything else. Even 
though "admin" might imply access to everything or all roles, it doesn't 
actually mean anything. It is just a name. This applies to the "all" role 
as well.

3) Rules are checked in order, and the first matching rule is utilized. In 
that first example again, the "all" rule is going to match any request, so 
basically it is like the rules underneath it don't exist. Solr will never 
even consider them, as a request would match the "all" rule first. You 
need to order rules where you put the most specific rules first and the 
most general ones last.

- Brian Vanecek

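The three points above (no default roles, role names are plain labels, first matching rule wins) can be checked mechanically before a permissions list is pushed to ZooKeeper. The following is an added example, not Solr's own code and not posted by anyone in this thread: a small evaluator that walks a `permissions` list in order, the way the reply describes, and reports which rules are shadowed by an earlier catch-all. The mapping of predefined permission names (`read`, `update`, `security-edit`, `all`) to handler paths, the path-matching rules, and the behaviour when no rule matches (assumed to be "allow" here, via `unmatched_allowed`) are simplifications for the demo; confirm them against the documentation for your Solr version. The configurations are constructed in the shape of the `security.json` shown in the thread.

```python
# Added example: toy evaluator for Solr-style RuleBasedAuthorizationPlugin
# permission lists. Not Solr code; it encodes the rules from the reply above
# (no default roles, roles are plain labels, first matching rule decides).

# Simplified stand-in for Solr's predefined permission names: which handler
# paths each name is assumed to cover in this demo (an assumption, not Solr's
# real tables).
PREDEFINED_PATHS = {
    "read": ["/select/*", "/get", "/browse"],
    "update": ["/update", "/update/*"],
    "security-edit": ["/admin/authentication", "/admin/authorization"],
    "all": ["*"],
}


def path_matches(pattern, path):
    """Simplified matching: '*' matches everything, a trailing '/*' matches
    the prefix itself and anything under it, otherwise exact match."""
    if pattern == "*":
        return True
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern


def rule_matches(rule, request):
    """Does this permission entry apply to the request at all?
    Whether the user holds the required role is a separate question."""
    collection = rule.get("collection")
    if collection is not None and collection != request.get("collection"):
        return False
    if "path" in rule:
        return path_matches(rule["path"], request["path"])
    patterns = PREDEFINED_PATHS.get(rule["name"], [])
    return any(path_matches(p, request["path"]) for p in patterns)


def roles_of(user_role, user):
    """Point 1: a user has no roles unless listed. A single role may be a
    bare string in security.json, so normalise to a list."""
    roles = user_role.get(user, [])
    return [roles] if isinstance(roles, str) else list(roles)


def authorize(authz, user, request, unmatched_allowed=True):
    """Point 3: walk the permissions in order; the first rule that matches
    the request decides, by checking the role as a plain label (point 2).
    Returns True (allow) or False (deny). What happens when no rule matches
    is an assumption of this demo (unmatched_allowed)."""
    roles = roles_of(authz["user-role"], user)
    for rule in authz["permissions"]:
        if rule_matches(rule, request):
            return rule["role"] in roles
    return unmatched_allowed


def shadowed_rules(permissions):
    """Names of rules that can never fire because an earlier unrestricted
    'all' rule already matches every request."""
    for i, rule in enumerate(permissions):
        if rule["name"] == "all" and "collection" not in rule and "path" not in rule:
            return [r["name"] for r in permissions[i + 1:]]
    return []


# Constructed configurations in the shape of the thread's security.json.
BAD_ORDER = {
    "user-role": {"solr": "admin"},
    "permissions": [
        {"name": "all", "role": "all"},          # nobody holds the "all" role
        {"name": "update", "role": "admin"},     # shadowed by the rule above
        {"name": "read", "role": "admin"},       # shadowed by the rule above
    ],
}
GOOD_ORDER = {
    "user-role": {"solr": "admin", "superuser": ["browseRole", "selectRole"]},
    "permissions": [
        {"name": "security-edit", "role": "admin"},
        {"name": "browse", "collection": "gettingstarted", "path": "/browse",
         "role": "browseRole"},                  # specific rule before "read"
        {"name": "update", "role": "admin"},
        {"name": "read", "role": "admin"},
        {"name": "all", "role": "admin"},        # catch-all goes last
    ],
}

if __name__ == "__main__":
    req = {"collection": "gettingstarted", "path": "/update"}
    print("bad order, solr /update:", authorize(BAD_ORDER, "solr", req))
    print("shadowed rules:", shadowed_rules(BAD_ORDER["permissions"]))
    print("good order, solr /update:", authorize(GOOD_ORDER, "solr", req))
    admin_req = {"collection": None, "path": "/admin/authorization"}
    print("superuser security-edit:", authorize(GOOD_ORDER, "superuser", admin_req))
```

Running it shows the reply's points on the thread's own shapes: with the `all` rule first, even `solr` (admin) is denied `/update`, because the catch-all matches first and nobody holds the `all` role; with the specific `browse` rule placed before the broader `read` rule, `superuser` reaches `/browse` on `gettingstarted`, and swapping those two rules denies it; a user absent from `user-role` is denied by every matching rule.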


Re: Issues with Authentication / Role based authorization

2016-05-11 Thread shamik
Anyone ?

--
View this message in context: 
http://lucene.472066.n3.nabble.com/Issues-with-Authentication-Role-based-authorization-tp4276024p4276153.html
Sent from the Solr - User mailing list archive at Nabble.com.


Re: Issues with Authentication / Role based authorization

2016-05-10 Thread shamik
client.solrj.impl.LBHttpSolrClient.doRequest(LBHttpSolrClient.java:372)
at org.apache.solr.client.solrj.impl.LBHttpSolrClient.request(LBHttpSolrClient.java:325)
at org.apache.solr.handler.component.HttpShardHandlerFactory.makeLoadBalancedRequest(HttpShardHandlerFactory.java:246)
at org.apache.solr.handler.component.HttpShardHandler$1.call(HttpShardHandler.java:201)
at org.apache.solr.handler.component.HttpShardHandler$1.call(HttpShardHandler.java:163)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at org.apache.solr.common.util.ExecutorUtil$MDCAwareThreadPoolExecutor$1.run(ExecutorUtil.java:231)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

This changed the authorization realm for some reason. If I log back in as
"solr" or "superuser", I can no longer access request handlers, which was
possible before adding the two new roles, i.e. "browseRole" and "selectRole". I
went back and assigned "superuser" to these roles; only after that was it
able to access the request handlers, though with the above exceptions.

Here's authentication :

{
  "responseHeader": {
    "status": 0,
    "QTime": 0
  },
  "authentication.enabled": true,
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "solr": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=",
      "superuser": "SOkYlwKY6aW0Tr31o9xE3etyR6XHNtxw2fSY80s1CZs= LFOQr7kQefru9L/F/l3ORPiJNzMGmS5xzVcxcYE5GL0=",
      "beehive": "NRWjSrEYDEh3ZrIVKV/3GvVT46rMxRLXI0cmyAD132E= vUg7DcwOj4hMGRi8Fjya4guhuz7L1dM8HvvXKzVHI8M="
    },
    "": {
      "v": 2
    }
  }
}

And authorization:
{
  "responseHeader": {
    "status": 0,
    "QTime": 0
  },
  "authorization.enabled": true,
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {
      "solr": "admin",
      "superuser": [
        "browseRole",
        "selectRole"
      ],
      "beehive": [
        "browseRole",
        "selectRole"
      ]
    },
    "permissions": [
      {
        "name": "security-edit",
        "role": "admin"
      },
      {
        "name": "select",
        "collection": "gettingstarted",
        "path": "/select/*",
        "role": "selectRole"
      },
      {
        "name": "browse",
        "collection": "gettingstarted",
        "path": "/browse",
        "role": "browseRole"
      }
    ],
    "": {
      "v": 7
    }
  }
}

I was under the impression that these roles are independent of each other and
that, based on the assignment, individual users should be able to access their
respective areas. On a related note, I was not able to make roles like
"all" and "read" work.

Not sure what I'm doing wrong here. Any feedback will be appreciated.

Thanks,
Shamik

--
View this message in context: 
http://lucene.472066.n3.nabble.com/Issues-with-Authentication-Role-based-authorization-tp4276024p4276056.html
Sent from the Solr - User mailing list archive at Nabble.com.