Re: RuleBasedAuthorizationPlugin configuration

2019-03-05 Thread Aroop Ganguly
Hi Dominique

Were you able to resolve this ?
I am also stuck with understanding a minimal permission-set to give to a 
readonly user to read from the /select endpoint.

Regards
Aroop




Re: RuleBasedAuthorizationPlugin configuration

2019-01-01 Thread Dominique Bejean
Hi,

I created a Jira issue
https://issues.apache.org/jira/browse/SOLR-13097

Regards.

Dominique




Re: RuleBasedAuthorizationPlugin configuration

2018-12-31 Thread Dominique Bejean
Hi,

In debugging mode, I discovered that only in SolrCloud mode the collection
name is extracted from the request path in the init() method of
HttpSolrCall.java

    if (cores.isZooKeeperAware()) {
      // init collectionList (usually one name but not when there are aliases)
      ...
    }

So in Solr standalone mode, only authentication is fully functional, not
authorization!

Regards.

Dominique







Re: RuleBasedAuthorizationPlugin configuration

2018-12-30 Thread Dominique Bejean
Hi,

After reading the log file more carefully, here is my understanding.

The request

http://2:xx@localhost:8983/solr/biblio/select?indent=on=*:*=json

reports this in the log

2018-12-30 12:24:52.102 INFO  (qtp1731656333-20) [   x:biblio]
o.a.s.s.HttpSolrCall USER_REQUIRED auth header Basic Mjox context :
userPrincipal: [[principal: 2]] type: [READ], collections: [], Path:
[/select] path : /select params :q=*:*=on=json

collections is empty, so it looks like "/select" is not collection specific
and so it is not possible to define read access by collection.

Can someone confirm ?

Regards

Dominique
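
Added example (not part of the original posts, and not Solr code): a small Python check for the symptom described in this thread, a request that reaches a core while the authorization context logged by HttpSolrCall has an empty collections list, so collection-scoped permissions have nothing to match. The function names and the second sample line are constructed for illustration, the auth header value is redacted, and the format of a non-empty collections list is an assumption.

```python
import re

# Matches the HttpSolrCall authorization log line format quoted in this thread.
AUTH_RE = re.compile(
    r"\[\s*(?P<mdc>[^\]]*)\]\s+o\.a\.s\.s\.HttpSolrCall\s+(?P<status>\w+)\s+auth header"
    r".*?userPrincipal: \[\[principal: (?P<principal>[^\]]+)\]\]\s+type: \[(?P<type>\w+)\],"
    r"\s+collections: \[(?P<collections>[^\]]*)\],\s+Path: \[(?P<path>[^\]]*)\]"
)

def parse_auth_line(line):
    """Return the authorization context fields of one log line, or None."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    # MDC tokens look like "x:biblio" (core name); keep them as a small dict.
    mdc = dict(tok.split(":", 1) for tok in m["mdc"].split() if ":" in tok)
    names = [c.strip() for c in m["collections"].split(",") if c.strip()]
    return {"status": m["status"], "principal": m["principal"], "type": m["type"],
            "core": mdc.get("x"), "collections": names, "path": m["path"]}

def unscoped_requests(lines):
    """Requests that reached a core but carried no collection name."""
    hits = []
    for line in lines:
        ctx = parse_auth_line(line)
        if ctx and ctx["core"] and not ctx["collections"]:
            hits.append((ctx["principal"], ctx["core"], ctx["path"], ctx["status"]))
    return hits

SAMPLE_LOG = [
    # Line from the thread (standalone mode), re-joined; auth header redacted.
    "2018-12-30 12:24:52.102 INFO  (qtp1731656333-20) [   x:biblio] "
    "o.a.s.s.HttpSolrCall USER_REQUIRED auth header <redacted> context : "
    "userPrincipal: [[principal: 2]] type: [READ], collections: [], Path: "
    "[/select] path : /select params :q=*:*=on=json",
    # Constructed line: a request whose collection list is populated.
    "2018-12-30 12:25:10.000 INFO  (qtp1731656333-21) "
    "[c:biblio s:shard1 r:core_node2 x:biblio_shard1_replica_n1] "
    "o.a.s.s.HttpSolrCall USER_REQUIRED auth header <redacted> context : "
    "userPrincipal: [[principal: 1]] type: [READ], collections: [biblio], "
    "Path: [/select] path : /select params :q=*:*",
]

if __name__ == "__main__":
    for principal, core, path, status in unscoped_requests(SAMPLE_LOG):
        print(f"user {principal}: {path} on core {core} has no collection ({status})")
```
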







RuleBasedAuthorizationPlugin configuration

2018-12-21 Thread Dominique Bejean
Hi,

I am trying to configure security.json file, in order to define the
following users and permissions :

   - user "admin" with all permissions on all collections
   - user "read" with read permissions on all collections
   - user "1" with only read permissions on biblio collection
   - user "2" with only read permissions on personnes collection

Here is my security.json file

{
  "authentication":{
    "blockUnknown":true,
    "class":"solr.BasicAuthPlugin",
    "credentials":{
      "admin":"4uwfcjV7bCqOdLF/Qn2wiTyC7zIWN6lyA1Bgp1yqZj0= 7PCh68vhIlZXg1l45kSlvGKowMg1bm/L3eSfgT5dzjs=",
      "read":"azUFSo9/plsGkQGhSQuk8YXoir22pALVpP8wFkd7wlk= gft4wNAeuvz7P8bv/Jv6TK94g516/qXe9cFWe/VlhDo=",
      "1":"azUFSo9/plsGkQGhSQuk8YXoir22pALVpP8wFkd7wlk= gft4wNAeuvz7P8bv/Jv6TK94g516/qXe9cFWe/VlhDo=",
      "2":"azUFSo9/plsGkQGhSQuk8YXoir22pALVpP8wFkd7wlk= gft4wNAeuvz7P8bv/Jv6TK94g516/qXe9cFWe/VlhDo="},
    "":{"v":0}},
  "authorization":{
    "class":"solr.RuleBasedAuthorizationPlugin",
    "permissions":[
      {
        "name":"all",
        "role":"admin",
        "index":1},
      {
        "name":"read-biblio",
        "path":"/select",
        "role":["admin","read","r1"],
        "collection":"biblio",
        "index":2},
      {
        "name":"read-personnes",
        "path":"/select",
        "role":["admin","read","r2"],
        "collection":"personnes",
        "index":3},
      {
        "name":"read",
        "collection":"*",
        "role":["admin","read"],
        "index":4}],
    "user-role":{
      "admin":"admin",
      "read":"read",
      "1":"r1",
      "2":"r2"}
  }
}


I have 403 errors for user 1 on biblio and user 2 on personnes while
using the "/select" requestHandler. However, according to the r1 and r2 roles
and the permissions order, the access should be allowed.

I have duplicated the TestRuleBasedAuthorizationPlugin.java class in order
to test these exact same permissions and roles. checkRules reports access
is allowed !!!

I don't understand where the problem is. Any ideas?

Regards

Dominique