Re: RuleBasedAuthorizationPlugin configuration
Hi Dominique,

Were you able to resolve this? I am also stuck with understanding a minimal permission-set to give to a readonly user to read from the /select endpoint.

Regards
Aroop

> On Jan 1, 2019, at 11:23 PM, Dominique Bejean wrote:
Re: RuleBasedAuthorizationPlugin configuration
Hi,

I created a Jira issue
https://issues.apache.org/jira/browse/SOLR-13097

Regards.

Dominique

On Mon, Dec 31, 2018 at 11:26, Dominique Bejean wrote:
Re: RuleBasedAuthorizationPlugin configuration
Hi,

In debugging mode, I discovered that only in SolrCloud mode is the collection name extracted from the request path in the init() method of HttpSolrCall.java:

    if (cores.isZooKeeperAware()) {
      // init collectionList (usually one name but not when there are aliases)
      ...
    }

So in Solr standalone mode, only authentication is fully functional, not authorization!

Regards.

Dominique

On Sun, Dec 30, 2018 at 13:40, Dominique Bejean wrote:
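A small Python model of the plugin's first-match rule evaluation, added here as an illustration and not Solr's own code, run over the permissions from Dominique's security.json: when the request context carries the collection, the collection-bound rule decides and r1 is allowed; when the collection list is empty, as the standalone log shows, only the collection-wildcard "read" rule is consulted and r1/r2 are refused, which is the 403. The precedence order between rule groups and the paths assigned to the predefined "read" permission are assumptions of the model.

```python
import json

# Constructed from the permissions section of Dominique's security.json
# (credentials omitted); this model is not Solr's own code.
SECURITY_JSON = """{"authorization": {"permissions": [
  {"name": "all", "role": "admin", "index": 1},
  {"name": "read-biblio", "path": "/select", "role": ["admin","read","r1"],
   "collection": "biblio", "index": 2},
  {"name": "read-personnes", "path": "/select", "role": ["admin","read","r2"],
   "collection": "personnes", "index": 3},
  {"name": "read", "collection": "*", "role": ["admin","read"], "index": 4}],
 "user-role": {"admin": "admin", "read": "read", "1": "r1", "2": "r2"}}}"""

# Assumption: predefined "read" covers /select (Solr's covers more read
# handlers); predefined "all" covers every path (None = any path).
PREDEFINED_PATHS = {"read": {"/select", "/get", "/browse"}, "all": None}

def as_list(v):
    return v if isinstance(v, list) else [v]

def rule_paths(perm):
    """Paths a rule applies to; None means any path."""
    if "path" in perm:
        return set(as_list(perm["path"]))
    return PREDEFINED_PATHS.get(perm["name"])

def authorize(security_json, user, path, collections):
    """First matching rule decides; returns (decision, rule name). Assumed
    precedence: rules bound to a collection in the request context before
    collection-wildcard rules, exact-path before any-path, then lower index."""
    authz = json.loads(security_json)["authorization"]
    perms = sorted(authz["permissions"], key=lambda p: p["index"])
    roles = set(as_list(authz["user-role"].get(user, [])))
    def bound(p):  # rule names a specific collection
        return p.get("collection") not in (None, "*")
    groups = [
        lambda p: bound(p) and p["collection"] in collections and path in (rule_paths(p) or ()),
        lambda p: bound(p) and p["collection"] in collections and rule_paths(p) is None,
        lambda p: not bound(p) and path in (rule_paths(p) or ()),
        lambda p: not bound(p) and rule_paths(p) is None,
    ]
    for matches in groups:
        for p in perms:
            if matches(p):
                ok = bool(roles & set(as_list(p["role"])))
                return ("ALLOW" if ok else "DENY", p["name"])
    return ("ALLOW", None)  # no rule covers this request

if __name__ == "__main__":
    print(authorize(SECURITY_JSON, "1", "/select", ["biblio"]))  # SolrCloud: ('ALLOW', 'read-biblio')
    print(authorize(SECURITY_JSON, "1", "/select", []))          # standalone: ('DENY', 'read')
```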
Re: RuleBasedAuthorizationPlugin configuration
Hi,

After reading the log file more carefully, here is my understanding.

The request

    http://2:xx@localhost:8983/solr/biblio/select?indent=on&q=*:*&wt=json

reports this in the log:

    2018-12-30 12:24:52.102 INFO (qtp1731656333-20) [ x:biblio] o.a.s.s.HttpSolrCall USER_REQUIRED auth header Basic Mjox context : userPrincipal: [[principal: 2]] type: [READ], collections: [], Path: [/select] path : /select params :q=*:*&indent=on&wt=json

collections is empty, so it looks like "/select" is not collection specific and so it is not possible to define read access by collection.

Can someone confirm?

Regards

Dominique

On Fri, Dec 21, 2018 at 10:46, Dominique Bejean wrote:
RuleBasedAuthorizationPlugin configuration
Hi,

I am trying to configure the security.json file in order to define the following users and permissions:

- user "admin" with all permissions on all collections
- user "read" with read permissions on all collections
- user "1" with only read permissions on the biblio collection
- user "2" with only read permissions on the personnes collection

Here is my security.json file:

    {
      "authentication":{
        "blockUnknown":true,
        "class":"solr.BasicAuthPlugin",
        "credentials":{
          "admin":"4uwfcjV7bCqOdLF/Qn2wiTyC7zIWN6lyA1Bgp1yqZj0= 7PCh68vhIlZXg1l45kSlvGKowMg1bm/L3eSfgT5dzjs=",
          "read":"azUFSo9/plsGkQGhSQuk8YXoir22pALVpP8wFkd7wlk= gft4wNAeuvz7P8bv/Jv6TK94g516/qXe9cFWe/VlhDo=",
          "1":"azUFSo9/plsGkQGhSQuk8YXoir22pALVpP8wFkd7wlk= gft4wNAeuvz7P8bv/Jv6TK94g516/qXe9cFWe/VlhDo=",
          "2":"azUFSo9/plsGkQGhSQuk8YXoir22pALVpP8wFkd7wlk= gft4wNAeuvz7P8bv/Jv6TK94g516/qXe9cFWe/VlhDo="},
        "":{"v":0}},
      "authorization":{
        "class":"solr.RuleBasedAuthorizationPlugin",
        "permissions":[
          {"name":"all", "role":"admin", "index":1},
          {"name":"read-biblio", "path":"/select", "role":["admin","read","r1"], "collection":"biblio", "index":2},
          {"name":"read-personnes", "path":"/select", "role":["admin","read","r2"], "collection":"personnes", "index":3},
          {"name":"read", "collection":"*", "role":["admin","read"], "index":4}],
        "user-role":{
          "admin":"admin",
          "read":"read",
          "1":"r1",
          "2":"r2"}
      }
    }

I get 403 errors for user 1 on biblio and user 2 on personnes while using the "/select" requestHandler. However, according to the r1 and r2 roles and the permissions order, the access should be allowed.

I have duplicated the TestRuleBasedAuthorizationPlugin.java class in order to test these exact same permissions and roles. checkRules reports access is allowed!!!

I don't understand where the problem is. Any ideas?

Regards

Dominique