[ https://issues.apache.org/jira/browse/SOLR-9804?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16000174#comment-16000174 ]
Noble Paul edited comment on SOLR-9804 at 5/8/17 1:53 AM:
----------------------------------------------------------

[~sleem] {{collection:null}} means it is not a collection-specific request (admin requests such as {{collection-admin-read}} etc.). {{/update}} is a collection-specific request. Remove it and it should work.

was (Author: noble.paul):
[~sleem] {{collection:null}} means it is not a collection-specific request. {{/update}} is a collection-specific request. Remove it and it should work.

> Rule-Based Authorization Plugin does not secure access for update operations
> ----------------------------------------------------------------------------
>
>                 Key: SOLR-9804
>                 URL: https://issues.apache.org/jira/browse/SOLR-9804
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public (Default Security Level. Issues are Public)
>          Components: security
>    Affects Versions: 6.3
>         Environment: Linux:
> # uname -a
> Linux hostname 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
> /solr -version
> 6.3.0
>            Reporter: Sleem
>              Labels: authorization, security, update
>
> It looks like the /update path is not filtered by the Rule-Based Authorization Plugin, even if you set the permission using the path permission "/update" or the pre-defined permission "update".
> Below is the security.json
> {code:JavaScript}
> {
>   "authentication":{
>     "class":"solr.BasicAuthPlugin",
>     "blockUnknown":true,
>     "credentials":{
>       "admin":"JrcQ8Lh/xKmucz9CaGVXwTpXxGSUZOt32i6W2f4tIfY= PuAJx8DjI0Ozy2gQXteG5KfRAbOmXuRFZVjHbrIIzVk=",
>       "update":"tFdQLTQd9qXAStQek5xQQPlVcmXgjI/w4+9rjAZyqTU= by0LXUAdNAtcJW+DuycI2zc4NyDjCiexOgMaqEFIklU=",
>       "solr":"GglOeZytbUBCKW8QT1H7kVs0eHc0x8+iNmpz7x8DKMI= 5JR1Ul8QehmP3nb2U6Bc/N1qwrQljLfiKPTxm35FikA="}},
>   "authorization":{
>     "class":"solr.RuleBasedAuthorizationPlugin",
>     "user-role":{
>       "admin":["admin_role"],
>       "update":["update_role"],
>       "solr":["read_role"]},
>     "permissions":[
>       {
>         "collection":null,
>         "name":"security-edit",
>         "role":["admin_role"],
>         "index":1},
>       {
>         "collection":null,
>         "name":"schema-edit",
>         "role":["admin_role"],
>         "index":2},
>       {
>         "collection":null,
>         "name":"config-edit",
>         "role":["admin_role"],
>         "index":3},
>       {
>         "collection":null,
>         "name":"core-admin-edit",
>         "role":["admin_role"],
>         "index":4},
>       {
>         "collection":null,
>         "name":"collection-admin-edit",
>         "role":["admin_role"],
>         "index":5},
>       {
>         "collection":null,
>         "name":"security-read",
>         "role":["admin_role"],
>         "index":6},
>       {
>         "collection":null,
>         "name":"schema-read",
>         "role":["admin_role","update_role"],
>         "index":7},
>       {
>         "collection":null,
>         "name":"core-admin-read",
>         "role":["admin_role","update_role"],
>         "index":8},
>       {
>         "collection":null,
>         "name":"config-read",
>         "role":["admin_role","update_role"],
>         "index":9},
>       {
>         "collection":null,
>         "name":"collection-admin-read",
>         "role":["admin_role","update_role"],
>         "index":10},
>       {
>         "collection":null,
>         "name":"update",
>         "role":["admin_role","update_role"],
>         "index":11},
>       {
>         "collection":null,
>         "name":"read",
>         "role":["admin_role","update_role","read_role"],
>         "index":12},
>       {
>         "collection":null,
>         "name":"all",
>         "role":["admin_role"],
>         "index":13},
>       {
>         "collection":null,
>         "path":"/*",
>         "role":["admin_role"],
>         "index":14}],
>     "":{"v":138}}}
> {code}
> I have tested update using SolrJ and by hitting /update in the browser using the solr user (who has no rights to update). Both updates succeeded.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
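The point of the comment above is that an explicit `"collection": null` makes a permission match only non-collection (admin) requests, while the `/update` handler is always collection-scoped, so a rule such as the reporter's `"update"` entry at index 11 can never fire and the request falls through. That is easy to check mechanically before a security.json is uploaded. The following Python script is an added example, not code from the ticket or from the Solr project. It embeds a constructed, trimmed copy of the reporter's permissions block (plus a constructed path rule for "/update", the other variant the report mentions), flags the entries that carry an explicit null yet name a collection-scoped permission or the /update path, and produces the corrected file by dropping the key, which is what the comment recommends (an absent `collection` key applies the rule to every collection). Treating the predefined `read` permission as collection-scoped in the same way as `update` is an assumption of mine; the ticket only discusses `update`.

```python
import json

# Constructed sample modelled on the permissions block quoted in the ticket,
# trimmed to the rules that matter for the check. The "/update" path rule is
# also constructed, to cover the second form the reporter says they tried.
SAMPLE_SECURITY_JSON = json.dumps({
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "user-role": {
            "admin": ["admin_role"],
            "update": ["update_role"],
            "solr": ["read_role"],
        },
        "permissions": [
            # Admin request: an explicit null is correct here.
            {"collection": None, "name": "collection-admin-read",
             "role": ["admin_role", "update_role"], "index": 10},
            # Collection-scoped predefined permissions: null means "never matches".
            {"collection": None, "name": "update",
             "role": ["admin_role", "update_role"], "index": 11},
            {"collection": None, "name": "read",
             "role": ["admin_role", "update_role", "read_role"], "index": 12},
            # Path rule aimed at the update handler: same problem.
            {"collection": None, "path": "/update",
             "role": ["update_role"], "index": 13},
            # Catch-all path rule, left untouched by this check.
            {"collection": None, "path": "/*",
             "role": ["admin_role"], "index": 14},
        ],
    }
})

# Predefined permissions that only ever match collection-scoped requests.
# "update" is the case the ticket is about; "read" is an assumption here
# (it guards a collection's query handlers, so the same rule applies).
COLLECTION_SCOPED_NAMES = {"update", "read"}


def _label(perm: dict) -> str:
    """Human-readable identifier for a permission entry."""
    return perm.get("name") or perm.get("path") or "<unnamed>"


def _is_misconfigured(perm: dict) -> bool:
    """True when the entry is collection-scoped but pinned to non-collection
    requests by an explicit "collection": null. An absent key is fine: it
    means the rule applies to all collections."""
    if "collection" not in perm or perm["collection"] is not None:
        return False
    scoped_by_name = perm.get("name") in COLLECTION_SCOPED_NAMES
    # A path rule that targets the update handler is collection-scoped too.
    scoped_by_path = (perm.get("path") or "").startswith("/update")
    return scoped_by_name or scoped_by_path


def _permissions(cfg: dict) -> list:
    return cfg.get("authorization", {}).get("permissions", [])


def find_misconfigured_permissions(security_json: str) -> list:
    """Return the permission entries that can never match an update request."""
    cfg = json.loads(security_json)
    return [p for p in _permissions(cfg) if _is_misconfigured(p)]


def explicit_null_entries(security_json: str) -> list:
    """Labels of every entry that still carries an explicit null collection
    (useful to confirm that genuine admin rules were left alone)."""
    cfg = json.loads(security_json)
    return [_label(p) for p in _permissions(cfg)
            if "collection" in p and p["collection"] is None]


def fix_permissions(security_json: str) -> str:
    """Return security.json with the offending "collection": null removed,
    which is the change suggested in the comment. Everything else, including
    the admin rules that legitimately use null, is preserved."""
    cfg = json.loads(security_json)
    for perm in _permissions(cfg):
        if _is_misconfigured(perm):
            del perm["collection"]  # absent key == applies to every collection
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    for perm in find_misconfigured_permissions(SAMPLE_SECURITY_JSON):
        print(f"index {perm.get('index')}: {_label(perm)} has collection:null "
              "but is collection-scoped; drop the key")
    print(fix_permissions(SAMPLE_SECURITY_JSON))
```

Run it against a real file with `find_misconfigured_permissions(open("security.json").read())`; the admin rules (security-*, core-admin-*, collection-admin-*) keep their explicit null, only the collection-scoped entries lose it.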