Ok, I'm really struggling to figure out the right approach here. I wanted to
make it simple and started fresh. Removed the existing nodes (node1 and
node2), started the server in Cloud mode and uploaded the following
security.json.

{
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "solr": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {
        "name": "security-edit",
        "role": "admin"
      },
      {
        "name": "all",
        "role": "all"
      },
      {
        "name": "browse",
        "collection": "gettingstarted",
        "path": "/browse",
        "role": "browseRole"
      },
      {
        "name": "select",
        "collection": "gettingstarted",
        "path": "/select/*",
        "role": "selectRole"
      }
    ],
    "user-role": {
      "solr": ["admin"]
    }
  }
}

When I try to log in using solr/SolrRocks, I got the following exception:

INFO  - 2016-05-11 05:55:48.830; [   ]
org.apache.solr.security.RuleBasedAuthorizationPlugin; This resource is
configured to have a permission
org.apache.solr.security.RuleBasedAuthorizationPlugin$Permission@167ffde1,
The principal [principal: solr] does not have the right role 
INFO  - 2016-05-11 05:55:48.834; [   ] org.apache.solr.servlet.HttpSolrCall;
USER_REQUIRED auth header Basic c29scjpTb2xyUm9ja3M= context : [FAILED
toString()] 

Now, I removed the node, started all over again and uploaded a bare-bone
security.json.

{
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "solr": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {
      "solr": "admin"
    },
    "permissions": [
      {
        "name": "security-edit",
        "role": "admin"
      }
    ]
  }
}

I was able to access solr admin and request handlers without any issue.
Entire admin functionality, including create/modify collections were
accessible.

Is it safe to assume that the default security.json can accept only one role?

Now, I added a couple of users through curl: {"set-user": {"superuser":
"Password1","beehive": "Password1"}}.

Then, assigned "superuser" to admin role.
{"set-user-role":{"superuser":"admin"}}

I'm able to access both admin and request handlers. So far so good.

I added a couple of new roles:

{"set-permission" : {"name":"select", "collection": "gettingstarted", 
"path": "/select/*", "role": "selectRole"}}
{"set-permission" : {"name":"browse", "collection": "gettingstarted", 
"path": "/browse", "role": "browseRole"}}

Then assigned user "beehive" to these roles.

{"set-user-role":{"beehive":["browseRole","selectRole"]}}

Logged in as "beehive" and accessed /browse. The page came up, but threw the
following exception:

[c:gettingstarted s:shard2 r:core_node2 x:gettingstarted_shard2_replica1]
org.apache.solr.common.SolrException;
org.apache.solr.client.solrj.impl.HttpSolrClient$RemoteSolrException: Error
from server at
http://192.168.1.100:7574/solr/gettingstarted_shard1_replica2: Expected mime
type application/octet-stream but got text/html. <html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Error 401 Unauthorized request, Response code: 401</title>
</head>
<body>
HTTP ERROR 401

<p>Problem accessing /solr/gettingstarted_shard1_replica2/browse. Reason:
<pre>    Unauthorized request, Response code:
401</pre></p><hr>/<small>Powered by Jetty://</small>/<hr/>

</body>
</html>

        at
org.apache.solr.client.solrj.impl.HttpSolrClient.executeMethod(HttpSolrClient.java:544)
        at
org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:240)
        at
org.apache.solr.client.solrj.impl.HttpSolrClient.request(HttpSolrClient.java:229)
        at
org.apache.solr.client.solrj.impl.LBHttpSolrClient.doRequest(LBHttpSolrClient.java:372)
        at
org.apache.solr.client.solrj.impl.LBHttpSolrClient.request(LBHttpSolrClient.java:325)
        at
org.apache.solr.handler.component.HttpShardHandlerFactory.makeLoadBalancedRequest(HttpShardHandlerFactory.java:246)
        at
org.apache.solr.handler.component.HttpShardHandler$1.call(HttpShardHandler.java:201)
        at
org.apache.solr.handler.component.HttpShardHandler$1.call(HttpShardHandler.java:163)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at 
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at
org.apache.solr.common.util.ExecutorUtil$MDCAwareThreadPoolExecutor$1.run(ExecutorUtil.java:231)
        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)

This changed the authorization realm for some reason. If I log back in as
"solr" or "superuser", I could no longer access request handlers, which was
possible before adding the two new roles, i.e. "browseRole" and "selectRole". I
went back and assigned "superuser" to these roles; only after that was it
able to access the request handlers, though with the above exceptions.

Here's authentication :

{
  "responseHeader": {
    "status": 0,
    "QTime": 0
  },
  "authentication.enabled": true,
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "solr": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=",
      "superuser": "SOkYlwKY6aW0Tr31o9xE3etyR6XHNtxw2fSY80s1CZs= LFOQr7kQefru9L/F/l3ORPiJNzMGmS5xzVcxcYE5GL0=",
      "beehive": "NRWjSrEYDEh3ZrIVKV/3GvVT46rMxRLXI0cmyAD132E= vUg7DcwOj4hMGRi8Fjya4guhuz7L1dM8HvvXKzVHI8M="
    },
    "": {
      "v": 2
    }
  }
}

And authorization:

{
  "responseHeader": {
    "status": 0,
    "QTime": 0
  },
  "authorization.enabled": true,
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {
      "solr": "admin",
      "superuser": [
        "browseRole",
        "selectRole"
      ],
      "beehive": [
        "browseRole",
        "selectRole"
      ]
    },
    "permissions": [
      {
        "name": "security-edit",
        "role": "admin"
      },
      {
        "name": "select",
        "collection": "gettingstarted",
        "path": "/select/*",
        "role": "selectRole"
      },
      {
        "name": "browse",
        "collection": "gettingstarted",
        "path": "/browse",
        "role": "browseRole"
      }
    ],
    "": {
      "v": 7
    }
  }
}

I was under the impression that these roles are independent of each other and
that, based on the assignment, each individual user should be able to access
their respective area. On a related note, I was not able to make roles like
"all" and "read" work.

Not sure what I'm doing wrong here. Any feedback will be appreciated.

Thanks,
Shamik

--
View this message in context: 
http://lucene.472066.n3.nabble.com/Issues-with-Authentication-Role-based-authorization-tp4276024p4276056.html
Sent from the Solr - User mailing list archive at Nabble.com.
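The behaviour reported in this thread follows from two documented rules of the Solr security framework: a BasicAuth credential is stored as "<base64 hash> <base64 salt>" on one line (the wrapped value in the mailed security.json is two lines, which is not valid JSON), and RuleBasedAuthorizationPlugin takes the first permission in list order whose criteria match the request and then demands one of that permission's roles; a request matching no permission is allowed to any authenticated user. The script below is an added example written for this thread, not Solr's own code. It re-implements the credential hash (base64(sha256(sha256(salt || password)))), the stored form used by Sha256AuthenticationProvider, checks it against the well-known solr/SolrRocks value from the post, and dry-runs the three authorization sections posted above against the requests the poster made. The path sets for the predefined names "security-edit", "security-read" and "all" are a simplified subset of the reference guide's table, the list-order first-match model is a simplification of the plugin's internal per-path lookup, and the "role": null means any logged-in user rule is taken from the reference guide of that era; all three are assumptions to verify against your Solr version. Request shapes and user names are the ones in the thread.

```python
"""Dry-run a Solr BasicAuth + RuleBasedAuthorizationPlugin security.json.

Added example for this thread (not Solr's code): mirrors the documented rules in
simplified form so you can see which permission a request hits and which role it
demands before uploading the file.
"""
import base64
import hashlib
import os
from typing import Optional, Tuple

# --- authentication: a credential value is "<base64 hash> <base64 salt>" -------

def sha256_salted(password: str, salt_b64: str) -> str:
    """Sha256AuthenticationProvider scheme: base64(sha256(sha256(salt || password)))."""
    first = hashlib.sha256(base64.b64decode(salt_b64) + password.encode("utf-8")).digest()
    return base64.b64encode(hashlib.sha256(first).digest()).decode("ascii")

def make_credential(password: str) -> str:
    """Build a credential value with a fresh 32-byte random salt."""
    salt_b64 = base64.b64encode(os.urandom(32)).decode("ascii")
    return sha256_salted(password, salt_b64) + " " + salt_b64

def check_credential(stored: str, password: str) -> bool:
    """Hash and salt must sit on ONE line separated by a single space; a value that
    was line-wrapped in an e-mail (as in this thread) will not split into two parts."""
    parts = stored.split(" ")
    if len(parts) != 2:
        raise ValueError("credential must be '<hash> <salt>' on a single line")
    return sha256_salted(password, parts[1]) == parts[0]

# --- authorization: first permission in list order whose criteria match decides ---

# Predefined names used in this thread, reduced to request shapes. ASSUMPTION:
# simplified subset of the reference guide's table; "all" matches every request.
PREDEFINED = {
    "security-edit": {"collection": None, "method": ["POST"],
                      "path": ["/admin/authentication", "/admin/authorization"]},
    "security-read": {"collection": None, "method": ["GET"],
                      "path": ["/admin/authentication", "/admin/authorization"]},
    "all": {"path": ["*"]},
}

def _listify(v):
    return v if isinstance(v, list) else [v]

def _matches(perm: dict, collection: Optional[str], path: str, method: str) -> bool:
    """collection absent = any collection, null = admin (non-collection) request only,
    '*' = any; path '/x/*' is a prefix match, '*' matches everything; method absent = any."""
    spec = dict(PREDEFINED.get(perm["name"], {}))
    spec.update({k: v for k, v in perm.items() if k in ("collection", "path", "method")})
    if "collection" in spec and not any(c in ("*", collection) for c in _listify(spec["collection"])):
        return False
    if "path" in spec and not any(p == "*" or p == path or (p.endswith("/*") and path.startswith(p[:-2]))
                                  for p in _listify(spec["path"])):
        return False
    if "method" in spec and method not in _listify(spec["method"]):
        return False
    return True

def authorize(authz: dict, user: str, collection: Optional[str], path: str,
              method: str = "GET") -> Tuple[str, Optional[str]]:
    """Return (decision, name of the permission that decided). A request matching no
    permission is allowed, which is why the bare-bones config left everything open."""
    roles = _listify(authz.get("user-role", {}).get(user, []))
    for perm in authz.get("permissions", []):
        if not _matches(perm, collection, path, method):
            continue
        wanted = perm.get("role")
        if wanted is None:   # ASSUMPTION (ref guide): null role = any logged-in user
            return ("allow", perm["name"])
        if any(r in roles for r in _listify(wanted)):
            return ("allow", perm["name"])
        return ("forbidden", perm["name"])   # a role named "all" is just a role name
    return ("allow", None)

# The three authorization sections posted in this thread (credentials omitted).
FIRST = {"permissions": [{"name": "security-edit", "role": "admin"},
                         {"name": "all", "role": "all"},
                         {"name": "browse", "collection": "gettingstarted", "path": "/browse", "role": "browseRole"},
                         {"name": "select", "collection": "gettingstarted", "path": "/select/*", "role": "selectRole"}],
         "user-role": {"solr": ["admin"]}}
BARE = {"permissions": [{"name": "security-edit", "role": "admin"}], "user-role": {"solr": "admin"}}
FINAL = {"permissions": [{"name": "security-edit", "role": "admin"},
                         {"name": "select", "collection": "gettingstarted", "path": "/select/*", "role": "selectRole"},
                         {"name": "browse", "collection": "gettingstarted", "path": "/browse", "role": "browseRole"}],
         "user-role": {"solr": "admin", "superuser": ["browseRole", "selectRole"],
                       "beehive": ["browseRole", "selectRole"]}}

# Default credential shipped in Solr's example security.json (password SolrRocks).
SOLR_DEFAULT_CREDENTIAL = ("IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= "
                           "Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=")

if __name__ == "__main__":
    print("solr/SolrRocks verifies:", check_credential(SOLR_DEFAULT_CREDENTIAL, "SolrRocks"))
    for label, cfg, user, coll, path, method in [
        ("first,  solr      GET  /select", FIRST, "solr", "gettingstarted", "/select", "GET"),
        ("bare,   solr      POST /admin/collections", BARE, "solr", None, "/admin/collections", "POST"),
        ("final,  solr      GET  /select", FINAL, "solr", "gettingstarted", "/select", "GET"),
        ("final,  superuser POST /admin/authorization", FINAL, "superuser", None, "/admin/authorization", "POST"),
        ("final,  beehive   GET  /browse", FINAL, "beehive", "gettingstarted", "/browse", "GET"),
    ]:
        print(f"{label:48s} -> {authorize(cfg, user, coll, path, method)}")
```

Run as a script it prints the decision and the deciding permission for each request: under the first config "all" fires before the collection rules and demands a role literally named "all", which no user holds; under the final config "solr" (role admin only) is stopped by the "select" and "browse" rules, and "superuser", whose dump above shows only browseRole and selectRole after the second set-user-role, is stopped by "security-edit". The distributed 401 in the beehive stack trace comes from the shard-to-shard request to the other node and is outside what this single-request model shows.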
