Hi Dominique,

Were you able to resolve this? I am also stuck with understanding a minimal permission-set to give to a readonly user to read from the /select endpoint.

Regards
Aroop

> On Jan 1, 2019, at 11:23 PM, Dominique Bejean <dominique.bej...@eolya.fr> wrote:
>
> Hi,
>
> I created a Jira issue
> https://issues.apache.org/jira/browse/SOLR-13097
>
> Regards.
>
> Dominique
>
> On Mon, Dec 31, 2018 at 11:26, Dominique Bejean <dominique.bej...@eolya.fr> wrote:
>
>> Hi,
>>
>> In debugging mode, I discovered that only in SolrCloud mode the collection
>> name is extracted from the request path in the init() method of
>> HttpSolrCall.java
>>
>>     if (cores.isZooKeeperAware()) {
>>       // init collectionList (usually one name but not when there are aliases)
>>       ...
>>     }
>>
>> So in Solr standalone mode, only authentication is fully functional, not
>> authorization !
>>
>> Regards.
>>
>> Dominique
>>
>> On Sun, Dec 30, 2018 at 13:40, Dominique Bejean <dominique.bej...@eolya.fr> wrote:
>>
>>> Hi,
>>>
>>> After reading the log file more carefully, here is my understanding.
>>>
>>> The request
>>>
>>> http://2:xxxxxx@localhost:8983/solr/biblio/select?indent=on&q=*:*&wt=json
>>>
>>> reports this in the log
>>>
>>> 2018-12-30 12:24:52.102 INFO (qtp1731656333-20) [ x:biblio] o.a.s.s.HttpSolrCall USER_REQUIRED auth header Basic Mjox context : userPrincipal: [[principal: 2]] type: [READ], collections: [], Path: [/select] path : /select params :q=*:*&indent=on&wt=json
>>>
>>> collections is empty, so it looks like "/select" is not collection
>>> specific and so it is not possible to define read access by collection.
>>>
>>> Can someone confirm?
>>>
>>> Regards
>>>
>>> Dominique
>>>
>>> On Fri, Dec 21, 2018 at 10:46, Dominique Bejean <dominique.bej...@eolya.fr> wrote:
>>>
>>>> Hi,
>>>>
>>>> I am trying to configure the security.json file, in order to define the
>>>> following users and permissions:
>>>>
>>>> - user "admin" with all permissions on all collections
>>>> - user "read" with read permissions on all collections
>>>> - user "1" with only read permissions on biblio collection
>>>> - user "2" with only read permissions on personnes collection
>>>>
>>>> Here is my security.json file
>>>>
>>>> {
>>>>   "authentication":{
>>>>     "blockUnknown":true,
>>>>     "class":"solr.BasicAuthPlugin",
>>>>     "credentials":{
>>>>       "admin":"4uwfcjV7bCqOdLF/Qn2wiTyC7zIWN6lyA1Bgp1yqZj0= 7PCh68vhIlZXg1l45kSlvGKowMg1bm/L3eSfgT5dzjs=",
>>>>       "read":"azUFSo9/plsGkQGhSQuk8YXoir22pALVpP8wFkd7wlk= gft4wNAeuvz7P8bv/Jv6TK94g516/qXe9cFWe/VlhDo=",
>>>>       "1":"azUFSo9/plsGkQGhSQuk8YXoir22pALVpP8wFkd7wlk= gft4wNAeuvz7P8bv/Jv6TK94g516/qXe9cFWe/VlhDo=",
>>>>       "2":"azUFSo9/plsGkQGhSQuk8YXoir22pALVpP8wFkd7wlk= gft4wNAeuvz7P8bv/Jv6TK94g516/qXe9cFWe/VlhDo="},
>>>>     "":{"v":0}},
>>>>   "authorization":{
>>>>     "class":"solr.RuleBasedAuthorizationPlugin",
>>>>     "permissions":[
>>>>       {
>>>>         "name":"all",
>>>>         "role":"admin",
>>>>         "index":1},
>>>>       {
>>>>         "name":"read-biblio",
>>>>         "path":"/select",
>>>>         "role":["admin","read","r1"],
>>>>         "collection":"biblio",
>>>>         "index":2},
>>>>       {
>>>>         "name":"read-personnes",
>>>>         "path":"/select",
>>>>         "role":["admin","read","r2"],
>>>>         "collection":"personnes",
>>>>         "index":3},
>>>>       {
>>>>         "name":"read",
>>>>         "collection":"*",
>>>>         "role":["admin","read"],
>>>>         "index":4}],
>>>>     "user-role":{
>>>>       "admin":"admin",
>>>>       "read":"read",
>>>>       "1":"r1",
>>>>       "2":"r2"}
>>>>   }
>>>> }
>>>>
>>>> I have 403 errors for user 1 on biblio and user 2 on personnes while
>>>> using the "/select" requestHandler. However according to r1 and r2 roles
>>>> and permissions order, the access should be allowed.
>>>>
>>>> I have duplicated the TestRuleBasedAuthorizationPlugin.java class in
>>>> order to test these exact same permissions and roles. checkRules reports
>>>> access is allowed !!!
>>>>
>>>> I don't understand where the problem is. Any ideas?
>>>>
>>>> Regards
>>>>
>>>> Dominique
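
Added example, not part of the thread or of Solr: a Python parser for the HttpSolrCall authorization-context log line quoted above, which reports /select requests that reached authorization with an empty collections list, the condition the thread ties to the unexpected 403s. The function names are hypothetical, and the second and third sample lines are constructed (the layout of a non-empty collections list is an assumption).

```python
import re

# Matches the authorization-context part of the HttpSolrCall line quoted in the thread.
CONTEXT_RE = re.compile(
    r"userPrincipal: \[\[principal: (?P<user>[^\]]*)\]\] "
    r"type: \[(?P<type>[^\]]*)\], "
    r"collections: \[(?P<collections>[^\]]*)\], "
    r"Path: \[(?P<path>[^\]]*)\]"
)

def parse_context(line):
    """Return the authorization context logged on this line, or None."""
    m = CONTEXT_RE.search(line)
    if m is None:
        return None
    # Tolerate trailing commas and spaces in the collection list.
    collections = [c.strip() for c in m.group("collections").split(",") if c.strip()]
    return {"user": m.group("user"), "type": m.group("type"),
            "collections": collections, "path": m.group("path")}

def unscoped_requests(lines, handler_paths=("/select",)):
    """Contexts for handler requests that reached authorization with no collection."""
    hits = []
    for line in lines:
        ctx = parse_context(line)
        if ctx and ctx["path"] in handler_paths and not ctx["collections"]:
            hits.append(ctx)
    return hits

SAMPLE_LOG = [
    # From the thread: user 2 querying the biblio core.
    "2018-12-30 12:24:52.102 INFO (qtp1731656333-20) [ x:biblio] o.a.s.s.HttpSolrCall "
    "USER_REQUIRED auth header Basic Mjox context : userPrincipal: [[principal: 2]] "
    "type: [READ], collections: [], Path: [/select] path : /select "
    "params :q=*:*&indent=on&wt=json",
    # Constructed: same layout with a collection resolved (list format assumed).
    "2018-12-30 12:25:10.000 INFO (qtp1731656333-21) [ x:biblio] o.a.s.s.HttpSolrCall "
    "USER_REQUIRED auth header Basic MTox context : userPrincipal: [[principal: 1]] "
    "type: [READ], collections: [biblio,], Path: [/select] path : /select params :q=*:*",
    # Constructed: unrelated request line that must be ignored.
    "2018-12-30 12:25:11.000 INFO (qtp1731656333-22) [ x:biblio] o.a.s.c.S.Request "
    "[biblio] webapp=/solr path=/select params={q=*:*} hits=0 status=0 QTime=1",
]

if __name__ == "__main__":
    for ctx in unscoped_requests(SAMPLE_LOG):
        print(f"user {ctx['user']}: {ctx['type']} {ctx['path']} evaluated with no collection")
```

Any hit means the request was authorized without a collection name, so permissions scoped with "collection" in security.json could not have applied to it.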