Hi all,

Diving into the RuleBasedAuthorizationPlugin for the first time in a while, and found that the predefined permission "all" isn't behaving the way I'd expect it to. I'm trying to figure out whether it doesn't work the way I think, whether I'm just making a dumb mistake, or whether it's currently broken on master (and some 7x versions).

My intent is to create two users, one with readonly access, and an admin user with access to all APIs. I'm trying to achieve this with the security.json below:

    {
      "authentication": {
        "blockUnknown": true,
        "class": "solr.BasicAuthPlugin",
        "credentials": {
          "readonly": "<pw>",
          "admin": "<pw>"
        }
      },
      "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [
          {"name": "read", "role": "*"},
          {"name": "schema-read", "role": "*"},
          {"name": "config-read", "role": "*"},
          {"name": "collection-admin-read", "role": "*"},
          {"name": "metrics-read", "role": "*"},
          {"name": "core-admin-read", "role": "*"},
          {"name": "all", "role": "admin_role"}
        ],
        "user-role": {
          "readonly": "readonly_role",
          "admin": "admin_role"
        }
      }
    }

When I go to test this though, I'm surprised to find that the "readonly" user is still able to access APIs that I would expect to be locked down. The "readonly" user can even update security permissions with the curl command below!

    curl -X POST -H 'Content-Type: application/json' -u "readonly:readonlyPassword" http://localhost:8983/solr/admin/authorization -d @some_auth_json.json

My expectation was that the predefined "all" permission would act as a catch-all, and restrict all requests to "admin_role" that require permissions I didn't explicitly give to my "readonly" user. But it doesn't seem to work that way. Am I misunderstanding what the "all" permission does, or is this a bug?

Thanks for any help or clarification.

Jason
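Added example, not part of Jason's post or of Solr's own code: a small Python model of how the posted security.json is intended to be evaluated (rules walked in order, the first rule naming the needed predefined permission or the catch-all "all" decides, "*" meaning any authenticated user), plus a comparison of that intent against HTTP status codes captured from a running instance, so a policy mistake can be told apart from a plugin bug. The "allow when no rule matches" fallback, the use of "security-edit" as the permission behind POST /admin/authorization, and the observation tuples are assumptions or constructed data.

```python
import json

# Jason's security.json from the post, embedded here for the check.
SECURITY_JSON = json.loads("""
{"authentication": {"blockUnknown": true, "class": "solr.BasicAuthPlugin",
  "credentials": {"readonly": "<pw>", "admin": "<pw>"}},
 "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
  "permissions": [
   {"name": "read", "role": "*"}, {"name": "schema-read", "role": "*"},
   {"name": "config-read", "role": "*"}, {"name": "collection-admin-read", "role": "*"},
   {"name": "metrics-read", "role": "*"}, {"name": "core-admin-read", "role": "*"},
   {"name": "all", "role": "admin_role"}],
  "user-role": {"readonly": "readonly_role", "admin": "admin_role"}}}
""")

def _as_set(value):
    """Solr accepts either a string or a list for "role" and "user-role" values."""
    if value is None:
        return set()
    return {value} if isinstance(value, str) else set(value)

def decide(security, user, needed):
    """Intended verdict for `user` on a request that needs the predefined
    permission `needed` (assumed: "security-edit" for POST /admin/authorization).
    Rules are walked in order; the first rule naming `needed`, or the
    catch-all "all", decides. A role of "*" means any authenticated user."""
    authz = security["authorization"]
    user_roles = _as_set(authz.get("user-role", {}).get(user))
    for rule in authz["permissions"]:
        if rule["name"] not in (needed, "all"):
            continue
        allowed = _as_set(rule.get("role"))
        return "allow" if "*" in allowed or allowed & user_roles else "deny"
    # Assumption: with no matching rule the request goes through, which is
    # exactly why a trailing "all" rule is wanted as a backstop.
    return "allow"

def mismatches(security, observations):
    """observations: (user, needed_permission, http_status) tuples captured
    from a live instance (constructed in the test). Returns those whose status
    disagrees with the policy's intent, e.g. a 200 where a 403 was expected."""
    bad = []
    for user, needed, status in observations:
        observed = "deny" if status in (401, 403) else "allow"
        expected = decide(security, user, needed)
        if observed != expected:
            bad.append((user, needed, expected, status))
    return bad
```

Feed `mismatches` the status codes from curl runs as each user; a row such as `("readonly", "security-edit", "deny", 200)` is the symptom described in the post, and an empty list means the instance matches the intended policy.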