Hi all,

Diving into the RuleBasedAuthorizationPlugin for the first time in
a while, and found that the predefined permission "all" isn't behaving
the way I'd expect it to.  I'm trying to figure out whether it doesn't
work the way I think, whether I'm just making a dumb mistake, or
whether it's currently broken on master (and some 7.x versions).

My intent is to create two users, one with readonly access, and an
admin user with access to all APIs.  I'm trying to achieve this with
the security.json below:

{
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "readonly": "<pw>",
      "admin": "<pw>"}},
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name":"read","role": "*"},
      {"name":"schema-read", "role":"*"},
      {"name":"config-read", "role":"*"},
      {"name":"collection-admin-read", "role":"*"},
      {"name":"metrics-read", "role":"*"},
      {"name":"core-admin-read","role":"*"},
      {"name": "all", "role": "admin_role"}
    ],
    "user-role": {
      "readonly": "readonly_role",
      "admin": "admin_role"
    }}}

When I go to test this though, I'm surprised to find that the
"readonly" user is still able to access APIs that I would expect to be
locked down.  The "readonly" user can even update security permissions
with the curl command below!

curl -X POST -H 'Content-Type: application/json' -u "readonly:readonlyPassword" http://localhost:8983/solr/admin/authorization -d @some_auth_json.json

My expectation was that the predefined "all" permission would act as a
catch-all, and restrict to "admin_role" all requests that require
permissions I didn't explicitly give to my "readonly" user.  But it
doesn't seem to work that way.  Am I misunderstanding what the "all"
permission does, or is this a bug?

Thanks for any help or clarification.

Jason
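The following is an added example, not part of Jason's email and not Solr's own code. It models the documented evaluation order of the RuleBasedAuthorizationPlugin (permissions are checked top to bottom, the first entry whose name matches the request decides, a role of "*" means any authenticated user, and the predefined "all" entry matches every request) and uses that model to compute what each user in the security.json above should be allowed to do. A second function compares that expectation against HTTP status codes observed from a live instance, which is how a practitioner would turn the report above into a repeatable check. Assumptions labelled in the code: requests are identified directly by the predefined permission name Solr would assign them (the authorization-edit call is taken to be "security-edit"), and the observed status codes are constructed to reproduce the behaviour described in the email.

```python
import json

# Constructed copy of the security.json from the message above (passwords replaced).
SECURITY_JSON = """
{
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {"readonly": "<pw>", "admin": "<pw>"}},
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name":"read","role": "*"},
      {"name":"schema-read", "role":"*"},
      {"name":"config-read", "role":"*"},
      {"name":"collection-admin-read", "role":"*"},
      {"name":"metrics-read", "role":"*"},
      {"name":"core-admin-read","role":"*"},
      {"name": "all", "role": "admin_role"}
    ],
    "user-role": {"readonly": "readonly_role", "admin": "admin_role"}}}
"""


def _as_list(value):
    """Solr accepts a single string or a list for 'role' and 'user-role' values."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def parse_permissions(security):
    """Return the ordered list of (permission name, required roles)."""
    return [(p["name"], _as_list(p.get("role")))
            for p in security["authorization"]["permissions"]]


def matching_permission(permissions, request_perm):
    """First entry (in file order) whose name equals the request's permission
    name, or the catch-all 'all' entry; None if nothing matches."""
    for name, roles in permissions:
        if name == request_perm or name == "all":
            return name, roles
    return None


def is_allowed(security, user, request_perm):
    """Model of the documented decision for an authenticated user.
    request_perm is the predefined permission name the request maps to
    (assumption: we skip Solr's path-to-permission lookup and name it directly)."""
    user_roles = set(_as_list(security["authorization"]["user-role"].get(user)))
    match = matching_permission(parse_permissions(security), request_perm)
    if match is None:
        return True          # no rule constrains this request; authenticated users pass
    _, roles = match
    if "*" in roles:
        return True          # any authenticated user
    return bool(user_roles & set(roles))


def access_matrix(security, users, request_perms):
    """Expected allow/deny for every (user, request) pair."""
    return {(u, r): is_allowed(security, u, r) for u in users for r in request_perms}


def diff_against_observed(expected, observed):
    """observed maps (user, request_perm) -> HTTP status from a live instance.
    Any status below 400 counts as 'allowed'. Returns the pairs where the
    live behaviour disagrees with the policy model."""
    mismatches = []
    for key, allowed in expected.items():
        status = observed.get(key)
        if status is None:
            continue
        if allowed != (status < 400):
            mismatches.append((key, allowed, status))
    return mismatches


if __name__ == "__main__":
    security = json.loads(SECURITY_JSON)
    expected = access_matrix(security, ["readonly", "admin"], ["read", "security-edit"])
    # Constructed observations reproducing the email: readonly could POST to /admin/authorization.
    observed = {("readonly", "read"): 200, ("readonly", "security-edit"): 200,
                ("admin", "read"): 200, ("admin", "security-edit"): 200}
    for entry in diff_against_observed(expected, observed):
        print("policy model and live instance disagree:", entry)
```

Filling `observed` from real responses (one request per user and permission, recording only the status code) gives a regression check that can be rerun after upgrading Solr or editing security.json; an empty mismatch list means the instance enforces the policy the file appears to express.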
