Re: alias read access impossible for anyone other than admin?

Fri, 24 May 2019 09:55:37 -0700 

Hi Sotiris,

First, what version of Solr are you running?  We've made some fixes
recently (esp. SOLR-13355) to RBAP, and they might affect the behavior
you're seeing or any fixes we can recommend.

Second, the order of permissions in security.json has a huge effect on
how .  Solr always uses the first permission rule that matches a given
API...later rules are ignored if a match is found in earlier ones.
The first rule in your permissions block ({"name": "all", "role":
"admin"}) will match all APIs and will only allow requests through if
the requesting user has the "admin" role.  So "user" being unable to
query an alias makes sense.  Usually "all" and other catchall
permissions are best used at the very bottom of your permissions list.
That way the catchall is the last rule to be checked, giving other
rules a chance to match first.

Hope that helps.

Jason

On Wed, May 22, 2019 at 6:21 AM Sotiris Fragkiskos <sfra...@gmail.com> wrote:
>
> Hi everyone!
> I've been trying unsuccessfully to read an alias to a collection with a
> curl command.
> The command only works when I put in the admin credentials, although the
> user I want access for also has the required role for accessing.
> Is this perhaps built-in, or should anyone be able to access an alias from
> the API?
>
> The command I'm using is:
> curl http://
> <user>:<pass>@<solrhostname>/solr/<AliasName>/select?q=<field>:<value>
> This fails for the user but succeeds for the admin
>
> My minimum working example of security.json follows.
> Many thanks!
>
> {
>   "authentication":{
>     "blockUnknown":true,
>     "class":"solr.BasicAuthPlugin",
>     "credentials":{
>       "admin":"blahblahblah",
>       "user":"blahblah"},
>     "":{"v":13}},
>   "authorization":{
>     "class":"solr.RuleBasedAuthorizationPlugin",
>     "permissions":[
>       {
>         "name":"all",
>         "role":"admin",
>         "index":1},
>       {
>         "name":"readColl",
>         "collection":"Coll",
>         "path":"/select/*",
>         "role":"readColl",
>         "index":2},
>       {
>         "name":"readSCollAlias",
>         "collection":"sCollAlias",
>         "path":"/select/*",
>         "role":"readSCollAlias",
>         "index":3}],
>     "user-role":{
>       "admin":[
>         "admin",
>         "readSCollAlias"],
>       "user":["readSCollAlias"]},
>     "":{"v":21}}}

Reply via email to