The "all" permissions _should_ block solr-user from accessing all of those resources, and I believe it does in newer versions of Solr. There was a bug with it that was fixed a few versions back though- it sounds like you might be running into that. (see https://issues.apache.org/jira/browse/SOLR-13355) What version of Solr are you using?
Jason On Wed, Aug 21, 2019 at 5:21 AM Salmaan Rashid Syed <salmaan.ras...@mroads.com> wrote: > > Hi Jason, > > Thanks for your prompt reply. > > Your code does address few of my concerns like restricting *solr-user* from > accessing the dashboard and from executing other request methods apart from > *"update"* and *"read"*. > > But I am still able to access other collections such as *"Collection3", > "Collection4"* and so on, apart from the intended two collection entered in > the code. I can give *"update"* and *"read" *requests to these external > Collections which solr-user should not be able to do. > > Moreover solr-user can look at the > *http://localhost:8983/solr/admin/authentication > <http://localhost:8983/solr/admin/authentication>* link which lists the > users and their *SHA256* coded passwords. How can I hide this and restrict > access to other collections? > > Thanks and regards > Salmaan > > > On Wed, Aug 21, 2019 at 5:07 AM Jason Gerlowski <gerlowsk...@gmail.com> > wrote: > > > Hi Salmaan, > > > > Solr's RuleBasedAuthorizationPlugin allows requests through if none of > > the specified permissions apply. I think that's what you're running > > into in your example above. If you want to lockdown a particular API > > (or set of APIs) then you need to explicitly add a permission that > > restricts those APIs to a particular role. > > > > One way to get the behavior that it sounds like you're looking for > > would be to add a catch-all permission at the bottom of your > > permissions list that restricts all other APIs to "admin". This would > > look a bit like: > > > > "permissions":[ > > { > > "name":"security-edit", > > "role":"admin" > > }, > > { > > "collection": ["Collection1", "Collection2"], > > "name": ["update", "read"], > > "role": "dev" > > }, > > { > > "name": "all", > > "role": "admin" > > } > > ] > > > > Hope that helps get you started. > > > > Best, > > > > Jason > > > > On Tue, Aug 20, 2019 at 3:19 AM Salmaan Rashid Syed > > <salmaan.ras...@mroads.com> wrote: > > > > > > Hi Solr Users, > > > > > > I want to create a user that has restricted access to Solr. I did the > > > follwowing:- > > > > > > > > > 1. { > > > 2. "authentication":{ > > > 3. "blockUnknown": true, > > > 4. "class":"solr.BasicAuthPlugin", > > > 5. "credentials":{ > > > 6. "solr-admin": > > > "2IUJD9dxRhxSXaJGdMP5z8ggSn4I285Ty9GCWeRNMUg= > > > /sSNJJufPtj4baRizoJshJawFsWvopvZSqZpQ/Nwd78=" > > > , > > > 7. "solr-user": > > > "p+XwOh15p/rvFltv2LXP1CwtbvwBgGlC9qcDKxV73B4= > > > DcNsjfA6Wf16V1XKT+YraosSFQ5Cr3eRUX6BQnx9XKA=" > > > > > > 8. } > > > 9. }, > > > 10. "authorization":{ > > > 11. "class":"solr.RuleBasedAuthorizationPlugin", > > > 12. "user-role":{"solr-admin":"admin", "solr-user":"dev"}, > > > 13. "permissions":[ > > > 14. { > > > 15. "name":"security-edit", > > > 16. "role":"admin" > > > 17. }, > > > 18. { > > > 19. "collection": ["Collection1", "Collection2"], > > > 20. "name": ["update", "read"], > > > 21. "role": "dev" > > > 22. } > > > 23. ] > > > 24. }} > > > > > > > > > But when Login intot the Solr admin dash-board using Solr-user > > credentials, > > > I can read, select, write, update, delete collections and do all sorts of > > > things like a solr-admin can do. > > > > > > I want solr-user to be able to access only *Collection1* and > > *Collection2* > > > and be able to only *update *and *read*. He should not be able to access > > > other collections and do anything apart from the above mentioned role. > > > > > > Where am I exactly going wrong? > > > > > > Thanks and Regards, > > > Salmaan > >
