Hi,

Any suggestions as to what can be done?

Regards,
Salmaan

On Wed, Aug 21, 2019 at 4:33 PM Jason Gerlowski <gerlowsk...@gmail.com> wrote:
> Ah, ok. SOLR-13355 still affects 7.6, so that explains why you're
> seeing this behavior.
>
> You could upgrade to get the new behavior, but you don't need to-
> there's a workaround. You just need to add a few extra rules to your
> security.json. The problem in SOLR-13355 is that the "all" permission
> isn't being considered for APIs that are covered by other predefined
> permissions. So the workaround is to add a permission rule for each
> of the predefined permissions, locking them down to the "admin" role.
> It really bloats security.json, but should do the job. So your
> security.json should have a permissions section that looks like the
> JSON below:
>
> {"name": "dev-read", "collection": ["collection1", "collection2"], "role": "dev"},
> {"name": "security-edit", "role": "admin"},
> {"name": "security-read", "role": "admin"},
> {"name": "schema-edit", "role": "admin"},
> {"name": "schema-read", "role": "admin"},
> {"name": "config-edit", "role": "admin"},
> {"name": "config-read", "role": "admin"},
> {"name": "core-admin-edit", "role": "admin"},
> {"name": "core-admin-read", "role": "admin"},
> {"name": "collection-api-edit", "role": "admin"},
> {"name": "collection-api-read", "role": "admin"},
> {"name": "read", "role": "admin"},
> {"name": "update", "role": "admin"},
> {"name": "all", "role": "admin"}
>
> Hope that helps. Let me know if that still has any problems for you.
>
> Jason
>
> On Wed, Aug 21, 2019 at 6:48 AM Salmaan Rashid Syed
> <salmaan.ras...@mroads.com> wrote:
> >
> > Hi Jason,
> >
> > Is there a way to fix this in version 7.6?
> >
> > Or is it mandatory to upgrade to other versions?
> >
> > If I have to upgrade to a higher version, then what is the best way to do
> > this without affecting the current configuration and indexed data?
> >
> > Thanks,
> > Salmaan
> >
> > On Wed, Aug 21, 2019 at 4:13 PM Salmaan Rashid Syed
> > <salmaan.ras...@mroads.com> wrote:
> >
> > > Hi Jason,
> > >
> > > I am using version 7.6 of Solr.
> > >
> > > Thanks,
> > > Salmaan
> > >
> > > On Wed, Aug 21, 2019 at 4:12 PM Jason Gerlowski <gerlowsk...@gmail.com> wrote:
> > >
> > > > The "all" permissions _should_ block solr-user from accessing all of
> > > > those resources, and I believe it does in newer versions of Solr.
> > > > There was a bug with it that was fixed a few versions back though- it
> > > > sounds like you might be running into that. (see
> > > > https://issues.apache.org/jira/browse/SOLR-13355) What version of Solr
> > > > are you using?
> > > >
> > > > Jason
> > > >
> > > > On Wed, Aug 21, 2019 at 5:21 AM Salmaan Rashid Syed
> > > > <salmaan.ras...@mroads.com> wrote:
> > > > >
> > > > > Hi Jason,
> > > > >
> > > > > Thanks for your prompt reply.
> > > > >
> > > > > Your code does address a few of my concerns, like restricting *solr-user* from
> > > > > accessing the dashboard and from executing other request methods apart from
> > > > > *"update"* and *"read"*.
> > > > >
> > > > > But I am still able to access other collections such as *"Collection3",
> > > > > "Collection4"* and so on, apart from the intended two collections entered in
> > > > > the code. I can give *"update"* and *"read"* requests to these external
> > > > > collections, which solr-user should not be able to do.
> > > > >
> > > > > Moreover, solr-user can look at the
> > > > > *http://localhost:8983/solr/admin/authentication* link, which lists the
> > > > > users and their *SHA256* coded passwords. How can I hide this and restrict
> > > > > access to other collections?
> > > > >
> > > > > Thanks and regards,
> > > > > Salmaan
> > > > >
> > > > > On Wed, Aug 21, 2019 at 5:07 AM Jason Gerlowski <gerlowsk...@gmail.com> wrote:
> > > > >
> > > > > > Hi Salmaan,
> > > > > >
> > > > > > Solr's RuleBasedAuthorizationPlugin allows requests through if none of
> > > > > > the specified permissions apply. I think that's what you're running
> > > > > > into in your example above. If you want to lock down a particular API
> > > > > > (or set of APIs) then you need to explicitly add a permission that
> > > > > > restricts those APIs to a particular role.
> > > > > >
> > > > > > One way to get the behavior that it sounds like you're looking for
> > > > > > would be to add a catch-all permission at the bottom of your
> > > > > > permissions list that restricts all other APIs to "admin". This would
> > > > > > look a bit like:
> > > > > >
> > > > > > "permissions":[
> > > > > >   {
> > > > > >     "name":"security-edit",
> > > > > >     "role":"admin"
> > > > > >   },
> > > > > >   {
> > > > > >     "collection": ["Collection1", "Collection2"],
> > > > > >     "name": ["update", "read"],
> > > > > >     "role": "dev"
> > > > > >   },
> > > > > >   {
> > > > > >     "name": "all",
> > > > > >     "role": "admin"
> > > > > >   }
> > > > > > ]
> > > > > >
> > > > > > Hope that helps get you started.
> > > > > >
> > > > > > Best,
> > > > > >
> > > > > > Jason
> > > > > >
> > > > > > On Tue, Aug 20, 2019 at 3:19 AM Salmaan Rashid Syed
> > > > > > <salmaan.ras...@mroads.com> wrote:
> > > > > > >
> > > > > > > Hi Solr Users,
> > > > > > >
> > > > > > > I want to create a user that has restricted access to Solr. I did
> > > > > > > the following:
> > > > > > >
> > > > > > > {
> > > > > > >   "authentication":{
> > > > > > >     "blockUnknown": true,
> > > > > > >     "class":"solr.BasicAuthPlugin",
> > > > > > >     "credentials":{
> > > > > > >       "solr-admin": "2IUJD9dxRhxSXaJGdMP5z8ggSn4I285Ty9GCWeRNMUg= /sSNJJufPtj4baRizoJshJawFsWvopvZSqZpQ/Nwd78=",
> > > > > > >       "solr-user": "p+XwOh15p/rvFltv2LXP1CwtbvwBgGlC9qcDKxV73B4= DcNsjfA6Wf16V1XKT+YraosSFQ5Cr3eRUX6BQnx9XKA="
> > > > > > >     }
> > > > > > >   },
> > > > > > >   "authorization":{
> > > > > > >     "class":"solr.RuleBasedAuthorizationPlugin",
> > > > > > >     "user-role":{"solr-admin":"admin", "solr-user":"dev"},
> > > > > > >     "permissions":[
> > > > > > >       {
> > > > > > >         "name":"security-edit",
> > > > > > >         "role":"admin"
> > > > > > >       },
> > > > > > >       {
> > > > > > >         "collection": ["Collection1", "Collection2"],
> > > > > > >         "name": ["update", "read"],
> > > > > > >         "role": "dev"
> > > > > > >       }
> > > > > > >     ]
> > > > > > >   }
> > > > > > > }
> > > > > > >
> > > > > > > But when I log into the Solr admin dashboard using solr-user
> > > > > > > credentials, I can read, select, write, update, delete collections and do all
> > > > > > > sorts of things like a solr-admin can do.
> > > > > > >
> > > > > > > I want solr-user to be able to access only *Collection1* and *Collection2*
> > > > > > > and be able to only *update* and *read*. He should not be able to access
> > > > > > > other collections or do anything apart from the above mentioned role.
> > > > > > >
> > > > > > > Where am I exactly going wrong?
> > > > > > >
> > > > > > > Thanks and Regards,
> > > > > > > Salmaan
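As an added example, not code from this thread or from the Solr project, the Python script below generates a security.json carrying the workaround Jason describes for SOLR-13355 and audits any security.json against the same checklist: every predefined permission pinned to the "admin" role, a trailing "all" rule, and non-admin rules scoped to explicit collections and placed ahead of the admin rules that share their name (Solr evaluates permissions in order, first match wins, so a dev "read" rule placed after an admin "read" rule is never reached). The predefined permission names are the ones listed in the thread; the credential strings are placeholders and the rest of the configuration (user names, roles, collection names) is assumed from the first message.

```python
import json

# Predefined permission names from the workaround in the thread (Solr 7.x).
PREDEFINED = [
    "security-edit", "security-read",
    "schema-edit", "schema-read",
    "config-edit", "config-read",
    "core-admin-edit", "core-admin-read",
    "collection-api-edit", "collection-api-read",
    "read", "update",
]


def _as_list(value):
    """Solr accepts a string or a list for 'name', 'role' and 'collection'."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def build_security_json(credentials, user_roles, dev_role, dev_collections):
    """Return a security.json dict with the SOLR-13355 workaround applied.

    The dev rules come first: Solr takes the first matching permission, so
    they must precede the admin-only rules carrying the same names.
    """
    permissions = [
        {"name": name, "collection": list(dev_collections), "role": dev_role}
        for name in ("update", "read")
    ]
    permissions += [{"name": p, "role": "admin"} for p in PREDEFINED]
    permissions.append({"name": "all", "role": "admin"})  # catch-all, last
    return {
        "authentication": {
            "blockUnknown": True,
            "class": "solr.BasicAuthPlugin",
            "credentials": dict(credentials),
        },
        "authorization": {
            "class": "solr.RuleBasedAuthorizationPlugin",
            "user-role": dict(user_roles),
            "permissions": permissions,
        },
    }


def audit(security):
    """Return a list of findings; an empty list means the checklist passes."""
    findings = []
    if security.get("authentication", {}).get("blockUnknown") is not True:
        findings.append("blockUnknown is not true: unauthenticated requests get through")
    perms = security.get("authorization", {}).get("permissions", [])
    by_name = {}
    for pos, rule in enumerate(perms):
        for name in _as_list(rule.get("name")):
            by_name.setdefault(name, []).append((pos, rule))

    def admin_only(rule):
        return _as_list(rule.get("role")) == ["admin"] and not rule.get("collection")

    # 1. Each predefined permission needs an unscoped admin-only rule; otherwise
    #    'all' is never consulted for that API on affected versions (SOLR-13355).
    for name in PREDEFINED:
        if not any(admin_only(r) for _, r in by_name.get(name, [])):
            findings.append(f"predefined permission '{name}' is not locked to admin")
    # 2. A catch-all 'all' -> admin rule must exist and be the last rule.
    all_rules = by_name.get("all", [])
    if not all_rules:
        findings.append("no 'all' rule: any API not named above is allowed")
    elif all_rules[-1][0] != len(perms) - 1:
        findings.append("'all' rule is not the last permission")
    # 3. Non-admin rules must name explicit collections and must not sit behind
    #    an admin rule of the same name, which would shadow them.
    for name, rules in by_name.items():
        first_admin = min((pos for pos, r in rules if admin_only(r)), default=None)
        for pos, rule in rules:
            if admin_only(rule):
                continue
            roles = ",".join(_as_list(rule.get("role")))
            if not rule.get("collection"):
                findings.append(f"rule {pos} ('{name}' for {roles}) is not scoped to collections")
            if first_admin is not None and pos > first_admin:
                findings.append(f"rule {pos} ('{name}' for {roles}) is shadowed by admin rule {first_admin}")
    return findings


PLACEHOLDER_CREDS = {"solr-admin": "<hash> <salt>", "solr-user": "<hash> <salt>"}  # constructed

# The permissions from the first message of the thread, for comparison.
ORIGINAL = {
    "authentication": {"blockUnknown": True, "class": "solr.BasicAuthPlugin",
                       "credentials": PLACEHOLDER_CREDS},
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "user-role": {"solr-admin": "admin", "solr-user": "dev"},
        "permissions": [
            {"name": "security-edit", "role": "admin"},
            {"collection": ["Collection1", "Collection2"], "name": ["update", "read"], "role": "dev"},
        ],
    },
}

FIXED = build_security_json(PLACEHOLDER_CREDS, {"solr-admin": "admin", "solr-user": "dev"},
                            dev_role="dev", dev_collections=["Collection1", "Collection2"])

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(f"{label}: {audit(cfg) or ['OK']}")
    print(json.dumps(FIXED, indent=2))
```

Run against the thread's original configuration the audit reports the eleven predefined permissions with no admin rule plus the missing "all" rule; the generated configuration passes. Locking "security-read" to admin is also what keeps non-admin users from reading the /admin/authentication listing that Salmaan noticed, since that endpoint is covered by the security-read permission.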