Hi Salmaan,

Are you still seeing this behavior, or were you able to figure things out?

I just got a chance to try out the security.json in Solr 7.6 myself,
and I can't reproduce the behavior you're seeing.

It might be helpful to level set here.  Make sure that our
security.json settings and our test requests are exactly the same.

This is the security.json I used in my test deployment:

{
  "authentication":{
   "blockUnknown": true,
   "class":"solr.BasicAuthPlugin",
   "credentials":{
     "solr":"gP31s0FQevh3k0i0y6g9AP/TZLWctxfZjtC9sOh8vZU= J7an406gVyx4v4CkR8YLgmhClk9Yv/fIBSfZoi1f0kY=",
     "solr-user":"gP31s0FQevh3k0i0y6g9AP/TZLWctxfZjtC9sOh8vZU= J7an406gVyx4v4CkR8YLgmhClk9Yv/fIBSfZoi1f0kY="
   }
  },
  "authorization":{
   "class":"solr.RuleBasedAuthorizationPlugin",
   "permissions":[
      {"name": "dev-read", "collection": ["collection1", "collection2"], "role": ["dev", "admin"] },
      {"name": "security-edit", "role": "admin"},
      {"name": "security-read", "role": "admin"},
      {"name": "schema-edit", "role": "admin"},
      {"name": "schema-read", "role": "admin"},
      {"name": "config-edit", "role": "admin"},
      {"name": "config-read", "role": "admin"},
      {"name": "core-admin-edit", "role": "admin"},
      {"name": "core-admin-read", "role": "admin"},
      {"name": "collection-api-edit", "role": "admin"},
      {"name": "collection-api-read", "role": "admin"},
      {"name": "read", "role": "admin"},
      {"name": "update", "role": "admin"},
      {"name": "all", "role": "admin"}
   ],
   "user-role":{
     "solr":"admin",
     "solr-user": "dev"
   }
  }
}

And this is the output of a script I use to test permissions quickly:

$ ./test-security.sh

Testing permissions for user [solr]
    Request [/admin/collections?action=LIST] returned status [200]
    Request [/collection1/select?q=*:*] returned status [200]
    Request [/collection2/select?q=*:*] returned status [200]
    Request [/collection3/select?q=*:*] returned status [200]

Testing permissions for user [solr-user]
    Request [/admin/collections?action=LIST] returned status [403]
    Request [/collection1/select?q=*:*] returned status [200]
    Request [/collection2/select?q=*:*] returned status [200]
    Request [/collection3/select?q=*:*] returned status [403]

You can find this script here, to see the exact curl commands being
used and run it yourself: https://paste.apache.org/tjtdg

That output looks correct to me.  solr-user is prevented from
accessing other APIs and other collections, but can access collection1
and collection2.

Does your security.json match mine, or do the permissions differ in
some way?  Can you still reproduce the behavior using my script?

Good luck,

Jason
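For anyone who wants the same kind of check without a live cluster, here is an added example (mine, not Jason's test-security.sh and not Solr code). It does two things the thread asks for: it lints a security.json against the SOLR-13355 workaround described earlier (an explicit rule for every predefined permission, the "all" catch-all as the last rule, every granted role actually held by some user, blockUnknown set), and it diffs a user/request status matrix against the expected statuses copied from the test output above. SECURITY_DOC is a constructed copy of the security.json in this message with the hashes replaced by placeholders, the passwords in USERS are made up, and FakeSolr is a constructed stand-in that reproduces the behaviour Salmaan reported (admin paths denied, every collection readable) so the mismatch report has something to find; live_status is the fetcher to pass when you point it at a real node.

```python
# Added example for this thread, not Jason's test-security.sh and not Solr code:
# lint a security.json against the SOLR-13355 workaround and diff a permission matrix.
import base64
import urllib.error
import urllib.request

# Predefined permission names Jason listed as the 7.6 workaround, "all" last.
PREDEFINED_PERMISSIONS = [
    "security-edit", "security-read", "schema-edit", "schema-read",
    "config-edit", "config-read", "core-admin-edit", "core-admin-read",
    "collection-api-edit", "collection-api-read", "read", "update", "all",
]

# Constructed copy of the thread's security.json; "HASH SALT" stands in for real hashes.
SECURITY_DOC = {
    "authentication": {
        "blockUnknown": True,
        "class": "solr.BasicAuthPlugin",
        "credentials": {"solr": "HASH SALT", "solr-user": "HASH SALT"},
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [{"name": "dev-read", "collection": ["collection1", "collection2"],
                         "role": ["dev", "admin"]}]
                       + [{"name": n, "role": "admin"} for n in PREDEFINED_PERMISSIONS],
        "user-role": {"solr": "admin", "solr-user": "dev"},
    },
}

# Expected statuses copied from the test-security.sh output above; passwords are made up.
EXPECTED = {
    "solr": {"/admin/collections?action=LIST": 200, "/collection1/select?q=*:*": 200,
             "/collection2/select?q=*:*": 200, "/collection3/select?q=*:*": 200},
    "solr-user": {"/admin/collections?action=LIST": 403, "/collection1/select?q=*:*": 200,
                  "/collection2/select?q=*:*": 200, "/collection3/select?q=*:*": 403},
}
USERS = {"solr": "SolrRocks", "solr-user": "devpass"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_security_json(doc):
    """Return a list of problems; an empty list means the file follows the workaround."""
    problems = []
    authz = doc.get("authorization", {})
    perms = authz.get("permissions", [])
    names = [n for p in perms for n in _as_list(p.get("name"))]
    if not doc.get("authentication", {}).get("blockUnknown"):
        problems.append("blockUnknown is not true: unauthenticated requests are let through")
    for required in PREDEFINED_PERMISSIONS:
        if required not in names:
            problems.append(f"no explicit rule for predefined permission {required!r}")
    if not names or names[-1] != "all":
        problems.append("the 'all' catch-all is not the last rule")
    held = {r for roles in authz.get("user-role", {}).values() for r in _as_list(roles)}
    for p in perms:
        for role in _as_list(p.get("role", [])):
            if role not in held:
                problems.append(f"rule {p.get('name')!r} grants role {role!r} that no user holds")
    return problems

def basic_auth(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def live_status(base_url, path, headers):
    """Fetcher for a real node: GET base_url + path and return the HTTP status code."""
    req = urllib.request.Request(base_url + path, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

class FakeSolr:
    """Constructed stand-in for the node Salmaan described (dev kept out of /admin/*
    but able to read every collection). Nothing here models real Solr rule matching."""
    def __init__(self, users):
        self.user_by_header = {basic_auth(u, p)["Authorization"]: u for u, p in users.items()}

    def __call__(self, base_url, path, headers):
        user = self.user_by_header.get(headers.get("Authorization"))
        if user is None:
            return 401
        return 200 if user == "solr" or not path.startswith("/admin/") else 403

def check_matrix(users, expected, fetch, base_url="http://localhost:8983/solr"):
    """Return (user, path, expected, actual) for every request whose status differs."""
    mismatches = []
    for user, password in users.items():
        headers = basic_auth(user, password)
        for path, want in expected[user].items():
            got = fetch(base_url, path, headers)
            if got != want:
                mismatches.append((user, path, want, got))
    return mismatches

if __name__ == "__main__":
    print("lint:", lint_security_json(SECURITY_DOC) or "ok")
    for user, path, want, got in check_matrix(USERS, EXPECTED, FakeSolr(USERS)):
        print(f"MISMATCH user [{user}] request [{path}] expected [{want}] got [{got}]")
```

Run as-is it lints the constructed config clean and reports the one row where FakeSolr lets solr-user read collection3. Against a real node, call check_matrix(USERS, EXPECTED, live_status, base_url=...) with your real passwords; the tuple list tells you exactly which request the rules let through, which is the question this thread keeps circling back to.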

On Thu, Aug 22, 2019 at 2:13 AM Salmaan Rashid Syed
<salmaan.ras...@mroads.com> wrote:
>
> Hi,
>
> Any suggestions as to what can be done?
>
> Regards,
> Salmaan
>
>
> On Wed, Aug 21, 2019 at 4:33 PM Jason Gerlowski <gerlowsk...@gmail.com>
> wrote:
>
> > Ah, ok.  SOLR-13355 still affects 7.6, so that explains why you're
> > seeing this behavior.
> >
> > You could upgrade to get the new behavior, but you don't need to;
> > there's a workaround.  You just need to add a few extra rules to your
> > security.json.  The problem in SOLR-13355 is that the "all" permission
> > isn't being considered for APIs that are covered by other predefined
> > permissions.  So the workaround is to add a permission rule for each
> > of the predefined permissions, locking them down to the "admin" role.
> > It really bloats security.json, but should do the job.  So your
> > security.json should have a permissions section that looks like the
> > JSON below:
> >
> > {"name": "dev-read", "collection": ["collection1", "collection2"],
> > "role": "dev"},
> > {"name": "security-edit", "role": "admin"},
> > {"name": "security-read", "role": "admin"},
> > {"name": "schema-edit", "role": "admin"},
> > {"name": "schema-read", "role": "admin"},
> > {"name": "config-edit", "role": "admin"},
> > {"name": "config-read", "role": "admin"},
> > {"name": "core-admin-edit", "role": "admin"},
> > {"name": "core-admin-read", "role": "admin"},
> > {"name": "collection-api-edit", "role": "admin"},
> > {"name": "collection-api-read", "role": "admin"},
> > {"name": "read", "role": "admin"},
> > {"name": "update", "role": "admin"},
> > {"name": "all", "role": "admin"}
> >
> > Hope that helps.  Let me know if that still has any problems for you.
> >
> > Jason
> >
> > On Wed, Aug 21, 2019 at 6:48 AM Salmaan Rashid Syed
> > <salmaan.ras...@mroads.com> wrote:
> > >
> > > Hi Jason,
> > >
> > > Is there a way to fix this in version 7.6?
> > >
> > > Or is it mandatory to upgrade to other versions?
> > >
> > > If I have to upgrade to a higher version, then what is the best way to do
> > > this without affecting the current configuration and indexed data?
> > >
> > > Thanks,
> > > Salmaan
> > >
> > >
> > >
> > > On Wed, Aug 21, 2019 at 4:13 PM Salmaan Rashid Syed <salmaan.ras...@mroads.com> wrote:
> > >
> > > > Hi Jason,
> > > >
> > > > I am using version 7.6 of Solr.
> > > >
> > > > Thanks,
> > > > Salmaan
> > > >
> > > >
> > > >
> > > > On Wed, Aug 21, 2019 at 4:12 PM Jason Gerlowski <gerlowsk...@gmail.com> wrote:
> > > >
> > > >> The "all" permissions _should_ block solr-user from accessing all of
> > > >> those resources, and I believe it does in newer versions of Solr.
> > > >> There was a bug with it that was fixed a few versions back though; it
> > > >> sounds like you might be running into that. (see
> > > >> https://issues.apache.org/jira/browse/SOLR-13355) What version of Solr
> > > >> are you using?
> > > >>
> > > >> Jason
> > > >>
> > > >>
> > > >>
> > > >> On Wed, Aug 21, 2019 at 5:21 AM Salmaan Rashid Syed
> > > >> <salmaan.ras...@mroads.com> wrote:
> > > >> >
> > > >> > Hi Jason,
> > > >> >
> > > >> > Thanks for your prompt reply.
> > > >> >
> > > >> > Your code does address a few of my concerns like restricting *solr-user*
> > > >> > from accessing the dashboard and from executing other request methods
> > > >> > apart from *"update"* and *"read"*.
> > > >> >
> > > >> > But I am still able to access other collections such as *"Collection3",
> > > >> > "Collection4"* and so on, apart from the intended two collections
> > > >> > entered in the code. I can give *"update"* and *"read"* requests to these
> > > >> > external Collections which solr-user should not be able to do.
> > > >> >
> > > >> > Moreover solr-user can look at the
> > > >> > *http://localhost:8983/solr/admin/authentication* link which lists the
> > > >> > users and their *SHA256* coded passwords. How can I hide this and
> > > >> > restrict access to other collections?
> > > >> >
> > > >> > Thanks and regards
> > > >> > Salmaan
> > > >> >
> > > >> >
> > > >> > On Wed, Aug 21, 2019 at 5:07 AM Jason Gerlowski <gerlowsk...@gmail.com>
> > > >> > wrote:
> > > >> >
> > > >> > > Hi Salmaan,
> > > >> > >
> > > >> > > Solr's RuleBasedAuthorizationPlugin allows requests through if none of
> > > >> > > the specified permissions apply.  I think that's what you're running
> > > >> > > into in your example above.  If you want to lock down a particular API
> > > >> > > (or set of APIs) then you need to explicitly add a permission that
> > > >> > > restricts those APIs to a particular role.
> > > >> > >
> > > >> > > One way to get the behavior that it sounds like you're looking for
> > > >> > > would be to add a catch-all permission at the bottom of your
> > > >> > > permissions list that restricts all other APIs to "admin".  This would
> > > >> > > look a bit like:
> > > >> > >
> > > >> > >  "permissions":[
> > > >> > >     {
> > > >> > >         "name":"security-edit",
> > > >> > >         "role":"admin"
> > > >> > >     },
> > > >> > >     {
> > > >> > >         "collection": ["Collection1", "Collection2"],
> > > >> > >         "name": ["update", "read"],
> > > >> > >         "role": "dev"
> > > >> > >     },
> > > >> > >     {
> > > >> > >         "name": "all",
> > > >> > >         "role": "admin"
> > > >> > >     }
> > > >> > > ]
> > > >> > >
> > > >> > > Hope that helps get you started.
> > > >> > >
> > > >> > > Best,
> > > >> > >
> > > >> > > Jason
> > > >> > >
> > > >> > > On Tue, Aug 20, 2019 at 3:19 AM Salmaan Rashid Syed
> > > >> > > <salmaan.ras...@mroads.com> wrote:
> > > >> > > >
> > > >> > > > Hi Solr Users,
> > > >> > > >
> > > >> > > > I want to create a user that has restricted access to Solr. I did
> > > >> > > > the following:
> > > >> > > >
> > > >> > > >
> > > >> > > > {
> > > >> > > >   "authentication":{
> > > >> > > >     "blockUnknown": true,
> > > >> > > >     "class":"solr.BasicAuthPlugin",
> > > >> > > >     "credentials":{
> > > >> > > >       "solr-admin":"2IUJD9dxRhxSXaJGdMP5z8ggSn4I285Ty9GCWeRNMUg= /sSNJJufPtj4baRizoJshJawFsWvopvZSqZpQ/Nwd78=",
> > > >> > > >       "solr-user":"p+XwOh15p/rvFltv2LXP1CwtbvwBgGlC9qcDKxV73B4= DcNsjfA6Wf16V1XKT+YraosSFQ5Cr3eRUX6BQnx9XKA="
> > > >> > > >     }
> > > >> > > >   },
> > > >> > > >   "authorization":{
> > > >> > > >     "class":"solr.RuleBasedAuthorizationPlugin",
> > > >> > > >     "user-role":{"solr-admin":"admin", "solr-user":"dev"},
> > > >> > > >     "permissions":[
> > > >> > > >       {
> > > >> > > >         "name":"security-edit",
> > > >> > > >         "role":"admin"
> > > >> > > >       },
> > > >> > > >       {
> > > >> > > >         "collection": ["Collection1", "Collection2"],
> > > >> > > >         "name": ["update", "read"],
> > > >> > > >         "role": "dev"
> > > >> > > >       }
> > > >> > > >     ]
> > > >> > > >   }
> > > >> > > > }
> > > >> > > >
> > > >> > > >
> > > >> > > > But when I log into the Solr admin dashboard using solr-user
> > > >> > > > credentials, I can read, select, write, update, delete collections and
> > > >> > > > do all sorts of things like a solr-admin can do.
> > > >> > > >
> > > >> > > > I want solr-user to be able to access only *Collection1* and
> > > >> > > > *Collection2* and be able to only *update* and *read*. He should not
> > > >> > > > be able to access other collections and do anything apart from the
> > > >> > > > above mentioned role.
> > > >> > > >
> > > >> > > > Where am I exactly going wrong?
> > > >> > > >
> > > >> > > > Thanks and Regards,
> > > >> > > > Salmaan
> > > >> > >
> > > >>
> > > >
> >
