Hi Luca,

Your permissions look correct, generally speaking. What version of Solr are you running?

There are some known problems using the RuleBasedAuthorizationPlugin in standalone mode - see https://issues.apache.org/jira/browse/SOLR-13097 for more details. Normally I would suspect that you're running into those, but it seems like you're saying that without the "all" permission then your other collection-specific permissions work just fine?

Best,

Jason

On Thu, Apr 29, 2021 at 2:34 PM Luca Fregolon <[email protected]> wrote:

> Hello,
> I am trying to configure Solr authentication using Basic
> Authentication and Role Based Authorization. I've been facing issues
> configuring the authorization part, while the authentication part
> works fine. My goal is to define three groups, containing one user
> each. One user (chatbot) should have read permission on all
> collections and should be able to write on only one collection.
> Another user should have read permissions on all the collections and
> write permissions on all the collections but one, which is the one the
> other user is allowed to write on.
> Then there is a user (superadmin) that should be able to do everything.
>
> I am using Solr 8, in standalone mode.
> I tried to write the following security.json file but every request
> made by chatbot and console users gets rejected and the log points out
> that superadmin is the only group allowed to perform the request.
> If I delete the "all" rule, everything works as supposed to but I
> cannot have a privileged user. This, in my opinion, seems not coherent
> with what is written in the reference guide about the permission
> priority (
> https://solr.apache.org/guide/8_8/rule-based-authorization-plugin.html).
> I did a lot of research before posting here but I didn't find any
> solutions, so I would appreciate any help to sort it out.
>
> {
>   "authentication": {
>     "class": "solr.BasicAuthPlugin",
>     "blockUnknown": true,
>     "credentials": {
>       "superadmin-user":"...",
>       "chatbot-user":"...",
>       "console-user":"..."
>     }
>   },
>   "authorization": {
>     "class": "solr.RuleBasedAuthorizationPlugin",
>     "user-role": {
>       "chatbot-user": "chatbot",
>       "console-user": "console",
>       "superadmin-user": "superadmin"
>     },
>     "permissions": [
>       {"collection":["col1", "col2", "col3", "col4", "col5"],
>        "role":["chatbot","console"], "path":"/select"},
>       {"collection":"col5", "role":"chatbot", "path":"/update"},
>       {"collection":["col1", "col2", "col3", "col4"],
>        "role":"console", "path":"/update"},
>       {"name":"all", "role":"superadmin"}
>     ]
>   }
> }
>
> Luca
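
Added example, not part of the thread and not Solr's own code: a simplified first-match model of permission evaluation, run over the permissions quoted above to show which rule decides each request. It assumes list-order first-match, exact path comparison, and that a request matching no permission is allowed; `collection=None` stands for a request whose collection name was not resolved, which is only a hypothesis for the standalone case and matches rules without a `collection` key.

```python
import json

# Permissions from the security.json quoted in the thread (credentials omitted).
SECURITY_JSON = """
{"authorization": {"permissions": [
  {"collection": ["col1", "col2", "col3", "col4", "col5"],
   "role": ["chatbot", "console"], "path": "/select"},
  {"collection": "col5", "role": "chatbot", "path": "/update"},
  {"collection": ["col1", "col2", "col3", "col4"],
   "role": "console", "path": "/update"},
  {"name": "all", "role": "superadmin"}
]}}
"""
PERMS = json.loads(SECURITY_JSON)["authorization"]["permissions"]


def as_list(value):
    """collection, role and path may each be a single string or a list."""
    return value if isinstance(value, list) else [value]


def matches(perm, collection, path):
    """Simplified matching (assumption): a rule with a 'collection' key needs the
    request's collection in it; 'all' covers any path, others compare exactly."""
    if "collection" in perm and collection not in as_list(perm["collection"]):
        return False
    return perm.get("name") == "all" or path in as_list(perm.get("path", []))


def decide(permissions, role, collection, path):
    """Return (allowed, index of the deciding rule); the first match wins."""
    for index, perm in enumerate(permissions):
        if matches(perm, collection, path):
            return role in as_list(perm["role"]), index
    return True, None  # assumed default: no matching permission means allowed


def access_matrix(permissions, roles, collections, paths):
    """Expected decision for every (role, collection, path) combination."""
    return {(r, c, p): decide(permissions, r, c, p)[0]
            for r in roles for c in collections for p in paths}


if __name__ == "__main__":
    matrix = access_matrix(PERMS, ["chatbot", "console", "superadmin"],
                           ["col1", "col5", None], ["/select", "/update"])
    for (role, coll, path), ok in matrix.items():
        print(f"{role:<11}{str(coll):<6}{path:<8}{'allow' if ok else 'deny'}")
```

Under this model the `superadmin` role is denied `/select` on col1, because the first matching rule names only `chatbot` and `console`; with `collection=None` every rule except "all" is skipped, and dropping "all" leaves no matching rule at all.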
