Hi Jason,

thank you for your reply. I'm sorry I didn't see it before, I was going to write the same answer that you posted.

I checked the source code of the Authorization Plugin and the problem is the distinction between core and collections (in standalone mode and Solr cloud respectively). In fact, RuleBasedAuthorizationPlugin just checks for collections, which are not defined in Solr standalone mode.

I think that I was wrong in saying that everything was working because I probably didn't check if I was denied to do some specific operations and I only checked what I was allowed to do (since before I was denied to do any operation).

Thank you again for your support.

Kind regards,
Luca

On 2021/05/10 17:06:25, Jason Gerlowski <[email protected]> wrote:
> Hi Luca,
>
> Your permissions look correct, generally speaking. What version of Solr
> are you running?
>
> There are some known problems using the RuleBasedAuthorizationPlugin in
> standalone mode - see https://issues.apache.org/jira/browse/SOLR-13097 for
> more details. Normally I would suspect that you're running into those, but
> it seems like you're saying that without the "all" permission then your
> other collection-specific permissions work just fine?
>
> Best,
>
> Jason
>
> On Thu, Apr 29, 2021 at 2:34 PM Luca Fregolon <[email protected]> wrote:
>
> > Hello,
> > I am trying to configure Solr authentication using Basic
> > Authentication and Role Based Authorization. I've been facing issues
> > configuring the authorization part, while the authentication part
> > works fine. My goal is to define three groups, containing one user
> > each. One user (chatbot) should have read permission on all
> > collections and should be able to write on only one collection.
> > Another user should have read permissions on all the collections and
> > write permissions on all the collections but one, which is the one the
> > other user is allowed to write on.
> > Then there is a user (superadmin) that should be able to do everything.
> >
> > I am using Solr 8, in standalone mode.
> > I tried to write the following security.json file but every request
> > made by chatbot and console users gets rejected and the log points out
> > that superadmin is the only group allowed to perform the request.
> > If I delete the "all" rule, everything works as supposed to but I
> > cannot have a privileged user. This, in my opinion, seems not coherent
> > with what is written in the reference guide about the permission
> > priority (
> > https://solr.apache.org/guide/8_8/rule-based-authorization-plugin.html).
> > I did a lot of research before posting here but I didn't find any
> > solutions, so I would appreciate any help to sort it out.
> >
> > {
> >   "authentication": {
> >     "class": "solr.BasicAuthPlugin",
> >     "blockUnknown": true,
> >     "credentials": {
> >       "superadmin-user":"...",
> >       "chatbot-user":"...",
> >       "console-user":"..."
> >     }
> >   },
> >   "authorization": {
> >     "class": "solr.RuleBasedAuthorizationPlugin",
> >     "user-role": {
> >       "chatbot-user": "chatbot",
> >       "console-user": "console",
> >       "superadmin-user": "superadmin"
> >     },
> >     "permissions": [
> >       {"collection":["col1", "col2", "col3", "col4", "col5"],
> >        "role":["chatbot","console"], "path":"/select"},
> >       {"collection":"col5", "role":"chatbot", "path":"/update"},
> >       {"collection":["col1", "col2", "col3", "col4"],
> >        "role":"console", "path":"/update"},
> >       {"name":"all", "role":"superadmin"}
> >     ]
> >   }
> > }
> >
> > Luca
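
An added example, not part of the thread and not Solr's code: a simplified model of the rule evaluation discussed above, run against the permissions from the quoted security.json. It assumes, as the thread concludes, that collection-scoped rules never match in standalone mode, and it assumes that a request matching no rule is let through; the function names are hypothetical and predefined permission names other than "all" are not modelled.

```python
import copy
import json

# Constructed sample: the authorization block from the security.json quoted above.
SECURITY_JSON = """
{"authorization": {
  "user-role": {"chatbot-user": "chatbot", "console-user": "console",
                "superadmin-user": "superadmin"},
  "permissions": [
    {"collection": ["col1", "col2", "col3", "col4", "col5"],
     "role": ["chatbot", "console"], "path": "/select"},
    {"collection": "col5", "role": "chatbot", "path": "/update"},
    {"collection": ["col1", "col2", "col3", "col4"],
     "role": "console", "path": "/update"},
    {"name": "all", "role": "superadmin"}
  ]}}
"""
CONFIG = json.loads(SECURITY_JSON)

def as_list(value):
    return value if isinstance(value, list) else [value]

def scoped_rules(config):
    """Indexes of permissions that depend on a collection name."""
    perms = config["authorization"]["permissions"]
    return [i for i, p in enumerate(perms) if "collection" in p]

def decide(config, user, core, path, standalone=True):
    """Hypothetical, simplified evaluation: first matching rule decides."""
    authz = config["authorization"]
    roles = set(as_list(authz["user-role"].get(user, [])))
    for perm in authz["permissions"]:
        if "collection" in perm:
            # Assumption taken from the thread: standalone cores are not
            # collections, so a collection-scoped rule never matches there.
            if standalone or core not in as_list(perm["collection"]):
                continue
        if perm.get("name") != "all" and path not in as_list(perm.get("path", [])):
            continue
        return "allow" if roles & set(as_list(perm["role"])) else "deny"
    return "allow"  # assumption: a request that matches no rule is let through

def without_all(config):
    """Copy of the config with the catch-all "all" permission removed."""
    trimmed = copy.deepcopy(config)
    perms = trimmed["authorization"]["permissions"]
    perms[:] = [p for p in perms if p.get("name") != "all"]
    return trimmed
```

Under these assumptions the model reproduces both observations in the thread: with the "all" rule every chatbot and console request is denied, and without it nothing is denied at all, including writes the configuration was meant to block.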
