Hi, Everything is fine, the problem was in my code, I have another question
Is one Thread1 used when calling the doAuthenticate method and when calling the interceptInternodeRequest method? And show the code where exactly this happens! Thank you 😊

Tue, 4 Apr 2023, 14:35 Jan Høydahl <[email protected]>:

> I think the way forward here is to create a minimal re-production example
> for others to try.
> Ideally using a setup with basic auth, you could help us reproduce with a
> script like this:
>
> Copy my-security.json into current folder
> bin/solr start -c (or using docker)
> solr create -c coll1
> solr create -c coll2
> solr create -c coll3
> # Enable security with custom config
> bin/solr zk cp my-security.json zk:/security.json
>
> Browse to http://localhost:8983 and login with user 'foo'
>
> Verify that user 'foo' can search collection coll1:
> curl "http://localhost:8983/solr/coll1/select?q=*:*"
>
> Verify that user 'foo' cannot search collection coll2:
> curl "http://localhost:8983/solr/coll2/select?q=*:*"
>
> Jan
>
> > On 4 Apr 2023, at 12:27, MEXANIK <[email protected]> wrote:
> >
> > Jan, Hi!!
> >
> > I have such a problem that out of 5 collections, 2 of them can be read
> > using the john_sl user with admin_x accesses. But if the "admin_rwx"
> > accesses are taken away from the "admin" user, then the john_sl user will
> > not be able to read 2 collections previously available for reading ...
> > How is this to be understood? Any ideas?
> >
> > Mon, 3 Apr 2023, 23:34 Jan Høydahl <[email protected]>:
> >
> >> Hi,
> >>
> >> I recommend reading the docs thoroughly and then clean up your config
> >> somewhat:
> >> https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html
> >>
> >> Solr's authz works differently than most other RBAC products. You may be
> >> confused by order of evaluation, which is a bit upside down.
> >>
> >> Solr does NOT start with the user's role and then evaluate what
> >> paths/permissions he can do.
> >> On the contrary, Solr starts with the request path, e.g.
> >> <collection>/select, then hunts through your permissions:[] array
> >> top-to-bottom to find ONE SINGLE permission that matches the path (and
> >> optionally collection name), and once it finds that permission, it will
> >> check that the user has one of the roles listed in that permission (or
> >> "all").
> >>
> >> Also, if you do not list every single path or predefined permission, then
> >> any path not listed will be allowed by default, which is scary. It is
> >> common practice to have an "all" permission at the very end, and have that
> >> one require some kind of admin role. Looks like you have that.
> >>
> >> In your security.json you list a "read" permission several times, and also
> >> other permissions several times. Solr will only consider the FIRST which
> >> satisfies the request. So make sure to place the more specific and
> >> restrictive permissions on top, and then you can have "fall-through"
> >> permissions near the end.
> >>
> >> I also see that you use a custom Auth plugin, but I assume that one works.
> >> If you face continued problems I recommend creating a reproduction case
> >> with BasicAuth and as few roles/permissions as possible to reproduce your
> >> issue. Then others can try out your config and help you find flaws.
> >>
> >> Jan
> >>
> >>> On 3 Apr 2023, at 12:24, MEXANIK <[email protected]> wrote:
> >>>
> >>> Jan, Hi, Thank you
> >>>
> >>> Need more information so you can help?
> >>>
> >>> Fri, 31 Mar 2023, 12:16 MEXANIK <[email protected]>:
> >>>
> >>>> Sorry, test1Collection*
> >>>>
> >>>> Thu, 30 Mar 2023, 17:14 MEXANIK <[email protected]>:
> >>>>
> >>>>> When you send a read request for the test2Collection collection, the logs
> >>>>> do not display as a collection, and I get 10 entries with admin_x rights
> >>>>>
> >>>>> attached log with description
> >>>>>
> >>>>> Wed, 29 Mar 2023, 16:39 Jan Høydahl <[email protected]>:
> >>>>>
> >>>>>> Permissions are evaluated in order from top to bottom.
> >>>>>> The first "read" permission found requires roles "admin_ro",
> >>>>>> "admin_rwx", "solr-internal-traffic", so that should be selected.
> >>>>>>
> >>>>>> Do you have any logs that can shed light over what happens?
> >>>>>>
> >>>>>> Jan
> >>>>>>
> >>>>>>> On 29 Mar 2023, at 14:27, MEXANIK <[email protected]> wrote:
> >>>>>>>
> >>>>>>> I logged in using the john_sl user in Solr UI, and sent a request to read
> >>>>>>> the collection, but I can read some of the collections, but I don't want
> >>>>>>> them to be read.
> >>>>>>>
> >>>>>>> If I replace the admin user's rights from admin_rwx to admin_x, then the
> >>>>>>> john_sl user can't read either
> >>>>>>>
> >>>>>>> How do I make it so that john_sl cannot read collections with admin_x
> >>>>>>> rights, but at the same time so that the admin user has admin_rwx rights??
> >>>>>>>
> >>>>>>> Help!!
> >>>>>>>
> >>>>>>> Example security.json http://replit.com/@irkuev666/Test#data.json
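
The evaluation order Jan describes in the quoted 3 Apr reply (match on the request path, let the first matching permission decide, allow any path nothing matches), as an added example that is not part of the thread and not Solr's code: a simplified Python model. The role and user names come from the thread; the rule lists, the collection names used in them and the path subset assumed for "read" are constructed.

```python
# Simplified model of the evaluation order described in the thread.
# Not Solr's implementation; rule lists and path sets are constructed.
READ_PATHS = {"/select", "/get"}   # assumed subset of what "read" covers

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def authorize(permissions, user_roles, user, collection, path):
    """Return (decision, index of the deciding permission or None)."""
    roles = set(user_roles.get(user, []))
    for i, perm in enumerate(permissions):
        # Step 1: does this permission cover the request path?
        if perm["name"] == "read" and path not in READ_PATHS:
            continue
        # Step 2: optional collection restriction.
        if "collection" in perm and collection not in as_list(perm["collection"]):
            continue
        # Step 3: first match decides; nothing below it is consulted.
        allowed = bool(roles & set(as_list(perm["role"])))
        return ("allow" if allowed else "deny", i)
    return ("allow", None)  # no permission matched: allowed by default

USER_ROLES = {"admin": ["admin_rwx"], "john_sl": ["admin_x"]}

# Broad "read" listed first: the coll2 restriction below it is never reached.
MISORDERED = [
    {"name": "read", "role": ["admin_ro", "admin_rwx", "admin_x"]},
    {"name": "read", "collection": "coll2", "role": ["admin_rwx"]},
    {"name": "all", "role": ["admin_rwx"]},
]
# Specific, restrictive permission on top; fall-through "all" at the end.
ORDERED = [MISORDERED[1], MISORDERED[0], MISORDERED[2]]

if __name__ == "__main__":
    for label, rules in (("misordered", MISORDERED), ("ordered", ORDERED)):
        for coll in ("coll1", "coll2"):
            print(label, coll, authorize(rules, USER_ROLES, "john_sl", coll, "/select"))
    # Without the trailing "all" permission an unlisted path falls through.
    print(authorize(ORDERED[:2], USER_ROLES, "john_sl", "coll1", "/update"))
```

The returned index shows which entry decided the request, which is the first thing to check when a user can read a collection that a later, stricter permission was meant to protect.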
