[ https://issues.apache.org/jira/browse/SOLR-11089?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Suage 1981 updated SOLR-11089:
------------------------------
    Description: 
Expected behavior (as described in docs):
- Unauthenticated users should not get access to /admin/authentication and /admin/authorization

Demonstrated behavior:
- /admin/authentication and /admin/authorization are publicly available, so it looks like permissions are ignored totally:
{code}
2017-07-16T17:36:39.379Z [DEBUG] [org.apache.solr.servlet.SolrDispatchFilter#authenticateRequest] Request to authenticate: (GET /solr/admin/authorization)@2095474071 org.eclipse.jetty.server.Request@7ce66597, domain: 10.0.1.31, port: 8983
2017-07-16T17:36:39.379Z [DEBUG] [org.apache.solr.servlet.SolrDispatchFilter#doFilter] User principal: null
2017-07-16T17:36:39.380Z [DEBUG] [org.apache.solr.servlet.HttpSolrCall#call] AuthorizationContext : userPrincipal: [null] type: [ADMIN], collections: [], Path: [/admin/authorization] path : /admin/authorization params :
2017-07-16T17:36:39.380Z [DEBUG] [org.apache.solr.security.RuleBasedAuthorizationPlugin#checkPathPerm] No permissions configured for the resource /admin/authorization . So allowed to access
2017-07-16T17:36:39.380Z [INFO] [org.apache.solr.servlet.HttpSolrCall#handleAdminRequest] [admin] webapp=null path=/admin/authorization params={} status=0 QTime=0
{code}

{{zkcli -cmd get /security.json | grep -v '^2'|grep -v '^$'}}:
{code}
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "SOLR_TEST": "tiBhLoJSYJP1meUp7zgaiRXnZp52tXQM7PttV62CV5k= c2hhaXRodTFmdWxvaXBoOXVlbGFzaGk2T29nZWl5YWlQM2Y="
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [{
        "name": "security-read",
        "role": "administrator"
      }, {
        "name": "security-edit",
        "role": "administrator"
      }, {
        "name": "schema-edit",
        "role": "administrator"
      }, {
        "name": "config-edit",
        "role": "administrator"
      }, {
        "name": "collection-admin-edit",
        "role": "administrator"
      }, {
        "name": "collection-admin-read",
        "role": "administrator"
      }
    ],
    "user-role": {
      "SOLR_TEST": "administrator"
    }
  }
}
{code}



  was:
Expected behavior (as described in docs):
- Unauthenticated users should not get access to /admin/authentication and /admin/authorization

Demonstrated behavior:
- /admin/authentication and /admin/authorization are publicly available, so it looks like permissions are ignored totally:
{code}
2017-07-16T17:36:39.379Z [DEBUG] [org.apache.solr.servlet.SolrDispatchFilter#authenticateRequest] Request to authenticate: (GET /solr/admin/authorization)@2095474071 org.eclipse.jetty.server.Request@7ce66597, domain: 10.0.1.31, port: 8983
2017-07-16T17:36:39.379Z [DEBUG] [org.apache.solr.servlet.SolrDispatchFilter#doFilter] User principal: null
2017-07-16T17:36:39.380Z [DEBUG] [org.apache.solr.servlet.HttpSolrCall#call] AuthorizationContext : userPrincipal: [null] type: [ADMIN], collections: [], Path: [/admin/authorization] path : /admin/authorization params :
2017-07-16T17:36:39.380Z [DEBUG] [org.apache.solr.security.RuleBasedAuthorizationPlugin#checkPathPerm] No permissions configured for the resource /admin/authorization . So allowed to access
2017-07-16T17:36:39.380Z [INFO] [org.apache.solr.servlet.HttpSolrCall#handleAdminRequest] [admin] webapp=null path=/admin/authorization params={} status=0 QTime=0
{code}

{{zkcli -cmd get /security.json | grep -v ^2|grep -v '^$'}}:
{code}
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "SOLR_TEST": "tiBhLoJSYJP1meUp7zgaiRXnZp52tXQM7PttV62CV5k= c2hhaXRodTFmdWxvaXBoOXVlbGFzaGk2T29nZWl5YWlQM2Y="
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [{
        "name": "security-read",
        "role": "administrator"
      }, {
        "name": "security-edit",
        "role": "administrator"
      }, {
        "name": "schema-edit",
        "role": "administrator"
      }, {
        "name": "config-edit",
        "role": "administrator"
      }, {
        "name": "collection-admin-edit",
        "role": "administrator"
      }, {
        "name": "collection-admin-read",
        "role": "administrator"
      }
    ],
    "user-role": {
      "SOLR_TEST": "administrator"
    }
  }
}
{code}




> RuleBasedAuthorization plugin ignores permissions.
> --------------------------------------------------
>
>                 Key: SOLR-11089
>                 URL: https://issues.apache.org/jira/browse/SOLR-11089
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authentication
>    Affects Versions: 5.5.4
>         Environment: SolrCloud with 3 nodes and test collection. No data. Single shard.
> ZooKeeper v.3.4.5
>            Reporter: Suage 1981
>            Priority: Critical
>



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

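
Added example, not code from the issue or from the Solr project: a Python script that cross-checks a security.json against the SolrDispatchFilter/RuleBasedAuthorizationPlugin DEBUG lines quoted in the report. It expands the predefined permission names into the admin paths they are documented to cover, runs two static checks on the config (the credential storage format, and whether blockUnknown is set, since without it an anonymous request reaches the authorization plugin with a null principal exactly as the log shows), and then scans the log for a null principal being waved through on a path the config assigns a role to. Assumptions: the permission-name-to-path table is my reading of the Rule-Based Authorization Plugin table in the Solr reference guide, the blockUnknown setting is taken to exist in the affected version, and the ZooKeeper client log line in the sample is invented. The sample security.json is the issue's with the missing brace after "authentication" restored; the sample log lines are the issue's, unwrapped, plus one invented authenticated request as a negative case.

```python
import base64
import json
import re

# Assumption: predefined permission name -> paths it covers, per the Solr reference guide's
# Rule-Based Authorization Plugin table; verify against the version you run.
PREDEFINED_PERMISSION_PATHS = {
    "security-read": {"/admin/authentication", "/admin/authorization"},
    "security-edit": {"/admin/authentication", "/admin/authorization"},
    "schema-edit": {"/schema"},
    "config-edit": {"/config"},
    "collection-admin-read": {"/admin/collections"},
    "collection-admin-edit": {"/admin/collections"},
}

# Constructed zkcli output: one invented ZooKeeper client log line of the kind the reporter
# dropped with grep -v '^2', then the issue's security.json with its brace restored.
SAMPLE_ZKCLI_OUTPUT = """\
2017-07-16 17:40:01,123 [myid:] - INFO  [main:Environment@100] - Client environment:zookeeper.version=3.4.5
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {"SOLR_TEST": "tiBhLoJSYJP1meUp7zgaiRXnZp52tXQM7PttV62CV5k= c2hhaXRodTFmdWxvaXBoOXVlbGFzaGk2T29nZWl5YWlQM2Y="}
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "security-read", "role": "administrator"},
      {"name": "security-edit", "role": "administrator"},
      {"name": "schema-edit", "role": "administrator"},
      {"name": "config-edit", "role": "administrator"},
      {"name": "collection-admin-edit", "role": "administrator"},
      {"name": "collection-admin-read", "role": "administrator"}
    ],
    "user-role": {"SOLR_TEST": "administrator"}
  }
}
"""

# Constructed Solr log: the issue's anonymous request (unwrapped) plus an invented authenticated one.
SAMPLE_SOLR_LOG = """\
2017-07-16T17:36:39.380Z [DEBUG] [org.apache.solr.servlet.HttpSolrCall#call] AuthorizationContext : userPrincipal: [null] type: [ADMIN], collections: [], Path: [/admin/authorization] path : /admin/authorization params :
2017-07-16T17:36:39.380Z [DEBUG] [org.apache.solr.security.RuleBasedAuthorizationPlugin#checkPathPerm] No permissions configured for the resource /admin/authorization . So allowed to access
2017-07-16T17:36:40.100Z [DEBUG] [org.apache.solr.servlet.HttpSolrCall#call] AuthorizationContext : userPrincipal: [SOLR_TEST] type: [ADMIN], collections: [], Path: [/admin/authentication] path : /admin/authentication params :
2017-07-16T17:36:40.101Z [DEBUG] [org.apache.solr.security.RuleBasedAuthorizationPlugin#checkPathPerm] No permissions configured for the resource /admin/authentication . So allowed to access
"""

CTX_RE = re.compile(r"AuthorizationContext : userPrincipal: \[([^\]]*)\].*?Path: \[([^\]]*)\]")
ALLOW_RE = re.compile(r"No permissions configured for the resource (\S+) \. So allowed to access")

def load_security_json(zkcli_output):
    """Drop ZooKeeper client log lines (they start with a digit) and parse the JSON."""
    body = "\n".join(ln for ln in zkcli_output.splitlines() if ln and not ln[0].isdigit())
    return json.loads(body)

def protected_paths(security):
    """Map each path the permissions are meant to cover to the roles allowed on it."""
    covered = {}
    for perm in security.get("authorization", {}).get("permissions", []):
        paths = perm.get("path", PREDEFINED_PERMISSION_PATHS.get(perm.get("name"), set()))
        paths = {paths} if isinstance(paths, str) else set(paths)
        roles = perm.get("role") or []
        for p in paths:
            covered.setdefault(p, set()).update({roles} if isinstance(roles, str) else roles)
    return covered

def validate_security_config(security):
    """Static checks: blockUnknown set, credentials in BasicAuthPlugin's stored format."""
    findings = []
    auth = security.get("authentication", {})
    if not auth.get("blockUnknown", False):  # assumption: the setting exists in this version
        findings.append("blockUnknown is not true: anonymous requests reach the authorization plugin")
    for user, cred in auth.get("credentials", {}).items():
        parts = cred.split()  # stored as "base64(sha256 digest) base64(salt)"
        try:
            ok = len(parts) == 2 and len(base64.b64decode(parts[0], validate=True)) == 32
        except ValueError:
            ok = False
        if not ok:
            findings.append(f"credential for {user} is not 'base64(digest) base64(salt)'")
    return findings

def find_unprotected_admin_hits(solr_log, covered):
    """Return (path, roles) whenever a null principal was allowed onto a path that
    security.json assigns a role to. The AuthorizationContext line precedes the
    checkPathPerm decision, so the last principal seen is paired with the next one."""
    hits, principal = [], None
    for line in solr_log.splitlines():
        if m := CTX_RE.search(line):
            principal = m.group(1)
        elif (m := ALLOW_RE.search(line)) and principal == "null" and m.group(1) in covered:
            hits.append((m.group(1), sorted(covered[m.group(1)])))
    return hits

if __name__ == "__main__":
    sec = load_security_json(SAMPLE_ZKCLI_OUTPUT)
    for finding in validate_security_config(sec):
        print("config:", finding)
    for path, roles in find_unprotected_admin_hits(SAMPLE_SOLR_LOG, protected_paths(sec)):
        print(f"log: anonymous request allowed on {path}; config expects roles {roles}")
```

Run as-is it reports the missing blockUnknown from the config and the /admin/authorization hit from the log; the authenticated SOLR_TEST request on /admin/authentication is not reported, because the scanner only flags decisions taken for a null principal. To use it against a cluster, feed load_security_json the raw output of zkcli -cmd get /security.json and the scanner a solr.log captured at DEBUG level for org.apache.solr.security and org.apache.solr.servlet.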