[
https://issues.apache.org/jira/browse/SOLR-12514?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16521962#comment-16521962
]
Varun Thacker commented on SOLR-12514:
--------------------------------------
Hi Mahesh,
Are you trying this on Solr 7.3.1 ?
Here are the steps that I tried on Solr 7.3 and Solr 7.3.1 which worked for
me. Can you spot if I am doing anything differently which is why I wasn't able
to reproduce this
# Start a 2 node solr cluster
{code:java}
bin/solr start -e cloud -noprompt{code}
# Create a collection with 1 shards X 1 replica
{code:java}
http://localhost:8983/solr/admin/collections?action=create&name=test_collection&numShards=1&replicationFactor=1&createNodeSet=192.168.1.3:7574_solr{code}
# Upload a security.json like this
{code:java}
{
"authentication":{
"blockUnknown": true,
"class":"solr.BasicAuthPlugin",
"credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
},
"authorization":{
"class":"solr.RuleBasedAuthorizationPlugin",
"permissions":[{ "name":"read", "collection":"test_collection",
"role":"search_user"}],
"user-role":{"solr":"search_user"}
}}{code}
# Query against port 8983 as the collection is only hosted on 7574
{code:java}
curl -u solr:SolrRocks 'http://localhost:8983/solr/test_collection/select?q=*:*'
{
"responseHeader":{
"zkConnected":true,
"status":0,
"QTime":24,
"params":{
"q":"*:*"}},
"response":{"numFound":0,"start":0,"docs":[]
}}{code}
> Rule-base Authorization plugin skips authorization if querying node does not
> have collection replica
> ----------------------------------------------------------------------------------------------------
>
> Key: SOLR-12514
> URL: https://issues.apache.org/jira/browse/SOLR-12514
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: security
> Affects Versions: 7.3.1
> Reporter: Mahesh Kumar Vasanthu Somashekar
> Priority: Major
> Attachments: Screen Shot 2018-06-24 at 9.36.45 PM.png, security.json
>
>
> Solr serves client requests going throught 3 steps - init(), authorize() and
> handle-request ([link
> git-link|https://github.com/apache/lucene-solr/blob/releases/lucene-solr/7.3.1/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java#L471]).
> init() initializes all required information to be used by authorize().
> init() skips initializing if request is to be served remotely, which leads to
> skipping authorization step ([link
> git-link|https://github.com/apache/lucene-solr/blob/releases/lucene-solr/7.3.1/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java#L291]).
> init() relies on 'cores' object which only has information of local node
> (which is perfect as per design). It should actually be getting security
> information (security.json) from zookeeper, which has global view of the
> cluster.
>
> Example:
> SolrCloud setup consists of 2 nodes (solr-7.3.1):
> live_nodes: [
> "localhost:8983_solr",
> "localhost:8984_solr",
> ]
> Two collections are created - 'collection-rf-1' with RF=1 and
> 'collection-rf-2' with RF=2.
> Two users are created - 'collection-rf-1-user' and 'collection-rf-2-user'.
> Security configuration is as below (security.json attached):
> "authorization":{
> "class":"solr.RuleBasedAuthorizationPlugin",
> "permissions":[
> { "name":"read", "collection":"collection-rf-2", "role":"collection-rf-2",
> "index":1}
> ,
> { "name":"read", "collection":"collection-rf-1", "role":"collection-rf-1",
> "index":2}
> ,
> { "name":"read", "role":"*", "index":3}
> ,
> ...
> "user-role":
> { "collection-rf-1-user":[ "collection-rf-1"], "collection-rf-2-user":[
> "collection-rf-2"]}
> ,
> ...
>
> Basically, its setup to that 'collection-rf-1-user' user can only access
> 'collection-rf-1' collection and 'collection-rf-2-user' user can only access
> 'collection-rf-2' collection.
> Also note that 'collection-rf-1' collection replica is only on
> 'localhost:8983_solr' node, whereas ''collection-rf-2' collection replica is
> on both live nodes.
>
> Authorization does not work as expected for 'collection-rf-1' collection:
> $ curl -u collection-rf-2-user:password
> 'http://*localhost:8983*/solr/collection-rf-1/select?q=*:*'
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 403 Unauthorized request, Response code: 403</title>
> </head>
> <body><h2>HTTP ERROR 403</h2>
> <p>Problem accessing /solr/collection-rf-1/select. Reason:
> <pre> Unauthorized request, Response code: 403</pre></p>
> </body>
> </html>
> $ curl -u collection-rf-2-user:password
> 'http://*localhost:8984*/solr/collection-rf-1/select?q=*:*'
> {
> "responseHeader":{
> "zkConnected":true,
> "status":0,
> "QTime":0,
> "params":{
> "q":"*:*"}},
> "response":{"numFound":0,"start":0,"docs":[]
> }}
>
> Whereas authorization works perfectly for 'collection-rf-2' collection (as
> both nodes have replica):
> $ curl -u collection-rf-1-user:password
> 'http://*localhost:8984*/solr/collection-rf-2/select?q=*:*'
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 403 Unauthorized request, Response code: 403</title>
> </head>
> <body><h2>HTTP ERROR 403</h2>
> <p>Problem accessing /solr/collection-rf-2/select. Reason:
> <pre> Unauthorized request, Response code: 403</pre></p>
> </body>
> </html>
> $ curl -u collection-rf-1-user:password
> 'http://*localhost:8983*/solr/collection-rf-2/select?q=*:*'
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 403 Unauthorized request, Response code: 403</title>
> </head>
> <body><h2>HTTP ERROR 403</h2>
> <p>Problem accessing /solr/collection-rf-2/select. Reason:
> <pre> Unauthorized request, Response code: 403</pre></p>
> </body>
> </html>
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
