[ https://issues.apache.org/jira/browse/SOLR-9804?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16577290#comment-16577290 ]

Jan Høydahl commented on SOLR-9804:
-----------------------------------

So is this due to collection:null or due to the zk version tag, and should we 
close this as invalid or should we change something?

> Rule-Based Authorization Plugin does not secure access for update operations
> ----------------------------------------------------------------------------
>
>                 Key: SOLR-9804
>                 URL: https://issues.apache.org/jira/browse/SOLR-9804
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security
>    Affects Versions: 6.3
>         Environment: Linux:
> # uname -a
> Linux hostname 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 
> x86_64 x86_64 x86_64 GNU/Linux
> /solr -version
> 6.3.0
>            Reporter: Sleem
>            Priority: Major
>              Labels: authorization, security, update
>
> It looks like the /update path is not filtered by the Rule-Based 
> Authorization Plugin. Even if you set permission using the path permission 
> "/update" or the pre-defined permission "update". Below is the security.json
> {code:JavaScript}
>     {
>   "authentication":{
>     "class":"solr.BasicAuthPlugin",
>     "blockUnknown":true,
>     "credentials":{
>       "admin":"JrcQ8Lh/xKmucz9CaGVXwTpXxGSUZOt32i6W2f4tIfY= 
> PuAJx8DjI0Ozy2gQXteG5KfRAbOmXuRFZVjHbrIIzVk=",
>       "update":"tFdQLTQd9qXAStQek5xQQPlVcmXgjI/w4+9rjAZyqTU= 
> by0LXUAdNAtcJW+DuycI2zc4NyDjCiexOgMaqEFIklU=",
>       "solr":"GglOeZytbUBCKW8QT1H7kVs0eHc0x8+iNmpz7x8DKMI= 
> 5JR1Ul8QehmP3nb2U6Bc/N1qwrQljLfiKPTxm35FikA="}},
>   "authorization":{
>     "class":"solr.RuleBasedAuthorizationPlugin",
>     "user-role":{
>       "admin":["admin_role"],
>       "update":["update_role"],
>       "solr":["read_role"]},
>     "permissions":[
>       {
>         "collection":null,
>         "name":"security-edit",
>         "role":["admin_role"],
>         "index":1},
>       {
>         "collection":null,
>         "name":"schema-edit",
>         "role":["admin_role"],
>         "index":2},
>       {
>         "collection":null,
>         "name":"config-edit",
>         "role":["admin_role"],
>         "index":3},
>       {
>         "collection":null,
>         "name":"core-admin-edit",
>         "role":["admin_role"],
>         "index":4},
>       {
>         "collection":null,
>         "name":"collection-admin-edit",
>         "role":["admin_role"],
>         "index":5},
>       {
>         "collection":null,
>         "name":"security-read",
>         "role":["admin_role"],
>         "index":6},
>       {
>         "collection":null,
>         "name":"schema-read",
>         "role":[
>           "admin_role",
>           "update_role"],
>         "index":7},
>       {
>         "collection":null,
>         "name":"core-admin-read",
>         "role":[
>           "admin_role",
>           "update_role"],
>         "index":8},
>       {
>         "collection":null,
>         "name":"config-read",
>         "role":[
>           "admin_role",
>           "update_role"],
>         "index":9},
>       {
>         "collection":null,
>         "name":"collection-admin-read",
>         "role":[
>           "admin_role",
>           "update_role"],
>         "index":10},
>       {
>         "collection":null,
>         "name":"update",
>         "role":[
>           "admin_role",
>           "update_role"],
>         "index":11},
>       {
>         "collection":null,
>         "name":"read",
>         "role":[
>           "admin_role",
>           "update_role",
>           "read_role"],
>         "index":12},
>       {
>         "collection":null,
>         "name":"all",
>         "role":["admin_role"],
>         "index":13},
>       {
>         "collection":null,
>         "path":"/*",
>         "role":["admin_role"],
>         "index":14}],
>     "":{"v":138}}}
> {code}
> I have tested update using SolrJ and by hitting the /update on the browser 
> using the solr user (who has no rights to update). Both updates succeeded.



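As an added example (not code from the report or from Solr), a small Python linter for a security.json that flags the two things the comment above asks about: permissions carrying an explicit `"collection": null` and a leftover `""` ZooKeeper version tag, plus `blockUnknown` not being set. It assumes the Solr Reference Guide's semantics that an explicit null collection restricts a permission to requests that are not collection-specific, while omitting the key applies it to every collection; the sample document is constructed with placeholder credentials.

```python
import json

# Predefined permissions that are meaningful only for collection requests
# (assumed set, taken from the names used in the reported security.json)
COLLECTION_SCOPED = {"read", "update", "schema-read", "schema-edit",
                     "config-read", "config-edit"}


def lint_security_json(text):
    """Return findings for a Solr security.json given as a JSON string.
    Assumption (Solr Reference Guide): an explicit "collection": null
    restricts a permission to requests that are not collection-specific,
    so it cannot match /<collection>/update; omitting the key applies
    the permission to all collections.
    """
    cfg = json.loads(text)
    findings = []
    authz = cfg.get("authorization", {})
    # A "" key holding {"v": N} is the ZooKeeper version tag that Solr
    # appends when the file is downloaded; it should not be uploaded back.
    if "" in authz:
        findings.append('authorization carries a zk version tag "": '
                        f'{authz[""]}; remove it before uploading')
    for perm in authz.get("permissions", []):
        label = perm.get("name") or perm.get("path") or "?"
        explicit_null = "collection" in perm and perm["collection"] is None
        if explicit_null and (perm.get("name") in COLLECTION_SCOPED
                              or "path" in perm):
            findings.append(f'permission {label!r} has "collection": null, '
                            'so it never matches collection requests; '
                            'drop the key to cover all collections')
    # Without blockUnknown, unauthenticated requests are not tied to any role
    if not cfg.get("authentication", {}).get("blockUnknown", False):
        findings.append("authentication.blockUnknown is not true")
    return findings


# Constructed sample: a cut-down copy of the reported config with
# placeholder credentials instead of real password hashes.
SAMPLE = """{
  "authentication": {"class": "solr.BasicAuthPlugin", "blockUnknown": true,
    "credentials": {"solr": "PLACEHOLDER_HASH PLACEHOLDER_SALT"}},
  "authorization": {"": {"v": 138}, "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {"solr": ["read_role"], "update": ["update_role"]},
    "permissions": [
      {"collection": null, "name": "update", "role": ["update_role"], "index": 1},
      {"name": "read", "role": ["read_role", "update_role"], "index": 2}]}}"""

if __name__ == "__main__":
    for finding in lint_security_json(SAMPLE):
        print(finding)
```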