[ https://issues.apache.org/jira/browse/SOLR-13355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16805202#comment-16805202 ]

Jason Gerlowski commented on SOLR-13355:
----------------------------------------

I attached a patch fixing this behavior.  When I go to commit, I'll probably 
split this into two pieces: (1) a refactor to make it easier to understand 
what's going on in the code involved but no functional changes, and (2) a small 
functional change with some tests.  Will commit over the weekend if further 
testing looks good.

> RuleBasedAuthorizationPlugin ignores "all" permission for most handlers
> -----------------------------------------------------------------------
>
>                 Key: SOLR-13355
>                 URL: https://issues.apache.org/jira/browse/SOLR-13355
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security
>    Affects Versions: 7.5, 8.0, master (9.0)
>            Reporter: Jason Gerlowski
>            Assignee: Jason Gerlowski
>            Priority: Major
>         Attachments: SOLR-13355.patch
>
>
> RuleBasedAuthorizationPlugin defines a set of predefined permission rules 
> that users can use out of the box to lock down sets of APIs to different roles (and 
> ultimately, users).  The widest of these, the "all" permission, is intended to 
> be a catch-all that covers all requests not handled by an earlier rule.
> But in practice, "all" doesn't seem to have any effect on most endpoints.  
> For example, the security.json below will still allow the readonly user to 
> hit almost all endpoints!
> {code}
> {
>   "authentication": {
>     "blockUnknown": true,
>     "class": "solr.BasicAuthPlugin",
>     "credentials": {
>       "readonly": "<pw>",
>       "admin": "<pw>"}},
>   "authorization": {
>     "class": "solr.RuleBasedAuthorizationPlugin",
>     "permissions": [
>       {"name":"read","role": "*"},
>       {"name":"schema-read", "role":"*"},
>       {"name":"config-read", "role":"*"},
>       {"name":"collection-admin-read", "role":"*"},
>       {"name":"metrics-read", "role":"*"},
>       {"name":"core-admin-read","role":"*"},
>       {"name": "all", "role": "admin_role"}
>     ],
>     "user-role": {
>       "readonly": "readonly_role",
>       "admin": "admin_role"
>     }}}
> {code}
> It looks like this happens because we neglect to check for the "all" special 
> case in the branch of code that gets triggered for Handlers that implement 
> PermissionNameProvider.  See 
> [here|https://github.com/apache/lucene-solr/blob/master/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L122].
> E.g., with the security.json above, if the "readonly" user makes a request to 
> {{/admin/authorization}}, the PermissionNameProvider will return 
> {{SECURITY_EDIT}}.  When deciding whether the "all" permission applies to 
> that endpoint, the code compares SECURITY_EDIT to ALL, sees they don't match, 
> and decides that "all" doesn't apply.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
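The matching defect described in the issue, as an added illustration that is not Solr's code and not part of the thread: a small Python model of the rule walk in RuleBasedAuthorizationPlugin, run against the security.json from the issue description. The mapping from request method and path to a predefined permission name (e.g. a POST to /admin/authorization yielding "security-edit"), the first-matching-rule-decides evaluation and the allow-by-default when no rule matches are the model's own assumptions, chosen to reproduce the behaviour the report describes; `honor_all=False` compares the rule name "all" literally, the way the PermissionNameProvider branch is said to, and `honor_all=True` treats it as the intended catch-all.

```python
"""
Toy model of the rule matching in Solr's RuleBasedAuthorizationPlugin, written
to illustrate SOLR-13355. It is not Solr's code: the request -> permission-name
mapping and the evaluation order are simplified assumptions spelled out below.
"""
import json

# Constructed copy of the security.json from the issue (authentication block and
# passwords omitted; only the authorization rules matter for the model).
SECURITY_JSON = json.loads("""
{
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "read", "role": "*"},
      {"name": "schema-read", "role": "*"},
      {"name": "config-read", "role": "*"},
      {"name": "collection-admin-read", "role": "*"},
      {"name": "metrics-read", "role": "*"},
      {"name": "core-admin-read", "role": "*"},
      {"name": "all", "role": "admin_role"}
    ],
    "user-role": {
      "readonly": "readonly_role",
      "admin": "admin_role"
    }
  }
}
""")

# Assumed mapping from (method, path) to the predefined permission name the
# handler's PermissionNameProvider would return, e.g. SECURITY_EDIT -> "security-edit".
REQUEST_PERMISSION = {
    ("GET", "/solr/techproducts/select"): "read",
    ("GET", "/solr/techproducts/schema"): "schema-read",
    ("POST", "/solr/techproducts/update"): "update",
    ("GET", "/solr/admin/authorization"): "security-read",
    ("POST", "/solr/admin/authorization"): "security-edit",
}


def user_roles(user):
    """Roles of an authenticated user; accepts a string or a list as Solr does."""
    role = SECURITY_JSON["authorization"]["user-role"].get(user)
    if role is None:
        return set()
    return set(role) if isinstance(role, list) else {role}


def role_matches(rule_role, roles):
    """A rule role of "*" means any authenticated user."""
    rule_roles = rule_role if isinstance(rule_role, list) else [rule_role]
    return any(r == "*" or r in roles for r in rule_roles)


def authorize(user, method, path, honor_all):
    """Return "allowed" or "denied" for an authenticated user.

    Rules are walked in order and the first rule whose name matches the
    request's permission name decides. A rule named "all" is meant to match
    every request; with honor_all=False it is compared literally, which is the
    behaviour the issue describes for PermissionNameProvider handlers. If no
    rule matches, the request is allowed (model assumption, consistent with
    the issue's observation that the readonly user reaches almost everything).
    """
    permission_name = REQUEST_PERMISSION[(method, path)]
    roles = user_roles(user)
    for rule in SECURITY_JSON["authorization"]["permissions"]:
        name = rule["name"]
        if name == permission_name or (honor_all and name == "all"):
            return "allowed" if role_matches(rule["role"], roles) else "denied"
    return "allowed"


def audit(user, honor_all):
    """Decision for every modelled request, keyed by "METHOD path"."""
    return {f"{m} {p}": authorize(user, m, p, honor_all)
            for (m, p) in REQUEST_PERMISSION}


if __name__ == "__main__":
    for honor_all in (False, True):
        print("honor_all =", honor_all)
        for user in ("readonly", "admin"):
            for req, decision in audit(user, honor_all).items():
                print(f"  {user:9} {req:40} {decision}")
```

With the literal comparison the readonly user is allowed to POST to /admin/authorization because no rule matches and the walk falls through to the default; with "all" honoured as a catch-all the same request is denied while the admin user, who holds admin_role, is still allowed. The model also shows why the "all" rule belongs last: placed first it would match every request, including the read endpoints the earlier rules open to any authenticated user.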
