[ https://issues.apache.org/jira/browse/SOLR-13355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16805202#comment-16805202 ]
Jason Gerlowski commented on SOLR-13355:
----------------------------------------

I attached a patch fixing this behavior. When I go to commit, I'll probably split this into two pieces: (1) a refactor to make it easier to understand what's going on in the code involved but no functional changes, and (2) a small functional change with some tests. Will commit over the weekend if further testing looks good.

> RuleBasedAuthorizationPlugin ignores "all" permission for most handlers
> -----------------------------------------------------------------------
>
>                 Key: SOLR-13355
>                 URL: https://issues.apache.org/jira/browse/SOLR-13355
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public (Default Security Level. Issues are Public)
>          Components: security
>    Affects Versions: 7.5, 8.0, master (9.0)
>            Reporter: Jason Gerlowski
>            Assignee: Jason Gerlowski
>            Priority: Major
>         Attachments: SOLR-13355.patch
>
>
> RuleBasedAuthorizationPlugin defines a set of predefined permission rules
> that users can use ootb to lock down sets of APIs to different roles (and
> ultimately, users). The widest of these, the "all" permission, is intended to
> be a catch-all that covers all requests not handled by an earlier rule.
> But in practice, "all" doesn't seem to have any effect on most endpoints.
> For example, the security.json below will still allow the readonly user to
> hit almost all endpoints!
>
> {code}
> {
>   "authentication": {
>     "blockUnknown": true,
>     "class": "solr.BasicAuthPlugin",
>     "credentials": {
>       "readonly": "<pw>",
>       "admin": "<pw>"}},
>   "authorization": {
>     "class": "solr.RuleBasedAuthorizationPlugin",
>     "permissions": [
>       {"name":"read","role": "*"},
>       {"name":"schema-read", "role":"*"},
>       {"name":"config-read", "role":"*"},
>       {"name":"collection-admin-read", "role":"*"},
>       {"name":"metrics-read", "role":"*"},
>       {"name":"core-admin-read","role":"*"},
>       {"name": "all", "role": "admin_role"}
>     ],
>     "user-role": {
>       "readonly": "readonly_role",
>       "admin": "admin_role"
>     }}}
> {code}
>
> It looks like this happens because we neglect to check for the "all" special
> case in the branch of code that gets triggered for Handlers that implement
> PermissionNameProvider. See
> [here|https://github.com/apache/lucene-solr/blob/master/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L122].
>
> e.g. With the security.json above, if the "readonly" user makes a request to
> {{/admin/authorization}}, the PermissionNameProvider will return
> {{SECURITY_EDIT}}. When deciding whether the "all" permission applies to
> that endpoint, the code compares SECURITY_EDIT to ALL, sees they don't match,
> and decides that "all" doesn't apply.

-- 
This message was sent by Atlassian JIRA
(v7.6.3#76005)
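To make the matching behaviour described in the issue concrete, the following Python model is added here; it is not Solr's code and does not reproduce RuleBasedAuthorizationPlugin's real implementation. It loads the security.json quoted in the issue, walks the permissions list in order, and compares two ways of treating the "all" rule: a literal name comparison (the behaviour the issue reports, where SECURITY_EDIT never equals ALL) and a catch-all match. The string "security-edit" stands for the predefined permission name the issue calls SECURITY_EDIT, and the model assumes that a request matching no rule is let through, which is what the issue's symptom (the readonly user reaching the endpoint) implies. Both the role-handling and the "no rule matched" outcome are assumptions of this model, not statements about Solr.

```python
import json

# Constructed copy of the security.json quoted in the issue; the passwords
# are placeholders exactly as in the original.
SECURITY_JSON = """
{
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {"readonly": "<pw>", "admin": "<pw>"}
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "read", "role": "*"},
      {"name": "schema-read", "role": "*"},
      {"name": "config-read", "role": "*"},
      {"name": "collection-admin-read", "role": "*"},
      {"name": "metrics-read", "role": "*"},
      {"name": "core-admin-read", "role": "*"},
      {"name": "all", "role": "admin_role"}
    ],
    "user-role": {"readonly": "readonly_role", "admin": "admin_role"}
  }
}
"""


def roles_of(user_roles, user):
    """Normalise the user-role mapping: a value may be one role or a list."""
    roles = user_roles.get(user, [])
    return {roles} if isinstance(roles, str) else set(roles)


def first_matching_rule(permissions, handler_perm, all_is_catch_all):
    """Return the first rule that applies to a handler declaring `handler_perm`.

    With all_is_catch_all=False the "all" rule is matched by literal name
    comparison only, so it never applies to a handler that reports some other
    predefined name (the SECURITY_EDIT vs ALL comparison the issue describes).
    With all_is_catch_all=True the "all" rule matches any request that reaches it.
    """
    for rule in permissions:
        if rule["name"] == handler_perm:
            return rule
        if rule["name"] == "all" and all_is_catch_all:
            return rule
    return None


def authorize(security_json, user, handler_perm, all_is_catch_all=True):
    """Decide "ALLOWED" or "DENIED" for `user` calling a handler whose
    permission name is `handler_perm`.

    Model assumption: a request that matches no rule is let through, which is
    the symptom the issue reports for the readonly user.
    """
    authz = json.loads(security_json)["authorization"]
    rule = first_matching_rule(authz["permissions"], handler_perm, all_is_catch_all)
    if rule is None:
        return "ALLOWED"  # nothing in the list restricts this handler
    required = rule["role"]
    required = {required} if isinstance(required, str) else set(required)
    if "*" in required:
        return "ALLOWED"  # rule is open to any authenticated user
    return "ALLOWED" if roles_of(authz["user-role"], user) & required else "DENIED"


def audit(security_json, users, handler_perms):
    """Decision per (user, handler permission) under literal matching and
    catch-all matching, so a reviewer can see where the two diverge."""
    rows = {}
    for user in users:
        for perm in handler_perms:
            rows[(user, perm)] = (
                authorize(security_json, user, perm, all_is_catch_all=False),
                authorize(security_json, user, perm, all_is_catch_all=True),
            )
    return rows


if __name__ == "__main__":
    table = audit(SECURITY_JSON, ["readonly", "admin"],
                  ["read", "security-edit", "config-edit"])
    print(f"{'user':<10}{'handler perm':<16}{'literal match':<16}{'catch-all'}")
    for (user, perm), (literal, catch_all) in table.items():
        print(f"{user:<10}{perm:<16}{literal:<16}{catch_all}")
```

Running the block prints the audit table: under literal matching the readonly user is ALLOWED on "security-edit" and "config-edit" because no rule ever matches, while under catch-all matching the "all" rule is reached and the same requests are DENIED for anyone without admin_role. The `audit` helper is a convenient way to check a candidate security.json against the handlers you care about before relying on a trailing "all" rule.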