[
https://issues.apache.org/jira/browse/SOLR-11089?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jan Høydahl resolved SOLR-11089.
--------------------------------
Resolution: Information Provided
Closing old issue from early days of the security framework; this is proven to
work. If you manage to reproduce in newer versions, please re-open or create a
new issue.
> RuleBasedAuthorization plugin ignores permissions.
> --------------------------------------------------
>
> Key: SOLR-11089
> URL: https://issues.apache.org/jira/browse/SOLR-11089
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Authentication
> Affects Versions: 5.5.4
> Environment: SolrCloud with 3 nodes and test collection. No data.
> Single shard.
> ZooKeeper v.3.4.5
> Reporter: Suage 1981
> Priority: Critical
>
> Expected behavior (as described in docs):
> - Unauthenticated users should not get access to /admin/authentication and
> /admin/authentication
> Demonstrated behavior:
> - /admin/authentication and /admin/authentication are publicly available. So
> it looks like permissions are ignored totally:
> {code}
> 2017-07-16T17:36:39.379Z [DEBUG] [org.apache.solr.servlet.SolrDispatchFilter#authenticateRequest] Request to authenticate: (GET /solr/admin/authorization)@2095474071 org.eclipse.jetty.server.Request@7ce66597, domain: 10.0.1.31, port: 8983
> 2017-07-16T17:36:39.379Z [DEBUG] [org.apache.solr.servlet.SolrDispatchFilter#doFilter] User principal: null
> 2017-07-16T17:36:39.380Z [DEBUG] [org.apache.solr.servlet.HttpSolrCall#call] AuthorizationContext : userPrincipal: [null] type: [ADMIN], collections: [], Path: [/admin/authorization] path : /admin/authorization params :
> 2017-07-16T17:36:39.380Z [DEBUG] [org.apache.solr.security.RuleBasedAuthorizationPlugin#checkPathPerm] No permissions configured for the resource /admin/authorization . So allowed to access
> 2017-07-16T17:36:39.380Z [INFO] [org.apache.solr.servlet.HttpSolrCall#handleAdminRequest] [admin] webapp=null path=/admin/authorization params={} status=0 QTime=0
> {code}
> {{zkcli -cmd get /security.json | grep -v '^2'|grep -v '^$'}}:
> {code}
> {
> "authentication": {
> "class": "solr.BasicAuthPlugin",
> "credentials": {
> "SOLR_TEST": "tiBhLoJSYJP1meUp7zgaiRXnZp52tXQM7PttV62CV5k= c2hhaXRodTFmdWxvaXBoOXVlbGFzaGk2T29nZWl5YWlQM2Y="
> }
> },
> "authorization": {
> "class": "solr.RuleBasedAuthorizationPlugin",
> "permissions": [{
> "name": "security-read",
> "role": "administrator"
> }, {
> "name": "security-edit",
> "role": "administrator"
> }, {
> "name": "schema-edit",
> "role": "administrator"
> }, {
> "name": "config-edit",
> "role": "administrator"
> }, {
> "name": "collection-admin-edit",
> "role": "administrator"
> }, {
> "name": "collection-admin-read",
> "role": "administrator"
> }
> ],
> "user-role": {
> "SOLR_TEST": "administrator"
> }
> }
> }
> {code}
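As an added illustration, not part of this issue or of Solr's own code: a small checker that reads a security.json and reports which request paths no permission rule covers, since the RuleBasedAuthorizationPlugin log above shows such paths are allowed rather than denied. The predefined-name to path mapping, the catch-all `all` rule and the sample configurations are my assumptions, to be verified against the Solr version you run.

```python
import json
from fnmatch import fnmatch

# Assumed mapping of Solr's predefined permission names to the request paths
# they cover (taken from the reference guide; verify against your version).
PREDEFINED_PATHS = {
    "security-read": ["/admin/authentication", "/admin/authorization"],
    "security-edit": ["/admin/authentication", "/admin/authorization"],
    "schema-edit": ["/schema", "/schema/*"],
    "config-edit": ["/config", "/config/*"],
    "collection-admin-read": ["/admin/collections"],
    "collection-admin-edit": ["/admin/collections"],
    "all": ["/*"],  # catch-all; a request matching nothing else lands here
}

def rule_paths(rule):
    """Paths a rule covers: an explicit 'path' entry wins, else the name lookup."""
    paths = rule.get("path")
    if paths:
        return paths if isinstance(paths, list) else [paths]
    return PREDEFINED_PATHS.get(rule.get("name"), [])

def matching_rules(permissions, path):
    """Names of the rules whose path patterns match this request path."""
    return [r.get("name", "<unnamed>") for r in permissions
            if any(fnmatch(path, pattern) for pattern in rule_paths(r))]

def audit(security_json_text, request_paths):
    """Map each path to the rules covering it; [] means fail-open 'allowed'."""
    cfg = json.loads(security_json_text)
    perms = cfg.get("authorization", {}).get("permissions", [])
    return {p: matching_rules(perms, p) for p in request_paths}

def unprotected(security_json_text, request_paths):
    """Request paths that fall through every rule (the plugin then allows them)."""
    return sorted(p for p, rules in audit(security_json_text, request_paths).items()
                  if not rules)

# Constructed sample: the six named rules from the report, then the same set
# with a catch-all 'all' rule appended so nothing falls through.
AS_REPORTED = json.dumps({"authorization": {"permissions": [
    {"name": n, "role": "administrator"} for n in (
        "security-read", "security-edit", "schema-edit", "config-edit",
        "collection-admin-edit", "collection-admin-read")]}})
HARDENED = json.dumps({"authorization": {"permissions":
    json.loads(AS_REPORTED)["authorization"]["permissions"]
    + [{"name": "all", "role": "administrator"}]}})
SAMPLE_PATHS = ["/admin/authorization", "/admin/cores", "/admin/info/system",
                "/schema/fields"]
```

Running `unprotected(AS_REPORTED, SAMPLE_PATHS)` lists the admin paths the six named rules leave uncovered, while the hardened set returns no gaps.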
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)