[jira] [Updated] (SOLR-12514) Rule-base Authorization plugin skips authorization if querying node does not have collection replica

Tue, 23 Apr 2019 22:43:57 -0700 


     [ 
https://issues.apache.org/jira/browse/SOLR-12514?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Noble Paul updated SOLR-12514:
------------------------------
    Security: Public  (was: Private (Security Issue))

> Rule-base Authorization plugin skips authorization if querying node does not 
> have collection replica
> ----------------------------------------------------------------------------------------------------
>
>                 Key: SOLR-12514
>                 URL: https://issues.apache.org/jira/browse/SOLR-12514
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security
>    Affects Versions: 7.3.1
>            Reporter: Mahesh Kumar Vasanthu Somashekar
>            Assignee: Noble Paul
>            Priority: Major
>             Fix For: 7.7
>
>         Attachments: SOLR-12514.patch, SOLR-12514.patch, Screen Shot 
> 2018-06-24 at 9.36.45 PM.png, demo.sh, security.json
>
>
> Solr serves client requests going throught 3 steps - init(), authorize() and 
> handle-request ([link 
> git-link|https://github.com/apache/lucene-solr/blob/releases/lucene-solr/7.3.1/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java#L471]).
>  init() initializes all required information to be used by authorize(). 
> init() skips initializing if request is to be served remotely, which leads to 
> skipping authorization step ([link 
> git-link|https://github.com/apache/lucene-solr/blob/releases/lucene-solr/7.3.1/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java#L291]).
>  init() relies on 'cores' object which only has information of local node 
> (which is perfect as per design). It should actually be getting security 
> information (security.json) from zookeeper, which has global view of the 
> cluster.
>  
> Example:
> SolrCloud setup consists of 2 nodes (solr-7.3.1):
> {code:javascript}
> live_nodes: [
>  "localhost:8983_solr",
>  "localhost:8984_solr",
> ]
> {code}
> Two collections are created - 'collection-rf-1' with RF=1 and 
> 'collection-rf-2' with RF=2.
> Two users are created - 'collection-rf-1-user' and 'collection-rf-2-user'.
> Security configuration is as below (security.json attached):
> {code:javascript}
> "authorization":{
>   "class":"solr.RuleBasedAuthorizationPlugin",
>   "permissions":[
>     { "name":"read", "collection":"collection-rf-2", 
> "role":"collection-rf-2", "index":1},
>     { "name":"read", "collection":"collection-rf-1", 
> "role":"collection-rf-1", "index":2},
>     { "name":"read", "role":"*", "index":3},
>     ...
>   "user-role":
>     { "collection-rf-1-user":[ "collection-rf-1"], "collection-rf-2-user":[ 
> "collection-rf-2"]},
>     ...
> {code}
>  
> Basically, its setup to that 'collection-rf-1-user' user can only access 
> 'collection-rf-1' collection and 'collection-rf-2-user' user can only access 
> 'collection-rf-2' collection.
> Also note that 'collection-rf-1' collection replica is only on 
> 'localhost:8983_solr' node, whereas ''collection-rf-2' collection replica is 
> on both live nodes.
>  
> Authorization does not work as expected for 'collection-rf-1' collection:
> $ curl -u collection-rf-2-user:password 
> 'http://*localhost:8983*/solr/collection-rf-1/select?q=*:*'
> {code:html}
>  <html>
>  <head>
>  <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
>  <title>Error 403 Unauthorized request, Response code: 403</title>
>  </head>
>  <body><h2>HTTP ERROR 403</h2>
>  <p>Problem accessing /solr/collection-rf-1/select. Reason:
>  <pre> Unauthorized request, Response code: 403</pre></p>
>  </body>
>  </html>
> {code}
> $ curl -u collection-rf-2-user:password 
> 'http://*localhost:8984*/solr/collection-rf-1/select?q=*:*'
> {code:javascript}
>  {
>    "responseHeader":{
>      "zkConnected":true,
>      "status":0,
>      "QTime":0,
>      "params":{
>        "q":"*:*"}},
>    "response":{"numFound":0,"start":0,"docs":[]
>  }}
> {code}
>  
> Whereas authorization works perfectly for 'collection-rf-2' collection (as 
> both nodes have replica):
> $ curl -u collection-rf-1-user:password 
> 'http://*localhost:8984*/solr/collection-rf-2/select?q=*:*'
> {code:html}
>  <html>
>  <head>
>  <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
>  <title>Error 403 Unauthorized request, Response code: 403</title>
>  </head>
>  <body><h2>HTTP ERROR 403</h2>
>  <p>Problem accessing /solr/collection-rf-2/select. Reason:
>  <pre> Unauthorized request, Response code: 403</pre></p>
>  </body>
>  </html>
> {code}
> $ curl -u collection-rf-1-user:password 
> 'http://*localhost:8983*/solr/collection-rf-2/select?q=*:*'
> {code:html}
>  <html>
>  <head>
>  <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
>  <title>Error 403 Unauthorized request, Response code: 403</title>
>  </head>
>  <body><h2>HTTP ERROR 403</h2>
>  <p>Problem accessing /solr/collection-rf-2/select. Reason:
>  <pre> Unauthorized request, Response code: 403</pre></p>
>  </body>
>  </html>
> {code}
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

Reply via email to