ctargett commented on a change in pull request #924: SOLR-13820: Improve RBAP 
documentation
URL: https://github.com/apache/lucene-solr/pull/924#discussion_r332026596
 
 

 ##########
 File path: solr/solr-ref-guide/src/rule-based-authorization-plugin.adoc
 ##########
 @@ -129,67 +218,55 @@ The pre-defined permissions are:
 * *read*: this permission is allowed to perform any read action on any 
collection. This includes querying using search handlers (using 
<<requesthandlers-and-searchcomponents-in-solrconfig.adoc#searchhandlers,request
 handlers>>) such as `/select`, `/get`, `/browse`, `/tvrh`, `/terms`, 
`/clustering`, `/elevate`, `/export`, `/spell`, `/clustering`, and `/sql`. This 
applies to all collections by default ( `collection:"*"` ).
 * *all*: Any requests coming to Solr.
 
-== Authorization API
+=== Permission Ordering and Resolution
 
-=== Authorization API Endpoint
+The permission syntax discussed above doesn't do anything to prevent multiple 
permissions from overlapping and applying to the same Solr APIs.  In cases 
where multiple permissions match an incoming request, Solr chooses the first 
matching permission and ignores all others - even if those other permissions 
would match the incoming request!
 
-`/admin/authorization`: takes a set of commands to create permissions, map 
permissions to roles, and map roles to users.
+Since Solr only uses the first matching permission it finds, it's important 
for administrators to understand what ordering Solr uses when processing the 
permission list.
 
-=== Manage Permissions
+The ordering Solr users is complicated.  Solr tries to check first any 
permissions which are specific or relevant to the incoming request, only moving 
on to more general permissions if none of the more-specific ones match.  In 
effect, this means that different requests may check the same permissions in 
very different orders.
 
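Review bot: The second and fourth added paragraphs can read as contradicting each other: "Solr chooses the first matching permission and ignores all others" suggests the first one in the configured list, while "Solr tries to check first any permissions which are specific or relevant to the incoming request" says the check order is not the list order at all. Suggest making that distinction explicit where "first" is introduced, e.g. `Solr chooses the first matching permission in its own resolution order, which is not necessarily the order the permissions are listed in the configuration`, and consider a short worked example of two overlapping permissions so an administrator can see which one wins and why. Minor, in the unchanged context above the hunk: `/clustering` appears twice in the list of handlers covered by the `read` permission.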
 Review comment:
   Typo in first sentence, I think you mean `The ordering Solr uses...` instead 
of `The ordering Solr users...`.
