[
https://issues.apache.org/jira/browse/SOLR-13097?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17513424#comment-17513424
]
Clemens Fuchslocher edited comment on SOLR-13097 at 3/28/22, 2:46 PM:
----------------------------------------------------------------------
Is there really no way to limit the access of a user to a specific core in
standalone mode?
Isn't this a very common use case?
I tried the following security.json with Solr 8.11.1 but it doesn't work as
expected:
{noformat}
$ cat /srv/solr/cores/security.json
{
"authentication": {
"class": "solr.BasicAuthPlugin",
"credentials": {
"earth": "4c5xodAKcIQ80W/5DpI2ozHLk6jWxzJud/m8VkZI44E= YnlnMUZDRnNNUw==",
"moon": "mIKfAsu2By/DyxFFklEx0jmHTpjyP/TjXQH0+UN86gQ= QkxDcjJKSVREaA==",
"admin": "I0nDN1AwXieTf9rMw6+CmJ+CtxKqjfNi2f3JwmRTk3c= eDZqMVZ5VWFFVw=="
},
"blockUnknown": true
},
"authorization": {
"class": "solr.RuleBasedAuthorizationPlugin",
"user-role": {
"earth": "earth_role",
"moon": "moon_role",
"admin": "admin_role"
},
"permissions": [
{ "role": "earth_role", "collection": "earth_core", "name": "read" },
{ "role": "earth_role", "collection": "earth_core", "name": "update" },
{ "role": "moon_role", "collection": "moon_core", "name": "read" },
{ "role": "moon_role", "collection": "moon_core", "name": "update" },
{ "role": "admin_role", "name": "all" }
]
}
}
{noformat}
{noformat}
$ cat /srv/solr/cores/earth_core/core.properties
name=earth_core
collection=earth_core
{noformat}
{noformat}
$ cat /srv/solr/cores/moon_core/core.properties
name=moon_core
collection=moon_core
{noformat}
h4. 1. (/) User admin should be able to access the earth_core:
{noformat}
$ curl 'http://admin:[email protected]:8983/solr/earth_core/query?q=*:*&indent=true'
{
"responseHeader":{
"status":0,
"QTime":0,
"params":{
"q":"*:*",
"indent":"true"}},
"response":{"numFound":0,"start":0,"numFoundExact":true,"docs":[]
}}
{noformat}
solr.log:
{noformat}
DEBUG (qtp1910936570-19) [ x:earth_core]
o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to
[/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-19) [ x:earth_core]
o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request,
checking perms applicable to all (*) collections
DEBUG (qtp1910936570-19) [ x:earth_core]
o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
"role":"admin_role",
"name":"all"}] to govern resource [/query]
DEBUG (qtp1910936570-19) [ x:earth_core]
o.a.s.s.RuleBasedAuthorizationPluginBase Governing permission [{
"role":"admin_role",
"name":"all"}] allows access to role [admin_role]; permitting access
...
INFO (qtp1910936570-19) [ x:earth_core] o.a.s.c.S.Request [earth_core]
webapp=/solr path=/query params={q=*:*&indent=true} hits=0 status=0 QTime=152
...
{noformat}
h4. 2. (/) User admin should be able to access the moon_core:
{noformat}
$ curl 'http://admin:[email protected]:8983/solr/moon_core/query?q=*:*&indent=true'
{
"responseHeader":{
"status":0,
"QTime":1,
"params":{
"q":"*:*",
"indent":"true"}},
"response":{"numFound":0,"start":0,"numFoundExact":true,"docs":[]
}}
{noformat}
solr.log:
{noformat}
...
DEBUG (qtp1910936570-23) [ x:moon_core]
o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to
[/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-23) [ x:moon_core]
o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request,
checking perms applicable to all (*) collections
DEBUG (qtp1910936570-23) [ x:moon_core]
o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
"role":"admin_role",
"name":"all"}] to govern resource [/query]
DEBUG (qtp1910936570-23) [ x:moon_core]
o.a.s.s.RuleBasedAuthorizationPluginBase Governing permission [{
"role":"admin_role",
"name":"all"}] allows access to role [admin_role]; permitting access
...
INFO (qtp1910936570-23) [ x:moon_core] o.a.s.c.S.Request [moon_core]
webapp=/solr path=/query params={q=*:*&indent=true} hits=0 status=0 QTime=0
...
{noformat}
h4. 3. (x) User earth should be able to access the earth_core:
This doesn't work.
{noformat}
$ curl 'http://earth:[email protected]:8983/solr/earth_core/query?q=*:*&indent=true'
...
<title>Error 403 Unauthorized request, Response code: 403</title>
...
{noformat}
solr.log:
{noformat}
...
DEBUG (qtp1910936570-15) [ x:earth_core]
o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to
[/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-15) [ x:earth_core]
o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request,
checking perms applicable to all (*) collections
DEBUG (qtp1910936570-15) [ x:earth_core]
o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
"role":"admin_role",
"name":"all"}] to govern resource [/query]
INFO (qtp1910936570-15) [ x:earth_core]
o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have a
permission {
"role":"admin_role",
"name":"all"}, The principal
org.apache.solr.security.BasicAuthPlugin$BasicAuthUserPrincipal@655d88ca[username=earth,pwd=*****]
does not have the right role
...
{noformat}
h4. 4. (/) User earth should not be able to access the moon_core:
{noformat}
$ curl 'http://earth:[email protected]:8983/solr/moon_core/query?q=*:*&indent=true'
...
<title>Error 403 Unauthorized request, Response code: 403</title>
...
{noformat}
solr.log:
{noformat}
...
DEBUG (qtp1910936570-19) [ x:moon_core]
o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to
[/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-19) [ x:moon_core]
o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request,
checking perms applicable to all (*) collections
DEBUG (qtp1910936570-19) [ x:moon_core]
o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
"role":"admin_role",
"name":"all"}] to govern resource [/query]
INFO (qtp1910936570-19) [ x:moon_core]
o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have a
permission {
"role":"admin_role",
"name":"all"}, The principal
org.apache.solr.security.BasicAuthPlugin$BasicAuthUserPrincipal@596514d2[username=earth,pwd=*****]
does not have the right role
...
{noformat}
h4. 5. (x) User moon should be able to access the moon_core:
This doesn't work.
{noformat}
$ curl 'http://moon:[email protected]:8983/solr/moon_core/query?q=*:*&indent=true'
...
<body><h2>HTTP ERROR 403 Unauthorized request, Response code: 403</h2>
...
{noformat}
solr.log:
{noformat}
...
DEBUG (qtp1910936570-19) [ x:moon_core]
o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to
[/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-19) [ x:moon_core]
o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request,
checking perms applicable to all (*) collections
DEBUG (qtp1910936570-19) [ x:moon_core]
o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
"role":"admin_role",
"name":"all"}] to govern resource [/query]
INFO (qtp1910936570-19) [ x:moon_core]
o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have a
permission {
"role":"admin_role",
"name":"all"}, The principal
org.apache.solr.security.BasicAuthPlugin$BasicAuthUserPrincipal@2e6cb515[username=moon,pwd=*****]
does not have the right role
...
{noformat}
h4. 6. (/) User moon should not be able to access the earth_core:
{noformat}
$ curl 'http://moon:[email protected]:8983/solr/earth_core/query?q=*:*&indent=true'
...
<title>Error 403 Unauthorized request, Response code: 403</title>
...
{noformat}
solr.log:
{noformat}
...
DEBUG (qtp1910936570-22) [ x:earth_core]
o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to
[/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-22) [ x:earth_core]
o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request,
checking perms applicable to all (*) collections
DEBUG (qtp1910936570-22) [ x:earth_core]
o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
"role":"admin_role",
"name":"all"}] to govern resource [/query]
INFO (qtp1910936570-22) [ x:earth_core]
o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have a
permission {
"role":"admin_role",
"name":"all"}, The principal
org.apache.solr.security.BasicAuthPlugin$BasicAuthUserPrincipal@68706e69[username=moon,pwd=*****]
does not have the right role
...
{noformat}
> RuleBasedAuthorizationPlugin is not fully functional in Solr standalone mode
> -----------------------------------------------------------------------------
>
> Key: SOLR-13097
> URL: https://issues.apache.org/jira/browse/SOLR-13097
> Project: Solr
> Issue Type: Bug
> Components: Authentication
> Affects Versions: 6.6.5, 7.5
> Environment: Solr standalone
> Reporter: Dominique Béjean
> Priority: Major
>
> In Solr standalone mode, the collections element of the request context is
> not populated by the core name.
> For instance, the following request:
> {code}
> http://user1:xxxxxx@localhost:8983/solr/biblio/select?indent=on&q=*:*&wt=json
> {code}
> reports this in log:
> {code}
> 2018-12-30 12:24:52.102 INFO (qtp1731656333-20) [ x:biblio] o.a.s.s.HttpSolrCall USER_REQUIRED auth header Basic Mjox context : userPrincipal: [[principal: 2]] type: [READ], collections: [], Path: [/select] path : /select params :q=*:*&indent=on&wt=json
> {code}
> The consequence is that RuleBasedAuthorizationPlugin is not able to apply
> this kind of permission:
> {code:json}
> {"name":"read-biblio",
>  "path":"/select",
>  "role":["admin","read","r1"],
>  "collection":"biblio",
>  "index":2}
> {code}
> In Solrcloud mode in the init() method of HttpSolrCall.java, the collections
> element is populated with either the collection name matching the core name
> in the request or the collection names provided in the collection parameter.
> {code:java}
> if (cores.isZooKeeperAware()) {
>   // init collectionList (usually one name but not when there are aliases)
>   String def = core != null ? core.getCoreDescriptor().getCollectionName() : origCorename;
>   collectionsList = resolveCollectionListOrAlias(queryParams.get(COLLECTION_PROP, def)); // &collection= takes precedence
>   ...
> }
> {code}
>
> I expect init() method could be improved in order to populate collections
> element with the core name for Solr standalone mode.
>
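The access matrix from the comment above and the HttpSolrCall.init() behaviour described in the issue, as an added example that is not Solr's own code: a simplified Python model of how RuleBasedAuthorizationPlugin picks the governing permission, built from the lookup order the DEBUG lines reveal (entries scoped to one of the request's collections are consulted before the ones "applicable to all (*) collections", path-keyed entries before path-less ones such as `all`, and the first match governs; a role mismatch on the governing entry is a 403 and does not fall through). The `PREDEFINED_PATHS` table, the exact bucket order and the `with_admin_on_every_core` helper are assumptions for illustration; the authorization section is a constructed copy of the security.json posted above.

```python
"""Model of the governing-permission lookup in Solr's RuleBasedAuthorizationPlugin.

Added example, not Solr's code. `matrix(..., standalone=True)` reproduces the
observed behaviour (empty collection list in the request context), while
`standalone=False` models the fix requested in the issue (core name placed in
the collection list) and exposes a second ordering effect of that fix.
"""

# Assumption: subset of Solr's predefined permission-to-path table, enough for
# the handlers used in the thread. The real table is larger.
PREDEFINED_PATHS = {
    "read": {"/select", "/get", "/query", "/export", "/stream", "/terms"},
    "update": {"/update", "/update/json", "/update/csv", "/update/json/docs"},
}

# Constructed copy of the "authorization" section posted in the comment above.
AUTHORIZATION = {
    "user-role": {"earth": "earth_role", "moon": "moon_role", "admin": "admin_role"},
    "permissions": [
        {"role": "earth_role", "collection": "earth_core", "name": "read"},
        {"role": "earth_role", "collection": "earth_core", "name": "update"},
        {"role": "moon_role", "collection": "moon_core", "name": "read"},
        {"role": "moon_role", "collection": "moon_core", "name": "update"},
        {"role": "admin_role", "name": "all"},
    ],
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def perm_collections(perm):
    # An entry with no "collection" key applies to every collection ("*").
    return set(as_list(perm["collection"])) if "collection" in perm else {"*"}


def perm_matches_path(perm, path):
    name = perm.get("name")
    if name == "all":
        return True
    if name in PREDEFINED_PATHS:
        return path in PREDEFINED_PATHS[name]
    return perm.get("path") == path  # custom permission keyed by explicit path


def governing_permission(perms, path):
    """First matching entry; path-keyed entries are consulted before path-less ones."""
    keyed = [p for p in perms if p.get("name") != "all" and perm_matches_path(p, path)]
    if keyed:
        return keyed[0]
    return next((p for p in perms if p.get("name") == "all"), None)


def check_bucket(perms, path, user_roles):
    """PERMITTED / FORBIDDEN / NO_PERMISSIONS_FOUND for one collection bucket."""
    gov = governing_permission(perms, path)
    if gov is None:
        return "NO_PERMISSIONS_FOUND", None
    if any(role in user_roles for role in as_list(gov["role"])):
        return "PERMITTED", gov
    return "FORBIDDEN", gov  # role mismatch: no fall-through to later entries


def authorize(authz, user, path, collections):
    """Decision and governing entry for a request whose context lists `collections`."""
    user_roles = set(as_list(authz["user-role"].get(user, [])))
    perms = authz["permissions"]
    for coll in collections:  # empty in standalone mode, so this loop never runs
        status, gov = check_bucket([p for p in perms if coll in perm_collections(p)], path, user_roles)
        if status != "NO_PERMISSIONS_FOUND":
            return status, gov
    status, gov = check_bucket([p for p in perms if "*" in perm_collections(p)], path, user_roles)
    # With no governing entry anywhere the request is let through.
    return ("PERMITTED" if status == "NO_PERMISSIONS_FOUND" else status), gov


def matrix(authz, standalone):
    """Decision for every (user, core) pair from the thread against /query."""
    out = {}
    for user in ("admin", "earth", "moon"):
        for core in ("earth_core", "moon_core"):
            out[(user, core)] = authorize(authz, user, "/query", [] if standalone else [core])[0]
    return out


def with_admin_on_every_core(authz, admin_role="admin_role"):
    """Hypothetical corrected config: collection-scoped entries also list the admin role."""
    fixed = {"user-role": dict(authz["user-role"]), "permissions": []}
    for perm in authz["permissions"]:
        entry = dict(perm)
        if "collection" in entry and admin_role not in as_list(entry["role"]):
            entry["role"] = as_list(entry["role"]) + [admin_role]
        fixed["permissions"].append(entry)
    return fixed


if __name__ == "__main__":
    for standalone in (True, False):
        print("collections=[] (standalone)" if standalone else "collections=[core name]")
        for (user, core), decision in matrix(AUTHORIZATION, standalone).items():
            print(f"  {user:5s} -> {core}: {decision}")
```

With an empty collection list only the `all` entry is ever consulted, which is exactly the 403 for earth and moon in the logs above. Once the core name is in the list, earth and moon are permitted on their own core and forbidden on the other, but in this model admin is now governed by the earth_core/moon_core `read` entries and forbidden too, because the first matching entry decides. The corrected config therefore lists `admin_role` on the collection-scoped entries as well (`with_admin_on_every_core`); verify this against the plugin on the Solr version actually deployed before relying on the model.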
--
This message was sent by Atlassian Jira
(v8.20.1#820001)