[jira] [Comment Edited] (SOLR-13472) HTTP requests to a node that does not hold a core of the collection are unauthorized
[
https://issues.apache.org/jira/browse/SOLR-13472?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16877454#comment-16877454
]
Ishan Chattopadhyaya edited comment on SOLR-13472 at 7/15/19 1:14 PM:
--
Attached a WIP patch based on this solution. -This requires
forwardCredentials=true, as follows-:
{code:java}
{
"authentication": {
"blockUnknown": true,
"class": "solr.BasicAuthPlugin",
"forwardCredentials": "false",
"credentials": {
"solr": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=",
"indexer_app": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=",
"read_user": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="
}
},
"authorization": {
"class": "solr.RuleBasedAuthorizationPlugin",
"permissions": [
{
"name": "read",
"role": "*"
},
{
"name": "update",
"role": [
"indexer",
"admin"
]
},
{
"name": "all",
"role": "admin"
}
],
"user-role": {
"solr": "admin",
"indexer_app": "indexer"
}
}
}
{code}
Edit: This is no longer needed, as per the committed fix.
was (Author: ichattopadhyaya):
Attached a WIP patch based on this solution. This requires
forwardCredentials=true, as follows:
{code}
{
"authentication": {
"blockUnknown": true,
"class": "solr.BasicAuthPlugin",
"forwardCredentials": "false",
"credentials": {
"solr": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=",
"indexer_app": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=",
"read_user": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="
}
},
"authorization": {
"class": "solr.RuleBasedAuthorizationPlugin",
"permissions": [
{
"name": "read",
"role": "*"
},
{
"name": "update",
"role": [
"indexer",
"admin"
]
},
{
"name": "all",
"role": "admin"
}
],
"user-role": {
"solr": "admin",
"indexer_app": "indexer"
}
}
}
{code}
> HTTP requests to a node that does not hold a core of the collection are
> unauthorized
>
>
> Key: SOLR-13472
> URL: https://issues.apache.org/jira/browse/SOLR-13472
> Project: Solr
> Issue Type: Bug
> Components: Authorization
>Affects Versions: 7.7.1, 8.0
>Reporter: adfel
>Assignee: Ishan Chattopadhyaya
>Priority: Minor
> Labels: security
> Fix For: 8.2
>
> Attachments: SOLR-13472.patch, SOLR-13472.patch
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> When creating collection in SolrCloud, collection is available for queries
> and updates through all Solr nodes, in particular nodes that does not hold
> one of collection's cores. This is expected behaviour that works when using
> SolrJ client or HTTP requests.
> When enabling authorization rules it seems that this behaviour is broken for
> HTTP requests:
> - executing request to a node that holds part of the collection (core) obey
> to authorization rules as expected.
> - other nodes respond with code 403 - unauthorized request.
> SolrJ still works as expected.
> Tested both with BasicAuthPlugin and KerberosPlugin authentication plugins.
> +Steps for reproduce:+
> 1. Create a cloud made of 2 nodes (node_1, node_2).
> 2. Configure authentication and authorization by uploading following
> security.json file to zookeeper:
>
> {code:java}
> {
> "authentication": {
>"blockUnknown": true,
>"class": "solr.BasicAuthPlugin",
>"credentials": {
> "solr": "'solr' user password_hash",
> "indexer_app": "'indexer_app' password_hash",
> "read_user": "'read_user' password_hash"
>}
> },
> "authorization": {
>"class": "solr.RuleBasedAuthorizationPlugin",
>"permissions": [
> {
>"name": "read",
>"role": "*"
> },
> {
>"name": "update",
>"role": [
> "indexer",
> "admin"
>]
> },
> {
>"name": "all",
>"role": "admin"
> }
>],
>"user-role": {
> "solr": "admin",
> "indexer_app": "indexer"
>}
> }
> }{code}
>
> 3. create 'test' collection with one shard on *node_1*.
> --
> The following requests expected to succeed but return 403 status
> (unauthorized request):
> {code:java}
> curl -u read_user:read_user "http://node_2/solr/test/select?q=*:*;
> curl -u indexer_app:indexer_app "http://node_2/solr/test/select?q=*:*;
> curl -u indexer_app:indexer_app
[jira] [Comment Edited] (SOLR-13472) HTTP requests to a node that does not hold a core of the collection are unauthorized
[
https://issues.apache.org/jira/browse/SOLR-13472?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16879967#comment-16879967
]
Ishan Chattopadhyaya edited comment on SOLR-13472 at 7/11/19 12:55 AM:
---
Attaching a patch. As per this, the authorization should only be performed on a
node if the request is to be executed on that node. Skips authorization on a
node if the request has to be forwarded to another node. Note,
forwardCredentials here is not necessary with this approach as PKI will pass on
the original user principal as a payload for authorization on the forwarded
node.
Doing this ^ should take care of the BasicAuth case here. However, for Kerberos
case, the internode request is performed using Kerberos (not PKI), and hence
the receiving node will not have the original user principal in order to
authorize this request. I'll try to tackle this in -a separate JIRA- SOLR-13619.
was (Author: ichattopadhyaya):
Attaching a patch. As per this, the authorization should only be performed on a
node if the request is to be executed on that node. Skips authorization on a
node if the request has to be forwarded to another node. Note,
forwardCredentials here is not necessary with this approach as PKI will pass on
the original user principal as a payload for authorization on the forwarded
node.
Doing this ^ should take care of the BasicAuth case here. However, for Kerberos
case, the internode request is performed using Kerberos (not PKI), and hence
the receiving node will not have the original user principal in order to
authorize this request. I'll try to tackle this in a separate JIRA.
> HTTP requests to a node that does not hold a core of the collection are
> unauthorized
>
>
> Key: SOLR-13472
> URL: https://issues.apache.org/jira/browse/SOLR-13472
> Project: Solr
> Issue Type: Bug
> Components: Authorization
>Affects Versions: 7.7.1, 8.0
>Reporter: adfel
>Assignee: Ishan Chattopadhyaya
>Priority: Minor
> Labels: security
> Attachments: SOLR-13472.patch, SOLR-13472.patch
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> When creating collection in SolrCloud, collection is available for queries
> and updates through all Solr nodes, in particular nodes that does not hold
> one of collection's cores. This is expected behaviour that works when using
> SolrJ client or HTTP requests.
> When enabling authorization rules it seems that this behaviour is broken for
> HTTP requests:
> - executing request to a node that holds part of the collection (core) obey
> to authorization rules as expected.
> - other nodes respond with code 403 - unauthorized request.
> SolrJ still works as expected.
> Tested both with BasicAuthPlugin and KerberosPlugin authentication plugins.
> +Steps for reproduce:+
> 1. Create a cloud made of 2 nodes (node_1, node_2).
> 2. Configure authentication and authorization by uploading following
> security.json file to zookeeper:
>
> {code:java}
> {
> "authentication": {
>"blockUnknown": true,
>"class": "solr.BasicAuthPlugin",
>"credentials": {
> "solr": "'solr' user password_hash",
> "indexer_app": "'indexer_app' password_hash",
> "read_user": "'read_user' password_hash"
>}
> },
> "authorization": {
>"class": "solr.RuleBasedAuthorizationPlugin",
>"permissions": [
> {
>"name": "read",
>"role": "*"
> },
> {
>"name": "update",
>"role": [
> "indexer",
> "admin"
>]
> },
> {
>"name": "all",
>"role": "admin"
> }
>],
>"user-role": {
> "solr": "admin",
> "indexer_app": "indexer"
>}
> }
> }{code}
>
> 3. create 'test' collection with one shard on *node_1*.
> --
> The following requests expected to succeed but return 403 status
> (unauthorized request):
> {code:java}
> curl -u read_user:read_user "http://node_2/solr/test/select?q=*:*;
> curl -u indexer_app:indexer_app "http://node_2/solr/test/select?q=*:*;
> curl -u indexer_app:indexer_app "http://node_2/solr/test/update?commit=true;
> {code}
>
> Authenticated '_solr_' user requests works as expected. My guess is due to
> the special '_all_' role.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Comment Edited] (SOLR-13472) HTTP requests to a node that does not hold a core of the collection are unauthorized
[
https://issues.apache.org/jira/browse/SOLR-13472?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16877454#comment-16877454
]
Ishan Chattopadhyaya edited comment on SOLR-13472 at 7/3/19 3:37 AM:
-
Attached a WIP patch based on this solution. This requires
forwardCredentials=true, as follows:
{code}
{
"authentication": {
"blockUnknown": true,
"class": "solr.BasicAuthPlugin",
"forwardCredentials": "false",
"credentials": {
"solr": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=",
"indexer_app": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=",
"read_user": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="
}
},
"authorization": {
"class": "solr.RuleBasedAuthorizationPlugin",
"permissions": [
{
"name": "read",
"role": "*"
},
{
"name": "update",
"role": [
"indexer",
"admin"
]
},
{
"name": "all",
"role": "admin"
}
],
"user-role": {
"solr": "admin",
"indexer_app": "indexer"
}
}
}
{code}
was (Author: ichattopadhyaya):
Attached a WIP patch based on this solution.
> HTTP requests to a node that does not hold a core of the collection are
> unauthorized
>
>
> Key: SOLR-13472
> URL: https://issues.apache.org/jira/browse/SOLR-13472
> Project: Solr
> Issue Type: Bug
> Components: Authorization
>Affects Versions: 7.7.1, 8.0
>Reporter: adfel
>Assignee: Ishan Chattopadhyaya
>Priority: Minor
> Labels: security
> Attachments: SOLR-13472.patch
>
>
> When creating collection in SolrCloud, collection is available for queries
> and updates through all Solr nodes, in particular nodes that does not hold
> one of collection's cores. This is expected behaviour that works when using
> SolrJ client or HTTP requests.
> When enabling authorization rules it seems that this behaviour is broken for
> HTTP requests:
> - executing request to a node that holds part of the collection (core) obey
> to authorization rules as expected.
> - other nodes respond with code 403 - unauthorized request.
> SolrJ still works as expected.
> Tested both with BasicAuthPlugin and KerberosPlugin authentication plugins.
> +Steps for reproduce:+
> 1. Create a cloud made of 2 nodes (node_1, node_2).
> 2. Configure authentication and authorization by uploading following
> security.json file to zookeeper:
>
> {code:java}
> {
> "authentication": {
>"blockUnknown": true,
>"class": "solr.BasicAuthPlugin",
>"credentials": {
> "solr": "'solr' user password_hash",
> "indexer_app": "'indexer_app' password_hash",
> "read_user": "'read_user' password_hash"
>}
> },
> "authorization": {
>"class": "solr.RuleBasedAuthorizationPlugin",
>"permissions": [
> {
>"name": "read",
>"role": "*"
> },
> {
>"name": "update",
>"role": [
> "indexer",
> "admin"
>]
> },
> {
>"name": "all",
>"role": "admin"
> }
>],
>"user-role": {
> "solr": "admin",
> "indexer_app": "indexer"
>}
> }
> }{code}
>
> 3. create 'test' collection with one shard on *node_1*.
> --
> The following requests expected to succeed but return 403 status
> (unauthorized request):
> {code:java}
> curl -u read_user:read_user "http://node_2/solr/test/select?q=*:*;
> curl -u indexer_app:indexer_app "http://node_2/solr/test/select?q=*:*;
> curl -u indexer_app:indexer_app "http://node_2/solr/test/update?commit=true;
> {code}
>
> Authenticated '_solr_' user requests works as expected. My guess is due to
> the special '_all_' role.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Comment Edited] (SOLR-13472) HTTP requests to a node that does not hold a core of the collection are unauthorized
[
https://issues.apache.org/jira/browse/SOLR-13472?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16877453#comment-16877453
]
Ishan Chattopadhyaya edited comment on SOLR-13472 at 7/3/19 3:38 AM:
-
The problem here was:
1. node_2 doesn't have a replica for test collection.
2. As a result, the permissions that have been set couldn't be validated.
3. The "all" permission here was claimed by "admin", and hence this request
was falsely marked MatchStatus.FORBIDDEN.
What should've happened is:
If node receiving the request doesn't host a replica, it should check if
"forwardCredentials" (SOLR-12799) is set to true (BasicAuthPlugin supports
this), and mark MatchStatus.NO_PERMISSION_FOUND, so that the request isn't
rejected right away, but validated properly on a forwarded node.
was (Author: ichattopadhyaya):
The problem here was:
1. node_2 doesn't have a replica for test collection.
2. As a result, the permissions that have been set couldn't be validated.
3. The "all" permission here was claimed by "admin", and hence this request was
falsely marked MatchStatus.FORBIDDEN.
What should've happened is:
If node receiving the request doesn't host a replica, it should check if
"forwardCredentials" is set to true (BasicAuthPlugin supports this), and mark
MatchStatus.NO_PERMISSION_FOUND, so that the request isn't rejected right away,
but validated properly on a forwarded node.
> HTTP requests to a node that does not hold a core of the collection are
> unauthorized
>
>
> Key: SOLR-13472
> URL: https://issues.apache.org/jira/browse/SOLR-13472
> Project: Solr
> Issue Type: Bug
> Components: Authorization
>Affects Versions: 7.7.1, 8.0
>Reporter: adfel
>Assignee: Ishan Chattopadhyaya
>Priority: Minor
> Labels: security
> Attachments: SOLR-13472.patch
>
>
> When creating collection in SolrCloud, collection is available for queries
> and updates through all Solr nodes, in particular nodes that does not hold
> one of collection's cores. This is expected behaviour that works when using
> SolrJ client or HTTP requests.
> When enabling authorization rules it seems that this behaviour is broken for
> HTTP requests:
> - executing request to a node that holds part of the collection (core) obey
> to authorization rules as expected.
> - other nodes respond with code 403 - unauthorized request.
> SolrJ still works as expected.
> Tested both with BasicAuthPlugin and KerberosPlugin authentication plugins.
> +Steps for reproduce:+
> 1. Create a cloud made of 2 nodes (node_1, node_2).
> 2. Configure authentication and authorization by uploading following
> security.json file to zookeeper:
>
> {code:java}
> {
> "authentication": {
>"blockUnknown": true,
>"class": "solr.BasicAuthPlugin",
>"credentials": {
> "solr": "'solr' user password_hash",
> "indexer_app": "'indexer_app' password_hash",
> "read_user": "'read_user' password_hash"
>}
> },
> "authorization": {
>"class": "solr.RuleBasedAuthorizationPlugin",
>"permissions": [
> {
>"name": "read",
>"role": "*"
> },
> {
>"name": "update",
>"role": [
> "indexer",
> "admin"
>]
> },
> {
>"name": "all",
>"role": "admin"
> }
>],
>"user-role": {
> "solr": "admin",
> "indexer_app": "indexer"
>}
> }
> }{code}
>
> 3. create 'test' collection with one shard on *node_1*.
> --
> The following requests expected to succeed but return 403 status
> (unauthorized request):
> {code:java}
> curl -u read_user:read_user "http://node_2/solr/test/select?q=*:*;
> curl -u indexer_app:indexer_app "http://node_2/solr/test/select?q=*:*;
> curl -u indexer_app:indexer_app "http://node_2/solr/test/update?commit=true;
> {code}
>
> Authenticated '_solr_' user requests works as expected. My guess is due to
> the special '_all_' role.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Comment Edited] (SOLR-13472) HTTP requests to a node that does not hold a core of the collection are unauthorized
[
https://issues.apache.org/jira/browse/SOLR-13472?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16841065#comment-16841065
]
adfel edited comment on SOLR-13472 at 5/16/19 7:42 AM:
---
We tested using versions 7.7.1, 8.0.0 and a snapshot of 7.7.2 that was built
about a week ago.
was (Author: adfel70):
We tested against versions 7.7.1, 8.0.0 and a snapshot of 7.7.2 that was built
about a week ago.
> HTTP requests to a node that does not hold a core of the collection are
> unauthorized
>
>
> Key: SOLR-13472
> URL: https://issues.apache.org/jira/browse/SOLR-13472
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Authorization
>Affects Versions: 7.7.1, 8.0
>Reporter: adfel
>Priority: Minor
> Labels: security
>
> When creating collection in SolrCloud, collection is available for queries
> and updates through all Solr nodes, in particular nodes that does not hold
> one of collection's cores. This is expected behaviour that works when using
> SolrJ client or HTTP requests.
> When enabling authorization rules it seems that this behaviour is broken for
> HTTP requests:
> - executing request to a node that holds part of the collection (core) obey
> to authorization rules as expected.
> - other nodes respond with code 403 - unauthorized request.
> SolrJ still works as expected.
> Tested both with BasicAuthPlugin and KerberosPlugin authentication plugins.
> +Steps for reproduce:+
> 1. Create a cloud made of 2 nodes (node_1, node_2).
> 2. Configure authentication and authorization by uploading following
> security.json file to zookeeper:
>
> {code:java}
> {
> "authentication": {
>"blockUnknown": true,
>"class": "solr.BasicAuthPlugin",
>"credentials": {
> "solr": "'solr' user password_hash",
> "indexer_app": "'indexer_app' password_hash",
> "read_user": "'read_user' password_hash"
>}
> },
> "authorization": {
>"class": "solr.RuleBasedAuthorizationPlugin",
>"permissions": [
> {
>"name": "read",
>"role": "*"
> },
> {
>"name": "update",
>"role": [
> "indexer",
> "admin"
>]
> },
> {
>"name": "all",
>"role": "admin"
> }
>],
>"user-role": {
> "solr": "admin",
> "indexer_app": "indexer"
>}
> }
> }{code}
>
> 3. create 'test' collection with one shard on *node_1*.
> --
> The following requests expected to succeed but return 403 status
> (unauthorized request):
> {code:java}
> curl -u read_user:read_user "http://node_2/solr/test/select?q=*:*;
> curl -u indexer_app:indexer_app "http://node_2/solr/test/select?q=*:*;
> curl -u indexer_app:indexer_app "http://node_2/solr/test/update?commit=true;
> {code}
>
> Authenticated '_solr_' user requests works as expected. My guess is due to
> the special '_all_' role.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
