Re: Rule-Based Auth - update not working
One slight correction: I missed that you actually do have a path/collection-specific permission in your list there. So Solr will check the permissions in descending list-order for most requests - the exception being /luke requests when the /luke permission filters to the top and is checked first.

We should really change this resolution order to be something more commonsense.

Jason

On Sun, May 17, 2020 at 2:52 PM Jason Gerlowski wrote:
>
> Hi Isabelle,
>
> Two things to keep in mind with Solr's Rule-Based Authorization.
>
> 1. Each request is controlled by the first permission that matches
>    the request.
> 2. With the permissions you have present, Solr will check them in
>    descending list order. (This isn't always true - collection-specific
>    and path-specific permissions are given precedence, so you don't need
>    to consider that.)
>
> As you can imagine given the rules above - permission order is very
> important. In your case the "all" rule will match pretty much all
> requests, which explains why an "indexing" user can't actually index.
> Generally speaking, it's best to put the most specific rules first,
> with the broader ones coming later.
>
> For more information, see the "Permission Ordering and Resolution"
> section in the page you linked to in your request.
>
> Good luck, hope that helps.
>
> Jason
>
> On Tue, May 12, 2020 at 12:34 PM Isabelle Giguere wrote:
> >
> > Hi;
> >
> > I'm using Solr 8.5.0.
> >
> > I'm having trouble setting up some permissions using the rule-based
> > authorization plugin:
> > https://lucene.apache.org/solr/guide/8_5/rule-based-authorization-plugin.html
> >
> > I have 3 users: "admin", "search", and "indexer".
> >
> > I have set permissions and user roles:
> > "permissions": [ { "name": "all", "role": "admin", "index": 1 },
> >   { "name": "admin-luke", "collection": "*", "role": "luke", "index": 2, "path": "/admin/luke" },
> >   { "name": "read", "role": "searching", "index": 3 },
> >   { "name": "update", "role": "indexing", "index": 4 }],
> > "user-role": { "admin": "admin",
> >   "search": ["searching","luke"],
> >   "indexer": "indexing" } }
> > Attached: full output of GET /admin/authorization
> >
> > So why can't user "indexer" add anything in a collection? I always get
> > HTTP 403 Forbidden.
> > Using Postman, I click the checkbox to show the password, so I'm sure I
> > typed the right one.
> >
> > Note that user "search" can't use the /select handler either, as should be
> > the case with permission to "read". This user can, however, use the Luke
> > handler, as the custom permission allows.
> >
> > User "admin" can use any API. So at least the predefined permission "all"
> > does work.
> >
> > Note that the collections were created before enabling authentication and
> > authorization. Could that be the cause of the permission issues?
> >
> > Thanks;
> >
> > Isabelle Giguère
> > Computational Linguist & Java Developer
> > Linguiste informaticienne & développeur java
Re: Rule-Based Auth - update not working
Hi Isabelle,

Two things to keep in mind with Solr's Rule-Based Authorization.

1. Each request is controlled by the first permission that matches
   the request.
2. With the permissions you have present, Solr will check them in
   descending list order. (This isn't always true - collection-specific
   and path-specific permissions are given precedence, so you don't need
   to consider that.)

As you can imagine given the rules above - permission order is very important. In your case the "all" rule will match pretty much all requests, which explains why an "indexing" user can't actually index. Generally speaking, it's best to put the most specific rules first, with the broader ones coming later.

For more information, see the "Permission Ordering and Resolution" section in the page you linked to in your request.

Good luck, hope that helps.

Jason

On Tue, May 12, 2020 at 12:34 PM Isabelle Giguere wrote:
>
> Hi;
>
> I'm using Solr 8.5.0.
>
> I'm having trouble setting up some permissions using the rule-based
> authorization plugin:
> https://lucene.apache.org/solr/guide/8_5/rule-based-authorization-plugin.html
>
> I have 3 users: "admin", "search", and "indexer".
>
> I have set permissions and user roles:
> "permissions": [ { "name": "all", "role": "admin", "index": 1 },
>   { "name": "admin-luke", "collection": "*", "role": "luke", "index": 2, "path": "/admin/luke" },
>   { "name": "read", "role": "searching", "index": 3 },
>   { "name": "update", "role": "indexing", "index": 4 }],
> "user-role": { "admin": "admin",
>   "search": ["searching","luke"],
>   "indexer": "indexing" } }
> Attached: full output of GET /admin/authorization
>
> So why can't user "indexer" add anything in a collection? I always get HTTP
> 403 Forbidden.
> Using Postman, I click the checkbox to show the password, so I'm sure I typed
> the right one.
>
> Note that user "search" can't use the /select handler either, as should be
> the case with permission to "read". This user can, however, use the Luke
> handler, as the custom permission allows.
>
> User "admin" can use any API. So at least the predefined permission "all"
> does work.
>
> Note that the collections were created before enabling authentication and
> authorization. Could that be the cause of the permission issues?
>
> Thanks;
>
> Isabelle Giguère
> Computational Linguist & Java Developer
> Linguiste informaticienne & développeur java
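
The resolution order described in the two replies above, as an added example (not Solr's code and not part of the thread): a simplified Python model run over the posted permission list and over the same list with "all" moved last. The handler paths assigned to "read" and "update", the allow-when-nothing-matches fallback and all function names are assumptions.

```python
# Simplified model of the first-match rule described in this thread; not Solr's code.
# Assumption: the predefined "read"/"update" permissions are reduced to a few paths.
PREDEFINED = {
    "all": lambda path: True,
    "read": lambda path: path in ("/select", "/get"),
    "update": lambda path: path.startswith("/update"),
}

# Permissions and user-role mapping as posted in the thread ("index" omitted).
POSTED = [
    {"name": "all", "role": "admin"},
    {"name": "admin-luke", "collection": "*", "role": "luke", "path": "/admin/luke"},
    {"name": "read", "role": "searching"},
    {"name": "update", "role": "indexing"},
]
USER_ROLE = {"admin": ["admin"], "search": ["searching", "luke"], "indexer": ["indexing"]}


def matches(perm, path):
    """A permission with an explicit path matches that path only."""
    if "path" in perm:
        return perm["path"] == path
    return PREDEFINED[perm["name"]](path)


def decide(permissions, user, path):
    """Return (HTTP status, name of the permission that decided the request)."""
    # Path-specific permissions are checked first, the rest in list order
    # (sorted() is stable, so list order is preserved inside each group).
    ordered = sorted(permissions, key=lambda p: "path" not in p)
    for perm in ordered:
        if matches(perm, path):
            allowed = perm["role"] in USER_ROLE.get(user, [])
            return (200 if allowed else 403), perm["name"]
    return 200, None  # assumption: a request no permission matches is not restricted


def most_specific_first(permissions):
    """Move the catch-all "all" permission to the end, as the reply recommends."""
    return sorted(permissions, key=lambda p: p["name"] == "all")


if __name__ == "__main__":
    requests = [("indexer", "/update"), ("search", "/select"),
                ("search", "/admin/luke"), ("admin", "/update")]
    for label, perms in (("posted", POSTED), ("reordered", most_specific_first(POSTED))):
        for user, path in requests:
            print(label, user, path, decide(perms, user, path))
```

In this model the reordered list also sends the admin user's /update request to the "update" permission first, so admin is refused there unless it holds the "indexing" role as well.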
Rule-Based Auth - update not working
Hi;

I'm using Solr 8.5.0.

I'm having trouble setting up some permissions using the rule-based authorization plugin:
https://lucene.apache.org/solr/guide/8_5/rule-based-authorization-plugin.html

I have 3 users: "admin", "search", and "indexer".

I have set permissions and user roles:
"permissions": [ { "name": "all", "role": "admin", "index": 1 },
  { "name": "admin-luke", "collection": "*", "role": "luke", "index": 2, "path": "/admin/luke" },
  { "name": "read", "role": "searching", "index": 3 },
  { "name": "update", "role": "indexing", "index": 4 }],
"user-role": { "admin": "admin",
  "search": ["searching","luke"],
  "indexer": "indexing" } }
Attached: full output of GET /admin/authorization

So why can't user "indexer" add anything in a collection? I always get HTTP 403 Forbidden.
Using Postman, I click the checkbox to show the password, so I'm sure I typed the right one.

Note that user "search" can't use the /select handler either, as should be the case with permission to "read". This user can, however, use the Luke handler, as the custom permission allows.

User "admin" can use any API. So at least the predefined permission "all" does work.

Note that the collections were created before enabling authentication and authorization. Could that be the cause of the permission issues?

Thanks;

Isabelle Giguère
Computational Linguist & Java Developer
Linguiste informaticienne & développeur java