[jira] [Commented] (SOLR-9804) Rule-Based Authorization Plugin does not secure access for update operations
[ https://issues.apache.org/jira/browse/SOLR-9804?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16577290#comment-16577290 ]

Jan Høydahl commented on SOLR-9804:
-----------------------------------

So is this due to collection:null or due to the zk version tag, and should we close this as invalid or should we change something?

> Rule-Based Authorization Plugin does not secure access for update operations
>
> Key: SOLR-9804
> URL: https://issues.apache.org/jira/browse/SOLR-9804
> Project: Solr
> Issue Type: Bug
> Security Level: Public (Default Security Level. Issues are Public)
> Components: security
> Affects Versions: 6.3
> Environment: Linux:
> # uname -a
> Linux hostname 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
> /solr -version
> 6.3.0
> Reporter: Sleem
> Priority: Major
> Labels: authorization, security, update
>
> It looks like the /update path is not filtered by the Rule-Based Authorization Plugin. Even if you set permission using the path permission "/update" or the pre-defined permission "update".
> Below is the security.json
> {code:JavaScript}
> {
>   "authentication":{
>     "class":"solr.BasicAuthPlugin",
>     "blockUnknown":true,
>     "credentials":{
>       "admin":"JrcQ8Lh/xKmucz9CaGVXwTpXxGSUZOt32i6W2f4tIfY= PuAJx8DjI0Ozy2gQXteG5KfRAbOmXuRFZVjHbrIIzVk=",
>       "update":"tFdQLTQd9qXAStQek5xQQPlVcmXgjI/w4+9rjAZyqTU= by0LXUAdNAtcJW+DuycI2zc4NyDjCiexOgMaqEFIklU=",
>       "solr":"GglOeZytbUBCKW8QT1H7kVs0eHc0x8+iNmpz7x8DKMI= 5JR1Ul8QehmP3nb2U6Bc/N1qwrQljLfiKPTxm35FikA="}},
>   "authorization":{
>     "class":"solr.RuleBasedAuthorizationPlugin",
>     "user-role":{
>       "admin":["admin_role"],
>       "update":["update_role"],
>       "solr":["read_role"]},
>     "permissions":[
>       {"collection":null, "name":"security-edit", "role":["admin_role"], "index":1},
>       {"collection":null, "name":"schema-edit", "role":["admin_role"], "index":2},
>       {"collection":null, "name":"config-edit", "role":["admin_role"], "index":3},
>       {"collection":null, "name":"core-admin-edit", "role":["admin_role"], "index":4},
>       {"collection":null, "name":"collection-admin-edit", "role":["admin_role"], "index":5},
>       {"collection":null, "name":"security-read", "role":["admin_role"], "index":6},
>       {"collection":null, "name":"schema-read", "role":["admin_role", "update_role"], "index":7},
>       {"collection":null, "name":"core-admin-read", "role":["admin_role", "update_role"], "index":8},
>       {"collection":null, "name":"config-read", "role":["admin_role", "update_role"], "index":9},
>       {"collection":null, "name":"collection-admin-read", "role":["admin_role", "update_role"], "index":10},
>       {"collection":null, "name":"update", "role":["admin_role", "update_role"], "index":11},
>       {"collection":null, "name":"read", "role":["admin_role", "update_role", "read_role"], "index":12},
>       {"collection":null, "name":"all", "role":["admin_role"], "index":13},
>       {"collection":null, "path":"/*", "role":["admin_role"], "index":14}],
>     "":{"v":138}}}
> {code}
> I have tested update using SolrJ and by hitting the /update on the browser using the solr user (who has no rights to update). Both updates succeeded.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-9804) Rule-Based Authorization Plugin does not secure access for update operations
[ https://issues.apache.org/jira/browse/SOLR-9804?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16000179#comment-16000179 ]

Noble Paul commented on SOLR-9804:
----------------------------------

created SOLR-10627
[jira] [Commented] (SOLR-9804) Rule-Based Authorization Plugin does not secure access for update operations
[ https://issues.apache.org/jira/browse/SOLR-9804?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16000174#comment-16000174 ]

Noble Paul commented on SOLR-9804:
----------------------------------

[~sleem] {{collection:null}} means it is not a collection specific request. {{/update}} is a collection specific request. Remove it and it should work.
[jira] [Commented] (SOLR-9804) Rule-Based Authorization Plugin does not secure access for update operations
[ https://issues.apache.org/jira/browse/SOLR-9804?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=1629#comment-1629 ]

Cassandra Targett commented on SOLR-9804:
-----------------------------------------

I have no idea if it's a real issue. However, pinging [~noble.paul] since he had told me privately that he was going to fix that separately, but I don't know if he did.
[jira] [Commented] (SOLR-9804) Rule-Based Authorization Plugin does not secure access for update operations
[ https://issues.apache.org/jira/browse/SOLR-9804?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=1586#comment-1586 ]

Jan Høydahl commented on SOLR-9804:
-----------------------------------

[~ctargett], do you want to open a separate issue for the {{collection:null}} issue, if you believe it is a real one? Regarding this issue, we should either be explicit and return an exception, e.g. "Not updated, version N already in ZK", or we should disregard any version in the JSON and let it always succeed, with the risk of two admins editing the same config without knowing and the last one wins.
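As an added illustration of the two points raised in this thread (Noble Paul's remark that a permission with collection:null only matches non-collection requests, so it never guards /update, and Jan Høydahl's point about the ZooKeeper version tag being posted back), here is a small audit script that is not part of Solr or of this issue. It parses a security.json, flags collection-scoped predefined permissions that carry "collection": null, flags the "" version tag, and returns a corrected copy; the set of collection-scoped permission names is my assumption from reading Solr's source and should be verified against your version.

```python
import json
from copy import deepcopy

# Collection-scoped predefined permissions: my assumption from Solr's source; verify for your version.
COLLECTION_SCOPED = {"read", "update", "schema-read", "schema-edit", "config-read", "config-edit"}

def audit_security_json(security):
    """Return (findings, fixed_config) for a parsed security.json.
    "collection": null means "non-collection request" (see the thread), so a
    collection-scoped permission carrying it never guards /update; the fixed
    copy drops that key and the ZK version tag ("": {"v": N}), which can make
    a re-posted edit a silent no-op."""
    fixed = deepcopy(security)
    findings = []
    authz = fixed.get("authorization", {})
    for perm in authz.get("permissions", []):
        if "collection" not in perm or perm["collection"] is not None:
            continue
        name, path, idx = perm.get("name"), perm.get("path"), perm.get("index")
        if name in COLLECTION_SCOPED:
            findings.append(f'index {idx}: "{name}" has "collection": null and '
                            'will never guard collection requests; key removed')
            del perm["collection"]
        elif path is not None:
            findings.append(f'index {idx}: path "{path}" has "collection": null '
                            'and only covers non-collection requests; review')
    if "" in authz:
        findings.append(f'authorization carries ZK version tag {authz[""]}; removed')
        del authz[""]
    return findings, fixed

# Constructed sample: a subset of the security.json quoted in the issue.
SAMPLE = {
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "user-role": {"admin": ["admin_role"], "update": ["update_role"],
                      "solr": ["read_role"]},
        "permissions": [
            {"collection": None, "name": "security-edit", "role": ["admin_role"], "index": 1},
            {"collection": None, "name": "update",
             "role": ["admin_role", "update_role"], "index": 11},
            {"collection": None, "name": "read",
             "role": ["admin_role", "update_role", "read_role"], "index": 12},
            {"collection": None, "path": "/*", "role": ["admin_role"], "index": 14},
        ],
        "": {"v": 138},
    }
}

if __name__ == "__main__":
    found, fixed_cfg = audit_security_json(SAMPLE)
    print("\n".join(found))
    print(json.dumps(fixed_cfg["authorization"], indent=2))
```

Running it against a real file is a matter of replacing SAMPLE with json.load() of the security.json fetched from ZooKeeper; the non-collection permissions such as security-edit are left untouched.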