I believe that Joe needs to be given some level of access for him to be able to 
see the collections, and joe should always be required to give his/her/its 
password to access any collection.

-----Original Message-----
From: Terry Steichen [mailto:te...@net-frame.com] 
Sent: Monday, March 12, 2018 6:08 PM
To: solr-user@lucene.apache.org
Subject: Resend: Authorization on 6.6.0

I'm resending the information below because the original message got the 
security.json stuff garbled.

I'm using 6.6.0 with security.json active, having the content shown below.  I 
am running standalone mode, have two solr cores defined:
email1, and email2.  Since the 'blockUnknown' is set to false, everyone should 
have access to any unprotected resource.  As you can see, I have three users 
defined: joe, solr and terry (the latter two having an admin role).

What I expect to happen is for user joe (who is not an admin) to be able to 
access core emails2 without being challenged for his credentials. But, user joe 
should also be challenged and not allowed to access emails1. 

But solr appears to ignore the "collections" portion of the permission - it 
denies joe access to both cores. 

Is this a bug (in that auth doesn't work properly in 6.6.0 standalone), or am I 
(once again) missing something?


    "authentication": {
        "class": "solr.BasicAuthPlugin",
        "blockUnknown": true,
        "credentials": {
            "solr": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
            "joe": "iGx0BaTgmjmCxrRmaD3IsCb2MJ21x1vqhfdzbwyu9MY=
            "terry": "q71fVfo/DIeCSfc1zw6YMyXVjU24Jr2oLniEkXFdPe0=
        "": {
            "v": 0
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "user-role": {
            "solr": "admin",
            "terry": "admin"
        "permissions": [
                "path": "/select",
                "role": "admin"

Reply via email to