Hi Jason,

Thanks for your prompt reply.

Your code does address a few of my concerns, like restricting *solr-user* from accessing the dashboard and from executing other request methods apart from *"update"* and *"read"*. But I am still able to access other collections such as *"Collection3"*, *"Collection4"* and so on, apart from the intended two collections entered in the code. I can give *"update"* and *"read"* requests to these external collections, which solr-user should not be able to do. Moreover, solr-user can look at the *http://localhost:8983/solr/admin/authentication* link, which lists the users and their *SHA256*-coded passwords. How can I hide this and restrict access to other collections?

Thanks and regards,
Salmaan

On Wed, Aug 21, 2019 at 5:07 AM Jason Gerlowski <gerlowsk...@gmail.com> wrote:
> Hi Salmaan,
>
> Solr's RuleBasedAuthorizationPlugin allows requests through if none of
> the specified permissions apply. I think that's what you're running
> into in your example above. If you want to lock down a particular API
> (or set of APIs) then you need to explicitly add a permission that
> restricts those APIs to a particular role.
>
> One way to get the behavior that it sounds like you're looking for
> would be to add a catch-all permission at the bottom of your
> permissions list that restricts all other APIs to "admin". This would
> look a bit like:
>
> "permissions":[
>   {
>     "name":"security-edit",
>     "role":"admin"
>   },
>   {
>     "collection": ["Collection1", "Collection2"],
>     "name": ["update", "read"],
>     "role": "dev"
>   },
>   {
>     "name": "all",
>     "role": "admin"
>   }
> ]
>
> Hope that helps get you started.
>
> Best,
>
> Jason
>
> On Tue, Aug 20, 2019 at 3:19 AM Salmaan Rashid Syed
> <salmaan.ras...@mroads.com> wrote:
> >
> > Hi Solr Users,
> >
> > I want to create a user that has restricted access to Solr. I did the
> > following:
> >
> > {
> >   "authentication":{
> >     "blockUnknown": true,
> >     "class":"solr.BasicAuthPlugin",
> >     "credentials":{
> >       "solr-admin": "2IUJD9dxRhxSXaJGdMP5z8ggSn4I285Ty9GCWeRNMUg= /sSNJJufPtj4baRizoJshJawFsWvopvZSqZpQ/Nwd78=",
> >       "solr-user": "p+XwOh15p/rvFltv2LXP1CwtbvwBgGlC9qcDKxV73B4= DcNsjfA6Wf16V1XKT+YraosSFQ5Cr3eRUX6BQnx9XKA="
> >     }
> >   },
> >   "authorization":{
> >     "class":"solr.RuleBasedAuthorizationPlugin",
> >     "user-role":{"solr-admin":"admin", "solr-user":"dev"},
> >     "permissions":[
> >       {
> >         "name":"security-edit",
> >         "role":"admin"
> >       },
> >       {
> >         "collection": ["Collection1", "Collection2"],
> >         "name": ["update", "read"],
> >         "role": "dev"
> >       }
> >     ]
> >   }
> > }
> >
> > But when I log into the Solr admin dashboard using solr-user credentials,
> > I can read, select, write, update, delete collections and do all sorts of
> > things like a solr-admin can do.
> >
> > I want solr-user to be able to access only *Collection1* and *Collection2*
> > and be able to only *update* and *read*. He should not be able to access
> > other collections and do anything apart from the above mentioned role.
> >
> > Where am I exactly going wrong?
> >
> > Thanks and Regards,
> > Salmaan
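As an added illustration (not code from this thread or from Solr itself), here is a small Python model of the first-match rule Jason describes: walk the permissions in order, let the first one whose name and collection match decide which role is required, and allow any request that no permission matches. It models only the "name", "collection" and "role" attributes of a security.json permission, and the constant and function names (ORIGINAL, WITH_CATCH_ALL, USER_ROLES, is_allowed, audit) are mine, so it is a way to reason about a policy before loading it, not a substitute for testing against a running Solr.

```python
# Added illustration of the first-match rule described in the thread; this is
# a simplified model, not Solr's RuleBasedAuthorizationPlugin, and it only
# looks at a permission's "name", "collection" and "role" attributes.

# Permissions as in Salmaan's security.json, and Jason's variant with the
# catch-all "all" permission appended at the end of the list.
ORIGINAL = [
    {"name": "security-edit", "role": "admin"},
    {"collection": ["Collection1", "Collection2"],
     "name": ["update", "read"], "role": "dev"},
]
WITH_CATCH_ALL = ORIGINAL + [{"name": "all", "role": "admin"}]
USER_ROLES = {"solr-admin": ["admin"], "solr-user": ["dev"]}


def _as_list(value):
    """security.json accepts a string or a list for name/role/collection."""
    return value if isinstance(value, list) else [value]


def first_match(permissions, name, collection):
    """Return the first permission that applies to (name, collection).
    A permission without a "collection" key applies to every collection;
    the predefined "all" name applies to every request."""
    for perm in permissions:
        names = _as_list(perm["name"])
        if "all" not in names and name not in names:
            continue
        if "collection" in perm and collection not in _as_list(perm["collection"]):
            continue
        return perm
    return None


def is_allowed(permissions, user, name, collection=None):
    """Decide a request the way the thread describes: the user must hold the
    first matching permission's role; no matching permission means allowed."""
    perm = first_match(permissions, name, collection)
    if perm is None:
        return True  # nothing restricts this request, so it falls through
    return bool(set(_as_list(perm["role"])) & set(USER_ROLES.get(user, [])))


def audit(permissions, user, collections, names=("read", "update")):
    """Map every (name, collection) pair to whether `user` may perform it."""
    return {(n, c): is_allowed(permissions, user, n, c)
            for c in collections for n in names}


if __name__ == "__main__":
    for label, perms in (("original", ORIGINAL), ("with catch-all", WITH_CATCH_ALL)):
        print(label, audit(perms, "solr-user", ["Collection1", "Collection3"]))
```

Under this model the original list lets solr-user read and update Collection3 because nothing matches, while the catch-all version routes that request to the "all" permission and requires "admin".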