Hi Jason,

I am using version 7.6 of Solr.

Thanks,
Salmaan



On Wed, Aug 21, 2019 at 4:12 PM Jason Gerlowski <gerlowsk...@gmail.com>
wrote:

> The "all" permissions _should_ block solr-user from accessing all of
> those resources, and I believe it does in newer versions of Solr.
> There was a bug with it that was fixed a few versions back though- it
> sounds like you might be running into that. (see
> https://issues.apache.org/jira/browse/SOLR-13355) What version of Solr
> are you using?
>
> Jason
>
>
>
> On Wed, Aug 21, 2019 at 5:21 AM Salmaan Rashid Syed
> <salmaan.ras...@mroads.com> wrote:
> >
> > Hi Jason,
> >
> > Thanks for your prompt reply.
> >
> > Your code does address a few of my concerns like restricting *solr-user* from
> > accessing the dashboard and from executing other request methods apart from
> > *"update"* and *"read"*.
> >
> > But I am still able to access other collections such as *"Collection3", "Collection4"*
> > and so on, apart from the intended two collections entered in
> > the code. I can give *"update"* and *"read"* requests to these external
> > Collections which solr-user should not be able to do.
> >
> > Moreover solr-user can look at the
> > http://localhost:8983/solr/admin/authentication link which lists the
> > users and their *SHA256* coded passwords. How can I hide this and restrict
> > access to other collections?
> >
> > Thanks and regards
> > Salmaan
> >
> >
> > On Wed, Aug 21, 2019 at 5:07 AM Jason Gerlowski <gerlowsk...@gmail.com>
> > wrote:
> >
> > > Hi Salmaan,
> > >
> > > Solr's RuleBasedAuthorizationPlugin allows requests through if none of
> > > the specified permissions apply.  I think that's what you're running
> > > into in your example above.  If you want to lock down a particular API
> > > (or set of APIs) then you need to explicitly add a permission that
> > > restricts those APIs to a particular role.
> > >
> > > One way to get the behavior that it sounds like you're looking for
> > > would be to add a catch-all permission at the bottom of your
> > > permissions list that restricts all other APIs to "admin".  This would
> > > look a bit like:
> > >
> > >  "permissions":[
> > >     {
> > >         "name":"security-edit",
> > >         "role":"admin"
> > >     },
> > >     {
> > >         "collection": ["Collection1", "Collection2"],
> > >         "name": ["update", "read"],
> > >         "role": "dev"
> > >     },
> > >     {
> > >         "name": "all",
> > >         "role": "admin"
> > >     }
> > > ]
> > >
> > > Hope that helps get you started.
> > >
> > > Best,
> > >
> > > Jason
> > >
> > > On Tue, Aug 20, 2019 at 3:19 AM Salmaan Rashid Syed
> > > <salmaan.ras...@mroads.com> wrote:
> > > >
> > > > Hi Solr Users,
> > > >
> > > > I want to create a user that has restricted access to Solr. I did the
> > > > following:
> > > >
> > > >
> > > > {
> > > >   "authentication": {
> > > >     "blockUnknown": true,
> > > >     "class": "solr.BasicAuthPlugin",
> > > >     "credentials": {
> > > >       "solr-admin": "2IUJD9dxRhxSXaJGdMP5z8ggSn4I285Ty9GCWeRNMUg= /sSNJJufPtj4baRizoJshJawFsWvopvZSqZpQ/Nwd78=",
> > > >       "solr-user": "p+XwOh15p/rvFltv2LXP1CwtbvwBgGlC9qcDKxV73B4= DcNsjfA6Wf16V1XKT+YraosSFQ5Cr3eRUX6BQnx9XKA="
> > > >     }
> > > >   },
> > > >   "authorization": {
> > > >     "class": "solr.RuleBasedAuthorizationPlugin",
> > > >     "user-role": {"solr-admin": "admin", "solr-user": "dev"},
> > > >     "permissions": [
> > > >       {
> > > >         "name": "security-edit",
> > > >         "role": "admin"
> > > >       },
> > > >       {
> > > >         "collection": ["Collection1", "Collection2"],
> > > >         "name": ["update", "read"],
> > > >         "role": "dev"
> > > >       }
> > > >     ]
> > > >   }
> > > > }
> > > >
> > > >
> > > > But when I log in to the Solr admin dash-board using Solr-user credentials,
> > > > I can read, select, write, update, delete collections and do all sorts of
> > > > things like a solr-admin can do.
> > > >
> > > > I want solr-user to be able to access only *Collection1* and *Collection2*
> > > > and be able to only *update* and *read*. He should not be able to access
> > > > other collections and do anything apart from the above mentioned role.
> > > >
> > > > Where am I exactly going wrong?
> > > >
> > > > Thanks and Regards,
> > > > Salmaan
> > >
>
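
An added example, not code from anyone in this thread or from Solr: a simplified Python model of the behaviour Jason describes (permissions checked in order, requests let through when nothing applies), run against the two permission lists quoted above. The function names are hypothetical, and `security-read` is Solr's predefined permission for reading the security configuration, used here to stand for the /admin/authentication request.

```python
# Simplified model (an assumption, not Solr's implementation): walk the
# permission list in order, let the first applicable entry decide, and allow
# the request when no entry applies, as described in the thread.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def applies(perm, collection, action):
    names = _as_list(perm["name"])
    if "all" not in names and action not in names:
        return False
    # An entry without a "collection" key is not tied to specific collections.
    return "collection" not in perm or collection in _as_list(perm["collection"])

def is_allowed(authz, user, collection, action):
    roles = set(_as_list(authz["user-role"].get(user, [])))
    for perm in authz["permissions"]:
        if applies(perm, collection, action):
            return bool(roles & set(_as_list(perm["role"])))
    return True  # nothing applied: the request is let through

def has_trailing_catch_all(authz):
    perms = authz["permissions"]
    return bool(perms) and "all" in _as_list(perms[-1]["name"])

# Both configurations are taken from the thread (credentials left out).
USER_ROLE = {"solr-admin": "admin", "solr-user": "dev"}
BASE = [
    {"name": "security-edit", "role": "admin"},
    {"collection": ["Collection1", "Collection2"],
     "name": ["update", "read"], "role": "dev"},
]
ORIGINAL = {"user-role": USER_ROLE, "permissions": BASE}
LOCKED = {"user-role": USER_ROLE,
          "permissions": BASE + [{"name": "all", "role": "admin"}]}

# Constructed sample requests as (collection, permission name).
REQUESTS = [("Collection1", "read"), ("Collection3", "read"),
            ("Collection3", "update"), (None, "security-read")]

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("with catch-all", LOCKED)):
        print(f"{label}: catch-all last = {has_trailing_catch_all(cfg)}")
        for coll, action in REQUESTS:
            verdict = is_allowed(cfg, "solr-user", coll, action)
            print(f"  solr-user {action} on {coll}: {verdict}")
```

The model shows the intended outcome of the catch-all entry; it does not reproduce the bug Jason links (SOLR-13355), so a version affected by that bug can still behave like the "original" case.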
