Hi,
Any suggestions as to what can be done?
Regards,
Salmaan
On Wed, Aug 21, 2019 at 4:33 PM Jason Gerlowski <gerlowsk...@gmail.com>
wrote:
> Ah, ok. SOLR-13355 still affects 7.6, so that explains why you're
> seeing this behavior.
>
> You could upgrade to get the new behavior, but you don't need to-
> there's a workaround. You just need to add a few extra rules to your
> security.json. The problem in SOLR-13355 is that the "all" permission
> isn't being considered for APIs that are covered by other predefined
> permissions. So the workaround is to add a permission rule for each
> of the predefined permissions, locking them down to the "admin" role.
> It really bloats security.json, but should do the job. So your
> security.json should have a permissions section that looks like the
> JSON below:
>
> {"name": "dev-read", "collection": ["collection1", "collection2"],
> "role": "dev"},
> {"name": "security-edit", "role": "admin"},
> {"name": "security-read", "role": "admin"},
> {"name": "schema-edit", "role": "admin"},
> {"name": "schema-read", "role": "admin"},
> {"name": "config-edit", "role": "admin"},
> {"name": "config-read", "role": "admin"},
> {"name": "core-admin-edit", "role": "admin"},
> {"name": "core-admin-read", "role": "admin"},
> {"name": "collection-api-edit", "role": "admin"},
> {"name": "collection-api-read", "role": "admin"},
> {"name": "read", "role": "admin"},
> {"name": "update", "role": "admin"},
> {"name": "all", "role": "admin"}
>
> Hope that helps. Let me know if that still has any problems for you.
>
> Jason
>
> On Wed, Aug 21, 2019 at 6:48 AM Salmaan Rashid Syed
> <salmaan.ras...@mroads.com> wrote:
> >
> > Hi Jason,
> >
> > Is there a way to fix this in version 7.6?
> >
> > Or is it mandatory to upgrade to other versions?
> >
> > If I have to upgrade to a higher version, then what is the best way to do
> > this without effecting the current configuration and indexed data?
> >
> > Thanks,
> > Salmaan
> >
> >
> >
> > On Wed, Aug 21, 2019 at 4:13 PM Salmaan Rashid Syed <
> > salmaan.ras...@mroads.com> wrote:
> >
> > > Hi Jason,
> > >
> > > I am using version 7.6 of Solr.
> > >
> > > Thanks,
> > > Salmaan
> > >
> > >
> > >
> > > On Wed, Aug 21, 2019 at 4:12 PM Jason Gerlowski <gerlowsk...@gmail.com
> >
> > > wrote:
> > >
> > >> The "all" permissions _should_ block solr-user from accessing all of
> > >> those resources, and I believe it does in newer versions of Solr.
> > >> There was a bug with it that was fixed a few versions back though- it
> > >> sounds like you might be running into that. (see
> > >> https://issues.apache.org/jira/browse/SOLR-13355) What version of
> Solr
> > >> are you using?
> > >>
> > >> Jason
> > >>
> > >>
> > >>
> > >> On Wed, Aug 21, 2019 at 5:21 AM Salmaan Rashid Syed
> > >> <salmaan.ras...@mroads.com> wrote:
> > >> >
> > >> > Hi Jason,
> > >> >
> > >> > Thanks for your prompt reply.
> > >> >
> > >> > Your code does address few of my concerns like restricting
> *solr-user*
> > >> from
> > >> > accessing the dashboard and from executing other request methods
> apart
> > >> from
> > >> > *"update"* and *"read"*.
> > >> >
> > >> > But I am still able to access other collections such as
> *"Collection3",
> > >> > "Collection4"* and so on, apart from the intended two collection
> > >> entered in
> > >> > the code. I can give *"update"* and *"read" *requests to these
> external
> > >> > Collections which solr-user should not be able to do.
> > >> >
> > >> > Moreover solr-user can look at the
> > >> > *http://localhost:8983/solr/admin/authentication
> > >> > <http://localhost:8983/solr/admin/authentication>* link which
> lists the
> > >> > users and their *SHA256* coded passwords. How can I hide this and
> > >> restrict
> > >> > access to other collections?
> > >> >
> > >> > Thanks and regards
> > >> > Salmaan
> > >> >
> > >> >
> > >> > On Wed, Aug 21, 2019 at 5:07 AM Jason Gerlowski <
> gerlowsk...@gmail.com>
> > >> > wrote:
> > >> >
> > >> > > Hi Salmaan,
> > >> > >
> > >> > > Solr's RuleBasedAuthorizationPlugin allows requests through if
> none of
> > >> > > the specified permissions apply. I think that's what you're
> running
> > >> > > into in your example above. If you want to lockdown a particular
> API
> > >> > > (or set of APIs) then you need to explicitly add a permission that
> > >> > > restricts those APIs to a particular role.
> > >> > >
> > >> > > One way to get the behavior that it sounds like you're looking for
> > >> > > would be to add a catch-all permission at the bottom of your
> > >> > > permissions list that restricts all other APIs to "admin". This
> would
> > >> > > look a bit like:
> > >> > >
> > >> > > "permissions":[
> > >> > > {
> > >> > > "name":"security-edit",
> > >> > > "role":"admin"
> > >> > > },
> > >> > > {
> > >> > > "collection": ["Collection1", "Collection2"],
> > >> > > "name": ["update", "read"],
> > >> > > "role": "dev"
> > >> > > },
> > >> > > {
> > >> > > "name": "all",
> > >> > > "role": "admin"
> > >> > > }
> > >> > > ]
> > >> > >
> > >> > > Hope that helps get you started.
> > >> > >
> > >> > > Best,
> > >> > >
> > >> > > Jason
> > >> > >
> > >> > > On Tue, Aug 20, 2019 at 3:19 AM Salmaan Rashid Syed
> > >> > > <salmaan.ras...@mroads.com> wrote:
> > >> > > >
> > >> > > > Hi Solr Users,
> > >> > > >
> > >> > > > I want to create a user that has restricted access to Solr. I
> did
> > >> the
> > >> > > > follwowing:-
> > >> > > >
> > >> > > >
> > >> > > > 1. {
> > >> > > > 2. "authentication":{
> > >> > > > 3. "blockUnknown": true,
> > >> > > > 4. "class":"solr.BasicAuthPlugin",
> > >> > > > 5. "credentials":{
> > >> > > > 6. "solr-admin":
> > >> > > > "2IUJD9dxRhxSXaJGdMP5z8ggSn4I285Ty9GCWeRNMUg=
> > >> > > > /sSNJJufPtj4baRizoJshJawFsWvopvZSqZpQ/Nwd78="
> > >> > > > ,
> > >> > > > 7. "solr-user":
> > >> > > > "p+XwOh15p/rvFltv2LXP1CwtbvwBgGlC9qcDKxV73B4=
> > >> > > > DcNsjfA6Wf16V1XKT+YraosSFQ5Cr3eRUX6BQnx9XKA="
> > >> > > >
> > >> > > > 8. }
> > >> > > > 9. },
> > >> > > > 10. "authorization":{
> > >> > > > 11. "class":"solr.RuleBasedAuthorizationPlugin",
> > >> > > > 12. "user-role":{"solr-admin":"admin", "solr-user":"dev"},
> > >> > > > 13. "permissions":[
> > >> > > > 14. {
> > >> > > > 15. "name":"security-edit",
> > >> > > > 16. "role":"admin"
> > >> > > > 17. },
> > >> > > > 18. {
> > >> > > > 19. "collection": ["Collection1", "Collection2"],
> > >> > > > 20. "name": ["update", "read"],
> > >> > > > 21. "role": "dev"
> > >> > > > 22. }
> > >> > > > 23. ]
> > >> > > > 24. }}
> > >> > > >
> > >> > > >
> > >> > > > But when Login intot the Solr admin dash-board using Solr-user
> > >> > > credentials,
> > >> > > > I can read, select, write, update, delete collections and do all
> > >> sorts of
> > >> > > > things like a solr-admin can do.
> > >> > > >
> > >> > > > I want solr-user to be able to access only *Collection1* and
> > >> > > *Collection2*
> > >> > > > and be able to only *update *and *read*. He should not be able
> to
> > >> access
> > >> > > > other collections and do anything apart from the above mentioned
> > >> role.
> > >> > > >
> > >> > > > Where am I exactly going wrong?
> > >> > > >
> > >> > > > Thanks and Regards,
> > >> > > > Salmaan
> > >> > >
> > >>
> > >
>
