Hi,

I think this is related to this issue
https://issues.apache.org/jira/browse/SOLR-13097

Regards

Dominique

On Thu, 15 Jul 2021 at 10:37, Thomas Corthals <tho...@klascement.net>
wrote:

> The docs are technically correct in consistently talking about "collection"
> and not "core" in this regard. They could make it a bit clearer that it
> doesn't apply equally to cores though. Just like you, I assumed they would
> be interchangeable and found out the hard way.
>
> I asked about core specific rules recently:
>
> http://mail-archives.apache.org/mod_mbox/solr-users/202105.mbox/%3ccabewpvezzmf5kkaekoik7o-uvxiqzi43e-j7thsf0p213gy...@mail.gmail.com%3e
>
> Thomas
>
> On Thu, 15 Jul 2021 at 09:01, Sebastien VERDET <s.ver...@linkbynet.com>
> wrote:
>
> > Hello,
> >
> > thanks for the reply, even if it makes me sad. I could not find any
> > reference to this limitation anywhere in the documentation, and the
> > parameter/attribute does not generate any error in this case (and the
> > rule is just ignored without notice). Or maybe it's just in the only
> > piece of documentation I haven't read yet regarding authentication and
> > authorization in solr ?
> >
> > --
> > Regards,
> > _____________________________________________________
> > *Sebastien VERDET*
> > Linux Systems and Applications Integrator – PID
> > ----------------------------------------------------
> > *LINKBYNET*
> > *Web : https://www.linkbynet.com <https://www.linkbynet.com>**
> > *_____________________________________________________
> >
> > *Before printing this e-mail, think about environment.*
> >
> >
> > On 2021/07/13 16:00:31, Thomas Corthals <t...@klascement.net> wrote:
> > > Hello Sebastien,
> > >
> > > Unfortunately rules can only have a collection scope in SolrCloud, not a
> > > core scope in standalone Solr.
> > >
> > > Thomas
> > >
> > > On Tue, 13 Jul 2021 at 16:17, Sebastien VERDET <s.ver...@linkbynet.com>
> > > wrote:
> >  >
> > > > Hello everybody,
> > > >
> > > > I'm trying to deploy the "RBAP" plugin on a really basic solr 8.8.2
> > > > installation that was done using the Ansible galaxy module by Jeff
> > > > Geerling : https://galaxy.ansible.com/geerlingguy/solr
> > > >
> > > > This is pretty straightforward : standalone, started through systemd.
> > > > I've kept the default 'collection1' core and created a 'collection2'
> > > > core to perform my testing of permissions/roles, following the
> > > > documentation. Basically, I'm trying to create rules with only one
> > > > collection scope, and two users having permissions only on one of the
> > > > cores/collection. And for now, I'm focusing on read permissions as others
> > > > will follow naturally.
> > > >
> > > > But this is not going as expected. In the permission ordering section
> > > > (https://solr.apache.org/guide/8_8/rule-based-authorization-plugin.html#permission-ordering-and-resolution),
> > > > it states that rules mentioning explicit collection names are taken
> > > > first. Here is my security.json resulting of API calls to create users,
> > > > permissions and roles :
> > > >
> > > > {
> > > >   "authentication": {
> > > >     "class": "solr.BasicAuthPlugin",
> > > >     "blockUnknown": true,
> > > >     "credentials": {
> > > >       "solr": "XXXXXXXXX== YYYYYYYYYY=",
> > > >       "seb": "AAAAAAAA= BBBBBBBBBBB=",
> > > >       "Osman": "JJJJJJJJJJJJ== KKKKKKKKKKKK="
> > > >     },
> > > >     "": {
> > > >       "v": 0
> > > >     }
> > > >   },
> > > >   "authorization": {
> > > >     "class": "solr.RuleBasedAuthorizationPlugin",
> > > >     "permissions": [
> > > >       {
> > > >         "name": "security-edit",
> > > >         "role": "admin",
> > > >         "index": 1
> > > >       },
> > > >       {
> > > >         "name": "read",
> > > >         "role": [
> > > >           "admin",
> > > >           "Osman"
> > > >         ],
> > > >         "index": 2
> > > >       },
> > > >       {
> > > >         "name": "update",
> > > >         "role": [
> > > >           "admin"
> > > >         ],
> > > >         "index": 3
> > > >       },
> > > >       {
> > > >         "name": "coll_read",
> > > >         "role": [
> > > >           "read_sve"
> > > >         ],
> > > >         "collection": [
> > > >           "collection2"
> > > >         ],
> > > >         "path": "/select",
> > > >         "index": 4
> > > >       }
> > > >     ],
> > > >     "user-role": {
> > > >       "solr": "admin",
> > > >       "seb": [
> > > >         "read_sve"
> > > >       ],
> > > >       "Osman": [
> > > >         "Osman"
> > > >       ]
> > > >     },
> > > >     "": {
> > > >       "v": 0
> > > >     }
> > > >   }
> > > > }
> > > >
> > > > I'm querying collection2 with user seb :
> > > >
> > > > curl -u seb:xxx -H "Content-Type: application/json" \
> > > >   "http://127.0.0.1:12001/solr/collection2/select?q=*delete*";
> > > >
> > > > I get a 403 error, with corresponding message in solr.log :
> > > >
> > > > 2021-07-13 13:23:53.934 INFO (qtp208684473-17) [ x:collection2]
> > > > o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to
> > > > have a permission {
> > > > "name":"read",
> > > > "role":[
> > > > "admin",
> > > > "Osman"],
> > > > "index":2}, The principal
> > > > org.apache.solr.security.BasicAuthPlugin$BasicAuthUserPrincipal@54a23304 [username=seb,pwd=*****]
> > > > does not have the right role
> > > >
> > > > It takes the "global rule" instead of the collection specific one. I've
> > > > tried to change orders (as there are indexes), always with api calls (by
> > > > deleting/recreating), even restarting the solr service between changes,
> > > > to no luck. "Global" permissions assignation works correctly, but as
> > > > soon as we want to focus on one collection, we are in the dark.
> > > >
> > > > Many searches with different terms lead to almost no resources around
> > > > this plugin, so it's complicated to tackle. Did anyone already have this
> > > > problem, and can share how it can be worked on ?
> > > >
> >  >
> >
> >
>
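
A pre-deployment check for the situation discussed in this thread, as an added example that is not part of any poster's message or of Solr itself: it lists the permissions in a security.json that carry a collection scope (which, per the thread, is not honoured for cores on standalone Solr) together with the users who hold no role on any unscoped rule. The helper name `audit_collection_scope` and the "dependent user" heuristic are assumptions of this example; the sample is constructed from the configuration quoted above, with credentials omitted.

```python
import json

# Constructed sample: authorization section from the thread, credentials omitted.
SECURITY_JSON = """
{"authorization": {
  "class": "solr.RuleBasedAuthorizationPlugin",
  "permissions": [
    {"name": "security-edit", "role": "admin", "index": 1},
    {"name": "read", "role": ["admin", "Osman"], "index": 2},
    {"name": "update", "role": ["admin"], "index": 3},
    {"name": "coll_read", "role": ["read_sve"],
     "collection": ["collection2"], "path": "/select", "index": 4}],
  "user-role": {"solr": "admin", "seb": ["read_sve"], "Osman": ["Osman"]}}}
"""

def as_list(value):
    """security.json accepts a single string or a list for role/collection."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_collection_scope(security):
    """Hypothetical helper: list collection-scoped permissions and the users
    whose roles appear only on such rules (no role on any unscoped rule)."""
    authz = security.get("authorization", {})
    perms = authz.get("permissions", [])
    user_roles = {u: set(as_list(r))
                  for u, r in authz.get("user-role", {}).items()}
    # Roles named by at least one rule that has no collection scope.
    unscoped_roles = set()
    for perm in perms:
        if not as_list(perm.get("collection")):
            unscoped_roles |= set(as_list(perm.get("role")))
    findings = []
    for perm in perms:
        collections = as_list(perm.get("collection"))
        if not collections:
            continue
        roles = set(as_list(perm.get("role")))
        dependent = sorted(u for u, r in user_roles.items()
                           if r & roles and not r & unscoped_roles)
        findings.append({"name": perm.get("name"), "collections": collections,
                         "dependent_users": dependent})
    return findings

if __name__ == "__main__":
    for finding in audit_collection_scope(json.loads(SECURITY_JSON)):
        print("collection-scoped rule, check before standalone use:", finding)
```

On the sample it reports the `coll_read` rule with `seb` as the only dependent user, which matches the 403 described in the original message.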
