Try to add "rolesClaim" to JWTAuthPlugin to tell it which JWT claim to use as a role. E.g. if you pick the claim "roles", then your user would have the roles=[profile, email]. So try to map the role "email" to the "all" permission, and your requests should be allowed.

Jan

> On 3 Nov 2021, at 13:26, Eric Pugh <ep...@opensourceconnections.com> wrote:
>
> Has anyone gone through integrating Solr with Keycloak? I’m trying to
> figure out how to map the Keycloak response back to what Solr needs to figure
> out the user.
>
> Here is my security.json:
> https://github.com/querqy/chorus/blob/75f153b699855e6e2862900bd4413764f7b6a01e/solr/security.json
>
> And what I am getting back:
>
> 2021-11-02 21:03:27.805 INFO (qtp332699949-17) []
> o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have
> a permission {
> "name":"all",
> "role":"admin"}, The principal
> JWTPrincipalWithUserRoles{username='4a3d078b-418a-48fc-a26b-80d51f973084',
> token='*****', claims={exp=1635887907, iat=1635887007, auth_time=1635887007,
> jti=cdab53d1-3dc2-4a7a-a98b-83b9b19257e6,
> iss=http://keycloak:9080/auth/realms/chorus, aud=account,
> sub=4a3d078b-418a-48fc-a26b-80d51f973084, typ=Bearer, azp=solr,
> nonce=tawciobxw3parxd0kyjw2p7r8sszymvdx,
> session_state=57f6aea7-f243-4fa3-a6e1-6e83926e65af, acr=1,
> allowed-origins=[http://localhost:8983], realm_access={roles=[offline_access,
> uma_authorization, default-roles-chorus]},
> resource_access={account={roles=[manage-account, manage-account-links,
> view-profile]}}, scope=openid email profile, email_verified=false, name=bob
> dole, preferred_username=b...@dole.com, given_name=bob, family_name=dole,
> email=b...@dole.com}, roles=[profile, email]} does not have the right role
>
> _______________________
> Eric Pugh | Founder & CEO | OpenSource Connections, LLC | 434.466.1467 |
> http://www.opensourceconnections.com
> | My Free/Busy <http://tinyurl.com/eric-cal>
> Co-Author: Apache Solr Enterprise Search Server, 3rd Ed
> <https://www.packtpub.com/big-data-and-business-intelligence/apache-solr-enterprise-search-server-third-edition-raw>
>
> This e-mail and all contents, including attachments, is considered to be
> Company Confidential unless explicitly stated otherwise, regardless of
> whether attachments are marked as such.
>
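
Added illustration, not part of the original thread and not Solr source code: a Python model of the role resolution discussed above, showing why the logged principal is denied "all" and what changes when the permission or "rolesClaim" changes. Assumptions: the function names are hypothetical, the scope fallback (minus "openid") is inferred from the log line (scope=openid email profile, roles=[profile, email]), and the claim lookup is top-level only.

```python
# Simplified model of JWT role resolution plus a rule-based permission check.
# Claims are constructed from the log line quoted in the thread (abbreviated).
LOGGED_CLAIMS = {
    "scope": "openid email profile",
    "realm_access": {"roles": ["offline_access", "uma_authorization",
                               "default-roles-chorus"]},
    "resource_access": {"account": {"roles": ["manage-account",
                                              "manage-account-links",
                                              "view-profile"]}},
}

def roles_from_claims(claims, roles_claim=None):
    """Return the role set the authorizer would see for this token."""
    if roles_claim is None:
        # Assumption from the log: roles fall back to the scopes, without "openid".
        return set(claims.get("scope", "").split()) - {"openid"}
    value = claims.get(roles_claim)  # top-level lookup only in this model
    if isinstance(value, str):
        return set(value.split())
    if isinstance(value, (list, tuple, set)):
        return set(value)
    return set()  # claim missing or not a role list: the user has no roles

def is_allowed(permission, roles):
    """A permission matches when the principal holds one of its roles."""
    required = permission["role"]
    required = {required} if isinstance(required, str) else set(required)
    return bool(required & roles)

def decide(claims, permission, roles_claim=None):
    return is_allowed(permission, roles_from_claims(claims, roles_claim))

if __name__ == "__main__":
    admin_only = {"name": "all", "role": "admin"}
    # 1. As logged: roles come from scope, "admin" is not among them.
    print(decide(LOGGED_CLAIMS, admin_only))                      # False
    # 2. The reply's suggestion: map "email" to "all". In this model every
    #    token that carries the email scope then holds the "all" permission.
    print(decide(LOGGED_CLAIMS, {"name": "all", "role": "email"}))  # True
    # 3. rolesClaim="roles", but the logged token has no top-level "roles"
    #    claim (the role lists sit under realm_access / resource_access).
    print(decide(LOGGED_CLAIMS, admin_only, "roles"))             # False
    # 4. Constructed token where the IdP emits a top-level "roles" claim.
    with_roles = dict(LOGGED_CLAIMS, roles=["admin"])
    print(decide(with_roles, admin_only, "roles"))                # True
```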