Hi,

Think there have been some bugs reported in this space, related to forwarding 
credentials inside the cluster, but could not find the JIRA.
What have you set for 'forwardCredentials'? If it's false, try with true...
Can you try to reproduce this on a single node system without sharding or 
distributed search, where the entire request is handled by the same node?
Also, you may want to try the same with Solr 9.10 on a single node.

Jan

> 28. nov. 2025 kl. 01:19 skrev kzs dr <[email protected]>:
> 
> Hello,
> 
> I have a few questions about the Solr API and Basic Authorization permissions
> 
> I can't post the security.json for now as my environment is air-gapped, but my
> configuration is the following:
> 
> I am using Solr 9.7 - SolrCloud
> Basic Authorization ON
> Basic Authentication ON
> 
> I have 2 users:
> - user1
> - admin
> 
> I defined the following roles:
> - user1: user-manage user-update user-read
> - admin: admin
> 
> And the permissions:
> - security-edit: admin
> - security-read: admin
> - schema-edit: admin
> - schema-read: user-manage
> - config-edit: user-manage
> - config-read: user-manage
> - metrics-read: null
> - health: null
> - core-admin-edit: admin
> - core-admin-read: user-manage
> - collection-admin-edit: user-manage
> - collection-admin-read: user-manage
> - update: user-update
> - read: user-read
> *- all : admin*
> 
> And block_unknown = false
> 
> ---
> 
> What I observe is the following behaviour:
> 
> *With API V1 for user1, everything works fine*:
> - create/list/delete collections
> - index/search (select)
> - configsets upload/list
> - authorization & authentication endpoints are correctly refused (403),
> according to the security-* rules
> 
> *With API V2, some actions fail with 403*
> - can't create/list/delete collections (api/collections: 403)
> - can't search (api/c/mycollec/select: 403)
> - can't list configsets (/api/cluster/configs: 403)
> 
> If I set the permission
> *all : user-manage*
> then API V2 has the same behaviour as API V1 with *user1*
> 
> I tried to give specific custom permissions to role *user-manage* in order
> to fix those API V2 403s
> - with path /select, I could allow user1 to search with V2
> - couldn't find a path to allow collections list/delete/create on V2 (I
> tried /api/collections, /collections, /api/collections/*)
> 
> *This raises some questions for me:*
> 1. Do permissions work the same for V2 as for V1?
> 2. How do they work with API V2? Is there any documentation specifically about
> permissions on V2?
> 
> Sorry if it is not very clear, thank you :)
> Kzs
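The configuration described in the quoted message, written out as a security.json for reference; this is an example added here, not the poster's actual file (which they could not share). The credential hashes are placeholders, the `select-v2` permission name is assumed, and `forwardCredentials` is set to true as Jan suggests trying.

```json
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "blockUnknown": false,
    "forwardCredentials": true,
    "credentials": {
      "admin": "PLACEHOLDER_SHA256_HASH PLACEHOLDER_SALT",
      "user1": "PLACEHOLDER_SHA256_HASH PLACEHOLDER_SALT"
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {
      "admin": ["admin"],
      "user1": ["user-manage", "user-update", "user-read"]
    },
    "permissions": [
      {"name": "security-edit", "role": "admin"},
      {"name": "security-read", "role": "admin"},
      {"name": "schema-edit", "role": "admin"},
      {"name": "schema-read", "role": "user-manage"},
      {"name": "config-edit", "role": "user-manage"},
      {"name": "config-read", "role": "user-manage"},
      {"name": "metrics-read", "role": null},
      {"name": "health", "role": null},
      {"name": "core-admin-edit", "role": "admin"},
      {"name": "core-admin-read", "role": "user-manage"},
      {"name": "collection-admin-edit", "role": "user-manage"},
      {"name": "collection-admin-read", "role": "user-manage"},
      {"name": "update", "role": "user-update"},
      {"name": "read", "role": "user-read"},
      {"name": "select-v2", "path": "/select", "role": "user-manage"},
      {"name": "all", "role": "admin"}
    ]
  }
}
```

The RuleBasedAuthorizationPlugin evaluates permissions in list order and the first match wins, so the catch-all `all` rule must stay last or it will shadow the narrower rules above it.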
