I had no *forwardCredentials* defined in my Authorization block; I couldn't find its default value in the docs. I changed it, but it didn't change anything.
I will give it a try with 9.10 to see.

On Fri, 28 Nov 2025 at 09:05, Jan Høydahl <[email protected]> wrote:

> Hi,
>
> Think there have been some bugs reported in this space, related to
> forwarding credentials inside the cluster, but could not find the JIRA.
> What have you set for 'forwardCredentials'? If it's false, try with true...
> Can you try to reproduce this on a single node system without sharding or
> distributed search, where the entire request is handled by the same node?
> Also, you may want to try the same with Solr 9.10 on a single node.
>
> Jan
>
> > On 28 Nov 2025 at 01:19, kzs dr <[email protected]> wrote:
> >
> > Hello,
> >
> > I have a few questions about the Solr API and Basic Authorization permissions.
> >
> > I can't post the security.json for now as my environment is air-gapped, but my
> > configuration is the following:
> >
> > I am using Solr 9.7 - SolrCloud
> > Basic Authorization ON
> > Basic Authentication ON
> >
> > I have 2 users:
> > - user1
> > - admin
> >
> > I defined the following roles:
> > - user1: user-manage user-update user-read
> > - admin: admin
> >
> > And the permissions:
> > - security-edit: admin
> > - security-read: admin
> > - schema-edit: admin
> > - schema-read: user-manage
> > - config-edit: user-manage
> > - config-read: user-manage
> > - metrics-read: null
> > - health: null
> > - core-admin-edit: admin
> > - core-admin-read: user-manage
> > - collection-admin-edit: user-manage
> > - collection-admin-read: user-manage
> > - update: user-update
> > - read: user-read
> > *- all : admin*
> >
> > And block_unknown = false
> >
> > ---
> >
> > What I observe is the following behaviour:
> >
> > *With API V1 for user1, everything works fine*:
> > - create/list/delete collections
> > - index/search (select)
> > - configsets upload/list
> > - authorization & authentication endpoints are correctly refused (403),
> > according to the security-* rules
> >
> > *With API V2, some actions fail with 403*
> > - can't create/list/delete collections (api/collections: 403)
> > - can't search (api/c/mycollec/select: 403)
> > - can't list configsets (/api/cluster/configs: 403)
> >
> > If I set the permission
> > *all : user-manage*
> > then API V2 has the same behaviour as API V1 with *user1*
> >
> > I tried to give specific custom permissions to role *user-manage* in order
> > to fix those API V2 403s
> > - with path /select, I could allow user1 to search with V2
> > - couldn't find a path to allow collections list/delete/create on V2 (I
> > tried /api/collections, /collections, /api/collections/*)
> >
> > *This raises some questions for me:*
> > 1. Do permissions work the same for V2 as for V1?
> > 2. How do they work with API V2? Is there any documentation specifically
> > about permissions on V2?
> >
> > Sorry if it is not very clear, thank you :)
> > Kzs
> >
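The configuration described in the quoted question, written out as an added Python example (this is not code from the thread or from Apache Solr): it builds the equivalent security.json, hashes the credentials in the "hash salt" form that Solr's BasicAuthPlugin stores (base64 of sha256(sha256(salt + password)), a space, then the base64 salt), and checks locally which of the named permissions each user's roles satisfy under the rule-based authorization plugin's role matching, including the null-role permissions that stay open to anonymous callers because blockUnknown is false. The passwords, the custom permission named v2-select and the helper names are assumptions; forwardCredentials is placed under the authentication block, which is where BasicAuthPlugin reads it from.

```python
"""Build and sanity-check a Solr security.json matching the thread's description
(Solr 9.x, BasicAuthPlugin + RuleBasedAuthorizationPlugin).
Added example; not code from the thread or from Apache Solr."""
import base64
import hashlib
import json
import os
from typing import Optional

# Placeholder passwords (assumption): the thread never gives any.
USERS = {"user1": "user1-password", "admin": "admin-password"}

USER_ROLES = {
    "user1": ["user-manage", "user-update", "user-read"],
    "admin": ["admin"],
}

# Order matters: Solr applies the first permission that matches a request,
# so "all" (which matches everything) must stay last, as in the thread.
PERMISSIONS = [
    {"name": "security-edit", "role": "admin"},
    {"name": "security-read", "role": "admin"},
    {"name": "schema-edit", "role": "admin"},
    {"name": "schema-read", "role": "user-manage"},
    {"name": "config-edit", "role": "user-manage"},
    {"name": "config-read", "role": "user-manage"},
    {"name": "metrics-read", "role": None},  # null role: no restriction at all
    {"name": "health", "role": None},        # (anonymous too, since blockUnknown=false)
    {"name": "core-admin-edit", "role": "admin"},
    {"name": "core-admin-read", "role": "user-manage"},
    {"name": "collection-admin-edit", "role": "user-manage"},
    {"name": "collection-admin-read", "role": "user-manage"},
    {"name": "update", "role": "user-update"},
    {"name": "read", "role": "user-read"},
    # Custom path permission like the one the poster says fixed v2 /select.
    # Name and collection wildcard are assumptions.
    {"name": "v2-select", "collection": "*", "path": "/select", "role": "user-read"},
    {"name": "all", "role": "admin"},
]


def make_credential(password: str, salt: Optional[bytes] = None) -> str:
    """Return the 'hash salt' string BasicAuthPlugin stores per user:
    base64(sha256(sha256(salt + password))) + ' ' + base64(salt)."""
    if salt is None:
        salt = os.urandom(32)
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    outer = hashlib.sha256(inner).digest()
    return f"{base64.b64encode(outer).decode()} {base64.b64encode(salt).decode()}"


def verify_credential(stored: str, password: str) -> bool:
    """Recompute the stored value with its own salt and compare."""
    _hash_b64, salt_b64 = stored.split(" ", 1)
    return make_credential(password, base64.b64decode(salt_b64)) == stored


def build_security_json(forward_credentials: bool = True) -> dict:
    return {
        "authentication": {
            "class": "solr.BasicAuthPlugin",
            "blockUnknown": False,  # the thread's block_unknown = false
            "forwardCredentials": forward_credentials,  # BasicAuthPlugin option
            "credentials": {u: make_credential(p) for u, p in USERS.items()},
        },
        "authorization": {
            "class": "solr.RuleBasedAuthorizationPlugin",
            "permissions": PERMISSIONS,
            "user-role": USER_ROLES,
        },
    }


def granted_permissions(cfg: dict, user: Optional[str]) -> set:
    """Names of permissions whose role requirement the user's roles satisfy.
    user=None models an unauthenticated caller (let through when blockUnknown
    is false). This checks role matching only; which request paths Solr maps
    onto which permission name is not modelled here."""
    roles = set(cfg["authorization"]["user-role"].get(user, [])) if user else set()
    granted = set()
    for perm in cfg["authorization"]["permissions"]:
        required = perm.get("role")
        if required is None:          # null/omitted role: open to everyone
            granted.add(perm["name"])
            continue
        required = {required} if isinstance(required, str) else set(required)
        if roles & required:
            granted.add(perm["name"])
    return granted


if __name__ == "__main__":
    cfg = build_security_json()
    print(json.dumps(cfg, indent=2))
    for who in ("admin", "user1", None):
        print(who, sorted(granted_permissions(cfg, who)))
```

Running it prints the generated security.json and, per caller, the permission names the role rules let through; note that an anonymous caller still gets metrics-read and health with this rule set. What the script deliberately does not model is how Solr maps a given v1 or v2 request path onto those permission names, which is exactly the point left open in the thread.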
