Posted to users@solr.apache.org by MEXANIK <ir...@gmail.com> on 2023/05/22 15:44:11 UTC

Re: Authentication problems

Hi, everything is fine; the problem was in my code. I have another question:

Is one Thread1 used when calling the doAuthenticate method and when calling
the interceptInternodeRequest method?

And show the code where exactly this happens!

Thank you 😊

Tue, 4 Apr 2023, 14:35 Jan Høydahl <ja...@cominvent.com>:

> I think the way forward here is to create a minimal re-production example
> for others to try.
> Ideally using a setup with basic auth, you could help us reproduce with a
> script like this:
>
> Copy my-security.json into current folder
> bin/solr start -c (or using docker)
> solr create -c coll1
> solr create -c coll2
> solr create -c coll3
> # Enable security with custom config
> bin/solr zk cp my-security.json zk:/security.json
>
> Browse to http://localhost:8983 and login with user 'foo'
>
> Verify that user 'foo' can search collection coll1:
> curl "http://localhost:8983/solr/coll1/select?q=*:*"
>
> Verify that user 'foo' cannot search collection coll2:
> curl "http://localhost:8983/solr/coll2/select?q=*:*"
>
> Jan
>
> > On 4 Apr 2023 at 12:27, MEXANIK <ir...@gmail.com> wrote:
> >
> > Jan, Hi!!
> >
> > I have such a problem that out of 5 collections, 2 of them can be read
> > using the john_sl user with admin_x accesses. But if the "admin_rwx"
> > accesses are taken away from the "admin" user, then the john_sl user will
> > not be able to read 2 collections previously available for reading ... How
> > is this to be understood? Any ideas?
> >
> > Mon, 3 Apr 2023, 23:34 Jan Høydahl <ja...@cominvent.com>:
> >
> >> Hi,
> >>
> >> I recommend reading the docs thoroughly and then clean up your config
> >> somewhat:
> >>
> https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html
> >>
> >> Solr's authz works differently than most other RBAC products. You may be
> >> confused by order of evaluation, which is a bit upside down.
> >>
> >> Solr does NOT start with the user's role and then evaluate what
> >> paths/permissions he can do.
> >> On the contrary, Solr starts with the request path, e.g.
> >> <collection>/select, then hunts through your permissions:[] array
> >> top-to-bottom to find ONE SINGLE permission that matches the path (and
> >> optionally collection name), and once it finds that permission, it will
> >> check that the user has one of the roles listed in that permission (or
> >> "all").
> >>
> >> Also, if you do not list every single path or predefined permission, then
> >> any path not listed will be allowed by default, which is scary. It is
> >> common practice to have an "all" permission at the very end, and have that
> >> one require some kind of admin role. Looks like you have that.
> >>
> >> In your security.json you list a "read" permission several times, and also
> >> other permissions several times. Solr will only consider the FIRST which
> >> satisfies the request. So make sure to place the more specific and
> >> restrictive permissions on top, and then you can have "fall-through"
> >> permissions near the end.
> >>
> >> I also see that you use a custom Auth plugin, but I assume that one works.
> >> If you face continued problems I recommend creating a reproduction case
> >> with BasicAuth and as few roles/permissions as possible to reproduce your
> >> issue. Then others can try out your config and help you find flaws.
> >>
> >> Jan
> >>
> >>> On 3 Apr 2023 at 12:24, MEXANIK <ir...@gmail.com> wrote:
> >>>
> >>> Jan, Hi, Thank you
> >>>
> >>> Do you need more information so you can help?
> >>>
> >>>
> >>>
> >>> Fri, 31 Mar 2023, 12:16 MEXANIK <ir...@gmail.com>:
> >>>
> >>>> Sorry, test1Collection*
> >>>>
> >>>> Thu, 30 Mar 2023, 17:14 MEXANIK <ir...@gmail.com>:
> >>>>
> >>>>> When you send a read request for the test2Collection collection, the
> >>>>> logs do not display as a collection, and I get 10 entries with admin_x
> >>>>> rights
> >>>>>
> >>>>>
> >>>>> attached log with description
> >>>>>
> >>>>>
> >>>>>
> >>>>> Wed, 29 Mar 2023, 16:39 Jan Høydahl <ja...@cominvent.com>:
> >>>>>
> >>>>>> Permissions are evaluated in order from top to bottom.
> >>>>>> The first "read" permission found requires roles "admin_ro",
> >>>>>> "admin_rwx", "solr-internal-traffic", so that should be selected.
> >>>>>>
> >>>>>> Do you have any logs that can shed light over what happens?
> >>>>>>
> >>>>>> Jan
> >>>>>>
> >>>>>>> On 29 Mar 2023 at 14:27, MEXANIK <ir...@gmail.com> wrote:
> >>>>>>>
> >>>>>>> I logged in using the john_sl user in Solr UI, and sent a request to
> >>>>>>> read the collection, but I can read some of the collections, but I don't
> >>>>>>> want them to be read.
> >>>>>>>
> >>>>>>> If I replace the admin user's rights from admin_rwx to admin_x, then
> >>>>>>> the john_sl user can't read either
> >>>>>>>
> >>>>>>> How do I make it so that john_sl cannot read collections with admin_x
> >>>>>>> rights, but at the same time so that the admin user has admin_rwx
> >>>>>>> rights??
> >>>>>>>
> >>>>>>> Help!!
> >>>>>>>
> >>>>>>> Example security.json http://replit.com/@irkuev666/Test#data.json
> >>>>>>
> >>>>>>
> >>
> >>
>
>
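Added illustration of the evaluation order Jan describes in the quoted replies above (request path first, permissions[] walked top-to-bottom, the FIRST matching entry decides, unlisted paths fall through as allowed). This is example code written for this thread, not Solr's own implementation: the `PREDEFINED_PATHS` table is a hand-picked subset of Solr's predefined permission names, a permission without `"collection"` is assumed to apply to every collection, and the `MISORDERED` / `CORRECTED` lists are constructed to mirror the thread's john_sl / admin_x / admin_rwx situation.

```python
# Simplified model of Solr's rule-based authorization ordering.
# NOT Solr code; assumptions: PREDEFINED_PATHS is a hand-picked subset of the
# predefined permission names, and an entry with no "collection" key is
# treated as applying to all collections.

PREDEFINED_PATHS = {
    "read": {"/select", "/get", "/query", "/export", "/stream"},
    "update": {"/update", "/update/json", "/update/csv"},
    "config-read": {"/config", "/schema"},
}


def _as_list(value):
    """Normalise a string / list / None config value into a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def permission_matches(perm, path, collection):
    """Does this permissions[] entry apply to the request (path, collection)?"""
    if perm.get("name") == "all":          # "all" matches every request
        return True
    paths = set(_as_list(perm.get("path")))
    paths |= PREDEFINED_PATHS.get(perm.get("name"), set())
    if path not in paths:
        return False
    wanted = _as_list(perm.get("collection"))
    return not wanted or "*" in wanted or collection in wanted


def authorize(permissions, user_roles, path, collection):
    """Walk permissions top-to-bottom; the FIRST matching entry decides.

    Returns (decision, index of the deciding entry or None).
    If no entry matches, the request is allowed: the fall-through Jan warns
    about when no catch-all "all" permission closes the list.
    """
    for idx, perm in enumerate(permissions):
        if not permission_matches(perm, path, collection):
            continue
        roles = _as_list(perm.get("role"))
        if not roles or "all" in roles:    # null / "all": any logged-in user
            return "allow", idx
        return ("allow" if set(roles) & set(user_roles) else "deny"), idx
    return "allow", None


# Constructed permissions[] lists. Broad "read" first: a user with admin_x
# can read coll2 because entry 0 already matched and the coll2-specific
# entry is never reached.
MISORDERED = [
    {"name": "read", "role": ["admin_x", "admin_ro", "admin_rwx"]},
    {"name": "read", "collection": "coll2", "role": "admin_rwx"},
    {"name": "all", "role": "admin_rwx"},
]

# Specific, restrictive entry on top, fall-through "read" below it,
# catch-all "all" at the very end.
CORRECTED = [
    {"name": "read", "collection": "coll2", "role": "admin_rwx"},
    {"name": "read", "role": ["admin_x", "admin_ro", "admin_rwx"]},
    {"name": "all", "role": "admin_rwx"},
]


if __name__ == "__main__":
    for label, perms in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        for coll in ("coll1", "coll2"):
            print(label, "admin_x /select", coll,
                  authorize(perms, ["admin_x"], "/select", coll))
```

Running it shows the difference ordering makes: with `MISORDERED`, an admin_x user reads coll2 via entry 0; with `CORRECTED`, entry 0 denies coll2 to admin_x while coll1 still falls through to entry 1. Dropping the final `"all"` entry makes any path outside the listed ones return `("allow", None)`, which is the default-allow behaviour the thread cautions against.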