Posted to solr-user@lucene.apache.org by Salmaan Rashid Syed <sa...@mroads.com> on 2019/08/20 07:18:57 UTC

Problems with restricting access to users using Basic auth

Hi Solr Users,

I want to create a user that has restricted access to Solr. I did the
following:


{
  "authentication":{
    "blockUnknown": true,
    "class":"solr.BasicAuthPlugin",
    "credentials":{
      "solr-admin":"2IUJD9dxRhxSXaJGdMP5z8ggSn4I285Ty9GCWeRNMUg= /sSNJJufPtj4baRizoJshJawFsWvopvZSqZpQ/Nwd78=",
      "solr-user":"p+XwOh15p/rvFltv2LXP1CwtbvwBgGlC9qcDKxV73B4= DcNsjfA6Wf16V1XKT+YraosSFQ5Cr3eRUX6BQnx9XKA="
    }
  },
  "authorization":{
    "class":"solr.RuleBasedAuthorizationPlugin",
    "user-role":{"solr-admin":"admin", "solr-user":"dev"},
    "permissions":[
      {
        "name":"security-edit",
        "role":"admin"
      },
      {
        "collection": ["Collection1", "Collection2"],
        "name": ["update", "read"],
        "role": "dev"
      }
    ]
  }
}


But when I log into the Solr admin dashboard using solr-user credentials,
I can read, select, write, update, delete collections and do all sorts of
things like a solr-admin can do.

I want solr-user to be able to access only *Collection1* and *Collection2*
and be able to only *update* and *read*. He should not be able to access
other collections or do anything apart from the above-mentioned role.

Where am I exactly going wrong?

Thanks and Regards,
Salmaan

Re: Problems with restricting access to users using Basic auth

Posted by Salmaan Rashid Syed <sa...@mroads.com>.
Hi Jason,

Unfortunately, the above-mentioned workaround does not work for me.

I modified your script a little bit as follows and it still doesn't work.

 {"name": "update", "collection": ["collection1", "collection2"], "role": "dev"},
 {"name": "read", "collection": ["collection1", "collection2"], "role": "dev"},
 {"name": "security-edit", "role": "admin"},
 {"name": "security-read", "role": "admin"},
 {"name": "schema-edit", "role": "admin"},
 {"name": "schema-read", "role": "admin"},
 {"name": "config-edit", "role": "admin"},
 {"name": "config-read", "role": "admin"},
 {"name": "core-admin-edit", "role": "admin"},
 {"name": "core-admin-read", "role": "admin"},
 {"name": "collection-api-edit", "role": "admin"},
 {"name": "collection-api-read", "role": "admin"},
 {"name": "read", "role": "admin"},
 {"name": "update", "role": "admin"},
 {"name": "all", "role": "admin"}


I can still use *"update"* and *"read"* methods on other collections
using *solr-user* login credentials.

Any help is highly appreciated.

Regards,
Salmaan

On Wed, Aug 21, 2019 at 4:33 PM Jason Gerlowski <ge...@gmail.com>
wrote:

> Ah, ok.  SOLR-13355 still affects 7.6, so that explains why you're
> seeing this behavior.
>
> You could upgrade to get the new behavior, but you don't need to-
> there's a workaround.  You just need to add a few extra rules to your
> security.json.  The problem in SOLR-13355 is that the "all" permission
> isn't being considered for APIs that are covered by other predefined
> permissions.  So the workaround is to add a permission rule for each
> of the predefined permissions, locking them down to the "admin" role.
> It really bloats security.json, but should do the job.  So your
> security.json should have a permissions section that looks like the
> JSON below:
>
> {"name": "dev-read", "collection": ["collection1", "collection2"],
> "role": "dev"},
> {"name": "security-edit", "role": "admin"},
> {"name": "security-read", "role": "admin"},
> {"name": "schema-edit", "role": "admin"},
> {"name": "schema-read", "role": "admin"},
> {"name": "config-edit", "role": "admin"},
> {"name": "config-read", "role": "admin"},
> {"name": "core-admin-edit", "role": "admin"},
> {"name": "core-admin-read", "role": "admin"},
> {"name": "collection-api-edit", "role": "admin"},
> {"name": "collection-api-read", "role": "admin"},
> {"name": "read", "role": "admin"},
> {"name": "update", "role": "admin"},
> {"name": "all", "role": "admin"}
>
> Hope that helps.  Let me know if that still has any problems for you.
>
> Jason
>
> On Wed, Aug 21, 2019 at 6:48 AM Salmaan Rashid Syed
> <sa...@mroads.com> wrote:
> >
> > Hi Jason,
> >
> > Is there a way to fix this in version 7.6?
> >
> > Or is it mandatory to upgrade to other versions?
> >
> > If I have to upgrade to a higher version, then what is the best way to do
> > this without affecting the current configuration and indexed data?
> >
> > Thanks,
> > Salmaan
> >
> >
> >
> > On Wed, Aug 21, 2019 at 4:13 PM Salmaan Rashid Syed <
> > salmaan.rashid@mroads.com> wrote:
> >
> > > Hi Jason,
> > >
> > > I am using version 7.6 of Solr.
> > >
> > > Thanks,
> > > Salmaan
> > >
> > >
> > >
> > > On Wed, Aug 21, 2019 at 4:12 PM Jason Gerlowski <gerlowskija@gmail.com>
> > > wrote:
> > >
> > >> The "all" permissions _should_ block solr-user from accessing all of
> > >> those resources, and I believe it does in newer versions of Solr.
> > >> There was a bug with it that was fixed a few versions back though- it
> > >> sounds like you might be running into that. (see
> > >> https://issues.apache.org/jira/browse/SOLR-13355) What version of Solr
> > >> are you using?
> > >>
> > >> Jason
> > >>
> > >>
> > >>
> > >> On Wed, Aug 21, 2019 at 5:21 AM Salmaan Rashid Syed
> > >> <sa...@mroads.com> wrote:
> > >> >
> > >> > Hi Jason,
> > >> >
> > >> > Thanks for your prompt reply.
> > >> >
> > >> > Your code does address a few of my concerns, like restricting *solr-user*
> > >> > from accessing the dashboard and from executing other request methods
> > >> > apart from *"update"* and *"read"*.
> > >> >
> > >> > But I am still able to access other collections such as *"Collection3",
> > >> > "Collection4"* and so on, apart from the intended two collections
> > >> > entered in the code. I can give *"update"* and *"read"* requests to these
> > >> > external collections, which solr-user should not be able to do.
> > >> >
> > >> > Moreover, solr-user can look at the
> > >> > *http://localhost:8983/solr/admin/authentication* link, which lists the
> > >> > users and their *SHA256*-coded passwords. How can I hide this and
> > >> > restrict access to other collections?
> > >> >
> > >> > Thanks and regards
> > >> > Salmaan
> > >> >
> > >> >
> > >> > On Wed, Aug 21, 2019 at 5:07 AM Jason Gerlowski <gerlowskija@gmail.com>
> > >> > wrote:
> > >> >
> > >> > > Hi Salmaan,
> > >> > >
> > >> > > Solr's RuleBasedAuthorizationPlugin allows requests through if none of
> > >> > > the specified permissions apply.  I think that's what you're running
> > >> > > into in your example above.  If you want to lock down a particular API
> > >> > > (or set of APIs) then you need to explicitly add a permission that
> > >> > > restricts those APIs to a particular role.
> > >> > >
> > >> > > One way to get the behavior that it sounds like you're looking for
> > >> > > would be to add a catch-all permission at the bottom of your
> > >> > > permissions list that restricts all other APIs to "admin".  This would
> > >> > > look a bit like:
> > >> > >
> > >> > >  "permissions":[
> > >> > >     {
> > >> > >         "name":"security-edit",
> > >> > >         "role":"admin"
> > >> > >     },
> > >> > >     {
> > >> > >         "collection": ["Collection1", "Collection2"],
> > >> > >         "name": ["update", "read"],
> > >> > >         "role": "dev"
> > >> > >     },
> > >> > >     {
> > >> > >         "name": "all",
> > >> > >         "role": "admin"
> > >> > >     }
> > >> > > ]
> > >> > >
> > >> > > Hope that helps get you started.
> > >> > >
> > >> > > Best,
> > >> > >
> > >> > > Jason
> > >> > >
>

Re: Problems with restricting access to users using Basic auth

Posted by Jason Gerlowski <ge...@gmail.com>.
Yeah, it beats me.  If you've made sure that the security.json in
ZooKeeper is exactly the same as the one I posted but you're still
getting different results, then I'm stumped.  Maybe someone else here
has an idea.

Out of curiosity, are you setting your security.json via the
authentication/authorization APIs, or by uploading the file directly
to ZooKeeper?

RuleBasedAuthorizationPlugin logging has improved in more recent
versions of Solr, so that when the log-level is raised to DEBUG
there's a lot more information given for each request about which
permissions apply and what the result of looking at each is.  But that
won't help you on 7.6 unfortunately.

Good luck, and let us know if you are able to fix things, or
eventually find out what the difference in behavior is between our two
setups.

Jason

On Tue, Sep 3, 2019 at 8:01 AM Salmaan Rashid Syed
<sa...@mroads.com> wrote:
>
> Hi Jason,
>
> Apologies for the late reply. My laptop was broken and I got it today from
> service centre.
>
> I am still having issues with solr-user being able to view the Collections list
> as follows.
>
> Testing permissions for user [solr]
>     Request [/admin/collections?action=LIST] returned status [200]
>     Request [/collection1/select?q=*:*] returned status [200]
>     Request [/collection2/select?q=*:*] returned status [200]
>     Request [/collection3/select?q=*:*] returned status [200]
>
> Testing permissions for user [solr-user]
>     Request [/admin/collections?action=LIST] returned status [200]
>     Request [/collection1/select?q=*:*] returned status [200]
>     Request [/collection2/select?q=*:*] returned status [200]
>     Request [/collection3/select?q=*:*] returned status [403]
>
> I am still wondering where I am going wrong.
>
> Thanks,
> Salmaan
>
>
>
>
> On Thu, Aug 29, 2019 at 1:34 PM Salmaan Rashid Syed <
> salmaan.rashid@mroads.com> wrote:
>
> > Thanks a lot Jason,
> >
> > I will try this out and let you know.
> >
> > Thanks again.
> >
> > On Wed 28 Aug, 2019, 7:45 PM Jason Gerlowski, <ge...@gmail.com>
> > wrote:
> >
> >> Hi Salmaan,
> >>
> >> Are you still seeing this behavior, or were you able to figure things out?
> >>
> >> I just got a chance to try out the security.json in Solr 7.6 myself,
> >> and I can't reproduce the behavior you're seeing.
> >>
> >> It might be helpful to level set here.  Make sure that our
> >> security.json settings and our test requests are exactly the same.
> >>
> >> This is the security.json I used in my test deployment:
> >>
> >> {
> >>   "authentication":{
> >>    "blockUnknown": true,
> >>    "class":"solr.BasicAuthPlugin",
> >>    "credentials":{
> >>      "solr":"gP31s0FQevh3k0i0y6g9AP/TZLWctxfZjtC9sOh8vZU= J7an406gVyx4v4CkR8YLgmhClk9Yv/fIBSfZoi1f0kY=",
> >>      "solr-user":"gP31s0FQevh3k0i0y6g9AP/TZLWctxfZjtC9sOh8vZU= J7an406gVyx4v4CkR8YLgmhClk9Yv/fIBSfZoi1f0kY="
> >>    }
> >>   },
> >>   "authorization":{
> >>    "class":"solr.RuleBasedAuthorizationPlugin",
> >>    "permissions":[
> >>       {"name": "dev-read", "collection": ["collection1",
> >> "collection2"], "role": ["dev", "admin"] },
> >>       {"name": "security-edit", "role": "admin"},
> >>       {"name": "security-read", "role": "admin"},
> >>       {"name": "schema-edit", "role": "admin"},
> >>       {"name": "schema-read", "role": "admin"},
> >>       {"name": "config-edit", "role": "admin"},
> >>       {"name": "config-read", "role": "admin"},
> >>       {"name": "core-admin-edit", "role": "admin"},
> >>       {"name": "core-admin-read", "role": "admin"},
> >>       {"name": "collection-api-edit", "role": "admin"},
> >>       {"name": "collection-api-read", "role": "admin"},
> >>       {"name": "read", "role": "admin"},
> >>       {"name": "update", "role": "admin"},
> >>       {"name": "all", "role": "admin"}
> >>    ],
> >>    "user-role":{
> >>      "solr":"admin",
> >>      "solr-user": "dev"
> >>    }
> >>   }
> >> }
> >>
> >> And this is the output of a script I use to test permissions quickly:
> >>
> >> $ ./test-security.sh
> >>
> >> Testing permissions for user [solr]
> >>     Request [/admin/collections?action=LIST] returned status [200]
> >>     Request [/collection1/select?q=*:*] returned status [200]
> >>     Request [/collection2/select?q=*:*] returned status [200]
> >>     Request [/collection3/select?q=*:*] returned status [200]
> >>
> >> Testing permissions for user [solr-user]
> >>     Request [/admin/collections?action=LIST] returned status [403]
> >>     Request [/collection1/select?q=*:*] returned status [200]
> >>     Request [/collection2/select?q=*:*] returned status [200]
> >>     Request [/collection3/select?q=*:*] returned status [403]
> >>
> >> You can find this script here, to see the exact curl commands being
> >> used and run it yourself: https://paste.apache.org/tjtdg
> >>
> >> That output looks correct to me.  solr-user is prevented from
> >> accessing other APIs and other collections, but can access collection1
> >> and collection2.
> >>
> >> Does your security.json match mine, or do the permissions differ in
> >> some way?  Can you still reproduce the behavior using my script?
> >>
> >> Good luck,
> >>
> >> Jason
> >>
> >> On Thu, Aug 22, 2019 at 2:13 AM Salmaan Rashid Syed
> >> <sa...@mroads.com> wrote:
> >> >
> >> > Hi,
> >> >
> >> > Any suggestions as to what can be done?
> >> >
> >> > Regards,
> >> > Salmaan
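
As an added example (not code from the thread, and not Solr's own implementation), the following Python model captures the evaluation rules Jason lays out in his Aug 21 replies and replays the probe matrix from his Aug 28 test-security.sh output: permissions are checked in order, the first one that applies decides, a request that no permission applies to is allowed, and, as SOLR-13355 is described above, the "all" rule is skipped for APIs that another predefined permission covers. The path-to-permission table, the lowercase collection names and the handling of a custom name without a path are constructed assumptions; permission names are taken as they appear in the thread.

```python
"""Toy model of Solr's RuleBasedAuthorizationPlugin as the thread describes it:
permissions are checked in order, the first one that applies decides, and a
request that no permission applies to is allowed. Constructed example, not Solr code."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed, simplified path -> predefined-permission table, using the names the
# thread uses. Real Solr has a much larger table keyed on handler and parameters.
PREDEFINED_FOR_PATH = {
    "/select": "read",
    "/update": "update",
    "/admin/collections": "collection-api-read",  # read-only actions such as LIST
    "/admin/authentication": "security-read",
}


@dataclass
class Permission:
    name: str
    roles: List[str]
    collections: Optional[List[str]] = None  # None: not restricted to a collection

    def applies(self, path: str, collection: Optional[str], bug_13355: bool) -> bool:
        covering = PREDEFINED_FOR_PATH.get(path)
        if self.collections is not None and collection not in self.collections:
            return False
        if self.name == "all":
            # SOLR-13355 as Jason describes it: "all" is not considered for APIs
            # that are covered by another predefined permission.
            return not (bug_13355 and covering is not None)
        if self.name in PREDEFINED_FOR_PATH.values():
            return self.name == covering
        # Model assumption: a custom name with no path (Jason's "dev-read") applies
        # to any request against one of its listed collections.
        return self.collections is not None


def load_permissions(rules: List[dict]) -> List[Permission]:
    """Parse a 'permissions' array; a list-valued 'name' or 'role' is expanded."""
    perms: List[Permission] = []
    for rule in rules:
        names = rule["name"] if isinstance(rule["name"], list) else [rule["name"]]
        roles = rule["role"] if isinstance(rule["role"], list) else [rule["role"]]
        perms.extend(Permission(n, roles, rule.get("collection")) for n in names)
    return perms


def authorize(perms: List[Permission], user_roles: List[str], path: str,
              collection: Optional[str] = None, bug_13355: bool = False) -> int:
    """HTTP status the model predicts: 200 allowed, 403 forbidden."""
    for perm in perms:
        if perm.applies(path, collection, bug_13355):
            return 200 if set(user_roles) & set(perm.roles) else 403
    return 200  # nothing applied: the plugin lets the request through


# The four probes from Jason's test-security.sh output: (collection, path, query).
PROBE_REQUESTS = [
    (None, "/admin/collections", "action=LIST"),
    ("collection1", "/select", "q=*:*"),
    ("collection2", "/select", "q=*:*"),
    ("collection3", "/select", "q=*:*"),
]


def probe(perms: List[Permission], user_roles: dict,
          bug_13355: bool = False) -> Dict[str, Dict[str, int]]:
    """Status per user per probe: the matrix the thread compares by hand."""
    matrix: Dict[str, Dict[str, int]] = {}
    for user, role in user_roles.items():
        roles = role if isinstance(role, list) else [role]
        matrix[user] = {}
        for coll, path, query in PROBE_REQUESTS:
            label = f"{'/' + coll if coll else ''}{path}?{query}"
            matrix[user][label] = authorize(perms, roles, path, coll, bug_13355)
    return matrix


def report(matrix: Dict[str, Dict[str, int]]) -> str:
    """Render the matrix in the same layout as the script output in the thread."""
    lines = []
    for user, statuses in matrix.items():
        lines.append(f"Testing permissions for user [{user}]")
        lines += [f"    Request [{r}] returned status [{s}]" for r, s in statuses.items()]
    return "\n".join(lines)


# Salmaan's original permissions (first post), with lowercase collection names.
ORIGINAL = load_permissions([
    {"name": "security-edit", "role": "admin"},
    {"collection": ["collection1", "collection2"], "name": ["update", "read"], "role": "dev"},
])
# Jason's first suggestion: the same rules plus a catch-all for "admin".
CATCH_ALL = ORIGINAL + load_permissions([{"name": "all", "role": "admin"}])
# Jason's SOLR-13355 workaround, as in his Aug 28 test deployment.
WORKAROUND = load_permissions(
    [{"name": "dev-read", "collection": ["collection1", "collection2"], "role": ["dev", "admin"]}]
    + [{"name": n, "role": "admin"} for n in (
        "security-edit", "security-read", "schema-edit", "schema-read", "config-edit",
        "config-read", "core-admin-edit", "core-admin-read", "collection-api-edit",
        "collection-api-read", "read", "update", "all")])
USERS = {"solr": "admin", "solr-user": "dev"}

if __name__ == "__main__":
    print(report(probe(WORKAROUND, USERS)))  # same matrix as Jason's Aug 28 output
```

Running `probe(CATCH_ALL, USERS, bug_13355=True)` shows collection3 coming back 200 for solr-user, which is the Aug 21 complaint, while the workaround list returns 403 for it whether or not the bug flag is set.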

Re: Problems with restricting access to users using Basic auth

Posted by Salmaan Rashid Syed <sa...@mroads.com>.
Hi Jason,

Apologies for the late reply. My laptop was broken and I got it today from
service centre.

I am still having issues with solr-user being able to view the Collections list
as follows.

Testing permissions for user [solr]
    Request [/admin/collections?action=LIST] returned status [200]
    Request [/collection1/select?q=*:*] returned status [200]
    Request [/collection2/select?q=*:*] returned status [200]
    Request [/collection3/select?q=*:*] returned status [200]

Testing permissions for user [solr-user]
    Request [/admin/collections?action=LIST] returned status [200]
    Request [/collection1/select?q=*:*] returned status [200]
    Request [/collection2/select?q=*:*] returned status [200]
    Request [/collection3/select?q=*:*] returned status [403]

I am still wondering where I am going wrong.

Thanks,
Salmaan




On Thu, Aug 29, 2019 at 1:34 PM Salmaan Rashid Syed <
salmaan.rashid@mroads.com> wrote:

> Thanks a lot Jason,
>
> I will try this out and let you know.
>
> Thanks again.
>
> On Wed 28 Aug, 2019, 7:45 PM Jason Gerlowski, <ge...@gmail.com>
> wrote:
>
>> Hi Salmaan,
>>
>> Are you still seeing this behavior, or were you able to figure things out?
>>
>> I just got a chance to try out the security.json in Solr 7.6 myself,
>> and I can't reproduce the behavior you're seeing.
>>
>> It might be helpful to level set here.  Make sure that our
>> security.json settings and our test requests are exactly the same.
>>
>> This is the security.json I used in my test deployment:
>>
>> {
>>   "authentication":{
>>    "blockUnknown": true,
>>    "class":"solr.BasicAuthPlugin",
>>    "credentials":{
>>      "solr":"gP31s0FQevh3k0i0y6g9AP/TZLWctxfZjtC9sOh8vZU=
>> J7an406gVyx4v4CkR8YLgmhClk9Yv/fIBSfZoi1f0kY=",
>>      "solr-user":"gP31s0FQevh3k0i0y6g9AP/TZLWctxfZjtC9sOh8vZU=
>> J7an406gVyx4v4CkR8YLgmhClk9Yv/fIBSfZoi1f0kY="
>>    }
>>   },
>>   "authorization":{
>>    "class":"solr.RuleBasedAuthorizationPlugin",
>>    "permissions":[
>>       {"name": "dev-read", "collection": ["collection1",
>> "collection2"], "role": ["dev", "admin"] },
>>       {"name": "security-edit", "role": "admin"},
>>       {"name": "security-read", "role": "admin"},
>>       {"name": "schema-edit", "role": "admin"},
>>       {"name": "schema-read", "role": "admin"},
>>       {"name": "config-edit", "role": "admin"},
>>       {"name": "config-read", "role": "admin"},
>>       {"name": "core-admin-edit", "role": "admin"},
>>       {"name": "core-admin-read", "role": "admin"},
>>       {"name": "collection-api-edit", "role": "admin"},
>>       {"name": "collection-api-read", "role": "admin"},
>>       {"name": "read", "role": "admin"},
>>       {"name": "update", "role": "admin"},
>>       {"name": "all", "role": "admin"}
>>    ],
>>    "user-role":{
>>      "solr":"admin",
>>      "solr-user": "dev"
>>    }
>>   }
>> }
>>
>> And this is the output of a script I use to test permissions quickly:
>>
>> $ ./test-security.sh
>>
>> Testing permissions for user [solr]
>>     Request [/admin/collections?action=LIST] returned status [200]
>>     Request [/collection1/select?q=*:*] returned status [200]
>>     Request [/collection2/select?q=*:*] returned status [200]
>>     Request [/collection3/select?q=*:*] returned status [200]
>>
>> Testing permissions for user [solr-user]
>>     Request [/admin/collections?action=LIST] returned status [403]
>>     Request [/collection1/select?q=*:*] returned status [200]
>>     Request [/collection2/select?q=*:*] returned status [200]
>>     Request [/collection3/select?q=*:*] returned status [403]
>>
>> You can find this script here, to see the exact curl commands being
>> used and run it yourself: https://paste.apache.org/tjtdg
>>
>> That output looks correct to me.  solr-user is prevented from
>> accessing other APIs and other collections, but can access collection1
>> and collection2.
>>
>> Does your security.json match mine, or do the permissions differ in
>> some way?  Can you still reproduce the behavior using my script?
>>
>> Good luck,
>>
>> Jason
>>
>> On Thu, Aug 22, 2019 at 2:13 AM Salmaan Rashid Syed
>> <sa...@mroads.com> wrote:
>> >
>> > Hi,
>> >
>> > Any suggestions as to what can be done?
>> >
>> > Regards,
>> > Salmaan
>> >
>> >
>> > On Wed, Aug 21, 2019 at 4:33 PM Jason Gerlowski <ge...@gmail.com>
>> > wrote:
>> >
>> > > Ah, ok.  SOLR-13355 still affects 7.6, so that explains why you're
>> > > seeing this behavior.
>> > >
>> > > You could upgrade to get the new behavior, but you don't need to-
>> > > there's a workaround.  You just need to add a few extra rules to your
>> > > security.json.  The problem in SOLR-13355 is that the "all" permission
>> > > isn't being considered for APIs that are covered by other predefined
>> > > permissions.  So the workaround is to add a permission rule for each
>> > > of the predefined permissions, locking them down to the "admin" role.
>> > > It really bloats security.json, but should do the job.  So your
>> > > security.json should have a permissions section that looks like the
>> > > JSON below:
>> > >
>> > > {"name": "dev-read", "collection": ["collection1", "collection2"],
>> > > "role": "dev"},
>> > > {"name": "security-edit", "role": "admin"},
>> > > {"name": "security-read", "role": "admin"},
>> > > {"name": "schema-edit", "role": "admin"},
>> > > {"name": "schema-read", "role": "admin"},
>> > > {"name": "config-edit", "role": "admin"},
>> > > {"name": "config-read", "role": "admin"},
>> > > {"name": "core-admin-edit", "role": "admin"},
>> > > {"name": "core-admin-read", "role": "admin"},
>> > > {"name": "collection-api-edit", "role": "admin"},
>> > > {"name": "collection-api-read", "role": "admin"},
>> > > {"name": "read", "role": "admin"},
>> > > {"name": "update", "role": "admin"},
>> > > {"name": "all", "role": "admin"}
>> > >
>> > > Hope that helps.  Let me know if that still has any problems for you.
>> > >
>> > > Jason

Re: Problems with restricting access to users using Basic auth

Posted by Salmaan Rashid Syed <sa...@mroads.com>.
Thanks a lot Jason,

I will try this out and let you know.

Thanks again.

On Wed 28 Aug, 2019, 7:45 PM Jason Gerlowski, <ge...@gmail.com> wrote:

Re: Problems with restricting access to users using Basic auth

Posted by Jason Gerlowski <ge...@gmail.com>.
Hi Salmaan,

Are you still seeing this behavior, or were you able to figure things out?

I just got a chance to try out the security.json in Solr 7.6 myself,
and I can't reproduce the behavior you're seeing.

It might be helpful to level set here.  Make sure that our
security.json settings and our test requests are exactly the same.

This is the security.json I used in my test deployment:

{
  "authentication":{
   "blockUnknown": true,
   "class":"solr.BasicAuthPlugin",
   "credentials":{
     "solr":"gP31s0FQevh3k0i0y6g9AP/TZLWctxfZjtC9sOh8vZU= J7an406gVyx4v4CkR8YLgmhClk9Yv/fIBSfZoi1f0kY=",
     "solr-user":"gP31s0FQevh3k0i0y6g9AP/TZLWctxfZjtC9sOh8vZU= J7an406gVyx4v4CkR8YLgmhClk9Yv/fIBSfZoi1f0kY="
   }
  },
  "authorization":{
   "class":"solr.RuleBasedAuthorizationPlugin",
   "permissions":[
      {"name": "dev-read", "collection": ["collection1", "collection2"], "role": ["dev", "admin"] },
      {"name": "security-edit", "role": "admin"},
      {"name": "security-read", "role": "admin"},
      {"name": "schema-edit", "role": "admin"},
      {"name": "schema-read", "role": "admin"},
      {"name": "config-edit", "role": "admin"},
      {"name": "config-read", "role": "admin"},
      {"name": "core-admin-edit", "role": "admin"},
      {"name": "core-admin-read", "role": "admin"},
      {"name": "collection-api-edit", "role": "admin"},
      {"name": "collection-api-read", "role": "admin"},
      {"name": "read", "role": "admin"},
      {"name": "update", "role": "admin"},
      {"name": "all", "role": "admin"}
   ],
   "user-role":{
     "solr":"admin",
     "solr-user": "dev"
   }
  }
}

And this is the output of a script I use to test permissions quickly:

$ ./test-security.sh

Testing permissions for user [solr]
    Request [/admin/collections?action=LIST] returned status [200]
    Request [/collection1/select?q=*:*] returned status [200]
    Request [/collection2/select?q=*:*] returned status [200]
    Request [/collection3/select?q=*:*] returned status [200]

Testing permissions for user [solr-user]
    Request [/admin/collections?action=LIST] returned status [403]
    Request [/collection1/select?q=*:*] returned status [200]
    Request [/collection2/select?q=*:*] returned status [200]
    Request [/collection3/select?q=*:*] returned status [403]

You can find this script here, to see the exact curl commands being
used and run it yourself: https://paste.apache.org/tjtdg

That output looks correct to me.  solr-user is prevented from
accessing other APIs and other collections, but can access collection1
and collection2.

Does your security.json match mine, or do the permissions differ in
some way?  Can you still reproduce the behavior using my script?

Good luck,

Jason

On Thu, Aug 22, 2019 at 2:13 AM Salmaan Rashid Syed
<sa...@mroads.com> wrote:
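
The rule walk Jason describes (rules checked in order, the first covering rule decides, requests no rule covers are let through), as an offline model added here for illustration; it is constructed code, not from the thread and not Solr's own implementation. It replays the thread's permission lists against the same requests Jason's script sends, and the table mapping predefined permission names to paths and HTTP methods is a deliberately small assumption covering only those requests.

```python
"""Offline model of how Solr's RuleBasedAuthorizationPlugin walks the
"permissions" list, written for this thread.  Constructed illustration, not
Solr's own code; it implements the behaviour the thread describes:

  * rules are checked in the order they appear in security.json;
  * the first rule that covers a request decides it: the caller needs one
    of that rule's roles, otherwise the answer is 403;
  * a request that no rule covers is allowed, which is what let solr-user
    reach Collection3 and /admin/authentication with the original config.
"""

# Assumption: a deliberately small table of the predefined permission names
# used in the thread and the request paths (and, where relevant, HTTP
# methods) they cover.  The real plugin covers many more paths per name.
PREDEFINED = {
    "read": ({"/select", "/get"}, None),  # None = any method
    "update": ({"/update"}, None),
    "security-edit": ({"/admin/authentication", "/admin/authorization"}, {"POST"}),
    "security-read": ({"/admin/authentication", "/admin/authorization"}, {"GET"}),
}


def _as_list(value):
    """security.json accepts a string or a list for name/collection/role."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def rule_covers(rule, method, path, collection):
    """Does this rule apply to the request at all (before the role check)?"""
    cols = _as_list(rule.get("collection"))
    # A collection-scoped rule never covers node-level admin requests
    # (collection is None) or requests to collections it does not list.
    if cols and (collection is None or collection not in cols):
        return False
    for name in _as_list(rule.get("name")):
        if name == "all":
            return True
        paths, methods = PREDEFINED.get(name, (set(), None))
        if path in paths and (methods is None or method in methods):
            return True
    return False


def authorize(permissions, user_roles, method, path, collection=None):
    """HTTP status the model predicts for one request: 200 or 403."""
    for rule in permissions:
        if rule_covers(rule, method, path, collection):
            allowed = _as_list(rule.get("role"))
            return 200 if any(r in allowed for r in user_roles) else 403
    return 200  # no rule covered the request: it is let through


USER_ROLES = {"solr-admin": ["admin"], "solr-user": ["dev"]}

# The permissions list from the original post: no catch-all rule.
ORIGINAL = [
    {"name": "security-edit", "role": "admin"},
    {"collection": ["Collection1", "Collection2"],
     "name": ["update", "read"], "role": "dev"},
]
# The same list with the catch-all from the first reply appended.
WITH_CATCH_ALL = ORIGINAL + [{"name": "all", "role": "admin"}]
# Like the later reply's config: the collection rule also admits "admin",
# because the first covering rule decides and roles are not hierarchical.
FIXED = [
    {"collection": ["Collection1", "Collection2"],
     "name": ["update", "read"], "role": ["dev", "admin"]},
    {"name": "security-edit", "role": "admin"},
    {"name": "all", "role": "admin"},
]

# Constructed requests mirroring the test script output in the thread.
REQUESTS = [
    ("GET", "/admin/collections", None),
    ("GET", "/select", "Collection1"),
    ("GET", "/select", "Collection2"),
    ("GET", "/select", "Collection3"),
    ("POST", "/update", "Collection3"),
    ("GET", "/admin/authentication", None),
]


def run(permissions, user):
    """Status for every request in REQUESTS as {(method, path, coll): status}."""
    roles = USER_ROLES[user]
    return {req: authorize(permissions, roles, *req) for req in REQUESTS}


if __name__ == "__main__":
    for label, perms in (("original", ORIGINAL),
                         ("with catch-all", WITH_CATCH_ALL), ("fixed", FIXED)):
        for user in USER_ROLES:
            print(f"[{label}] permissions for user [{user}]")
            for (method, path, coll), status in run(perms, user).items():
                target = f"/{coll}{path}" if coll else path
                print(f"    {method} {target:<32} returned status [{status}]")
```

Running it prints a table in the shape of the thread's test-security.sh output, but from the model rather than from a live Solr; the "with catch-all" rows also show why the collection rule has to admit "admin" as well as "dev" once a catch-all sits at the bottom.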

Re: Problems with restricting access to users using Basic auth

Posted by Salmaan Rashid Syed <sa...@mroads.com>.
Hi,

Any suggestions as to what can be done?

Regards,
Salmaan


On Wed, Aug 21, 2019 at 4:33 PM Jason Gerlowski <ge...@gmail.com>
wrote:

> Ah, ok.  SOLR-13355 still affects 7.6, so that explains why you're
> seeing this behavior.
>
> You could upgrade to get the new behavior, but you don't need to-
> there's a workaround.  You just need to add a few extra rules to your
> security.json.  The problem in SOLR-13355 is that the "all" permission
> isn't being considered for APIs that are covered by other predefined
> permissions.  So the workaround is to add a permission rule for each
> of the predefined permissions, locking them down to the "admin" role.
> It really bloats security.json, but should do the job.  So your
> security.json should have a permissions section that looks like the
> JSON below:
>
> {"name": "dev-read", "collection": ["collection1", "collection2"], "role": "dev"},
> {"name": "security-edit", "role": "admin"},
> {"name": "security-read", "role": "admin"},
> {"name": "schema-edit", "role": "admin"},
> {"name": "schema-read", "role": "admin"},
> {"name": "config-edit", "role": "admin"},
> {"name": "config-read", "role": "admin"},
> {"name": "core-admin-edit", "role": "admin"},
> {"name": "core-admin-read", "role": "admin"},
> {"name": "collection-api-edit", "role": "admin"},
> {"name": "collection-api-read", "role": "admin"},
> {"name": "read", "role": "admin"},
> {"name": "update", "role": "admin"},
> {"name": "all", "role": "admin"}
>
> Hope that helps.  Let me know if that still has any problems for you.
>
> Jason
> > >> > > >    ,
> > >> > > >    7. "solr-user":
> > >> > > >    "p+XwOh15p/rvFltv2LXP1CwtbvwBgGlC9qcDKxV73B4=
> > >> > > > DcNsjfA6Wf16V1XKT+YraosSFQ5Cr3eRUX6BQnx9XKA="
> > >> > > >
> > >> > > >    8.                  }
> > >> > > >    9. },
> > >> > > >    10. "authorization":{
> > >> > > >    11.    "class":"solr.RuleBasedAuthorizationPlugin",
> > >> > > >    12.    "user-role":{"solr-admin":"admin", "solr-user":"dev"},
> > >> > > >    13.    "permissions":[
> > >> > > >    14.       {
> > >> > > >    15.        "name":"security-edit",
> > >> > > >    16.        "role":"admin"
> > >> > > >    17.       },
> > >> > > >    18.       {
> > >> > > >    19.         "collection": ["Collection1", "Collection2"],
> > >> > > >    20.         "name": ["update", "read"],
> > >> > > >    21.         "role": "dev"
> > >> > > >    22.       }
> > >> > > >    23.       ]
> > >> > > >    24. }}
> > >> > > >
> > >> > > >
> > >> > > > But when Login intot the Solr admin dash-board using Solr-user
> > >> > > credentials,
> > >> > > > I can read, select, write, update, delete collections and do all
> > >> sorts of
> > >> > > > things like a solr-admin can do.
> > >> > > >
> > >> > > > I want solr-user to be able to access only *Collection1* and
> > >> > > *Collection2*
> > >> > > > and be able to only *update *and *read*. He should not be able
> to
> > >> access
> > >> > > > other collections and do anything apart from the above mentioned
> > >> role.
> > >> > > >
> > >> > > > Where am I exactly going wrong?
> > >> > > >
> > >> > > > Thanks and Regards,
> > >> > > > Salmaan
> > >> > >
> > >>
> > >
>

Re: Problems with restricting access to users using Basic auth

Posted by Jason Gerlowski <ge...@gmail.com>.
Ah, ok.  SOLR-13355 still affects 7.6, so that explains why you're
seeing this behavior.

You could upgrade to get the new behavior, but you don't need to-
there's a workaround.  You just need to add a few extra rules to your
security.json.  The problem in SOLR-13355 is that the "all" permission
isn't being considered for APIs that are covered by other predefined
permissions.  So the workaround is to add a permission rule for each
of the predefined permissions, locking them down to the "admin" role.
It really bloats security.json, but should do the job.  So your
security.json should have a permissions section that looks like the
JSON below:

"permissions": [
  {"name": "dev-read", "collection": ["collection1", "collection2"], "role": "dev"},
  {"name": "security-edit", "role": "admin"},
  {"name": "security-read", "role": "admin"},
  {"name": "schema-edit", "role": "admin"},
  {"name": "schema-read", "role": "admin"},
  {"name": "config-edit", "role": "admin"},
  {"name": "config-read", "role": "admin"},
  {"name": "core-admin-edit", "role": "admin"},
  {"name": "core-admin-read", "role": "admin"},
  {"name": "collection-admin-edit", "role": "admin"},
  {"name": "collection-admin-read", "role": "admin"},
  {"name": "read", "role": "admin"},
  {"name": "update", "role": "admin"},
  {"name": "all", "role": "admin"}
]

Hope that helps.  Let me know if that still has any problems for you.

Jason
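As an added example (not code from this thread or from Solr itself): a small Python script that generates the workaround permissions list described above for a Solr 7.x security.json and lints an existing list for the two things that go wrong in this thread: a predefined permission that no unscoped rule pins to the admin role (such requests fall through to "allow" on 7.6), and a collection-scoped rule placed after an unscoped rule of the same name, which first-match evaluation would never reach. The role names "admin"/"dev" and the collection names come from the thread. The PREDEFINED list follows the names in the Solr reference guide for 7.x (the Collections API pair is spelled collection-admin-edit/collection-admin-read there); treat it as an assumption to check against the guide for your exact release, which may carry further predefined names such as metrics-read.

```python
"""Build and lint a RuleBasedAuthorizationPlugin permissions list for the
SOLR-13355 workaround.  Added example, not code from the thread or from Solr."""
import json

# Predefined permission names from the Solr 7.x reference guide (assumption:
# verify against the guide for your release and extend if it lists more, e.g.
# "metrics-read").  The Collections API pair is spelled collection-admin-*.
PREDEFINED = [
    "security-edit", "security-read",
    "schema-edit", "schema-read",
    "config-edit", "config-read",
    "core-admin-edit", "core-admin-read",
    "collection-admin-edit", "collection-admin-read",
    "update", "read",
]


def _as_list(value):
    """security.json accepts a string or a list for 'name', 'role', 'collection'."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def build_permissions(dev_collections, dev_role="dev", admin_role="admin"):
    """dev_role may read/update only dev_collections; every predefined permission
    and the 'all' catch-all are pinned to admin_role.  Order matters: Solr applies
    the first rule that matches a request, so the collection-scoped dev rules must
    come before the unscoped admin rules that carry the same names."""
    perms = [
        {"name": "read", "collection": list(dev_collections), "role": dev_role},
        {"name": "update", "collection": list(dev_collections), "role": dev_role},
    ]
    perms.extend({"name": name, "role": admin_role} for name in PREDEFINED)
    perms.append({"name": "all", "role": admin_role})
    return perms


def uncovered_predefined(permissions, admin_role="admin"):
    """Predefined names that no unscoped rule restricts to admin_role.  On 7.6
    (SOLR-13355) a request matching such a name is allowed even with an 'all'
    rule present, which is the behaviour reported in this thread."""
    pinned = set()
    for p in permissions:
        if not _as_list(p.get("collection")) and _as_list(p.get("role")) == [admin_role]:
            pinned.update(_as_list(p.get("name")))
    return [name for name in PREDEFINED if name not in pinned]


def shadowed_rules(permissions):
    """Collection-scoped rules that follow an unscoped rule of the same name.
    With first-match evaluation they can never apply, so the dev role would be
    locked out of its own collections."""
    seen_unscoped = set()
    shadowed = []
    for p in permissions:
        names = _as_list(p.get("name"))
        if _as_list(p.get("collection")):
            if any(n in seen_unscoped for n in names):
                shadowed.append(p)
        else:
            seen_unscoped.update(names)
    return shadowed


def authorization_section(permissions, user_roles):
    """JSON text for the 'authorization' block of security.json."""
    return json.dumps({"authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "user-role": user_roles,
        "permissions": permissions,
    }}, indent=2)


if __name__ == "__main__":
    perms = build_permissions(["Collection1", "Collection2"])
    print(authorization_section(perms, {"solr-admin": "admin", "solr-user": "dev"}))
    # Lint the list from the first post in this thread (constructed here).
    original = [
        {"name": "security-edit", "role": "admin"},
        {"collection": ["Collection1", "Collection2"],
         "name": ["update", "read"], "role": "dev"},
    ]
    print("not pinned to admin:", uncovered_predefined(original))
```

Running it prints the authorization block and, for the original configuration, the list of predefined permissions that are still open to everyone. Load the result either by writing the whole security.json to ZooKeeper with bin/solr zk cp and restarting, or by pushing rules as solr-admin through the Authorization API at /solr/admin/authorization with set-permission; with blockUnknown true, test afterwards with both users, since a shadowed rule locks the dev user out rather than letting an attacker in.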

On Wed, Aug 21, 2019 at 6:48 AM Salmaan Rashid Syed
<sa...@mroads.com> wrote:

Re: Problems with restricting access to users using Basic auth

Posted by Salmaan Rashid Syed <sa...@mroads.com>.
Hi Jason,

Is there a way to fix this in version 7.6?

Or is it mandatory to upgrade to other versions?

If I have to upgrade to a higher version, then what is the best way to do
this without affecting the current configuration and indexed data?

Thanks,
Salmaan



On Wed, Aug 21, 2019 at 4:13 PM Salmaan Rashid Syed <
salmaan.rashid@mroads.com> wrote:


Re: Problems with restricting access to users using Basic auth

Posted by Salmaan Rashid Syed <sa...@mroads.com>.
Hi Jason,

I am using version 7.6 of Solr.

Thanks,
Salmaan



On Wed, Aug 21, 2019 at 4:12 PM Jason Gerlowski <ge...@gmail.com>
wrote:


Re: Problems with restricting access to users using Basic auth

Posted by Jason Gerlowski <ge...@gmail.com>.
The "all" permission _should_ block solr-user from accessing all of
those resources, and I believe it does in newer versions of Solr.
There was a bug with it that was fixed a few versions back though- it
sounds like you might be running into that. (see
https://issues.apache.org/jira/browse/SOLR-13355) What version of Solr
are you using?

Jason



On Wed, Aug 21, 2019 at 5:21 AM Salmaan Rashid Syed
<sa...@mroads.com> wrote:

Re: Problems with restricting access to users using Basic auth

Posted by Salmaan Rashid Syed <sa...@mroads.com>.
Hi Jason,

Thanks for your prompt reply.

Your code does address a few of my concerns like restricting *solr-user* from
accessing the dashboard and from executing other request methods apart from
*"update"* and *"read"*.

But I am still able to access other collections such as *"Collection3",
"Collection4"* and so on, apart from the intended two collections entered in
the code. I can give *"update"* and *"read"* requests to these external
collections which solr-user should not be able to do.

Moreover solr-user can look at the
*http://localhost:8983/solr/admin/authentication* link which lists the
users and their *SHA256* coded passwords. How can I hide this and restrict
access to other collections?

Thanks and regards
Salmaan
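As an added example, not code from this thread or from the Solr project: a Python probe that authenticates as the restricted user and checks exactly the points raised in this message, that Collection1 and Collection2 answer, and that another collection, the Collections API, the Config and Schema APIs and /admin/authentication all return 403. The base URL, the user name solr-user and a collection named Collection3 (standing in for any collection the dev role must not reach) are assumptions; the password is supplied by the caller. The comparison is kept separate from the HTTP calls so the expectation table can be checked without a running Solr.

```python
"""Probe a running Solr as the restricted user and report every endpoint whose
status differs from what the policy in this thread requires.  Added example;
base URL, user name and the collection "Collection3" are assumptions."""
import base64
import urllib.error
import urllib.request

# (method, path relative to the Solr context, expected status).  Constructed
# from the thread's requirements: dev may read/update Collection1 and
# Collection2 only.  Collection3 is assumed to exist as a collection the dev
# role must not reach.
DEV_EXPECTATIONS = [
    ("GET", "/Collection1/select?q=*:*", 200),
    ("GET", "/Collection2/select?q=*:*", 200),
    ("POST", "/Collection1/update?commit=true", 200),
    ("GET", "/Collection3/select?q=*:*", 403),
    ("POST", "/Collection3/update?commit=true", 403),
    ("GET", "/admin/authentication", 403),   # lists users and password hashes
    ("GET", "/admin/authorization", 403),
    ("GET", "/admin/collections?action=LIST", 403),
    ("GET", "/Collection1/config", 403),
    ("GET", "/Collection1/schema", 403),
]


def basic_auth_header(user, password):
    """Authorization header value consumed by solr.BasicAuthPlugin."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def http_status(base_url, method, path, auth_header, timeout=5):
    """Status code of one request; 4xx/5xx come back as codes, not exceptions."""
    body = b"[]" if method == "POST" else None   # empty JSON update batch
    req = urllib.request.Request(base_url + path, data=body, method=method,
                                 headers={"Authorization": auth_header})
    if body is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def mismatches(expectations, observed):
    """Rows whose observed status differs from the expected one, returned as
    (method, path, expected, actual).  'observed' maps (method, path) to a
    status code, so this part needs no server."""
    return [(method, path, expected, observed.get((method, path)))
            for method, path, expected in expectations
            if observed.get((method, path)) != expected]


def probe(base_url, user, password, expectations=DEV_EXPECTATIONS):
    """Issue every request in 'expectations' as 'user' and return the mismatches."""
    auth = basic_auth_header(user, password)
    observed = {(m, p): http_status(base_url, m, p, auth) for m, p, _ in expectations}
    return mismatches(expectations, observed)


if __name__ == "__main__":
    import sys
    # Assumed dev password; pass the real one as the first argument.
    password = sys.argv[1] if len(sys.argv) > 1 else "SolrRocks"
    for row in probe("http://localhost:8983/solr", "solr-user", password):
        print("MISMATCH method=%s path=%s expected=%s got=%s" % row)
```

An empty result means nothing in the table leaks; every printed row is an endpoint the dev role can still reach (or, for the first three rows, one it has wrongly lost). Run it after each change to security.json, and once more without credentials, where blockUnknown set to true should turn every row into a 401.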


On Wed, Aug 21, 2019 at 5:07 AM Jason Gerlowski <ge...@gmail.com>
wrote:


Re: Problems with restricting access to users using Basic auth

Posted by Jason Gerlowski <ge...@gmail.com>.
Hi Salmaan,

Solr's RuleBasedAuthorizationPlugin allows requests through if none of
the specified permissions apply.  I think that's what you're running
into in your example above.  If you want to lock down a particular API
(or set of APIs) then you need to explicitly add a permission that
restricts those APIs to a particular role.

One way to get the behavior that it sounds like you're looking for
would be to add a catch-all permission at the bottom of your
permissions list that restricts all other APIs to "admin".  This would
look a bit like:

 "permissions":[
    {
        "name":"security-edit",
        "role":"admin"
    },
    {
        "collection": ["Collection1", "Collection2"],
        "name": ["update", "read"],
        "role": "dev"
    },
    {
        "name": "all",
        "role": "admin"
    }
]

Hope that helps get you started.

Best,

Jason

On Tue, Aug 20, 2019 at 3:19 AM Salmaan Rashid Syed
<sa...@mroads.com> wrote: