Posted to issues@lucene.apache.org by "Dr. Daniel Georg Kirschner (Jira)" <ji...@apache.org> on 2020/11/04 16:22:00 UTC
[jira] [Created] (SOLR-14984) Solr standalone core not used as collection in authorization
Dr. Daniel Georg Kirschner created SOLR-14984:
-------------------------------------------------
Summary: Solr standalone core not used as collection in authorization
Key: SOLR-14984
URL: https://issues.apache.org/jira/browse/SOLR-14984
Project: Solr
Issue Type: Bug
Security Level: Public (Default Security Level. Issues are Public)
Components: Authorization
Affects Versions: 8.6.3
Environment: Solr 8.6.3 (with techproducts sample as "tech").
Reporter: Dr. Daniel Georg Kirschner
In org.apache.solr.servlet.HttpSolrCall method AuthorizationContext getAuthCtx() seems not to use the core in the collectionRequests, which leads to org.apache.solr.security.RuleBasedAuthorizationPluginBase method authorize() not using the core in the authorization rules. IMHO, this seems not to be what is intended security-wise.
My use case seems to be solved by changing (in HttpSolrCall.getAuthCtx() ):
Org:
    SolrParams params = getQueryParams();
    final ArrayList<CollectionRequest> collectionRequests = new ArrayList<>();
    for (String collection : getCollectionsList()) {
      collectionRequests.add(new CollectionRequest(collection));
    }
To New:
    SolrParams params = getQueryParams();
    final ArrayList<CollectionRequest> collectionRequests = new ArrayList<>();
    for (String collection : getCollectionsList()) {
      collectionRequests.add(new CollectionRequest(collection));
    }
    // added lines: also pass the standalone core name to the authorization rules
    if (core != null) {
      collectionRequests.add(new CollectionRequest(core.getName()));
    }
I do not understand the full concept of the authorization code. Please check if this quick fix is actually working for all use cases.
Best regards,
Daniel Kirschner
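
A simplified model of the behaviour described in the report above, added here as an example; it is not Solr's code and not part of the reporter's message. The Rule class, the authorize() logic, the "no matching rule means allowed" default and the empty collections list for a standalone core are assumptions of this model, and the "tech"/"admin"/"reader" values are constructed.

```java
import java.util.*;

// Simplified model of collection-scoped rule matching; these are NOT Solr's classes.
public class CoreAuthzModel {
    // Hypothetical rule: requests that touch `collection` require `role`.
    static final class Rule {
        final String collection, role;
        Rule(String collection, String role) { this.collection = collection; this.role = role; }
    }

    // Mirrors the snippet in the report: the names that end up in collectionRequests.
    static List<String> collectionRequests(List<String> collectionsList, String coreName,
                                           boolean includeCore) {
        List<String> out = new ArrayList<>(collectionsList);
        if (includeCore && coreName != null) {
            out.add(coreName); // the addition proposed in the report
        }
        return out;
    }

    // Assumption of this model: a request that matches no rule is allowed.
    static boolean authorize(List<Rule> rules, List<String> requested, Set<String> userRoles) {
        for (String name : requested) {
            for (Rule r : rules) {
                if (r.collection.equals(name) && !userRoles.contains(r.role)) {
                    return false; // a rule applies and the user lacks the required role
                }
            }
        }
        return true; // nothing in `requested` matched a rule
    }

    public static void main(String[] args) {
        // Constructed sample data: one rule protecting "tech", one user without "admin".
        List<Rule> rules = Collections.singletonList(new Rule("tech", "admin"));
        Set<String> roles = Collections.singleton("reader");
        // Assumed: for a standalone core the collections list is empty.
        List<String> none = Collections.emptyList();

        boolean before = authorize(rules, collectionRequests(none, "tech", false), roles);
        boolean after = authorize(rules, collectionRequests(none, "tech", true), roles);
        System.out.println("core omitted from collectionRequests  -> allowed=" + before);
        System.out.println("core included in collectionRequests   -> allowed=" + after);
    }
}
```

The same comparison makes a regression check for a real deployment: a rule scoped to the core name should deny a user without the required role when the request targets that standalone core.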