Posted to dev@lucene.apache.org by "Jan Høydahl (JIRA)" <ji...@apache.org> on 2019/04/14 18:54:00 UTC
[jira] [Resolved] (SOLR-9804) Rule-Based Authorization Plugin does not secure access for update operations
[ https://issues.apache.org/jira/browse/SOLR-9804?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jan Høydahl resolved SOLR-9804.
-------------------------------
Resolution: Not A Problem
Closing this as the real issue is handled in another JIRA
> Rule-Based Authorization Plugin does not secure access for update operations
> ----------------------------------------------------------------------------
>
> Key: SOLR-9804
> URL: https://issues.apache.org/jira/browse/SOLR-9804
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: security
> Affects Versions: 6.3
> Environment: Linux:
> # uname -a
> Linux hostname 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
> /solr -version
> 6.3.0
> Reporter: Sleem
> Priority: Major
> Labels: authorization, security, update
>
> It looks like the /update path is not filtered by the Rule-Based Authorization Plugin, even if you set a permission using the path permission "/update" or the pre-defined permission "update". Below is the security.json:
> {code:JavaScript}
> {
>   "authentication":{
>     "class":"solr.BasicAuthPlugin",
>     "blockUnknown":true,
>     "credentials":{
>       "admin":"JrcQ8Lh/xKmucz9CaGVXwTpXxGSUZOt32i6W2f4tIfY= PuAJx8DjI0Ozy2gQXteG5KfRAbOmXuRFZVjHbrIIzVk=",
>       "update":"tFdQLTQd9qXAStQek5xQQPlVcmXgjI/w4+9rjAZyqTU= by0LXUAdNAtcJW+DuycI2zc4NyDjCiexOgMaqEFIklU=",
>       "solr":"GglOeZytbUBCKW8QT1H7kVs0eHc0x8+iNmpz7x8DKMI= 5JR1Ul8QehmP3nb2U6Bc/N1qwrQljLfiKPTxm35FikA="}},
>   "authorization":{
>     "class":"solr.RuleBasedAuthorizationPlugin",
>     "user-role":{
>       "admin":["admin_role"],
>       "update":["update_role"],
>       "solr":["read_role"]},
>     "permissions":[
>       {"collection":null, "name":"security-edit",         "role":["admin_role"],                            "index":1},
>       {"collection":null, "name":"schema-edit",           "role":["admin_role"],                            "index":2},
>       {"collection":null, "name":"config-edit",           "role":["admin_role"],                            "index":3},
>       {"collection":null, "name":"core-admin-edit",       "role":["admin_role"],                            "index":4},
>       {"collection":null, "name":"collection-admin-edit", "role":["admin_role"],                            "index":5},
>       {"collection":null, "name":"security-read",         "role":["admin_role"],                            "index":6},
>       {"collection":null, "name":"schema-read",           "role":["admin_role","update_role"],              "index":7},
>       {"collection":null, "name":"core-admin-read",       "role":["admin_role","update_role"],              "index":8},
>       {"collection":null, "name":"config-read",           "role":["admin_role","update_role"],              "index":9},
>       {"collection":null, "name":"collection-admin-read", "role":["admin_role","update_role"],              "index":10},
>       {"collection":null, "name":"update",                "role":["admin_role","update_role"],              "index":11},
>       {"collection":null, "name":"read",                  "role":["admin_role","update_role","read_role"],  "index":12},
>       {"collection":null, "name":"all",                   "role":["admin_role"],                            "index":13},
>       {"collection":null, "path":"/*",                    "role":["admin_role"],                            "index":14}],
>     "":{"v":138}}}
> {code}
> I have tested updates using SolrJ and by hitting /update in the browser as the solr user (who has no rights to update). Both updates succeeded.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
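A way to reason about the permission list quoted above, added here as an example (it is not Solr's code and not the reporter's SolrJ test): a small Python model of the first-match evaluation the Solr reference guide documents for the Rule-Based Authorization Plugin. Permissions are scanned in the order they appear in security.json, the first one whose collection and path match the request decides which roles are allowed, and a request that no permission covers is not restricted. The PREDEFINED map is an abbreviated assumption of the paths the predefined permission names stand for (the GET/POST split between the *-read and *-edit names is not modelled), and the helper names rule, authorize and with_catch_all_first are hypothetical. Run against the reporter's configuration, the model denies the solr user on /update because the "update" permission at index 11 is the first match and does not list read_role; it also shows the ordering hazard that a broad "/*" rule placed ahead of the specific ones silently shadows them.

```python
"""Model of how Solr's RuleBasedAuthorizationPlugin picks a permission.

Added example, not Solr source code. First-match semantics as documented:
permissions are scanned in listed order, the first one whose collection and
path match is the only one consulted, and an uncovered request is allowed.
PREDEFINED is an abbreviated assumption of the predefined permission paths.
"""
import copy

# Assumption: abbreviated subset of Solr's predefined permission names -> paths.
PREDEFINED = {
    "security-edit": ["/admin/authentication", "/admin/authorization"],
    "security-read": ["/admin/authentication", "/admin/authorization"],
    "schema-edit": ["/schema/*"], "schema-read": ["/schema/*"],
    "config-edit": ["/config/*"], "config-read": ["/config/*"],
    "core-admin-edit": ["/admin/cores"], "core-admin-read": ["/admin/cores"],
    "collection-admin-edit": ["/admin/collections"],
    "collection-admin-read": ["/admin/collections"],
    "update": ["/update/*"],
    "read": ["/select", "/get", "/export", "/terms", "/sql", "/graph", "/stream"],
    "all": ["/*"],
}


def path_matches(pattern, path):
    """'/x/*' matches '/x' itself and anything below it; otherwise exact match."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def perm_matches(perm, path, collection):
    """Collection check first (null = every collection), then path."""
    wanted = perm.get("collection")
    if wanted is not None:
        wanted = [wanted] if isinstance(wanted, str) else wanted
        if collection not in wanted:
            return False
    patterns = perm.get("path")
    if patterns is None:
        patterns = PREDEFINED[perm["name"]]
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(path_matches(p, path) for p in patterns)


def authorize(config, user, path, collection=None):
    """Return (allowed, index of the permission that decided, or None).

    user=None models an anonymous request; with blockUnknown=true Solr
    rejects those before authorization runs, so None here assumes false.
    """
    authz = config["authorization"]
    roles = set(authz["user-role"].get(user, [])) if user else set()
    for perm in authz["permissions"]:
        if not perm_matches(perm, path, collection):
            continue
        allowed = perm.get("role")
        if allowed is None:          # role:null means anyone, even anonymous
            return True, perm["index"]
        allowed = [allowed] if isinstance(allowed, str) else allowed
        return bool(roles & set(allowed)), perm["index"]
    return True, None                # no rule covers the request: not restricted


def rule(index, name=None, path=None, role=None):
    """One entry of the permissions list, in the shape security.json uses."""
    return {"collection": None, "name": name, "path": path, "role": role, "index": index}


ADMIN, UPD, READ = "admin_role", "update_role", "read_role"

# The reporter's security.json reduced to its authorization section.
REPORTER_CONFIG = {"authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {"admin": [ADMIN], "update": [UPD], "solr": [READ]},
    "permissions": [
        rule(1, "security-edit", role=[ADMIN]),
        rule(2, "schema-edit", role=[ADMIN]),
        rule(3, "config-edit", role=[ADMIN]),
        rule(4, "core-admin-edit", role=[ADMIN]),
        rule(5, "collection-admin-edit", role=[ADMIN]),
        rule(6, "security-read", role=[ADMIN]),
        rule(7, "schema-read", role=[ADMIN, UPD]),
        rule(8, "core-admin-read", role=[ADMIN, UPD]),
        rule(9, "config-read", role=[ADMIN, UPD]),
        rule(10, "collection-admin-read", role=[ADMIN, UPD]),
        rule(11, "update", role=[ADMIN, UPD]),
        rule(12, "read", role=[ADMIN, UPD, READ]),
        rule(13, "all", role=[ADMIN]),
        rule(14, path="/*", role=[ADMIN]),
    ]}}


def with_catch_all_first(config, roles):
    """Ordering hazard: a broad '/*' rule placed first shadows every later rule."""
    cfg = copy.deepcopy(config)
    cfg["authorization"]["permissions"].insert(0, rule(0, path="/*", role=roles))
    return cfg


if __name__ == "__main__":
    for user, path in [("solr", "/update"), ("solr", "/update/json/docs"),
                       ("update", "/update"), ("solr", "/select"), (None, "/select")]:
        print(user, path, authorize(REPORTER_CONFIG, user, path))
    loose = with_catch_all_first(REPORTER_CONFIG, [ADMIN, UPD, READ])
    print("catch-all first:", authorize(loose, "solr", "/update"))
```

The model is only as good as its reading of the documentation, so the check a practitioner wants on a live node is the same table of (user, path) pairs sent with HTTP Basic credentials, expecting 403 wherever the model returns False and 200 wherever it returns True; a mismatch such as the one the reporter describes (solr succeeding on /update) points at the server's behaviour rather than at the rule order in security.json.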