Posted to users@solr.apache.org by Danilo Tomasoni <to...@cosbi.eu> on 2023/02/16 13:49:34 UTC

solr authentication configuration

Hello there,
we have issues setting up Solr authentication/authorization using /var/solr/data/security.json. We are using version 8.11.1 in standalone mode.

Here is our redacted security.json:

{
   "authentication":{
      "class":"solr.BasicAuthPlugin",
      "blockUnknown": true,
      "credentials":{
         "readuser":"...",
         "writeuser": "..."
      }
   },
   "authorization":{
      "class":"solr.RuleBasedAuthorizationPlugin",
      "user-role":{
         "readuser": "read",
         "writeuser": "write"
      },
      "permissions":[
         { "name": "read", "role": "read" },
         { "name": "all", "role": "write"}
      ]
   }
}


We want readuser to be able to read, and writeuser to do anything... BUT, in reality, readuser can read, but we get "403 Unauthorized request" if writeuser tries to read. If we put "{ "name": "all", "role": "write"}" in the first position of the array, then writeuser can do everything, and readuser gets "403 Unauthorized request".

Any idea of what is happening here?
Thanks


Thanks,
Matteo




Fondazione The Microsoft Research - University of Trento Centre for Computational and Systems Biology (COSBI)
Piazza Manifattura 1,  38068 Rovereto (TN), Italy
tomasoni@cosbi.eu
http://www.cosbi.eu

Re: solr authentication configuration

Posted by Jan Høydahl <ja...@cominvent.com>.
Rules are evaluated top-down. So in your permissions you have said that for a read request, you need the role "read". But you have not assigned that role to the writeuser. The "all" permission means that for all other operations than read, you need the "write" role, which works. So just give your "writeuser" both roles and you should be fine.


I recommend you use the Security page of Admin UI for easier editing.

Jan                            
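
The top-down evaluation described in the reply above can be reproduced with a small model. This is an added example, not part of the original thread and not Solr's code; the request kinds "read" and "update" and all function names are assumptions made for the illustration.

```python
# Simplified first-match model of the rule evaluation described in the reply.
# Not Solr's implementation: request kinds and function names are hypothetical.

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def matches(permission_name, request_kind):
    # In this model "all" covers every request, "read" only read requests.
    return permission_name == "all" or permission_name == request_kind

def authorize(user, request_kind, user_role, permissions):
    """Return 200/403 from the first matching permission, None if none match."""
    roles = set(_as_list(user_role.get(user, [])))
    for perm in permissions:                      # top-down: order matters
        if matches(perm["name"], request_kind):
            return 200 if roles & set(_as_list(perm["role"])) else 403
    return None

def outcome_table(user_role, permissions):
    return {(u, k): authorize(u, k, user_role, permissions)
            for u in user_role for k in ("read", "update")}

# Configuration from the thread (credentials omitted).
PERMISSIONS = [{"name": "read", "role": "read"}, {"name": "all", "role": "write"}]
ORIGINAL_ROLES = {"readuser": "read", "writeuser": "write"}
# The reply's suggestion: writeuser holds both roles.
FIXED_ROLES = {"readuser": "read", "writeuser": ["read", "write"]}

if __name__ == "__main__":
    cases = [("original", ORIGINAL_ROLES, PERMISSIONS),
             ("'all' first", ORIGINAL_ROLES, PERMISSIONS[::-1]),
             ("writeuser with both roles", FIXED_ROLES, PERMISSIONS)]
    for label, roles, perms in cases:
        print(label)
        for (user, kind), status in outcome_table(roles, perms).items():
            print(f"  {user:9} {kind:6} -> {status}")
```

The first two cases reproduce the 403 responses reported in the question; the third shows readuser still limited to reads while writeuser passes both rules.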
