Posted to users@solr.apache.org by Dominique Bejean <do...@eolya.fr> on 2022/04/02 13:15:03 UTC
Rule-Based Authorization Plugins with JWT Authentication Plugin
Hi,
I am testing the JWT Authentication Plugin with a Keycloak IdP.
The Rule-Based Authorization Plugin denies access to some Solr endpoints.
According to the logs, I don't understand why.
For example, in this log line we see that
requested roles are either "solr", "solr:admin", "consoleread"
user roles are [profile, solr, admin, email]
The determineIfPermissionPermitsPrincipal method in
RuleBasedAuthorizationPluginBase.java should allow access.
Set<String> userRoles = getUserRoles(principal);
for (String role : governingPermission.role) {
  if (userRoles != null && userRoles.contains(role)) {
    log.debug("Governing permission [{}] allows access to role [{}]; permitting access", governingPermission, role);
    return MatchStatus.PERMITTED;
  }
}
log.info("This resource is configured to have a permission {}, The principal {} does not have the right role ", governingPermission, principal);
return MatchStatus.FORBIDDEN;
governingPermission.role = "solr", "solr:admin", "consoleread"
userRoles = profile, solr, admin, email
The "solr" role should match!?
2022-04-02 12:33:12.693 INFO (qtp1406253491-27) [ ]
o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to
have a permission {
"collection":null,
"path":[
"/admin/info",
"/admin/info/threads",
"/admin/info/system",
"/admin/info/properties"],
"role":[
"solr",
"solr:admin",
"consoleread"],
"index":7}, The principal
JWTPrincipalWithUserRoles{username='89c48f69-eead-44ee-bf37-741e2d661b77',
token='*****', claims={exp=1648903285, iat=1648902385,
auth_time=1648902256, jti=1838b4df-801a-410e-903a-f4b9ced085fc, iss=
https://localhost:8443/auth/realms/solr,
sub=89c48f69-eead-44ee-bf37-741e2d661b77, typ=Bearer, azp=solr-app,
nonce=25kzdeinhb9dqflogqy4id8a8zmiyvpkg,
session_state=34ed4051-8cc1-45da-a25e-67054087af34, acr=0,
realm_access={roles=[solr:admin]},
resource_access={solr-app={roles=[solr:admin]}}, scope=openid profile solr
admin email, sid=34ed4051-8cc1-45da-a25e-67054087af34, email_verified=true,
preferred_username=solradmin, given_name=, family_name=}, roles=[profile,
solr, admin, email]} does not have the right role
Any suggestions?
Regards
Dominique
Re: Rule-Based Authorization Plugins with JWT Authentication Plugin
Posted by Dominique Bejean <do...@eolya.fr>.
Hi,
I reply to myself.
I had to go into debug mode to see that Set<String> userRoles =
getUserRoles(principal); was returning null because the username
attribute in the principal was the Keycloak user UUID (the default sub
attribute value) and not the preferred_username.
I fixed this in security.json by adding "principalClaim":
"preferred_username" to the authentication settings.
{
  "authentication":{
    "blockUnknown": true,
    "class":"solr.JWTAuthPlugin",
    "principalClaim": "preferred_username",
    ...
Dominique
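The failure mode the two messages describe, as an added illustration that is not Solr's code: a simplified Python model of the role lookup and the permission loop quoted above, using claims constructed from the logged token and a hypothetical user-role mapping keyed by login name, to show why the principalClaim choice decides whether getUserRoles finds anything.

```python
from enum import Enum


class MatchStatus(Enum):
    PERMITTED = "PERMITTED"
    FORBIDDEN = "FORBIDDEN"


# Constructed claims, modelled on the token in the log (relevant fields only).
CLAIMS = {
    "sub": "89c48f69-eead-44ee-bf37-741e2d661b77",
    "preferred_username": "solradmin",
    "scope": "openid profile solr admin email",
}

# Constructed security.json pieces: the permission's roles from the log, plus a
# hypothetical "user-role" section that maps the human-readable login name.
PERMISSION_ROLES = ["solr", "solr:admin", "consoleread"]
USER_ROLE = {"solradmin": ["solr", "admin"]}


def principal_name(claims, principal_claim="sub"):
    """The principal is named after one claim; "sub" is the default."""
    return claims[principal_claim]


def get_user_roles(username, user_role_map):
    """Mirror getUserRoles(): look the principal name up in the user-role map.
    An unknown name yields None, exactly like the Java code quoted in the thread."""
    return user_role_map.get(username)


def determine_permission(permission_roles, user_roles):
    """Mirror the role loop of determineIfPermissionPermitsPrincipal()."""
    for role in permission_roles:
        if user_roles is not None and role in user_roles:
            return MatchStatus.PERMITTED
    return MatchStatus.FORBIDDEN


def authorize(claims, principal_claim):
    """Return (principal name, roles found, decision) for one principalClaim setting."""
    name = principal_name(claims, principal_claim)
    roles = get_user_roles(name, USER_ROLE)
    return name, roles, determine_permission(PERMISSION_ROLES, roles)


if __name__ == "__main__":
    for claim in ("sub", "preferred_username"):
        print(claim, "->", authorize(CLAIMS, claim))
```

With "sub" the lookup key is the UUID, the map returns None and the loop can only reach FORBIDDEN; with "preferred_username" the same token resolves to "solradmin" and the "solr" role matches.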