Posted to users@solr.apache.org by Dominique Bejean <do...@eolya.fr> on 2022/04/02 13:15:03 UTC

Rule-Based Authorization Plugins with JWT Authentication Plugin

Hi,

I am testing the JWT Authentication Plugin with a Keycloak IdP.

The Rule-Based Authorization Plugin denies access to some Solr endpoints.
According to the logs, I don't understand why.

For example, in this log line we see that
the requested roles are "solr", "solr:admin" or "consoleread", and
the user roles are [profile, solr, admin, email].

The determineIfPermissionPermitsPrincipal method in
RuleBasedAuthorizationPluginBase.java should allow access.

    Set<String> userRoles = getUserRoles(principal);
    for (String role : governingPermission.role) {
      if (userRoles != null && userRoles.contains(role)) {
        log.debug("Governing permission [{}] allows access to role [{}]; permitting access", governingPermission, role);
        return MatchStatus.PERMITTED;
      }
    }
    log.info("This resource is configured to have a permission {}, The principal {} does not have the right role ", governingPermission, principal);
    return MatchStatus.FORBIDDEN;

governingPermission.role = "solr", "solr:admin", "consoleread"
userRoles = profile, solr, admin, email

The "solr" role should match!?


2022-04-02 12:33:12.693 INFO  (qtp1406253491-27) [   ]
o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to
have a permission {
  "collection":null,
  "path":[
    "/admin/info",
    "/admin/info/threads",
    "/admin/info/system",
    "/admin/info/properties"],
  "role":[
    "solr",
    "solr:admin",
    "consoleread"],
  "index":7}, The principal
JWTPrincipalWithUserRoles{username='89c48f69-eead-44ee-bf37-741e2d661b77',
token='*****', claims={exp=1648903285, iat=1648902385,
auth_time=1648902256, jti=1838b4df-801a-410e-903a-f4b9ced085fc, iss=
https://localhost:8443/auth/realms/solr,
sub=89c48f69-eead-44ee-bf37-741e2d661b77, typ=Bearer, azp=solr-app,
nonce=25kzdeinhb9dqflogqy4id8a8zmiyvpkg,
session_state=34ed4051-8cc1-45da-a25e-67054087af34, acr=0,
realm_access={roles=[solr:admin]},
resource_access={solr-app={roles=[solr:admin]}}, scope=openid profile solr
admin email, sid=34ed4051-8cc1-45da-a25e-67054087af34, email_verified=true,
preferred_username=solradmin, given_name=, family_name=}, roles=[profile,
solr, admin, email]} does not have the right role

Any suggestions?

Regards

Dominique

Re: Rule-Based Authorization Plugins with JWT Authentication Plugin

Posted by Dominique Bejean <do...@eolya.fr>.
Hi,

I am replying to myself.
I had to go into debug mode in order to see that Set<String> userRoles =
getUserRoles(principal); was returning null, due to the fact that the username
attribute in the principal was the Keycloak user uuid (the default sub
attribute value) and not the preferred_username.

I fixed this in security.json by adding "principalClaim":
"preferred_username" to the authentication settings.

{
  "authentication":{
    "blockUnknown": true,
    "class":"solr.JWTAuthPlugin",
    "principalClaim": "preferred_username",
    ...

Dominique

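The failure mode described in this thread, re-created as an added example (constructed here, not Solr's own code): the principal name is taken from the claim named by principalClaim (default sub), RuleBasedAuthorizationPlugin looks that name up in the user-role map of security.json, and a missing entry yields null roles and therefore FORBIDDEN even though the permission lists "solr". The claims, the security.json fragment and the path-only permission lookup are simplified, assumed inputs.

```python
"""Simplified model of Solr's JWT principal naming plus rule-based role check.
Not Solr's code: permission matching is reduced to an exact path match."""

# Constructed JWT claims, modelled on the log line in the thread.
CLAIMS = {
    "sub": "89c48f69-eead-44ee-bf37-741e2d661b77",
    "preferred_username": "solradmin",
    "scope": "openid profile solr admin email",
}

# Constructed security.json "authorization" fragment (assumed layout).
AUTHORIZATION = {
    "user-role": {"solradmin": ["solr", "admin"]},
    "permissions": [
        {"path": ["/admin/info", "/admin/info/threads",
                  "/admin/info/system", "/admin/info/properties"],
         "role": ["solr", "solr:admin", "consoleread"], "index": 7},
    ],
}


def principal_name(claims, principal_claim="sub"):
    """Mirror of JWTAuthPlugin's principalClaim selection (default: sub)."""
    return claims[principal_claim]


def get_user_roles(authorization, name):
    """Mirror of RuleBasedAuthorizationPlugin.getUserRoles: the principal
    name is looked up in user-role; an unknown name yields None (Java null)."""
    return authorization["user-role"].get(name)


def determine_if_permission_permits(permission, user_roles):
    """Same loop as determineIfPermissionPermitsPrincipal quoted above."""
    for role in permission["role"]:
        if user_roles is not None and role in user_roles:
            return "PERMITTED"
    return "FORBIDDEN"


def check(principal_claim, path="/admin/info/system"):
    """Return (principal name, decision) for a request to `path`."""
    name = principal_name(CLAIMS, principal_claim)
    perm = next(p for p in AUTHORIZATION["permissions"] if path in p["path"])
    roles = get_user_roles(AUTHORIZATION, name)
    return name, determine_if_permission_permits(perm, roles)


if __name__ == "__main__":
    print(check("sub"))                 # uuid is not in user-role -> FORBIDDEN
    print(check("preferred_username"))  # solradmin has "solr"      -> PERMITTED
```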