Posted to solr-user@lucene.apache.org by Isabelle Giguere <ig...@opentext.com.INVALID> on 2020/05/12 16:34:28 UTC

Rule-Based Auth - update not working

Hi;

I'm using Solr 8.5.0.

I'm having trouble setting up some permissions using the rule-based authorization plugin: https://lucene.apache.org/solr/guide/8_5/rule-based-authorization-plugin.html

I have 3 users: "admin", "search", and "indexer".

I have set permissions and user roles:
"permissions": [
  { "name": "all", "role": "admin", "index": 1 },
  { "name": "admin-luke", "collection": "*", "role": "luke", "index": 2, "path": "/admin/luke" },
  { "name": "read", "role": "searching", "index": 3 },
  { "name": "update", "role": "indexing", "index": 4 }
],
"user-role": {
  "admin": "admin",
  "search": ["searching", "luke"],
  "indexer": "indexing"
}
}
Attached: full output of GET /admin/authorization

So why can't user "indexer" add anything in a collection?  I always get HTTP 403 Forbidden.
Using Postman, I click the checkbox to show the password, so I'm sure I typed the right one.

Note that user "search" can't use the /select handler either, as should be the case with permission to "read".   This user can, however, use the Luke handler, as the custom permission allows.

User "admin" can use any API.  So at least the predefined permission "all" does work.

Note that the collections were created before enabling authentication and authorization.  Could that be the cause of the permission issues?

Thanks;

Isabelle Giguère
Computational Linguist & Java Developer
Linguiste informaticienne & développeur java



Re: Rule-Based Auth - update not working

Posted by Jason Gerlowski <ge...@gmail.com>.
One slight correction: I missed that you actually do have a
path/collection-specific permission in your list there.  So Solr will
check the permissions in descending list-order for most requests - the
exception being /luke requests when the /luke permission filters to
the top and is checked first.

We should really change this resolution order to be something more commonsense.

Jason

On Sun, May 17, 2020 at 2:52 PM Jason Gerlowski <ge...@gmail.com> wrote:
>
> Hi Isabelle,
>
> Two things to keep in mind with Solr's Rule-Based Authorization.
>
> 1. Each request is controlled by the first permission that matches
> the request.
> 2. With the permissions you have present, Solr will check them in
> descending list order.  (This isn't always true - collection-specific
> and path-specific permissions are given precedence, so you don't need
> to consider that.)
>
> As you can imagine given the rules above - permission order is very
> important.  In your case the "all" rule will match pretty much all
> requests, which explains why an "indexing" user can't actually index.
> Generally speaking, it's best to put the most specific rules first,
> with the broader ones coming later.
>
> For more information, see the "Permission Ordering and Resolution"
> section in the page you linked to in your request.
>
> Good luck, hope that helps.
>
> Jason
>
> On Tue, May 12, 2020 at 12:34 PM Isabelle Giguere
> <ig...@opentext.com.invalid> wrote:
> >
> > Hi;
> >
> > I'm using Solr 8.5.0.
> >
> > I'm having trouble setting up some permissions using the rule-based authorization plugin: https://lucene.apache.org/solr/guide/8_5/rule-based-authorization-plugin.html
> >
> > I have 3 users: "admin", "search", and "indexer".
> >
> > I have set permissions and user roles:
> > "permissions": [  {  "name": "all", "role": "admin", "index": 1  },
> >       { "name": "admin-luke", "collection": "*", "role": "luke", "index": 2, "path": "/admin/luke"  },
> >       { "name": "read", "role": "searching", "index": 3  },
> >       {  "name": "update", "role": "indexing", "index": 4 }    ],
> >     "user-role": {  "admin": "admin",
> >       "search": ["searching","luke"],
> >       "indexer": "indexing"   }  }
> > Attached: full output of GET /admin/authorization
> >
> > So why can't user "indexer" add anything in a collection ?  I always get HTTP 403 Forbidden.
> > Using Postman, I click the checkbox to show the password, so I'm sure I typed the right one.
> >
> > Note that user "search" can't use the /select handler either, as should be the case with permission to "read".   This user can, however, use the Luke handler, as the custom permission allows.
> >
> > User "admin" can use any API.  So at least the predefined permission "all" does work.
> >
> > Note that the collections were created before enabling authentication and authorization.  Could that be the cause of the permission issues ?
> >
> > Thanks;
> >
> > Isabelle Giguère
> > Computational Linguist & Java Developer
> > Linguiste informaticienne & développeur java
> >
> >

Re: Rule-Based Auth - update not working

Posted by Jason Gerlowski <ge...@gmail.com>.
Hi Isabelle,

Two things to keep in mind with Solr's Rule-Based Authorization.

1. Each request is controlled by the first permission that matches
the request.
2. With the permissions you have present, Solr will check them in
descending list order.  (This isn't always true - collection-specific
and path-specific permissions are given precedence, so you don't need
to consider that.)

As you can imagine given the rules above - permission order is very
important.  In your case the "all" rule will match pretty much all
requests, which explains why an "indexing" user can't actually index.
Generally speaking, it's best to put the most specific rules first,
with the broader ones coming later.

For more information, see the "Permission Ordering and Resolution"
section in the page you linked to in your request.

Good luck, hope that helps.

Jason

On Tue, May 12, 2020 at 12:34 PM Isabelle Giguere
<ig...@opentext.com.invalid> wrote:
>
> Hi;
>
> I'm using Solr 8.5.0.
>
> I'm having trouble setting up some permissions using the rule-based authorization plugin: https://lucene.apache.org/solr/guide/8_5/rule-based-authorization-plugin.html
>
> I have 3 users: "admin", "search", and "indexer".
>
> I have set permissions and user roles:
> "permissions": [  {  "name": "all", "role": "admin", "index": 1  },
>       { "name": "admin-luke", "collection": "*", "role": "luke", "index": 2, "path": "/admin/luke"  },
>       { "name": "read", "role": "searching", "index": 3  },
>       {  "name": "update", "role": "indexing", "index": 4 }    ],
>     "user-role": {  "admin": "admin",
>       "search": ["searching","luke"],
>       "indexer": "indexing"   }  }
> Attached: full output of GET /admin/authorization
>
> So why can't user "indexer" add anything in a collection ?  I always get HTTP 403 Forbidden.
> Using Postman, I click the checkbox to show the password, so I'm sure I typed the right one.
>
> Note that user "search" can't use the /select handler either, as should be the case with permission to "read".   This user can, however, use the Luke handler, as the custom permission allows.
>
> User "admin" can use any API.  So at least the predefined permission "all" does work.
>
> Note that the collections were created before enabling authentication and authorization.  Could that be the cause of the permission issues ?
>
> Thanks;
>
> Isabelle Giguère
> Computational Linguist & Java Developer
> Linguiste informaticienne & développeur java
>
>
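
The resolution order Jason describes in the two replies above, as an added example that is not part of the thread and not Solr's own code: a simplified Python model of first-match evaluation, run over the permission list as posted and over a reordered copy. The path patterns given to the predefined permissions, the function names and the reordered list are assumptions made for illustration.

```python
# Simplified model of the permission resolution described in this thread.
# Added example; not Solr's implementation.
from fnmatch import fnmatch

# Assumption: reduced path coverage for the predefined permissions on the page.
PREDEFINED = {"all": ["*"], "read": ["/select", "/get"],
              "update": ["/update", "/update/*"]}

# "user-role" mapping from the original post, normalised to lists.
USER_ROLES = {"admin": ["admin"], "search": ["searching", "luke"],
              "indexer": ["indexing"]}

# Permission list as posted ("all" first).
POSTED = [
    {"name": "all", "role": "admin"},
    {"name": "admin-luke", "collection": "*", "role": "luke",
     "path": "/admin/luke"},
    {"name": "read", "role": "searching"},
    {"name": "update", "role": "indexing"},
]
# Same rules with the broad "all" rule moved to the end (constructed).
REORDERED = POSTED[1:] + POSTED[:1]


def patterns(perm):
    """Path patterns a permission covers: its own path, or the predefined set."""
    return [perm["path"]] if "path" in perm else PREDEFINED[perm["name"]]


def deciding_permission(perms, path):
    """First permission matching the path. Path- or collection-specific
    permissions are tried first, the rest follow in list order."""
    specific = [p for p in perms if "path" in p or "collection" in p]
    generic = [p for p in perms if p not in specific]
    for perm in specific + generic:
        if any(fnmatch(path, pat) for pat in patterns(perm)):
            return perm
    return None


def status(perms, user, path):
    """HTTP status the model returns for user requesting path."""
    perm = deciding_permission(perms, path)
    if perm is None:
        return 200  # model assumption; unreachable while "all" is in the list
    return 200 if perm["role"] in USER_ROLES.get(user, []) else 403
```

With "all" last, the same first-match rule means "admin" is checked against "update" and "read" before "all" in this model, so that user needs the "indexing" and "searching" roles as well to keep update and read access.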