Posted to dev@lucene.apache.org by "Jan Høydahl (JIRA)" <ji...@apache.org> on 2017/05/07 18:31:04 UTC

[jira] [Commented] (SOLR-9804) Rule-Based Authorization Plugin does not secure access for update operations

    [ https://issues.apache.org/jira/browse/SOLR-9804?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15999986#comment-15999986 ] 

Jan Høydahl commented on SOLR-9804:
-----------------------------------

[~ctargett], do you want to open a separate issue for the {{collection:null}} issue, if you believe it is a real one?

Regarding this issue, we should either be explicit and return an exception, e.g. "Not updated, version N already in ZK", or we should disregard any version in the JSON and let it always succeed, with the risk that two admins edit the same config without knowing it and the last one wins.

> Rule-Based Authorization Plugin does not secure access for update operations
> ----------------------------------------------------------------------------
>
>                 Key: SOLR-9804
>                 URL: https://issues.apache.org/jira/browse/SOLR-9804
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security
>    Affects Versions: 6.3
>         Environment: Linux:
> # uname -a
> Linux hostname 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
> /solr -version
> 6.3.0
>            Reporter: Sleem
>              Labels: authorization, security, update
>
> It looks like the /update path is not filtered by the Rule-Based Authorization Plugin. Even if you set permission using the path permission "/update" or the pre-defined permission "update". Below is the security.json
> {code:JavaScript}
> {
>   "authentication":{
>     "class":"solr.BasicAuthPlugin",
>     "blockUnknown":true,
>     "credentials":{
>       "admin":"JrcQ8Lh/xKmucz9CaGVXwTpXxGSUZOt32i6W2f4tIfY= PuAJx8DjI0Ozy2gQXteG5KfRAbOmXuRFZVjHbrIIzVk=",
>       "update":"tFdQLTQd9qXAStQek5xQQPlVcmXgjI/w4+9rjAZyqTU= by0LXUAdNAtcJW+DuycI2zc4NyDjCiexOgMaqEFIklU=",
>       "solr":"GglOeZytbUBCKW8QT1H7kVs0eHc0x8+iNmpz7x8DKMI= 5JR1Ul8QehmP3nb2U6Bc/N1qwrQljLfiKPTxm35FikA="}},
>   "authorization":{
>     "class":"solr.RuleBasedAuthorizationPlugin",
>     "user-role":{
>       "admin":["admin_role"],
>       "update":["update_role"],
>       "solr":["read_role"]},
>     "permissions":[
>       {
>         "collection":null,
>         "name":"security-edit",
>         "role":["admin_role"],
>         "index":1},
>       {
>         "collection":null,
>         "name":"schema-edit",
>         "role":["admin_role"],
>         "index":2},
>       {
>         "collection":null,
>         "name":"config-edit",
>         "role":["admin_role"],
>         "index":3},
>       {
>         "collection":null,
>         "name":"core-admin-edit",
>         "role":["admin_role"],
>         "index":4},
>       {
>         "collection":null,
>         "name":"collection-admin-edit",
>         "role":["admin_role"],
>         "index":5},
>       {
>         "collection":null,
>         "name":"security-read",
>         "role":["admin_role"],
>         "index":6},
>       {
>         "collection":null,
>         "name":"schema-read",
>         "role":[
>           "admin_role",
>           "update_role"],
>         "index":7},
>       {
>         "collection":null,
>         "name":"core-admin-read",
>         "role":[
>           "admin_role",
>           "update_role"],
>         "index":8},
>       {
>         "collection":null,
>         "name":"config-read",
>         "role":[
>           "admin_role",
>           "update_role"],
>         "index":9},
>       {
>         "collection":null,
>         "name":"collection-admin-read",
>         "role":[
>           "admin_role",
>           "update_role"],
>         "index":10},
>       {
>         "collection":null,
>         "name":"update",
>         "role":[
>           "admin_role",
>           "update_role"],
>         "index":11},
>       {
>         "collection":null,
>         "name":"read",
>         "role":[
>           "admin_role",
>           "update_role",
>           "read_role"],
>         "index":12},
>       {
>         "collection":null,
>         "name":"all",
>         "role":["admin_role"],
>         "index":13},
>       {
>         "collection":null,
>         "path":"/*",
>         "role":["admin_role"],
>         "index":14}],
>     "":{"v":138}}}
> {code}
> I have tested update using SolrJ and by hitting /update in the browser using the solr user (who has no rights to update). Both updates succeeded.
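As an added example (not code from the issue, from Solr, or from anyone in the thread), a small Python helper for reviewing a security.json of the shape quoted above: it resolves which users reach a named permission through user-role, reads the `"": {"v": N}` ZooKeeper version marker, and strips that marker before re-posting, since the comment above notes that an update carrying a version already in ZK may not be applied. The sample document is a constructed, trimmed copy of the quoted file with the credential hashes replaced by placeholders.

```python
import json

# Constructed sample: trimmed copy of the security.json quoted in the issue.
# The reporter's file has 14 permissions; three are enough to show the checks.
SAMPLE = json.loads("""
{
  "authentication": {"class": "solr.BasicAuthPlugin", "blockUnknown": true,
    "credentials": {"admin": "<hash>", "update": "<hash>", "solr": "<hash>"}},
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {"admin": ["admin_role"], "update": ["update_role"], "solr": ["read_role"]},
    "permissions": [
      {"collection": null, "name": "security-edit", "role": ["admin_role"], "index": 1},
      {"collection": null, "name": "update", "role": ["admin_role", "update_role"], "index": 11},
      {"collection": null, "name": "read", "role": ["admin_role", "update_role", "read_role"], "index": 12}],
    "": {"v": 138}}}
""")

VERSION_KEY = ""  # Solr records the ZooKeeper version under the empty-string key: {"": {"v": 138}}


def version_of(doc, section):
    """ZK version recorded in a section ('authentication' or 'authorization'), or None."""
    return doc.get(section, {}).get(VERSION_KEY, {}).get("v")


def strip_version(doc):
    """Copy of the document without version markers, for re-posting: per the comment
    above, an update that carries a version already in ZK may silently not be applied."""
    return {sec: {k: v for k, v in body.items() if k != VERSION_KEY}
            for sec, body in doc.items()}


def update_applied(before, after, section="authorization"):
    """True only if the section's ZK version advanced, i.e. the update was not a silent no-op."""
    vb, va = version_of(before, section), version_of(after, section)
    return vb is not None and va is not None and va > vb


def users_with_permission(doc, name):
    """Users that reach the named permission via user-role -> the permission's role list.
    Solr accepts a single role string or a list, so both forms are normalised here."""
    authz = doc["authorization"]
    roles = set()
    for perm in authz["permissions"]:
        if perm.get("name") == name:
            role = perm.get("role", [])
            roles.update([role] if isinstance(role, str) else role)
    return {user for user, user_roles in authz["user-role"].items() if set(user_roles) & roles}
```

Resolving the "update" permission over the sample yields only admin and update, the grant the reporter expected; comparing version_of on the document before and after a POST is the quick way to tell whether the change actually landed in ZK.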


