You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@lucene.apache.org by "Ken Liccardo (Jira)" <ji...@apache.org> on 2021/02/26 21:18:00 UTC
[jira] [Created] (SOLR-15202) Rule-Based Authorization Plugin not
honoring "collection" permission parameter
Ken Liccardo created SOLR-15202:
-----------------------------------
Summary: Rule-Based Authorization Plugin not honoring "collection" permission parameter
Key: SOLR-15202
URL: https://issues.apache.org/jira/browse/SOLR-15202
Project: Solr
Issue Type: Bug
Security Level: Public (Default Security Level. Issues are Public)
Components: Authorization
Affects Versions: 8.8.1
Environment: Debian Buster, openjdk 11, Solr 8.8.1 stand-alone, installed as a service
Reporter: Ken Liccardo
It appears the "collection" parameter of authorization.permissions in security.json is not honored. That is, a request made to a collection endpoint by an unauthorized user(role) is allowed. For example, consider the following permissions entry in authorization section of security.json:
{{"permissions":[\{"name":"p1","collection":"col1","path":"/select","role":"col1-query"}]}}
A user who is NOT assigned role "col1-query" may still query this collection at the following endpoint:
{{[/solr/col1/select?q=id%3A*|http://myserver/solr/col1/select?q=id%3A*]}}
However, if the "collection" parameter is removed from the permissions as follows:
{{"permissions":[\{"name":"p1","path":"/select","role":"col1-query}]}}
then a user who is NOT assigned role "col1-query" is rightfully blocked from the endpoint with error 403.
In other words, the "collection" parameter, when present in security.json authorization.permissions section, is not being matched against the request, and therefore the restriction represented by this permissions entry is not enacted.
After further investigation by turning on debug logging for the RuleBasedAuthorizationPlugin and RuleBasedAuthorizationPluginBase, the authorization request is logged as follows:
{{o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/select] of type: [READ], associated with collections[[]]}}
So, even thought the request was made to collection "col1", for some reason this information is not being passed to the plugin, as represented by the empty collections array in the log message "... associated with collections [[ ]]". In the java code, RuleBasedAuthorizationPluginBase.java, this information appears to come from context.getCollectionRequests(), which appears to be returning an empty array [ ] instead of, I suppose, ["col1"] that one might expect from the request /solr/col1/select.
Whether this is a problem in solr.RuleBasedAuthorizationPlugin, or in whatever module passes the context object to the Plugin, I do not know at this point. But whatever the case, it renders impotent the potentially highly useful "collection" parameter that would allow us to restrict access by collection name.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org