Posted to issues@lucene.apache.org by "Jason Gerlowski (Jira)" <ji...@apache.org> on 2019/10/10 13:19:00 UTC

[jira] [Comment Edited] (SOLR-13472) HTTP requests to a node that does not hold a core of the collection are unauthorized

    [ https://issues.apache.org/jira/browse/SOLR-13472?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16948570#comment-16948570 ] 

Jason Gerlowski edited comment on SOLR-13472 at 10/10/19 1:18 PM:
------------------------------------------------------------------

For those on Solr versions without this fix, there is a (partial) workaround worth trying out.

As best as I can tell, this issue only affected Rule-Based Auth's "predefined" permissions - custom permissions still work as expected.  So to work around this, administrators may replace their predefined permissions with equivalent custom permissions.  For example, the {{read}} predefined permission can be replaced with the following custom permissions:

{code}
      {   
        "name": "custom-read-all-verbs",
        "role": [ ... ],
        "collection": "*",
        "path": ["/analytics", "/graph", "/sql", "/stream", "/export", "/get", "/terms", "/update/extract", "/select", "/query", "/browse", "/spell", "/tvrh", "/elevate"]
      },  
      {   
        "name": "custom-read-get-only",
        "role": [ ... ],
        "collection": "*",
        "method": "GET",
        "path": ["/blob"]
      },
{code}


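The workaround above can be applied mechanically. The following script is an added example, not code from the Jira comment or from the Solr project: it reads a security.json document, reports which permissions are still predefined ones, and rewrites every predefined {{read}} entry into the two custom permissions listed in the comment, carrying over the original role(s) and collection so the permission order is unchanged. The "no path key means predefined" heuristic and the sample security.json (modelled on the one in the issue, with placeholder hashes) are assumptions made for this example.

```python
import copy
import json

# Paths from the workaround in the comment above: the predefined "read"
# permission is split into a path-based permission for all HTTP verbs and a
# GET-only permission for /blob.
READ_ALL_VERBS_PATHS = [
    "/analytics", "/graph", "/sql", "/stream", "/export", "/get", "/terms",
    "/update/extract", "/select", "/query", "/browse", "/spell", "/tvrh",
    "/elevate",
]
READ_GET_ONLY_PATHS = ["/blob"]


def is_predefined(permission: dict) -> bool:
    """Heuristic (assumption for this example): an entry that carries no 'path'
    key is one of Solr's predefined permissions, since custom permissions are
    matched by path."""
    return "path" not in permission


def predefined_permissions_in_use(security: dict) -> list:
    """Names of predefined permissions still present in the authorization block."""
    perms = security.get("authorization", {}).get("permissions", [])
    return [p["name"] for p in perms if is_predefined(p)]


def expand_read_permission(security: dict) -> dict:
    """Return a deep copy of security.json in which every predefined 'read'
    permission is replaced, in place in the list, by the two custom permissions
    from the workaround. Role(s) and collection are kept; other entries are
    left untouched."""
    out = copy.deepcopy(security)
    perms = out.get("authorization", {}).get("permissions", [])
    rewritten = []
    for p in perms:
        if p.get("name") == "read" and is_predefined(p):
            role = p.get("role", [])
            collection = p.get("collection", "*")
            rewritten.append({
                "name": "custom-read-all-verbs",
                "role": role,
                "collection": collection,
                "path": list(READ_ALL_VERBS_PATHS),
            })
            rewritten.append({
                "name": "custom-read-get-only",
                "role": role,
                "collection": collection,
                "method": "GET",
                "path": list(READ_GET_ONLY_PATHS),
            })
        else:
            rewritten.append(p)
    out.setdefault("authorization", {})["permissions"] = rewritten
    return out


# Constructed sample modelled on the security.json in the issue description;
# the password hashes are placeholders, not real credentials.
SAMPLE_SECURITY_JSON = """
{
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "solr": "<placeholder hash>",
      "indexer_app": "<placeholder hash>",
      "read_user": "<placeholder hash>"
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "read", "role": "*"},
      {"name": "update", "role": ["indexer", "admin"]},
      {"name": "all", "role": "admin"}
    ],
    "user-role": {"solr": "admin", "indexer_app": "indexer"}
  }
}
"""


def load_sample() -> dict:
    """Parse the constructed sample above."""
    return json.loads(SAMPLE_SECURITY_JSON)


if __name__ == "__main__":
    security = load_sample()
    print("predefined before:", predefined_permissions_in_use(security))
    patched = expand_read_permission(security)
    print("predefined after: ", predefined_permissions_in_use(patched))
    print(json.dumps(patched["authorization"]["permissions"], indent=2))
```

Only the {{read}} entry is rewritten; {{update}} and {{all}} are reported as still predefined so an administrator can decide whether they need the same treatment. The replacements take the original entry's position in the list, so the relative order of the permissions is unchanged.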

> HTTP requests to a node that does not hold a core of the collection are unauthorized
> ------------------------------------------------------------------------------------
>
>                 Key: SOLR-13472
>                 URL: https://issues.apache.org/jira/browse/SOLR-13472
>             Project: Solr
>          Issue Type: Bug
>          Components: Authorization
>    Affects Versions: 7.7.1, 8.0
>            Reporter: adfel
>            Assignee: Ishan Chattopadhyaya
>            Priority: Minor
>              Labels: security
>             Fix For: 8.2
>
>         Attachments: SOLR-13472.patch, SOLR-13472.patch
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> When creating a collection in SolrCloud, the collection is available for queries and updates through all Solr nodes, in particular nodes that do not hold one of the collection's cores. This is expected behaviour that works when using the SolrJ client or HTTP requests.
> When enabling authorization rules it seems that this behaviour is broken for HTTP requests:
>  - executing a request to a node that holds part of the collection (a core) obeys the authorization rules as expected.
>  - other nodes respond with code 403 - unauthorized request.
> SolrJ still works as expected.
> Tested both with BasicAuthPlugin and KerberosPlugin authentication plugins.
> +Steps to reproduce:+
> 1. Create a cloud made of 2 nodes (node_1, node_2).
> 2. Configure authentication and authorization by uploading following security.json file to zookeeper:
>  
> {code:java}
> {
>  "authentication": {
>    "blockUnknown": true,
>    "class": "solr.BasicAuthPlugin",
>    "credentials": {
>      "solr": "'solr' user password_hash",
>      "indexer_app": "'indexer_app' password_hash",
>      "read_user": "'read_user' password_hash"
>    }
>  },
>  "authorization": {
>    "class": "solr.RuleBasedAuthorizationPlugin",
>    "permissions": [
>      {
>        "name": "read",
>        "role": "*"
>      },
>      {
>        "name": "update",
>        "role": [
>          "indexer",
>          "admin"
>        ]
>      },
>      {
>        "name": "all",
>        "role": "admin"
>      }
>    ],
>    "user-role": {
>      "solr": "admin",
>      "indexer_app": "indexer"
>    }
>  }
> }{code}
>  
> 3. Create a 'test' collection with one shard on *node_1*.
> -- 
> The following requests are expected to succeed but return 403 status (unauthorized request):
> {code:java}
> curl -u read_user:read_user "http://node_2/solr/test/select?q=*:*"
> curl -u indexer_app:indexer_app "http://node_2/solr/test/select?q=*:*"
> curl -u indexer_app:indexer_app "http://node_2/solr/test/update?commit=true"
> {code}
>  
> Authenticated '_solr_' user requests work as expected. My guess is that this is due to the special '_all_' role.


