Posted to solr-user@lucene.apache.org by Jason Gerlowski <ge...@gmail.com> on 2020/11/25 13:30:52 UTC

Re: security.json help

Hi Mark,

It looks like you're using the "path" wildcard as it's intended, but
some bug is causing the behavior you're seeing.  It should be working
as you expected, but evidently it's not.

One potential workaround might be to leave out the "path" property
entirely in your "custom-example" permission.  When I do that (on Solr
8.6.2), I get the following behavior in the following pastebin link,
which looks close to what you're after: https://paste.apache.org/ygndt

Hope that helps!

Jason

On Mon, Oct 19, 2020 at 3:49 PM Mark Dadisman
<Ma...@dordt.edu.invalid> wrote:
>
> Hey, I'm new to configuring Solr. I'm trying to configure Solr with Rule Based Authorization. https://lucene.apache.org/solr/guide/8_6/rule-based-authorization-plugin.html
>
> I have permissions working if I allow everything with "all", but I want to limit access so that a site can only access its own collection, in addition to a server ping path, so I'm trying to add the collection-specific permission at the top:
>
>     "permissions": [
>       {
>         "name": "custom-example",
>         "collection": "example",
>         "path": "*",
>         "role": [
>           "admin",
>           "example"
>         ]
>       },
>       {
>         "name": "custom-collection",
>         "collection": "*",
>         "path": [
>           "/admin/luke",
>           "/admin/mbeans",
>           "/admin/system"
>         ],
>         "role": "*"
>       },
>       {
>         "name": "custom-ping",
>         "collection": null,
>         "path": [
>           "/admin/info/system"
>         ],
>         "role": "*"
>       },
>       {
>         "name": "all",
>         "role": "admin"
>       }
>     ]
>
> The rule "custom-ping" works, and "all" works. But when the above permissions are used, access is denied to the "example" user-role for collection "example" at the path "/solr/example/select". If I specify paths explicitly, the permissions work, but I can't get permissions to work with path wildcards for a specific collection.
>
> I also had to declare "custom-collection" with the specific paths needed to get collection info in order for those paths to work. I would've expected that these paths would be included in the collection-specific paths and be covered by the first rule, but they aren't. For example, the call to "/solr/example/admin/luke" will fail if the path is removed from this rule.
>
> I don't really want to specify every single path I might need to use. Am I using the path wildcard wrong somehow? Is there a better way to do collection-specific authorizations for a collection "example"?
>
> Thanks.
> - M
>
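The workaround from the reply, applied to rules taken from the question, as an added example (not part of either message and not Solr project code): the hypothetical helper `apply_workaround` drops `"path"` from collection-specific permissions that use the `"*"` wildcard and leaves rule order and every other rule untouched. The sample list is constructed from three of the quoted rules.

```python
import copy
import json

# Constructed sample: three of the rules quoted in the question above.
PERMISSIONS = json.loads("""
[
  {"name": "custom-example", "collection": "example", "path": "*",
   "role": ["admin", "example"]},
  {"name": "custom-ping", "collection": null,
   "path": ["/admin/info/system"], "role": "*"},
  {"name": "all", "role": "admin"}
]
""")


def is_wildcard_path(path):
    """True for the bare wildcard, written as a string or a one-item list."""
    return path == "*" or path == ["*"]


def apply_workaround(permissions):
    """Hypothetical helper: return (rewritten permissions, names changed).

    Only rules tied to a specific collection and using the "*" path are
    touched; rule order and the caller's list are left as they were.
    """
    fixed, changed = [], []
    for perm in permissions:
        perm = copy.deepcopy(perm)
        scoped = perm.get("collection") not in (None, "*")
        if scoped and is_wildcard_path(perm.get("path")):
            del perm["path"]  # the workaround: omit "path" entirely
            changed.append(perm.get("name"))
        fixed.append(perm)
    return fixed, changed


if __name__ == "__main__":
    fixed, changed = apply_workaround(PERMISSIONS)
    print("rewritten:", changed)
    print(json.dumps({"permissions": fixed}, indent=2))
```

After loading the rewritten rules, repeat the request that was denied in the question (the "example" role against "/solr/example/select") and confirm that a user without that role is still refused.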