Posted to issues@solr.apache.org by "Clemens Fuchslocher (Jira)" <ji...@apache.org> on 2022/03/28 14:47:00 UTC

[jira] [Comment Edited] (SOLR-13097) RuleBasedAuthorizationPlugin is not fully functional in Solr standalone mode

    [ https://issues.apache.org/jira/browse/SOLR-13097?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17513424#comment-17513424 ] 

Clemens Fuchslocher edited comment on SOLR-13097 at 3/28/22, 2:46 PM:
----------------------------------------------------------------------

Is there really no way to limit the access of a user to a specific core in standalone mode?

Isn't this a very common use case?

I tried the following security.json with Solr 8.11.1 but it doesn't work as expected:

{noformat}
$ cat /srv/solr/cores/security.json
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "earth": "4c5xodAKcIQ80W/5DpI2ozHLk6jWxzJud/m8VkZI44E= YnlnMUZDRnNNUw==",
      "moon": "mIKfAsu2By/DyxFFklEx0jmHTpjyP/TjXQH0+UN86gQ= QkxDcjJKSVREaA==",
      "admin": "I0nDN1AwXieTf9rMw6+CmJ+CtxKqjfNi2f3JwmRTk3c= eDZqMVZ5VWFFVw=="
    },
    "blockUnknown": true
  },

  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {
      "earth": "earth_role",
      "moon": "moon_role",
      "admin": "admin_role"
    },

    "permissions": [
      { "role": "earth_role", "collection": "earth_core", "name": "read" },
      { "role": "earth_role", "collection": "earth_core", "name": "update" },
      { "role": "moon_role", "collection": "moon_core", "name": "read" },
      { "role": "moon_role", "collection": "moon_core", "name": "update" },
      { "role": "admin_role", "name": "all" }
    ]
  }
}
{noformat}

{noformat}
$ cat /srv/solr/cores/earth_core/core.properties 
name=earth_core
collection=earth_core
{noformat}

{noformat}
$ cat /srv/solr/cores/moon_core/core.properties
name=moon_core
collection=moon_core
{noformat}

h4. 1. (/) User admin should be able to access the earth_core:

{noformat}
$ curl 'http://admin:...@127.0.0.1:8983/solr/earth_core/query?q=*:*&indent=true'
{
  "responseHeader":{
    "status":0,
    "QTime":0,
    "params":{
      "q":"*:*",
      "indent":"true"}},
  "response":{"numFound":0,"start":0,"numFoundExact":true,"docs":[]
  }}
{noformat}

solr.log:

{noformat}
DEBUG (qtp1910936570-19) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-19) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, checking perms applicable to all (*) collections
DEBUG (qtp1910936570-19) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
  "role":"admin_role",
  "name":"all"}] to govern resource [/query]
DEBUG (qtp1910936570-19) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Governing permission [{
  "role":"admin_role",
  "name":"all"}] allows access to role [admin_role]; permitting access
...
INFO  (qtp1910936570-19) [   x:earth_core] o.a.s.c.S.Request [earth_core]  webapp=/solr path=/query params={q=*:*&indent=true} hits=0 status=0 QTime=152
...
{noformat}

h4. 2. (/) User admin should be able to access the moon_core:

{noformat}
$ curl 'http://admin:...@127.0.0.1:8983/solr/moon_core/query?q=*:*&indent=true'
{
"responseHeader":{
"status":0,
"QTime":1,
"params":{
  "q":"*:*",
  "indent":"true"}},
"response":{"numFound":0,"start":0,"numFoundExact":true,"docs":[]
}}
{noformat}

solr.log:

{noformat}
...
DEBUG (qtp1910936570-23) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-23) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, checking perms applicable to all (*) collections
DEBUG (qtp1910936570-23) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
  "role":"admin_role",
  "name":"all"}] to govern resource [/query]
DEBUG (qtp1910936570-23) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Governing permission [{
  "role":"admin_role",
  "name":"all"}] allows access to role [admin_role]; permitting access
...
INFO  (qtp1910936570-23) [   x:moon_core] o.a.s.c.S.Request [moon_core]  webapp=/solr path=/query params={q=*:*&indent=true} hits=0 status=0 QTime=0
...
{noformat}

h4. 1. (x) User earth should be able to access the earth_core:

This doesn't work.

{noformat}
$ curl 'http://earth:...@127.0.0.1:8983/solr/earth_core/query?q=*:*&indent=true'
...
<title>Error 403 Unauthorized request, Response code: 403</title>
...
{noformat}

solr.log:

{noformat}
...
DEBUG (qtp1910936570-15) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-15) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, checking perms applicable to all (*) collections
DEBUG (qtp1910936570-15) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
  "role":"admin_role",
  "name":"all"}] to govern resource [/query]
INFO  (qtp1910936570-15) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have a permission {
  "role":"admin_role",
  "name":"all"}, The principal org.apache.solr.security.BasicAuthPlugin$BasicAuthUserPrincipal@655d88ca[username=earth,pwd=*****] does not have the right role
...
{noformat}

h4. 2. (/) User earth should not be able to access the moon_core:

{noformat}
$ curl 'http://earth:...@127.0.0.1:8983/solr/moon_core/query?q=*:*&indent=true'
...
<title>Error 403 Unauthorized request, Response code: 403</title>
...
{noformat}

solr.log:

{noformat}
...
DEBUG (qtp1910936570-19) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-19) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, checking perms applicable to all (*) collections
DEBUG (qtp1910936570-19) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
  "role":"admin_role",
  "name":"all"}] to govern resource [/query]
INFO  (qtp1910936570-19) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have a permission {
  "role":"admin_role",
  "name":"all"}, The principal org.apache.solr.security.BasicAuthPlugin$BasicAuthUserPrincipal@596514d2[username=earth,pwd=*****] does not have the right role
...
{noformat}

h4. 3. (x) User moon should be able to access the moon_core:

This doesn't work.

{noformat}
$ curl 'http://moon:...@127.0.0.1:8983/solr/moon_core/query?q=*:*&indent=true'
...
<body><h2>HTTP ERROR 403 Unauthorized request, Response code: 403</h2>
...
{noformat}

solr.log:

{noformat}
...
DEBUG (qtp1910936570-19) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-19) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, checking perms applicable to all (*) collections
DEBUG (qtp1910936570-19) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
  "role":"admin_role",
  "name":"all"}] to govern resource [/query]
INFO  (qtp1910936570-19) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have a permission {
  "role":"admin_role",
  "name":"all"}, The principal org.apache.solr.security.BasicAuthPlugin$BasicAuthUserPrincipal@2e6cb515[username=moon,pwd=*****] does not have the right role
...
{noformat}

h4. 4. (/) User moon should not be able to access the earth_core:

{noformat}
$ curl 'http://moon:...@127.0.0.1:8983/solr/earth_core/query?q=*:*&indent=true'
...
<title>Error 403 Unauthorized request, Response code: 403</title>
...
{noformat}

solr.log:

{noformat}
...
DEBUG (qtp1910936570-22) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-22) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, checking perms applicable to all (*) collections
DEBUG (qtp1910936570-22) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
  "role":"admin_role",
  "name":"all"}] to govern resource [/query]
INFO  (qtp1910936570-22) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have a permission {
  "role":"admin_role",
  "name":"all"}, The principal org.apache.solr.security.BasicAuthPlugin$BasicAuthUserPrincipal@68706e69[username=moon,pwd=*****] does not have the right role
...
{noformat}


was (Author: JIRAUSER287205):
Is there really no way to limit the access of a user to a specific core in standalone mode?

Isn't this a very common use case?

I tried the following security.json but it doesn't work as expected:

{noformat}
$ cat /srv/solr/cores/security.json
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "earth": "4c5xodAKcIQ80W/5DpI2ozHLk6jWxzJud/m8VkZI44E= YnlnMUZDRnNNUw==",
      "moon": "mIKfAsu2By/DyxFFklEx0jmHTpjyP/TjXQH0+UN86gQ= QkxDcjJKSVREaA==",
      "admin": "I0nDN1AwXieTf9rMw6+CmJ+CtxKqjfNi2f3JwmRTk3c= eDZqMVZ5VWFFVw=="
    },
    "blockUnknown": true
  },

  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {
      "earth": "earth_role",
      "moon": "moon_role",
      "admin": "admin_role"
    },

    "permissions": [
      { "role": "earth_role", "collection": "earth_core", "name": "read" },
      { "role": "earth_role", "collection": "earth_core", "name": "update" },
      { "role": "moon_role", "collection": "moon_core", "name": "read" },
      { "role": "moon_role", "collection": "moon_core", "name": "update" },
      { "role": "admin_role", "name": "all" }
    ]
  }
}
{noformat}

{noformat}
$ cat /srv/solr/cores/earth_core/core.properties 
name=earth_core
collection=earth_core
{noformat}

{noformat}
$ cat /srv/solr/cores/moon_core/core.properties
name=moon_core
collection=moon_core
{noformat}

h4. 1. (/) User admin should be able to access the earth_core:

{noformat}
$ curl 'http://admin:...@127.0.0.1:8983/solr/earth_core/query?q=*:*&indent=true'
{
  "responseHeader":{
    "status":0,
    "QTime":0,
    "params":{
      "q":"*:*",
      "indent":"true"}},
  "response":{"numFound":0,"start":0,"numFoundExact":true,"docs":[]
  }}
{noformat}

solr.log:

{noformat}
DEBUG (qtp1910936570-19) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-19) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, checking perms applicable to all (*) collections
DEBUG (qtp1910936570-19) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
  "role":"admin_role",
  "name":"all"}] to govern resource [/query]
DEBUG (qtp1910936570-19) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Governing permission [{
  "role":"admin_role",
  "name":"all"}] allows access to role [admin_role]; permitting access
...
INFO  (qtp1910936570-19) [   x:earth_core] o.a.s.c.S.Request [earth_core]  webapp=/solr path=/query params={q=*:*&indent=true} hits=0 status=0 QTime=152
...
{noformat}

h4. 2. (/) User admin should be able to access the moon_core:

{noformat}
$ curl 'http://admin:...@127.0.0.1:8983/solr/moon_core/query?q=*:*&indent=true'
{
"responseHeader":{
"status":0,
"QTime":1,
"params":{
  "q":"*:*",
  "indent":"true"}},
"response":{"numFound":0,"start":0,"numFoundExact":true,"docs":[]
}}
{noformat}

solr.log:

{noformat}
...
DEBUG (qtp1910936570-23) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-23) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, checking perms applicable to all (*) collections
DEBUG (qtp1910936570-23) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
  "role":"admin_role",
  "name":"all"}] to govern resource [/query]
DEBUG (qtp1910936570-23) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Governing permission [{
  "role":"admin_role",
  "name":"all"}] allows access to role [admin_role]; permitting access
...
INFO  (qtp1910936570-23) [   x:moon_core] o.a.s.c.S.Request [moon_core]  webapp=/solr path=/query params={q=*:*&indent=true} hits=0 status=0 QTime=0
...
{noformat}

h4. 1. (x) User earth should be able to access the earth_core:

This doesn't work.

{noformat}
$ curl 'http://earth:...@127.0.0.1:8983/solr/earth_core/query?q=*:*&indent=true'
...
<title>Error 403 Unauthorized request, Response code: 403</title>
...
{noformat}

solr.log:

{noformat}
...
DEBUG (qtp1910936570-15) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-15) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, checking perms applicable to all (*) collections
DEBUG (qtp1910936570-15) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
  "role":"admin_role",
  "name":"all"}] to govern resource [/query]
INFO  (qtp1910936570-15) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have a permission {
  "role":"admin_role",
  "name":"all"}, The principal org.apache.solr.security.BasicAuthPlugin$BasicAuthUserPrincipal@655d88ca[username=earth,pwd=*****] does not have the right role
...
{noformat}

h4. 2. (/) User earth should not be able to access the moon_core:

{noformat}
$ curl 'http://earth:...@127.0.0.1:8983/solr/moon_core/query?q=*:*&indent=true'
...
<title>Error 403 Unauthorized request, Response code: 403</title>
...
{noformat}

solr.log:

{noformat}
...
DEBUG (qtp1910936570-19) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-19) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, checking perms applicable to all (*) collections
DEBUG (qtp1910936570-19) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
  "role":"admin_role",
  "name":"all"}] to govern resource [/query]
INFO  (qtp1910936570-19) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have a permission {
  "role":"admin_role",
  "name":"all"}, The principal org.apache.solr.security.BasicAuthPlugin$BasicAuthUserPrincipal@596514d2[username=earth,pwd=*****] does not have the right role
...
{noformat}

h4. 3. (x) User moon should be able to access the moon_core:

This doesn't work.

{noformat}
$ curl 'http://moon:...@127.0.0.1:8983/solr/moon_core/query?q=*:*&indent=true'
...
<body><h2>HTTP ERROR 403 Unauthorized request, Response code: 403</h2>
...
{noformat}

solr.log:

{noformat}
...
DEBUG (qtp1910936570-19) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-19) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, checking perms applicable to all (*) collections
DEBUG (qtp1910936570-19) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
  "role":"admin_role",
  "name":"all"}] to govern resource [/query]
INFO  (qtp1910936570-19) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have a permission {
  "role":"admin_role",
  "name":"all"}, The principal org.apache.solr.security.BasicAuthPlugin$BasicAuthUserPrincipal@2e6cb515[username=moon,pwd=*****] does not have the right role
...
{noformat}

h4. 4. (/) User moon should not be able to access the earth_core:

{noformat}
$ curl 'http://moon:...@127.0.0.1:8983/solr/earth_core/query?q=*:*&indent=true'
...
<title>Error 403 Unauthorized request, Response code: 403</title>
...
{noformat}

solr.log:

{noformat}
...
DEBUG (qtp1910936570-22) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-22) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, checking perms applicable to all (*) collections
DEBUG (qtp1910936570-22) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
  "role":"admin_role",
  "name":"all"}] to govern resource [/query]
INFO  (qtp1910936570-22) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have a permission {
  "role":"admin_role",
  "name":"all"}, The principal org.apache.solr.security.BasicAuthPlugin$BasicAuthUserPrincipal@68706e69[username=moon,pwd=*****] does not have the right role
...
{noformat}

> RuleBasedAuthorizationPlugin is not fully functional in Solr standalone mode
> -----------------------------------------------------------------------------
>
>                 Key: SOLR-13097
>                 URL: https://issues.apache.org/jira/browse/SOLR-13097
>             Project: Solr
>          Issue Type: Bug
>          Components: Authentication
>    Affects Versions: 6.6.5, 7.5
>         Environment: Solr standalone
>            Reporter: Dominique Béjean
>            Priority: Major
>
> In Solr standalone mode, the collections element of the request context is not populated by the core name.
> For instance, the following request:
> {code:java}
> http://user1:xxxxxx@localhost:8983/solr/biblio/select?indent=on&q=*:*&wt=json{code}
> reports this in log:
> {code:java}
> 2018-12-30 12:24:52.102 INFO (qtp1731656333-20) [ x:biblio] o.a.s.s.HttpSolrCall USER_REQUIRED auth header Basic Mjox context : userPrincipal: [[principal: 2]] type: [READ], collections: [], Path: [/select] path : /select params :q=*:*&indent=on&wt=json{code}
> The consequence is that RuleBasedAuthorizationPlugin is not able to apply this kind of permission:
> {code:java}
> {"name":"read-biblio",
>  "path":"/select",
>  "role":["admin","read","r1"],
>  "collection":"biblio",
>  "index":2}{code}
> In Solrcloud mode in the init() method of HttpSolrCall.java, the collections element is populated with either the collection name matching the core name in the request or the collection names provided in the collection parameter.
> {code:java}
> if (cores.isZooKeeperAware()) {
>      // init collectionList (usually one name but not when there are aliases)
>      String def = core != null ? core.getCoreDescriptor().getCollectionName() : origCorename;
>      collectionsList = resolveCollectionListOrAlias(queryParams.get(COLLECTION_PROP, def)); // &collection= takes precedence
>     ...
> }{code}
>
> I expect init() method could be improved in order to populate collections element with the core name for Solr standalone mode.
>
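The behaviour described in the comment and in the issue text, modelled as an added example (this is neither Solr's code nor the commenter's): the earth/moon rules from the security.json above are evaluated first-match, and the request's collection list is either empty (standalone, as the solr.log lines show) or filled with the core name (the SolrCloud branch of init() quoted in the description). PREDEFINED_PATHS, the user/core/path inputs and the allow-on-no-match fallback are assumptions of this model.

```python
from __future__ import annotations

# Added example, not Solr's code: a small model of how the governing permission
# is chosen, and why collection-scoped rules never match when the request
# context carries an empty collection list (standalone mode on SOLR-13097).

# user-role map and permissions copied from the security.json in the comment.
USER_ROLE = {"earth": "earth_role", "moon": "moon_role", "admin": "admin_role"}
PERMISSIONS = [
    {"role": "earth_role", "collection": "earth_core", "name": "read"},
    {"role": "earth_role", "collection": "earth_core", "name": "update"},
    {"role": "moon_role", "collection": "moon_core", "name": "read"},
    {"role": "moon_role", "collection": "moon_core", "name": "update"},
    {"role": "admin_role", "name": "all"},
]

# Constructed subset of the predefined permission names and the handler paths
# they cover; Solr's real lists are longer.
PREDEFINED_PATHS = {"read": {"/select", "/query", "/get"}, "update": {"/update"}}


def request_collections(core: str, zk_aware: bool) -> list[str]:
    """What init() leaves in the request's collection list.

    SolrCloud fills it from the core's collection name (or &collection=);
    in standalone mode, as reported on this ticket, it stays empty.
    """
    return [core] if zk_aware else []


def governing_permission(path: str, collections: list[str]) -> dict | None:
    """First permission, in file order, whose scope covers this request."""
    for perm in PERMISSIONS:
        scope = perm.get("collection")
        # A collection-scoped rule applies only if the request names that collection.
        if scope is not None and scope not in collections:
            continue
        if perm["name"] == "all" or path in PREDEFINED_PATHS.get(perm["name"], ()):
            return perm
    return None


def authorize(user: str, core: str, path: str, zk_aware: bool) -> tuple[bool, str]:
    """Return (allowed, reason) phrased like the solr.log lines in the comment."""
    perm = governing_permission(path, request_collections(core, zk_aware))
    if perm is None:
        # Assumption of this model: a request that no rule governs is allowed.
        return True, "no permission governs %s" % path
    if USER_ROLE.get(user) == perm["role"]:
        return True, "governed by %r; role matches, permitting access" % perm
    return False, "governed by %r; principal %s does not have the right role" % (perm, user)


if __name__ == "__main__":
    for zk in (False, True):
        for user, core in (("earth", "earth_core"), ("earth", "moon_core"), ("admin", "moon_core")):
            ok, why = authorize(user, core, "/query", zk)
            print("zk_aware=%s %s -> %s: %s (%s)" % (zk, user, core, "allow" if ok else "deny", why))
```

With the list populated, ordering still matters in this model: the earth_core read rule governs before the trailing "all" rule, so admin would be denied on earth_core unless the "all" rule is listed first or admin also holds the per-core roles.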
