Posted to solr-user@lucene.apache.org by Chris Ulicny <cu...@iq.media> on 2018/04/05 16:02:36 UTC
Basic Security Plugin and Collection Shard Distribution
Hi all,
I've been periodically running into a strange permissions issue and finally have
some useful information on it. We've run into the issue on v6.3.0
and v7.X clusters.
Assume we have 2 hosts (1 instance on each) with 2 collections. Collection
c1 has 2 shards, and collection c2 has 1 shard. Each only has one copy of
each shard. The distribution is as follows:
host1: c1-shard1
host2: c1-shard2, c2-shard1
We have security enabled on it where the authorization section looks like:
"authorization":{
  "class":"solr.RuleBasedAuthorizationPlugin",
  "permissions":[
    {"name":"read","role":"reader"},
    {"name":"security-read","role":"reader"},
    {"name":"schema-read","role":"reader"},
    {"name":"config-read","role":"reader"},
    {"name":"core-admin-read","role":"reader"},
    {"name":"collection-admin-read","role":"reader"},
    {"name":"update","role":"writer"},
    {"name":"security-edit","role":"admin"},
    {"name":"schema-edit","role":"admin"},
    {"name":"config-edit","role":"admin"},
    {"name":"core-admin-edit","role":"admin"},
    {"name":"collection-admin-edit","role":"admin"},
    {"name":"all","role":"admin"}],
  "user-role":{
    "solradmin":["reader","writer","admin"],
    "solrreader":["reader"],
    "solrwriter":["reader","writer"]}}
When sending the query http://host1:8983/solr/c2/select?q=*:* as
solrreader or solrwriter, a 403 response is returned.
However, when sending the query as solradmin, the expected results are returned.
So what are we missing to allow the reader role to query a collection
that is part of the solrcloud instance, but not actually present on
the host?
Thanks,
Chris
Re: Basic Security Plugin and Collection Shard Distribution
Posted by Chris Ulicny <cu...@iq.media>.
As far as logging goes, when setting PKIAuthenticationPlugin,
RuleBasedAuthorizationPlugin, and HttpSolrCall to TRACE, the following is
all that is seen in the log file of host1 for the above request:
2018-04-06 14:51:34.775 DEBUG (qtp329611835-8790) [ ] o.a.s.s.HttpSolrCall PkiAuthenticationPlugin says authorization required : true
2018-04-06 14:51:34.775 DEBUG (qtp329611835-8790) [ ] o.a.s.s.HttpSolrCall AuthorizationContext : userPrincipal: [[principal: solrreader]] type: [READ], collections: [c2, c2,], Path: [/select] path : /select params :null
2018-04-06 14:51:34.776 INFO (qtp329611835-8790) [ ] o.a.s.s.RuleBasedAuthorizationPlugin This resource is configured to have a permission { "name":"all", "role":"admin"}, The principal [principal: solrreader] does not have the right role
2018-04-06 14:51:34.776 INFO (qtp329611835-8790) [ ] o.a.s.s.HttpSolrCall USER_REQUIRED auth header Basic <hash_val> context : userPrincipal: [[principal: solrreader]] type: [READ], collections: [c2, c2,], Path: [/select] path : /select params :null
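The DEBUG/INFO lines quoted in the reply are the only evidence the cluster gives of who was refused and by which rule, so it is worth being able to turn them into a structured record rather than reading them by eye. The following Python script is an added example, not code from the thread or from the Solr project: it parses the HttpSolrCall AuthorizationContext line and the RuleBasedAuthorizationPlugin denial line in the exact format shown above, correlates them by Jetty thread id, and reports the principal, request type, collections, path and the permission rule that turned the request away. The sample log is constructed from the four entries in the reply (re-joined onto single lines, since the mail client wrapped them; `<hash_val>` is the poster's own redaction), and the duplicated collection list `[c2, c2,]` is normalised to a single name.

```python
import json
import re

# Constructed sample input: the four entries quoted in the reply above, each
# re-joined onto one line. "<hash_val>" is the poster's redaction of the
# Basic auth header value, not a real hash.
SAMPLE_LOG = """\
2018-04-06 14:51:34.775 DEBUG (qtp329611835-8790) [ ] o.a.s.s.HttpSolrCall PkiAuthenticationPlugin says authorization required : true
2018-04-06 14:51:34.775 DEBUG (qtp329611835-8790) [ ] o.a.s.s.HttpSolrCall AuthorizationContext : userPrincipal: [[principal: solrreader]] type: [READ], collections: [c2, c2,], Path: [/select] path : /select params :null
2018-04-06 14:51:34.776 INFO (qtp329611835-8790) [ ] o.a.s.s.RuleBasedAuthorizationPlugin This resource is configured to have a permission { "name":"all", "role":"admin"}, The principal [principal: solrreader] does not have the right role
2018-04-06 14:51:34.776 INFO (qtp329611835-8790) [ ] o.a.s.s.HttpSolrCall USER_REQUIRED auth header Basic <hash_val> context : userPrincipal: [[principal: solrreader]] type: [READ], collections: [c2, c2,], Path: [/select] path : /select params :null
"""

# Common prefix of every line: timestamp, level, thread, MDC brackets, logger, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<level>\w+) "
    r"\((?P<thread>[^)]+)\) \[[^\]]*\] (?P<logger>\S+) (?P<msg>.*)$"
)
# The AuthorizationContext fields, as printed by HttpSolrCall in the reply.
CONTEXT_RE = re.compile(
    r"userPrincipal: \[\[principal: (?P<principal>[^\]]+)\]\] type: \[(?P<type>\w+)\], "
    r"collections: \[(?P<collections>[^\]]*)\], Path: \[(?P<path>[^\]]+)\]"
)
# The denial message from RuleBasedAuthorizationPlugin, carrying the matched rule as JSON.
DENIAL_RE = re.compile(
    r"configured to have a permission (?P<perm>\{.*?\}), The principal "
    r"\[principal: (?P<principal>[^\]]+)\] does not have the right role"
)


def parse_collections(field):
    """'c2, c2,' -> ['c2']: split on commas, drop empties, dedupe keeping order."""
    names = [c.strip() for c in field.split(",") if c.strip()]
    return list(dict.fromkeys(names))


def parse_line(line):
    """Return a dict describing one Solr log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {k: m.group(k) for k in ("ts", "level", "thread", "logger")}
    msg = m.group("msg")
    ctx = CONTEXT_RE.search(msg)
    if ctx:
        ev.update(
            principal=ctx.group("principal"),
            type=ctx.group("type"),
            collections=parse_collections(ctx.group("collections")),
            path=ctx.group("path"),
        )
    denial = DENIAL_RE.search(msg)
    if denial:
        ev["kind"] = "denied"
        ev["rule"] = json.loads(denial.group("perm"))
        ev["principal"] = denial.group("principal")
    elif msg.startswith("USER_REQUIRED"):
        ev["kind"] = "rejected"
    elif "AuthorizationContext" in msg:
        ev["kind"] = "context"
    else:
        ev["kind"] = "other"
    return ev


def parse_log(text):
    """Parse every recognised line of a log excerpt into event dicts."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def denial_summary(events):
    """Correlate, per request thread, the AuthorizationContext line with the
    denial that followed it, so each record says who asked for what and which
    permission rule refused them."""
    by_thread = {}
    for ev in events:
        slot = by_thread.setdefault(ev["thread"], {})
        if ev["kind"] == "context":
            slot.update(principal=ev["principal"], type=ev["type"],
                        collections=ev["collections"], path=ev["path"])
        elif ev["kind"] == "denied":
            slot["rule"] = ev["rule"]
            slot.setdefault("principal", ev["principal"])
        elif ev["kind"] == "rejected":
            slot["outcome"] = "USER_REQUIRED"
    return [dict(thread=t, **s) for t, s in by_thread.items() if "rule" in s]


if __name__ == "__main__":
    for d in denial_summary(parse_log(SAMPLE_LOG)):
        print(f"{d['principal']} {d['type']} {d['path']} on {d['collections']} "
              f"denied by rule {d['rule']['name']!r} (role {d['rule']['role']!r})")
```

Run against a real log, the summary makes the situation in the thread visible at a glance: the reader principal's READ of `/select` on `c2` was refused because the rule that matched was `all` (role `admin`), not `read`, which is the fact the poster needed to know before revisiting the permission ordering. Correlating by thread id is what keeps the context and denial lines of one request together when several requests interleave in the same log.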