Posted to solr-user@lucene.apache.org by Chris Ulicny <cu...@iq.media> on 2018/04/05 16:02:36 UTC

Basic Security Plugin and Collection Shard Distribution

Hi all,

I've been periodically running into a strange permissions issue and finally
have some useful information on it. We've run into the issue on v6.3.0
and v7.X clusters.

Assume we have 2 hosts (1 instance on each) with 2 collections. Collection
c1 has 2 shards, and collection c2 has 1 shard. Each only has one copy of
each shard. The distribution is as follows:

host1: c1-shard1
host2: c1-shard2, c2-shard1

We have security enabled on it where the authorization section looks like:

  "authorization":{
    "class":"solr.RuleBasedAuthorizationPlugin",
    "permissions":[
      {"name":"read","role":"reader"},
      {"name":"security-read","role":"reader"},
      {"name":"schema-read","role":"reader"},
      {"name":"config-read","role":"reader"},
      {"name":"core-admin-read","role":"reader"},
      {"name":"collection-admin-read","role":"reader"},
      {"name":"update","role":"writer"},
      {"name":"security-edit","role":"admin"},
      {"name":"schema-edit","role":"admin"},
      {"name":"config-edit","role":"admin"},
      {"name":"core-admin-edit","role":"admin"},
      {"name":"collection-admin-edit","role":"admin"},
      {"name":"all","role":"admin"}],
    "user-role":{
      "solradmin":["reader","writer","admin"],
      "solrreader":["reader"],
      "solrwriter":["reader","writer"]}}

When sending the query http://host1:8983/solr/c2/select?q=*:* as
solrreader or solrwriter, a 403 response is returned.

However, when sending the query as solradmin, the expected results are returned.

So what are we missing to allow the reader role to query a collection
that is part of the solrcloud instance, but not actually present on
the host?

Thanks,
Chris

Re: Basic Security Plugin and Collection Shard Distribution

Posted by Chris Ulicny <cu...@iq.media>.
As far as logging goes, when setting PKIAuthenticationPlugin,
RuleBasedAuthorizationPlugin, and HttpSolrCall to TRACE, the following is
all that is seen in the log file of host1 for the above request:

2018-04-06 14:51:34.775 DEBUG (qtp329611835-8790) [   ]
o.a.s.s.HttpSolrCall PkiAuthenticationPlugin says authorization required :
true
2018-04-06 14:51:34.775 DEBUG (qtp329611835-8790) [   ]
o.a.s.s.HttpSolrCall AuthorizationContext : userPrincipal: [[principal:
solrreader]] type: [READ], collections: [c2, c2,], Path: [/select] path :
/select params :null
2018-04-06 14:51:34.776 INFO  (qtp329611835-8790) [   ]
o.a.s.s.RuleBasedAuthorizationPlugin This resource is configured to have a
permission {
  "name":"all",
  "role":"admin"}, The principal [principal: solrreader] does not have the
right role
2018-04-06 14:51:34.776 INFO  (qtp329611835-8790) [   ]
o.a.s.s.HttpSolrCall USER_REQUIRED auth header Basic <hash_val> context :
userPrincipal: [[principal: solrreader]] type: [READ], collections: [c2,
c2,], Path: [/select] path : /select params :null


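A small Python model of the first-match rule walk behind the log lines above, added here as an illustration rather than Solr's own code. It shows that whatever keeps the `read` rule from claiming a request, the request then lands on the trailing `all` rule, which only the admin role satisfies, and that without that rule an unclaimed request is simply let through. The expansion of the predefined permission names to request paths is an assumption, kept to the few shapes needed here.

```python
import json

# The authorization section from the post, embedded here as sample input.
AUTHZ = json.loads("""{
  "class":"solr.RuleBasedAuthorizationPlugin",
  "permissions":[
    {"name":"read","role":"reader"},
    {"name":"security-read","role":"reader"},
    {"name":"schema-read","role":"reader"},
    {"name":"config-read","role":"reader"},
    {"name":"core-admin-read","role":"reader"},
    {"name":"collection-admin-read","role":"reader"},
    {"name":"update","role":"writer"},
    {"name":"security-edit","role":"admin"},
    {"name":"schema-edit","role":"admin"},
    {"name":"config-edit","role":"admin"},
    {"name":"core-admin-edit","role":"admin"},
    {"name":"collection-admin-edit","role":"admin"},
    {"name":"all","role":"admin"}],
  "user-role":{
    "solradmin":["reader","writer","admin"],
    "solrreader":["reader"],
    "solrwriter":["reader","writer"]}}""")

# ASSUMED expansion of a few predefined permission names to the (method,
# path) shapes they claim; Solr's real tables are larger than this.
PREDEFINED = {
    "read": {("GET", "/select"), ("GET", "/get"), ("GET", "/export")},
    "update": {("POST", "/update")},
    "schema-edit": {("POST", "/schema")},
}

def decide(authz, user, method, path):
    """Walk the rules in config order; the first rule that claims the
    request decides. Returns (rule name or None, allowed)."""
    roles = set(authz["user-role"].get(user, []))
    for perm in authz["permissions"]:
        name = perm["name"]
        if name != "all" and (method, path) not in PREDEFINED.get(name, ()):
            continue                 # this rule does not claim the request
        wanted = perm.get("role")
        if wanted is None:           # a rule with no role permits anyone it claims
            return name, True
        wanted = wanted if isinstance(wanted, list) else [wanted]
        return name, any(r in roles for r in wanted)
    # No rule claimed the request: the plugin lets it through, which is
    # why a trailing "all" rule is the usual safety net.
    return None, True
```

Running `decide(AUTHZ, "solrreader", "GET", "/c2/select")` in this model gives `("all", False)`, the same outcome the TRACE log reports for a request the `read` rule did not claim.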