Posted to dev@lucene.apache.org by "Jan Høydahl (JIRA)" <ji...@apache.org> on 2019/04/14 23:41:00 UTC

[jira] [Resolved] (SOLR-11089) RuleBasedAuthorization plugin ignores permissions.

     [ https://issues.apache.org/jira/browse/SOLR-11089?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Høydahl resolved SOLR-11089.
--------------------------------
    Resolution: Information Provided

Closing old issue from the early days of the security framework; this is proven to work. If you manage to reproduce in newer versions, please re-open or create a new issue.

> RuleBasedAuthorization plugin ignores permissions.
> --------------------------------------------------
>
>                 Key: SOLR-11089
>                 URL: https://issues.apache.org/jira/browse/SOLR-11089
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authentication
>    Affects Versions: 5.5.4
>         Environment: SolrCloud with 3 nodes and test collection. No data. Single shard.
> Zookeper v.3.4.5
>            Reporter: Suage 1981
>            Priority: Critical
>
> Expected behavior (as described in docs):
> - Unauthenticated users should not get access to /admin/authentication and /admin/authentication
> Demonstrated behavior:
> - /admin/authentication and /admin/authentication are publicly available. So it looks like permissions are ignored totally: 
> {code}
> 2017-07-16T17:36:39.379Z [DEBUG] [org.apache.solr.servlet.SolrDispatchFilter#authenticateRequest] Request to authenticate: (GET /solr/admin/authorization)@2095474071 org.eclipse.jetty.server.Request@7ce66597, domain: 10.0.1.31, port: 8983
> 2017-07-16T17:36:39.379Z [DEBUG] [org.apache.solr.servlet.SolrDispatchFilter#doFilter] User principal: null
> 2017-07-16T17:36:39.380Z [DEBUG] [org.apache.solr.servlet.HttpSolrCall#call] AuthorizationContext : userPrincipal: [null] type: [ADMIN], collections: [], Path: [/admin/authorization] path : /admin/authorization params :
> 2017-07-16T17:36:39.380Z [DEBUG] [org.apache.solr.security.RuleBasedAuthorizationPlugin#checkPathPerm] No permissions configured for the resource /admin/authorization . So allowed to access
> 2017-07-16T17:36:39.380Z [INFO] [org.apache.solr.servlet.HttpSolrCall#handleAdminRequest] [admin] webapp=null path=/admin/authorization params={} status=0 QTime=0
> {code}
> {{zkcli -cmd get /security.json | grep -v '^2'|grep -v '^$'}}:
> {code}
> {
>   "authentication": {
>     "class": "solr.BasicAuthPlugin",
>     "credentials": {
>       "SOLR_TEST": "tiBhLoJSYJP1meUp7zgaiRXnZp52tXQM7PttV62CV5k= c2hhaXRodTFmdWxvaXBoOXVlbGFzaGk2T29nZWl5YWlQM2Y="
>     }
>   },
>   "authorization": {
>     "class": "solr.RuleBasedAuthorizationPlugin",
>     "permissions": [{
>         "name": "security-read",
>         "role": "administrator"
>       }, {
>         "name": "security-edit",
>         "role": "administrator"
>       }, {
>         "name": "schema-edit",
>         "role": "administrator"
>       }, {
>         "name": "config-edit",
>         "role": "administrator"
>       }, {
>         "name": "collection-admin-edit",
>         "role": "administrator"
>       }, {
>         "name": "collection-admin-read",
>         "role": "administrator"
>       }
>     ],
>     "user-role": {
>       "SOLR_TEST": "administrator"
>     }
>   }
> }
> {code}
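The DEBUG line in the report ("No permissions configured for the resource /admin/authorization . So allowed to access") records a permissive fallback: a request matched by no rule is allowed. The following is an added example, a constructed model rather than Solr's own code, that shows this fallback against the reporter's name-only rules and how one trailing path rule (a constructed `deny-by-default` rule with path `/*`) turns unmatched paths into a deny; it assumes rules are tried in order, the first rule whose `path` glob matches decides, and a name-only rule that the checker cannot map to a path never matches.

```python
import copy
import fnmatch

# Added for this page; a constructed model, not Solr's code. Assumed semantics:
# rules are tried in order, the first rule whose "path" glob matches the request
# decides, and a name-only rule the checker cannot map to a path never matches,
# which is the situation the issue's log shows for /admin/authorization.

def roles_of(security, user):
    """Roles assigned to `user` in security.json (None = unauthenticated)."""
    if user is None:
        return set()
    r = security["authorization"].get("user-role", {}).get(user, [])
    return set(r if isinstance(r, list) else [r])

def authorize(security, path, user):
    """Return (allowed, reason) for a request by `user` to `path`."""
    for rule in security["authorization"]["permissions"]:
        if "path" not in rule or not fnmatch.fnmatch(path, rule["path"]):
            continue  # no path to match on, or the path does not match
        need = rule["role"]
        need = set(need if isinstance(need, list) else [need])
        if user is None:
            return False, "authentication required (%s)" % rule["name"]
        if need & roles_of(security, user):
            return True, "allowed by %s" % rule["name"]
        return False, "role %s required (%s)" % (sorted(need), rule["name"])
    # Permissive fallback: the behaviour recorded in the issue's DEBUG log line.
    return True, "No permissions configured for the resource %s" % path

def has_catch_all(security):
    """True if some rule's path glob covers every request (closes the fallback)."""
    return any(r.get("path") == "/*" for r in security["authorization"]["permissions"])

# Constructed config carrying the reporter's name-only rules (trimmed to two).
REPORTED = {"authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [{"name": "security-read", "role": "administrator"},
                    {"name": "security-edit", "role": "administrator"}],
    "user-role": {"SOLR_TEST": "administrator"}}}

# Same config plus a constructed last rule that makes unmatched paths deny.
HARDENED = copy.deepcopy(REPORTED)
HARDENED["authorization"]["permissions"].append(
    {"name": "deny-by-default", "path": "/*", "role": "administrator"})

if __name__ == "__main__":
    for label, cfg in (("reported", REPORTED), ("hardened", HARDENED)):
        for user in (None, "SOLR_TEST"):
            print(label, user, authorize(cfg, "/admin/authorization", user))
```

Running it prints the anonymous request allowed under the reported rules and refused under the hardened ones, while `SOLR_TEST` stays allowed in both.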

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)