Sanket Shelar created RANGER-5540:
-------------------------------------
Summary: Unexpected behaviour with wildcards for users with no Ranger roles when using document level authorisation in Solr collection.
Key: RANGER-5540
URL: https://issues.apache.org/jira/browse/RANGER-5540
Project: Ranger
Issue Type: Bug
Components: Ranger
Reporter: Sanket Shelar
Assignee: Sanket Shelar
If documents carry the wildcard "*" in the field that is used for matching roles during authorisation, we expect users that are not associated with any Ranger role to still see those wildcard documents.

Explanation of current behaviour

The user has query access to the collection but does not have any Ranger roles, and gets "permission denied" for all documents, including those with a wildcard.
Reproduction steps
00-setup-collection/test5-config/conf/schema.xml

  <field name="id" type="string" indexed="true" stored="true" required="true" multiValued="false" />
  <!-- docValues are enabled by default for long type so we don't need to index the version field -->
  <field name="_version_" type="plong" indexed="false" stored="false"/>
  <!-- If you don't use child/nested documents, then you should remove the next two fields: -->
  <!-- for nested documents (minimal; points to root document) -->
  <field name="_root_" type="string" indexed="true" stored="false" docValues="false" />
  <!-- for nested documents (relationship tracking) -->
  <field name="_nest_path_" type="_nest_path_" />
  <fieldType name="_nest_path_" class="solr.NestPathField" />
  <field name="_text_" type="text_general" indexed="true" stored="false" multiValued="true"/>
  <field name="fname" type="string" indexed="true" stored="true" />
  <field name="lname" type="string" indexed="true" stored="true" />
  <field name="department" type="string" indexed="true" stored="true" multiValued="true" />
  <field name="department_count" type="pint" stored="true" />

00-setup-collection/test5-config/conf/solrconfig.xml

  <searchComponent name="queryDocAuthorization" class="org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer">
    <str name="enabled">true</str>
    <str name="rangerAuthField">ranger_auth</str>
    <str name="allRolesToken">*</str>
  </searchComponent>
records_new.json

[
  { "fname": "alice",  "lname": "bloggs", "department": ["hr", "payroll"],     "ranger_auth": ["hr", "payroll"] },
  { "fname": "gemma",  "lname": "bloggs", "department": ["hr", "payroll"],     "ranger_auth": ["payroll"] },
  { "fname": "bob",    "lname": "bloggs", "department": ["hr"],                "ranger_auth": ["hr"] },
  { "fname": "bill",   "lname": "bloggs", "department": ["it"],                "ranger_auth": ["it"] },
  { "fname": "hubert", "lname": "bloggs", "department": ["public relations"],  "ranger_auth": ["public relations"] },
  { "fname": "pip",    "lname": "bloggs", "department": ["board"],             "ranger_auth": ["*"] },
  { "fname": "anne",   "lname": "bloggs", "department": ["board"],             "ranger_auth": [""] }
]
User john has query permission on the collection but no Ranger roles; querying it returns:

{
  "responseHeader":{
    "zkConnected":true,
    "status":401,
    "QTime":110,
    "params":{
      "q":"*:*",
      "debug":"true",
      "fq":"*:*",
      "_forwardedCount":"1"}},
  "error":{
    "metadata":[
      "error-class","org.apache.solr.common.SolrException",
      "root-error-class","org.apache.solr.common.SolrException"],
    "msg":"Permission denied for user: john",
    "code":401}}
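To make the expected and reported behaviour concrete, the following is an added Python model (not Ranger's or Solr's own code) that applies the rangerAuthField / allRolesToken semantics from the solrconfig.xml above to the records_new.json documents; the shape of the filter query it builds is an assumption, not the plugin's actual query syntax.

```python
# Hypothetical model of document-level authorization (not Ranger's implementation):
# a document is visible when one of the user's Ranger roles appears in the
# rangerAuthField, or when the field carries the allRolesToken ("*").

RANGER_AUTH_FIELD = "ranger_auth"   # rangerAuthField from the solrconfig.xml above
ALL_ROLES_TOKEN = "*"               # allRolesToken from the solrconfig.xml above

# Constructed subset of records_new.json from the report (fname + ranger_auth only).
RECORDS = [
    {"fname": "alice",  "ranger_auth": ["hr", "payroll"]},
    {"fname": "gemma",  "ranger_auth": ["payroll"]},
    {"fname": "bob",    "ranger_auth": ["hr"]},
    {"fname": "bill",   "ranger_auth": ["it"]},
    {"fname": "hubert", "ranger_auth": ["public relations"]},
    {"fname": "pip",    "ranger_auth": ["*"]},
    {"fname": "anne",   "ranger_auth": [""]},
]


def quote(token):
    """Quote a role token so values with spaces or '*' match literally."""
    escaped = token.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_filter_query(roles, field=RANGER_AUTH_FIELD, all_roles_token=ALL_ROLES_TOKEN):
    """Assumed fq an authorizer appends: the user's roles plus the allRolesToken.
    With no roles the fq still contains the token, so wildcard documents remain visible."""
    tokens = list(roles) + [all_roles_token]
    return f'{field}:({" OR ".join(quote(t) for t in tokens)})'


def visible_docs_expected(roles, records=RECORDS):
    """Expected behaviour: match on the user's roles or on the allRolesToken."""
    allowed = set(roles) | {ALL_ROLES_TOKEN}
    return [r["fname"] for r in records if allowed & set(r[RANGER_AUTH_FIELD])]


def visible_docs_reported(roles, records=RECORDS):
    """Behaviour described in the report: a user with no Ranger roles is denied
    outright (status 401) instead of being restricted to wildcard documents."""
    if not roles:
        raise PermissionError("Permission denied for user")
    return visible_docs_expected(roles, records)
```

For the roleless user john, visible_docs_expected([]) yields only pip's document, whereas visible_docs_reported([]) raises, mirroring the 401 above.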