[
https://issues.apache.org/jira/browse/RANGER-5540?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sanket Shelar resolved RANGER-5540.
-----------------------------------
Fix Version/s: NA
Resolution: Not A Bug
> Unexpected behaviour with wildcards for users with no ranger roles when using
> document level authorisation in Solr collection.
> ------------------------------------------------------------------------------------------------------------------------------
>
> Key: RANGER-5540
> URL: https://issues.apache.org/jira/browse/RANGER-5540
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Sanket Shelar
> Assignee: Sanket Shelar
> Priority: Major
> Fix For: NA
>
>
> If we have documents that have a wildcard "*" in the field that is used for
> matching roles during authorisation, we expect users that are not associated
> with any Ranger role to see those documents that have a wildcard.
> Explanation of current behaviour
> The user has query access to the collection but does not have any Ranger
> roles and gets a "permission denied" for all documents, including those with a
> wildcard.
> Reproduction steps
> 00-setup-collection/test5-config/conf/schema.xml
> <field name="id" type="string" indexed="true" stored="true" required="true"
> multiValued="false" />
> <!-- docValues are enabled by default for long type so we don't need to index
> the version field -->
> <field name="_version_" type="plong" indexed="false" stored="false"/>
> <!-- If you don't use child/nested documents, then you should remove the next
> two fields: -->
> <!-- for nested documents (minimal; points to root document) -->
> <field name="_root_" type="string" indexed="true" stored="false"
> docValues="false" />
> <!-- for nested documents (relationship tracking) -->
> <field name="_nest_path_" type="_nest_path_" />
> <fieldType name="_nest_path_" class="solr.NestPathField" />
> <field name="_text_" type="text_general" indexed="true" stored="false"
> multiValued="true"/>
> <field name="fname" type="string" indexed="true" stored="true" />
> <field name="lname" type="string" indexed="true" stored="true" />
> <field name="department" type="string" indexed="true" stored="true"
> multiValued="true" />
> <field name="department_count" type="pint" stored="true" />
> 00-setup-collection/test5-config/conf/solrconfig.xml
> <searchComponent name="queryDocAuthorization"
> class="org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer">
> <str name="enabled">true</str>
> <str name="rangerAuthField">ranger_auth</str>
> <str name="allRolesToken">*</str>
> </searchComponent>
> records_new.json
> [
> { "fname": "alice", "lname": "bloggs", "department": ["hr", "payroll"],
> "ranger_auth": ["hr", "payroll"] },
> { "fname": "gemma", "lname": "bloggs", "department": ["hr", "payroll"],
> "ranger_auth": ["payroll"] },
> { "fname": "bob", "lname": "bloggs", "department": ["hr"], "ranger_auth":
> ["hr"] },
> { "fname": "bill", "lname": "bloggs", "department": ["it"], "ranger_auth":
> ["it"] },
> { "fname": "hubert", "lname": "bloggs", "department": ["public relations"],
> "ranger_auth": ["public relations"] },
> { "fname": "pip", "lname": "bloggs", "department": ["board"], "ranger_auth":
> ["*"] },
> { "fname": "anne", "lname": "bloggs", "department": ["board"], "ranger_auth":
> [""] }
> ]
> User john has query permission to collection
> {
> "responseHeader":{
> "zkConnected":true,
> "status":401,
> "QTime":110,
> "params":{
> "q":"*:*",
> "debug":"true",
> "fq":"*:*",
> "_forwardedCount":"1"}},
> "error":{
> "metadata":[
> "error-class","org.apache.solr.common.SolrException",
> "root-error-class","org.apache.solr.common.SolrException"],
> "msg":"Permission denied for user: john",
> "code":401}}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
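As an added illustration of the behaviour discussed in the report (this is example code written for this page, not Ranger's RangerSolrAuthorizer), the following Python model shows how a document-level authorizer of this kind turns a user's roles into a filter query on the rangerAuthField and why a user with no roles is rejected before any document is considered. The records are the ones from records_new.json above; the exact filter-query syntax, the use of Solr's query-character escaping, and the "no roles means deny" rule are assumptions about the component's behaviour, not facts taken from the Ranger source.

```python
"""Model of document-level authorization as described in RANGER-5540.

Added example, not Ranger's code. The fq format, the escaping of role
values and the rule "no roles -> reject the request" are assumptions
about how a RangerSolrAuthorizer-style search component behaves.
"""
import re

# Records copied from the report (constructed inline for this example).
RECORDS = [
    {"fname": "alice", "department": ["hr", "payroll"], "ranger_auth": ["hr", "payroll"]},
    {"fname": "gemma", "department": ["hr", "payroll"], "ranger_auth": ["payroll"]},
    {"fname": "bob", "department": ["hr"], "ranger_auth": ["hr"]},
    {"fname": "bill", "department": ["it"], "ranger_auth": ["it"]},
    {"fname": "hubert", "department": ["public relations"], "ranger_auth": ["public relations"]},
    {"fname": "pip", "department": ["board"], "ranger_auth": ["*"]},
    {"fname": "anne", "department": ["board"], "ranger_auth": [""]},
]

AUTH_FIELD = "ranger_auth"   # <str name="rangerAuthField">ranger_auth</str>
ALL_ROLES_TOKEN = "*"        # <str name="allRolesToken">*</str>

# Characters that Solr's ClientUtils.escapeQueryChars backslash-escapes, so a
# role such as "public relations" or the "*" token is matched as a literal
# term rather than parsed as query syntax.
_SPECIAL = re.compile(r'([\\+\-!():^\[\]"{}~*?|&;/\s])')


def escape_term(term):
    """Escape a role value for use as a literal term in a Solr query."""
    return _SPECIAL.sub(r"\\\1", term)


def build_auth_filter(roles, auth_field=AUTH_FIELD, all_roles_token=ALL_ROLES_TOKEN):
    """Return the fq a doc-level authorizer would append for this user.

    Assumption modelled here: a user with no roles has nothing to match
    against, so the request is rejected outright instead of being filtered.
    That is the "Permission denied for user" in the report, and it means the
    all-roles token is never consulted for such a user.
    """
    if not roles:
        raise PermissionError("Permission denied: user has no roles")
    terms = [escape_term(r) for r in roles] + [escape_term(all_roles_token)]
    return f"{auth_field}:({' OR '.join(terms)})"


def visible_docs(records, roles, auth_field=AUTH_FIELD, all_roles_token=ALL_ROLES_TOKEN):
    """Evaluate the filter the way Solr would on a multi-valued string field.

    A document is visible when any of its auth values is one of the user's
    roles or is the all-roles token. An empty string is not the token, so
    a document tagged [""] is visible to nobody.
    """
    build_auth_filter(roles, auth_field, all_roles_token)  # same deny rule
    allowed = set(roles) | {all_roles_token}
    return [r["fname"] for r in records
            if any(v in allowed for v in r.get(auth_field, []))]


def main():
    for user, roles in [("alice", ["hr", "payroll"]), ("bill", ["it"]),
                        ("pip", ["board"]), ("john", [])]:
        try:
            print(user, build_auth_filter(roles), visible_docs(RECORDS, roles))
        except PermissionError as exc:
            print(user, "->", exc)


if __name__ == "__main__":
    main()
```

Running it shows that the wildcard document ("pip") appears for every user who has at least one role, while "john", who has query permission on the collection but no roles, never reaches the filter and is denied, which is the outcome the ticket was closed on.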