Hi all,

I've been periodically running into a strange permissions issue and finally have some useful information on it. We've run into the issue on v6.3.0 and v7.X clusters.

Assume we have 2 hosts (1 instance on each) with 2 collections. Collection c1 has 2 shards, and collection c2 has 1 shard. Each only has one copy of each shard. The distribution is as follows:

    host1: c1-shard1
    host2: c1-shard2, c2-shard1

We have security enabled on it where the authorization section looks like:

    "authorization":{
      "class":"solr.RuleBasedAuthorizationPlugin",
      "permissions":[
        {"name":"read","role":"reader"},
        {"name":"security-read","role":"reader"},
        {"name":"schema-read","role":"reader"},
        {"name":"config-read","role":"reader"},
        {"name":"core-admin-read","role":"reader"},
        {"name":"collection-admin-read","role":"reader"},
        {"name":"update","role":"writer"},
        {"name":"security-edit","role":"admin"},
        {"name":"schema-edit","role":"admin"},
        {"name":"config-edit","role":"admin"},
        {"name":"core-admin-edit","role":"admin"},
        {"name":"collection-admin-edit","role":"admin"},
        {"name":"all","role":"admin"}],
      "user-role":{
        "solradmin":["reader","writer","admin"],
        "solrreader":["reader"],
        "solrwriter":["reader","writer"]}}

When sending the query

    http://host1:8983/solr/c2/select?q=*:*

as solrreader or solrwriter, a 403 response is returned. However, when sending the query as solradmin, the expected results are returned.

So what are we missing to allow the reader role to query a collection that is part of the solrcloud instance, but not actually present on the host?

Thanks,
Chris