There were some other issues with the "all" permission as well lately, see 
https://issues.apache.org/jira/browse/SOLR-13344
Order matters in permissions, the first permission matching is used, but I 
don't know how that would change anything here.
One thing to try could be to start with an empty RuleBasedAuth and then use the 
REST API to add all the permissions and roles,
in that way you are sure that they are syntactically correct, and hopefully you 
get some errors if you do something wrong?

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

> On 28 Mar 2019, at 20:24, Jason Gerlowski <gerlowsk...@gmail.com> wrote:
> 
> Hi all,
> 
> Diving into the RuleBasedAuthorizationPlugin for the first time in
> a while, and found that the predefined permission "all" isn't behaving
> the way I'd expect it to.  I'm trying to figure out whether it doesn't
> work the way I think, whether I'm just making a dumb mistake, or
> whether it's currently broken on master (and some 7x versions).
> 
> My intent is to create two users, one with readonly access, and an
> admin user with access to all APIs.  I'm trying to achieve this with
> the security.json below:
> 
> {
>  "authentication": {
>    "blockUnknown": true,
>    "class": "solr.BasicAuthPlugin",
>    "credentials": {
>      "readonly": "<pw>",
>      "admin": "<pw>"}},
>  "authorization": {
>    "class": "solr.RuleBasedAuthorizationPlugin",
>    "permissions": [
>      {"name":"read","role": "*"},
>      {"name":"schema-read", "role":"*"},
>      {"name":"config-read", "role":"*"},
>      {"name":"collection-admin-read", "role":"*"},
>      {"name":"metrics-read", "role":"*"},
>      {"name":"core-admin-read","role":"*"},
>      {"name": "all", "role": "admin_role"}
>    ],
>    "user-role": {
>      "readonly": "readonly_role",
>      "admin": "admin_role"
>    }}}
> 
> When I go to test this though, I'm surprised to find that the
> "readonly" user is still able to access APIs that I would expect to be
> locked down.  The "readonly" user can even update security permissions
> with the curl command below!
> 
> curl -X POST -H 'Content-Type: application/json' \
>   -u "readonly:readonlyPassword" \
>   http://localhost:8983/solr/admin/authorization \
>   -d @some_auth_json.json
> 
> My expectation was that the predefined "all" permission would act as a
> catch all, and restrict all requests to "admin_role" that require
> permissions I didn't explicitly give to my "readonly" user.  But it
> doesn't seem to work that way.  Am I misunderstanding what the "all"
> permission does, or is this a bug?
> 
> Thanks for any help or clarification.
> 
> Jason
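The approach Jan suggests above (start from an empty RuleBasedAuthorizationPlugin, then add each permission and the role mapping through the Authorization API so that malformed rules are rejected one at a time), combined with a probe that checks whether the resulting policy actually matches Jason's intent, as an added example. This is not code from the thread or from the Solr project. It assumes Solr is already running with `solr.BasicAuthPlugin` and an empty `solr.RuleBasedAuthorizationPlugin` section in security.json, that the `readonly` and `admin` users exist, and that a collection name is supplied; the base URL, credentials and collection name come from environment variables and are placeholders. The permissions are posted in the same order as in Jason's security.json, with the catch-all `all` last, because the first matching permission wins.

```python
"""Configure Solr's RuleBasedAuthorizationPlugin via the Authorization API
(one command per request) and probe the effective policy afterwards.

Added example; assumes BasicAuth is enabled and the authorization section
is initially empty. The HTTP transport is injectable so the logic can be
exercised without a live Solr."""
import base64
import json
import os
import urllib.error
import urllib.request

# Predefined read-only permissions, in the order they should be evaluated.
# "all" is appended last so it only catches what the read rules did not.
READ_PERMISSIONS = ["read", "schema-read", "config-read",
                    "collection-admin-read", "metrics-read", "core-admin-read"]


def permission_commands(read_role="*", admin_role="admin_role"):
    """Ordered list of `set-permission` commands: read rules first, `all` last."""
    cmds = [{"set-permission": {"name": n, "role": read_role}} for n in READ_PERMISSIONS]
    cmds.append({"set-permission": {"name": "all", "role": admin_role}})
    return cmds


def user_role_command(mapping):
    """`set-user-role` command mapping user -> list of roles."""
    return {"set-user-role": {user: list(roles) for user, roles in mapping.items()}}


def http_call(base_url, path, user, password, body=None):
    """Real transport: Basic-auth request, returns the HTTP status code."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base_url + path, data=data,
                                 method="POST" if data is not None else "GET")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def apply_rules(call, base_url, admin, commands):
    """POST each command separately so a rejected rule is identifiable.

    Returns the list of status codes, one per command, in order."""
    user, password = admin
    return [call(base_url, "/solr/admin/authorization", user, password, cmd)
            for cmd in commands]


def probe_access(call, base_url, collection, readonly, admin):
    """Check the policy behaves as intended; return the list of failed checks.

    The write probe re-asserts the existing readonly mapping, so even if the
    policy is broken (as in the thread) the request changes nothing."""
    noop_write = {"set-user-role": {readonly[0]: ["readonly_role"]}}
    checks = [
        ("readonly can query", readonly, f"/solr/{collection}/select?q=*:*", None, 200),
        ("readonly cannot edit authorization", readonly, "/solr/admin/authorization", noop_write, 403),
        ("admin can read authorization config", admin, "/solr/admin/authorization", None, 200),
    ]
    failures = []
    for label, (user, password), path, body, expected in checks:
        actual = call(base_url, path, user, password, body)
        if actual != expected:
            failures.append((label, expected, actual))
    return failures


if __name__ == "__main__":
    # Placeholder settings; replace with the real endpoint and credentials.
    base = os.environ.get("SOLR_URL", "http://localhost:8983")
    admin = ("admin", os.environ.get("SOLR_ADMIN_PW", "<pw>"))
    readonly = ("readonly", os.environ.get("SOLR_READONLY_PW", "<pw>"))
    collection = os.environ.get("SOLR_COLLECTION", "techproducts")
    cmds = permission_commands() + [user_role_command(
        {"readonly": ["readonly_role"], "admin": ["admin_role"]})]
    for cmd, status in zip(cmds, apply_rules(http_call, base, admin, cmds)):
        print(status, json.dumps(cmd))
    for label, expected, actual in probe_access(http_call, base, collection, readonly, admin):
        print(f"FAILED: {label}: expected {expected}, got {actual}")
```

Run it once with the admin credentials; a non-200 on any `set-permission` line pinpoints the rule Solr rejected, and a `FAILED` line from the probe shows whether the policy matches the intent before anything more is built on it.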
