Hey Jeremy,

One important thing to remember about the RuleBasedAuthorizationPlugin is that if it doesn't find any rules matching a particular API call, it will allow the request. I think that's what you're running into here. Let's trace through how RBAP will process your rules:
1. Solr receives an API call. For this example, let's say it's a new doc sent to /solr/someCollection/update
2. Solr fetches security.json and parses the auth rules. It'll look at each of these in turn.
3. First Rule: Solr checks "/solr/someCollection/update" against the "read" rule. /update isn't a read API, so this rule doesn't apply to our request.
4. Second Rule: Solr checks "/solr/someCollection/update" against the "security-edit" rule. /update isn't a security-related API, so this rule doesn't apply to our request either.
5. Solr is out of rules to try. Since no rules locked down /update to a particular user/role, Solr allows the request.

This is pretty unintuitive and rarely is what people expect. The way that RBAP works, you almost always will want to have the last rule in your security.json be a "catch-all" rule of some sort. You can do this by appending a rule entry with the wildcard path "*". In the latest Solr releases, you can also use the predefined "all" permission (but beware of SOLR-13355 in earlier versions). e.g.

{ "name": "read", "role": "readonly" },
{ "name": "security-edit", "role": "admin" },
{ "path": "*", "role": "admin" }

Hope that helps.

Jason

On Fri, May 3, 2019 at 5:23 PM Jérémy <mer...@gmail.com> wrote:
>
> Hi,
>
> I hope that this question wasn't answered already, but I couldn't find what
> I was looking for in the archives.
>
> I'm having a hard time using solr with the BasicAuth and
> RoleBasedAuthorization plugins.
> The auth part works well but I have issues with the RoleBasedAuthorization
> part. I'd like to have an admin role and a readonly one. I have two users,
> each having one role. However both of them can create cores, delete
> documents etc...
>
> Here's my security.json:
> {
>   "authentication": {
>     "blockUnknown": true,
>     "class": "solr.BasicAuthPlugin",
>     "credentials": {
>       "adminuser": "adminpwd",
>       "readuser": "readpwd"
>     }
>   },
>   "authorization": {
>     "class": "solr.RuleBasedAuthorizationPlugin",
>     "permissions": [
>       {
>         "name": "read",
>         "role": "readonly"
>       },
>       {
>         "name": "security-edit",
>         "role": "admin"
>       }
>     ],
>     "user-role": {
>       "readuser": "readonly",
>       "adminuser": "admin"
>     }
>   }
> }
>
> I tried that with Solr 7.7.0 and 8.0.0, in cloud and standalone mode. I
> can't figure out why the readuser can delete documents.
>
> Any help is appreciated!
>
> Thanks,
> Jeremy
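As an added illustration of the fall-through Jason describes (an example written for this page, not code from the thread or from Solr itself): a small Python model of RBAP rule evaluation, run against Jeremy's permissions with and without the wildcard rule, plus a check for a missing catch-all. The mapping of predefined permission names to request paths is an assumed, simplified subset of Solr's real table, which also considers HTTP method and request parameters.

```python
"""Simulate RuleBasedAuthorizationPlugin rule evaluation (added example, not Solr code).
The predefined-permission table below is a simplified, assumed subset of Solr's real
one, which also considers HTTP method and request parameters."""
import json

# Assumed, simplified: request paths each predefined permission name covers.
PREDEFINED = {
    "read": ("/select", "/get", "/query"),
    "security-edit": ("/admin/authentication", "/admin/authorization"),
    "all": ("*",),
}

def rule_matches(rule: dict, handler: str) -> bool:
    """Does this permission entry cover the request handler (e.g. '/update')?"""
    paths = rule.get("path") or PREDEFINED.get(rule.get("name"), ())
    paths = (paths,) if isinstance(paths, str) else paths
    return any(p == "*" or handler.startswith(p) for p in paths)

def authorize(security_json: str, user: str, handler: str) -> str:
    """Walk the rules top to bottom; the first match decides, no match => allow."""
    authz = json.loads(security_json)["authorization"]
    roles = authz["user-role"].get(user, [])
    roles = {roles} if isinstance(roles, str) else set(roles)
    for rule in authz["permissions"]:
        if rule_matches(rule, handler):
            allowed = rule.get("role") or []
            allowed = {allowed} if isinstance(allowed, str) else set(allowed)
            return "allow" if roles & allowed else "deny"
    return "allow"  # fell off the end of the list: RBAP lets the request through

def has_catch_all(security_json: str) -> bool:
    """Config check: does the rule list end with a wildcard path or the 'all' permission?"""
    perms = json.loads(security_json)["authorization"]["permissions"]
    return bool(perms) and (perms[-1].get("path") == "*" or perms[-1].get("name") == "all")

def config(extra_rules):
    """Constructed security.json fragment mirroring the one posted in the thread."""
    return json.dumps({"authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [{"name": "read", "role": "readonly"},
                        {"name": "security-edit", "role": "admin"}] + extra_rules,
        "user-role": {"readuser": "readonly", "adminuser": "admin"}}})

WEAK = config([])                                 # Jeremy's config: no catch-all
FIXED = config([{"path": "*", "role": "admin"}])  # with Jason's wildcard rule appended

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(name, "catch-all:", has_catch_all(cfg),
              "| readuser /update:", authorize(cfg, "readuser", "/update"))
```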