Thanks Jason. We are awaiting the 7.7.2 release. I will send out a note describing how the documentation is easy to mess up. Maybe this is worth writing a blog for folks like yourselves who are experts in this :)
> On May 28, 2019, at 4:31 AM, Jason Gerlowski <gerlowsk...@gmail.com> wrote:
>
> Hey Aroop,
>
> The fix in SOLR-13355 is available starting in 8.1. It will also be
> available in 7.7.2 once that is released. (Jan Hoydahl started the
> release process for 7.7.2, but held off for a number of other ongoing
> releases. He's recently resumed work on the release though, and I
> expect we'll see 7.7.2 in a week or two.)
>
> RuleBasedAuthorizationPlugin does have some coverage in the ref-guide,
> as you've likely seen:
> https://lucene.apache.org/solr/guide/7_7/rule-based-authorization-plugin.html.
> I don't think SOLR-13355 involved any changes to that documentation:
> it fixed a bug that deviated from what was described in the ref-guide,
> so there were no changes required when that bug was fixed. That said,
> if you see something I've missed, or think that page could be improved
> more generally, it's definitely worth raising a JIRA for. RBAP
> permission matching/processing can be subtle for those using it for
> the first time, so any improvement to the docs will go a long way.
>
> Jason
>
> On Sat, May 25, 2019 at 3:12 AM Aroop Ganguly <aroopgang...@icloud.com> wrote:
>>
>> Hi Jason,
>>
>> Which version of Solr has the definitive fix for the RBAP again?
>> Also, is there a JIRA to fix or create a documentation for the same that
>> works :) ?
>>
>> Aroop
>>
>>
>>> On May 24, 2019, at 9:55 AM, Jason Gerlowski <gerlowsk...@gmail.com> wrote:
>>>
>>> Hi Sotiris,
>>>
>>> First, what version of Solr are you running? We've made some fixes
>>> recently (esp. SOLR-13355) to RBAP, and they might affect the behavior
>>> you're seeing or any fixes we can recommend.
>>>
>>> Second, the order of permissions in security.json has a huge effect on
>>> how . Solr always uses the first permission rule that matches a given
>>> API...later rules are ignored if a match is found in earlier ones.
>>> The first rule in your permissions block ({"name": "all", "role":
>>> "admin"}) will match all APIs and will only allow requests through if
>>> the requesting user has the "admin" role. So "user" being unable to
>>> query an alias makes sense. Usually "all" and other catchall
>>> permissions are best used at the very bottom of your permissions list.
>>> That way the catchall is the last rule to be checked, giving other
>>> rules a chance to match first.
>>>
>>> Hope that helps.
>>>
>>> Jason
>>>
>>> On Wed, May 22, 2019 at 6:21 AM Sotiris Fragkiskos <sfra...@gmail.com>
>>> wrote:
>>>>
>>>> Hi everyone!
>>>> I've been trying unsuccessfully to read an alias to a collection with a
>>>> curl command.
>>>> The command only works when I put in the admin credentials, although the
>>>> user I want access for also has the required role for accessing.
>>>> Is this perhaps built-in, or should anyone be able to access an alias from
>>>> the API?
>>>>
>>>> The command I'm using is:
>>>> curl http://<user>:<pass>@<solrhostname>/solr/<AliasName>/select?q=<field>:<value>
>>>> This fails for the user but succeeds for the admin
>>>>
>>>> My minimum working example of security.json follows.
>>>> Many thanks!
>>>>
>>>> {
>>>>   "authentication":{
>>>>     "blockUnknown":true,
>>>>     "class":"solr.BasicAuthPlugin",
>>>>     "credentials":{
>>>>       "admin":"blahblahblah",
>>>>       "user":"blahblah"},
>>>>     "":{"v":13}},
>>>>   "authorization":{
>>>>     "class":"solr.RuleBasedAuthorizationPlugin",
>>>>     "permissions":[
>>>>       {
>>>>         "name":"all",
>>>>         "role":"admin",
>>>>         "index":1},
>>>>       {
>>>>         "name":"readColl",
>>>>         "collection":"Coll",
>>>>         "path":"/select/*",
>>>>         "role":"readColl",
>>>>         "index":2},
>>>>       {
>>>>         "name":"readSCollAlias",
>>>>         "collection":"sCollAlias",
>>>>         "path":"/select/*",
>>>>         "role":"readSCollAlias",
>>>>         "index":3}],
>>>>     "user-role":{
>>>>       "admin":[
>>>>         "admin",
>>>>         "readSCollAlias"],
>>>>       "user":["readSCollAlias"]},
>>>>     "":{"v":21}}}
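
A simplified model of the first-match behaviour described in the quoted reply, run against the permissions from the posted security.json; this is an added example, not part of the original thread and not Solr's code. Assumptions: rules are matched on collection and path only, `/select/*` is taken to cover `/select` and anything below it, and the alias name is compared literally.

```python
# Added example: simplified model of first-match rule evaluation.
# Not Solr code; rules are matched on collection and path only (assumption).

def rule_matches(rule, collection, path):
    if rule["name"] == "all":            # catch-all: matches every request
        return True
    if rule.get("collection") not in (None, collection):
        return False                     # alias name compared literally (assumption)
    pattern = rule.get("path")
    if pattern is None:
        return True
    if pattern.endswith("/*"):           # assumption: covers /select and below
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return path == pattern

def authorize(permissions, user_roles, user, collection, path):
    """Return (allowed, deciding_rule_name); only the first matching rule counts."""
    roles = set(user_roles.get(user, []))
    for rule in permissions:
        if rule_matches(rule, collection, path):
            return (rule["role"] in roles, rule["name"])
    return (None, None)                  # no rule matched: this model does not decide

# Rules and roles copied from the security.json in the thread ("index" omitted).
ALL = {"name": "all", "role": "admin"}
READ_COLL = {"name": "readColl", "collection": "Coll",
             "path": "/select/*", "role": "readColl"}
READ_ALIAS = {"name": "readSCollAlias", "collection": "sCollAlias",
              "path": "/select/*", "role": "readSCollAlias"}
USER_ROLES = {"admin": ["admin", "readSCollAlias"], "user": ["readSCollAlias"]}

AS_POSTED = [ALL, READ_COLL, READ_ALIAS]       # catch-all first
CATCHALL_LAST = [READ_COLL, READ_ALIAS, ALL]   # ordering suggested in the reply

def compare(user, collection="sCollAlias", path="/select"):
    """Evaluate the same request under both orderings."""
    return {
        "as_posted": authorize(AS_POSTED, USER_ROLES, user, collection, path),
        "catchall_last": authorize(CATCHALL_LAST, USER_ROLES, user, collection, path),
    }

if __name__ == "__main__":
    for name in ("user", "admin"):
        print(name, compare(name))
```

With the catch-all moved to the bottom, "user" is decided by the readSCollAlias rule instead of "all", while requests for collections with no specific rule still fall through to the admin-only catch-all.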