It's 7.2.1.
Thanks!

On Mon, Jun 3, 2019 at 6:26 PM Jason Gerlowski <gerlowsk...@gmail.com> wrote:
> Hi Sotiris,
>
> What version of Solr are you running? The behavior has changed some
> over time, both intentionally and due to bugs that have come and gone
> over time. I (or someone else) can explain things and offer you
> better help once we know your Solr version.
>
> Jason
>
> On Mon, Jun 3, 2019 at 12:13 PM Sotiris Fragkiskos <sfra...@gmail.com> wrote:
> >
> > Hi again,
> >
> > I moved the "all" permission to the bottom as suggested, but it still
> > doesn't work. Actually, I tried all possible combinations that I could
> > think of, but I just can't get it to work.
> > Could there be something else that I'm doing wrong? I'm a complete newbie,
> > so pretty much anything is a possibility at this point :(
> > Could it be because I use getfile/putfile commands to update the
> > security.json file? (It seems to be working, i.e. what I put with putfile
> > is later retrieved successfully with getfile.)
> > Could there be some system update/refresh mechanism that I'm not aware of
> > and is currently not taking place?
> > Could someone please ELI5 going through the rules one by one? I can't
> > exactly understand the "narrative" that's going on,
> >
> > My security.json file's "authorization" at this point looks like the
> > snippet below, and almost nothing is working (except admin, and userC who,
> > for some weird reason, can access readCollC55b, which is tied to a role
> > that the userC is NOT tied to).
> > I'm completely lost.... any pointers, anyone?
> > Mind you, I'm testing whether it works either directly in the browser by
> > prepending a "username:password@" to the URL or from the cmdline with a
> > curl command like so:
> > curl http://<user:pass>@IP/solr/collName/select?q=field:value
> >
> > Many thanks!
> > Sotiri
> >
> > "authorization":{
> >   "class":"solr.RuleBasedAuthorizationPlugin",
> >   "permissions":[
> >     {
> >       "name":"readCollA",
> >       "collection":"CollA",
> >       "path":"/select/*",
> >       "role":"readCollA",
> >       "index":1},
> >     {
> >       "name":"readCollB",
> >       "collection":"CollB",
> >       "path":"/select/*",
> >       "role":"readCollB",
> >       "index":2},
> >     {
> >       "name":"readCollC55b",
> >       "collection":"CollC55b",
> >       "path":"/select/*",
> >       "role":"readCollC55b",
> >       "index":3},
> >     {
> >       "name":"readCollCProduction",
> >       "collection":"CollCProd",
> >       "path":"/select/*",
> >       "role":"readCollCProduction",
> >       "index":4},
> >     {
> >       "name":"all",
> >       "role":"admin",
> >       "index":5}],
> >   "user-role":{
> >     "admin":[
> >       "admin",
> >       "readCollB",
> >       "readCollA",
> >       "readCollC55b",
> >       "readCollCProduction"],
> >     "userA":["readCollC55b"],
> >     "userB":["readCollC55b"],
> >     "userC":["readCollCProduction"],
> >     "userD":[
> >       "readCollCProduction",
> >       "readCollC55b",
> >       "readCollB",
> >       "readCollA"]},
> >
> > On Fri, May 31, 2019 at 9:07 PM Sotiris Fragkiskos <sfra...@gmail.com> wrote:
> >
> > > Terribly sorry about the duplicate post. It was just when I had first
> > > subscribed, I mustn't have verified my subscription because I never
> > > received any posts. I could also not find my post in the mailing list
> > > archive, so I thought it never arrived. It was only today that I tried
> > > subscribing again (+verifying) that I started receiving emails.
> > > Thanks for your explanation, I had read this in the manual but it didn't
> > > make much sense to me. I interpreted my order as: "first rule, the request
> > > is not from an admin so fail, check the next rule, it's from role readColl
> > > trying to access Coll, go ahead"
> > > I will try it as soon as I can. Thanks very much.
> > > I'm currently using 7.2.
> > >
> > > On Fri, May 31, 2019 at 8:27 PM Jason Gerlowski <gerlowsk...@gmail.com> wrote:
> > >
> > >> Hi Sotiris,
> > >>
> > >> Is this your second time asking this question here, or is there a
> > >> subtle difference I'm missing? You asked a very similar question a
> > >> week or so ago, and I replied with a few suggestions for changing your
> > >> security.json and with a few questions. In case you missed it for
> > >> whatever reason, I'll include my original response below:
> > >>
> > >> -----
> > >>
> > >> Hi Sotiris,
> > >>
> > >> First, what version of Solr are you running? We've made some fixes
> > >> recently (esp. SOLR-13355) to RBAP, and they might affect the behavior
> > >> you're seeing or any fixes we can recommend.
> > >>
> > >> Second, the order of permissions in security.json has a huge effect on
> > >> how . Solr always uses the first permission rule that matches a given
> > >> API...later rules are ignored if a match is found in earlier ones.
> > >> The first rule in your permissions block ({"name": "all", "role":
> > >> "admin"}) will match all APIs and will only allow requests through if
> > >> the requesting user has the "admin" role. So "user" being unable to
> > >> query an alias makes sense. Usually "all" and other catchall
> > >> permissions are best used at the very bottom of your permissions list.
> > >> That way the catchall is the last rule to be checked, giving other
> > >> rules a chance to match first.
> > >>
> > >> Hope that helps.
> > >>
> > >> On Fri, May 31, 2019 at 9:34 AM Sotiris Fragkiskos <sfra...@gmail.com> wrote:
> > >> >
> > >> > Hi everyone!
> > >> > I've been trying unsuccessfully to read an alias to a collection with a
> > >> > curl command.
> > >> > The command only works when I put in the admin credentials, although the
> > >> > user I want access for also has the required role for accessing.
> > >> > Is this perhaps built-in, or should anyone be able to access an alias
> > >> > from the API?
> > >> >
> > >> > The command I'm using is:
> > >> > curl http://<user>:<pass>@<solrhostname>/solr/<AliasName>/select?q=<field>:<value>
> > >> > This fails for the user but succeeds for the admin
> > >> >
> > >> > My minimum working example of security.json follows.
> > >> > Many thanks!
> > >> >
> > >> > {
> > >> >   "authentication":{
> > >> >     "blockUnknown":true,
> > >> >     "class":"solr.BasicAuthPlugin",
> > >> >     "credentials":{
> > >> >       "admin":"blahblahblah",
> > >> >       "user":"blahblah"},
> > >> >     "":{"v":13}},
> > >> >   "authorization":{
> > >> >     "class":"solr.RuleBasedAuthorizationPlugin",
> > >> >     "permissions":[
> > >> >       {
> > >> >         "name":"all",
> > >> >         "role":"admin",
> > >> >         "index":1},
> > >> >       {
> > >> >         "name":"readColl",
> > >> >         "collection":"Coll",
> > >> >         "path":"/select/*",
> > >> >         "role":"readColl",
> > >> >         "index":2},
> > >> >       {
> > >> >         "name":"readSCollAlias",
> > >> >         "collection":"sCollAlias",
> > >> >         "path":"/select/*",
> > >> >         "role":"readSCollAlias",
> > >> >         "index":3}],
> > >> >     "user-role":{
> > >> >       "admin":[
> > >> >         "admin",
> > >> >         "readSCollAlias"],
> > >> >       "user":["readSCollAlias"]},
> > >> >     "":{"v":21}}}
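
The first-match rule described in the quoted reply, as an added example that is not part of the original thread and not Solr's own code: a simplified evaluator run over the permissions from the first security.json, once with the "all" rule first and once with it last. The matching logic, the treatment of "/select/*" as covering "/select", and the allow-when-no-rule-matches default are assumptions of this model; as the thread notes, real behavior differs between Solr versions.

```python
# Added illustration: a simplified first-match evaluator, not Solr's code.
ALL_RULE = {"name": "all", "role": "admin"}
COLLECTION_RULES = [
    {"name": "readColl", "collection": "Coll",
     "path": "/select/*", "role": "readColl"},
    {"name": "readSCollAlias", "collection": "sCollAlias",
     "path": "/select/*", "role": "readSCollAlias"},
]
USER_ROLE = {"admin": ["admin", "readSCollAlias"], "user": ["readSCollAlias"]}

# The two orderings discussed in the thread.
ALL_FIRST = {"permissions": [ALL_RULE] + COLLECTION_RULES, "user-role": USER_ROLE}
ALL_LAST = {"permissions": COLLECTION_RULES + [ALL_RULE], "user-role": USER_ROLE}


def rule_matches(rule, collection, path):
    """Does this rule apply to the request? (simplified matching)"""
    if rule["name"] == "all":          # catch-all: applies to every request
        return True
    if rule.get("collection") not in (None, collection):
        return False
    pattern = rule.get("path")
    if pattern is None:
        return True
    if pattern.endswith("/*"):
        # Assumption of this model: "/select/*" covers "/select" and below.
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return path == pattern


def authorize(authz, user, collection, path):
    """Return (allowed, deciding_rule); only the first matching rule counts."""
    roles = set(authz["user-role"].get(user, []))
    for rule in authz["permissions"]:
        if rule_matches(rule, collection, path):
            return rule["role"] in roles, rule["name"]
    return True, None  # assumption: a request no rule covers is not restricted


if __name__ == "__main__":
    for label, authz in (("all first", ALL_FIRST), ("all last", ALL_LAST)):
        for user in ("admin", "user"):
            allowed, rule = authorize(authz, user, "sCollAlias", "/select")
            print(f"{label:9} {user:5} -> allowed={allowed} (rule: {rule})")
```

The deciding rule name in each result shows which entry ended the evaluation, which is the quickest way to see why a user holding the right role is still refused when a catch-all sits above the collection rules.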