Hi Salmaan,

Solr's RuleBasedAuthorizationPlugin allows requests through if none of
the specified permissions apply.  I think that's what you're running
into in your example above.  If you want to lock down a particular API
(or set of APIs) then you need to explicitly add a permission that
restricts those APIs to a particular role.

One way to get the behavior that it sounds like you're looking for
would be to add a catch-all permission at the bottom of your
permissions list that restricts all other APIs to "admin".  This would
look a bit like:

 "permissions":[
    {
        "name":"security-edit",
        "role":"admin"
    },
    {
        "collection": ["Collection1", "Collection2"],
        "name": ["update", "read"],
        "role": "dev"
    },
    {
        "name": "all",
        "role": "admin"
    }
 ]

Hope that helps get you started.

Best,

Jason
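An added illustration of the fall-through behaviour described in the reply above (example code written for this page, not Solr's own code and not part of the original thread): a small Python model of the ordered permission walk. The table of predefined permission names is a hand-picked subset of Solr's and the request shape is invented for the example; Solr's real matcher also handles `path`, `params` and wildcards, which are left out here. The posted config lists several names under one `"name"` key, so the model accepts a list there even though Solr documents `name` as a single string.

```python
"""Model of RuleBasedAuthorizationPlugin's rule walk: permissions are
checked in order, the first one that applies decides, and a request that
matches no permission is let through.  Added example, not Solr code."""

# Assumption: reduced subset of Solr's predefined permissions.
# paths=None means any handler; collection_level=None means both kinds.
PREDEFINED = {
    "read":          {"paths": {"/select", "/get", "/export", "/stream", "/terms"},
                      "collection_level": True,  "method": None},
    "update":        {"paths": {"/update"},
                      "collection_level": True,  "method": None},
    "security-edit": {"paths": {"/admin/authentication", "/admin/authorization"},
                      "collection_level": False, "method": "POST"},
    "all":           {"paths": None,
                      "collection_level": None,  "method": None},
}


def _as_list(value):
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def permission_matches(perm, request):
    """True if one permission entry applies to the request."""
    for name in _as_list(perm.get("name")):   # list accepted to mirror the posted config
        spec = PREDEFINED[name]
        if spec["paths"] is not None and request["path"] not in spec["paths"]:
            continue
        if spec["method"] and request["method"] != spec["method"]:
            continue
        is_collection_req = request["collection"] is not None
        if spec["collection_level"] is True and not is_collection_req:
            continue
        if spec["collection_level"] is False and is_collection_req:
            continue
        allowed = _as_list(perm.get("collection"))
        if allowed and request["collection"] not in allowed:
            continue
        return True
    return False


def authorize(security, user, request):
    """First matching permission decides; no match means the request passes."""
    roles = set(_as_list(security["authorization"]["user-role"].get(user)))
    for perm in security["authorization"]["permissions"]:
        if permission_matches(perm, request):
            required = set(_as_list(perm.get("role")))
            if not required:              # "role": null opens the rule to everyone
                return "allow"
            return "allow" if roles & required else "forbidden"
    return "allow (no rule matched)"


# The two configs from the thread: without and with the "all" catch-all.
BASE_AUTHZ = {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {"solr-admin": "admin", "solr-user": "dev"},
    "permissions": [
        {"name": "security-edit", "role": "admin"},
        {"collection": ["Collection1", "Collection2"], "name": ["update", "read"], "role": "dev"},
    ],
}
WITHOUT_CATCH_ALL = {"authorization": BASE_AUTHZ}
WITH_CATCH_ALL = {"authorization": {**BASE_AUTHZ, "permissions":
                  BASE_AUTHZ["permissions"] + [{"name": "all", "role": "admin"}]}}


def req(path, collection=None, method="GET"):
    return {"path": path, "collection": collection, "method": method}


# Constructed sample requests; collection=None models node-level admin APIs.
REQUESTS = {
    "dev reads Collection1":     ("solr-user",  req("/select", "Collection1")),
    "dev updates Collection1":   ("solr-user",  req("/update", "Collection1", "POST")),
    "dev reads Collection3":     ("solr-user",  req("/select", "Collection3")),
    "dev deletes a collection":  ("solr-user",  req("/admin/collections")),
    "dev edits security.json":   ("solr-user",  req("/admin/authorization", method="POST")),
    "admin reads Collection3":   ("solr-admin", req("/select", "Collection3")),
}


def compare(security_a, security_b):
    """Decision for every sample request under both configs."""
    return {label: (authorize(security_a, u, r), authorize(security_b, u, r))
            for label, (u, r) in REQUESTS.items()}


if __name__ == "__main__":
    for label, (before, after) in compare(WITHOUT_CATCH_ALL, WITH_CATCH_ALL).items():
        print(f"{label:26} without catch-all: {before:24} with catch-all: {after}")
```

Running it shows why the dev user could do "all sorts of things": a read on Collection3 or a call to /admin/collections matches neither the `security-edit` rule nor the Collection1/Collection2 rule, so it falls off the end of the list and is allowed. With the trailing `all` rule the same requests are forbidden for `dev` and still allowed for `admin`. Note the same trap in reverse: once `all` is present, any API the admin needs must be reachable by a role the admin holds, since the catch-all now denies everything that is not explicitly granted.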

On Tue, Aug 20, 2019 at 3:19 AM Salmaan Rashid Syed
<salmaan.ras...@mroads.com> wrote:
>
> Hi Solr Users,
>
> I want to create a user that has restricted access to Solr. I did the
> following:
>
>
>    {
>      "authentication":{
>        "blockUnknown": true,
>        "class":"solr.BasicAuthPlugin",
>        "credentials":{
>          "solr-admin":"2IUJD9dxRhxSXaJGdMP5z8ggSn4I285Ty9GCWeRNMUg= /sSNJJufPtj4baRizoJshJawFsWvopvZSqZpQ/Nwd78=",
>          "solr-user":"p+XwOh15p/rvFltv2LXP1CwtbvwBgGlC9qcDKxV73B4= DcNsjfA6Wf16V1XKT+YraosSFQ5Cr3eRUX6BQnx9XKA="
>        }
>      },
>      "authorization":{
>        "class":"solr.RuleBasedAuthorizationPlugin",
>        "user-role":{"solr-admin":"admin", "solr-user":"dev"},
>        "permissions":[
>          {
>            "name":"security-edit",
>            "role":"admin"
>          },
>          {
>            "collection": ["Collection1", "Collection2"],
>            "name": ["update", "read"],
>            "role": "dev"
>          }
>        ]
>      }
>    }
>
>
> But when I log into the Solr admin dashboard using solr-user credentials,
> I can read, select, write, update, delete collections and do all sorts of
> things like a solr-admin can do.
>
> I want solr-user to be able to access only *Collection1* and *Collection2*
> and be able to only *update* and *read*. He should not be able to access
> other collections or do anything apart from the above-mentioned role.
>
> Where am I exactly going wrong?
>
> Thanks and Regards,
> Salmaan