Hi Jason,

Is there a way to fix this in version 7.6?

Or is it mandatory to upgrade to other versions? If I have to upgrade to a higher version, then what is the best way to do this without affecting the current configuration and indexed data?

Thanks,
Salmaan

On Wed, Aug 21, 2019 at 4:13 PM Salmaan Rashid Syed <salmaan.ras...@mroads.com> wrote:

> Hi Jason,
>
> I am using version 7.6 of Solr.
>
> Thanks,
> Salmaan
>
> On Wed, Aug 21, 2019 at 4:12 PM Jason Gerlowski <gerlowsk...@gmail.com> wrote:
>
>> The "all" permissions _should_ block solr-user from accessing all of those resources, and I believe it does in newer versions of Solr. There was a bug with it that was fixed a few versions back though; it sounds like you might be running into that. (see https://issues.apache.org/jira/browse/SOLR-13355) What version of Solr are you using?
>>
>> Jason
>>
>> On Wed, Aug 21, 2019 at 5:21 AM Salmaan Rashid Syed <salmaan.ras...@mroads.com> wrote:
>> >
>> > Hi Jason,
>> >
>> > Thanks for your prompt reply.
>> >
>> > Your code does address a few of my concerns, like restricting *solr-user* from accessing the dashboard and from executing other request methods apart from *"update"* and *"read"*.
>> >
>> > But I am still able to access other collections such as *"Collection3", "Collection4"* and so on, apart from the intended two collections entered in the code. I can give *"update"* and *"read"* requests to these external collections, which solr-user should not be able to do.
>> >
>> > Moreover, solr-user can look at the *http://localhost:8983/solr/admin/authentication* link, which lists the users and their *SHA256* coded passwords. How can I hide this and restrict access to other collections?
>> >
>> > Thanks and regards
>> > Salmaan
>> >
>> > On Wed, Aug 21, 2019 at 5:07 AM Jason Gerlowski <gerlowsk...@gmail.com> wrote:
>> >
>> > > Hi Salmaan,
>> > >
>> > > Solr's RuleBasedAuthorizationPlugin allows requests through if none of the specified permissions apply. I think that's what you're running into in your example above. If you want to lock down a particular API (or set of APIs) then you need to explicitly add a permission that restricts those APIs to a particular role.
>> > >
>> > > One way to get the behavior that it sounds like you're looking for would be to add a catch-all permission at the bottom of your permissions list that restricts all other APIs to "admin". This would look a bit like:
>> > >
>> > > "permissions":[
>> > >   {
>> > >     "name":"security-edit",
>> > >     "role":"admin"
>> > >   },
>> > >   {
>> > >     "collection": ["Collection1", "Collection2"],
>> > >     "name": ["update", "read"],
>> > >     "role": "dev"
>> > >   },
>> > >   {
>> > >     "name": "all",
>> > >     "role": "admin"
>> > >   }
>> > > ]
>> > >
>> > > Hope that helps get you started.
>> > >
>> > > Best,
>> > >
>> > > Jason
>> > >
>> > > On Tue, Aug 20, 2019 at 3:19 AM Salmaan Rashid Syed <salmaan.ras...@mroads.com> wrote:
>> > > >
>> > > > Hi Solr Users,
>> > > >
>> > > > I want to create a user that has restricted access to Solr. I did the following:
>> > > >
>> > > > {
>> > > >   "authentication":{
>> > > >     "blockUnknown": true,
>> > > >     "class":"solr.BasicAuthPlugin",
>> > > >     "credentials":{
>> > > >       "solr-admin": "2IUJD9dxRhxSXaJGdMP5z8ggSn4I285Ty9GCWeRNMUg= /sSNJJufPtj4baRizoJshJawFsWvopvZSqZpQ/Nwd78=",
>> > > >       "solr-user": "p+XwOh15p/rvFltv2LXP1CwtbvwBgGlC9qcDKxV73B4= DcNsjfA6Wf16V1XKT+YraosSFQ5Cr3eRUX6BQnx9XKA="
>> > > >     }
>> > > >   },
>> > > >   "authorization":{
>> > > >     "class":"solr.RuleBasedAuthorizationPlugin",
>> > > >     "user-role":{"solr-admin":"admin", "solr-user":"dev"},
>> > > >     "permissions":[
>> > > >       {
>> > > >         "name":"security-edit",
>> > > >         "role":"admin"
>> > > >       },
>> > > >       {
>> > > >         "collection": ["Collection1", "Collection2"],
>> > > >         "name": ["update", "read"],
>> > > >         "role": "dev"
>> > > >       }
>> > > >     ]
>> > > >   }
>> > > > }
>> > > >
>> > > > But when I log into the Solr admin dashboard using solr-user credentials, I can read, select, write, update, delete collections and do all sorts of things like a solr-admin can do.
>> > > >
>> > > > I want solr-user to be able to access only *Collection1* and *Collection2* and be able to only *update* and *read*. He should not be able to access other collections and do anything apart from the above mentioned role.
>> > > >
>> > > > Where am I exactly going wrong?
>> > > >
>> > > > Thanks and Regards,
>> > > > Salmaan
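Added example (not from the thread, not Solr's own code): a small Python model of the evaluation order Jason describes, so the three configurations discussed above can be compared offline. It reproduces only the documented rules that matter here: permissions are checked top to bottom and the first matching entry decides; a request that matches no entry is allowed; `security-edit` covers POSTs to the security endpoints while a GET of `/admin/authentication` is governed by `security-read`. It models the intended semantics, not the 7.6 bug Jason mentions. The path sets under `PREDEFINED` are an assumption and deliberately incomplete; real Solr maps many more handlers.

```python
"""Model of how Solr's RuleBasedAuthorizationPlugin walks a permissions
list (added illustration, not Solr code).  Rules modelled:

  1. entries are evaluated top to bottom; the first one whose method,
     collection and path match the request decides the outcome;
  2. a request that matches no entry at all is ALLOWED;
  3. security-edit covers POST to the security endpoints, security-read
     covers GET of them.

PREDEFINED is an ASSUMED, partial map of permission names to
(allowed_methods, paths); None means "any".
"""

PREDEFINED = {
    "read":          (None,     {"/select", "/get", "/export"}),
    "update":        (None,     {"/update"}),
    "security-edit": ({"POST"}, {"/admin/authentication", "/admin/authorization"}),
    "security-read": ({"GET"},  {"/admin/authentication", "/admin/authorization"}),
    "all":           (None,     None),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(perm, method, collection, path):
    """Does this permission entry apply to the request?"""
    if "collection" in perm:
        scope = perm["collection"]
        if scope is None:                 # "collection": null => node-level only
            if collection is not None:
                return False
        elif collection not in _as_list(scope):
            return False
    # no "collection" key: applies to every request, node-level included
    for name in _as_list(perm["name"]):
        methods, paths = PREDEFINED[name]
        if methods is not None and method not in methods:
            continue
        if paths is None or path in paths:
            return True
    return False


def authorize(config, user, method, collection, path):
    """Return (allowed, deciding_entry); collection is None for node-level paths."""
    roles = _as_list(config["user-role"].get(user, []))
    for perm in config["permissions"]:
        if _matches(perm, method, collection, path):
            granted = any(r in _as_list(perm["role"]) for r in roles)
            return granted, perm
    # Nothing matched: Solr lets the request through.  This is why solr-user
    # could read Collection3 and GET /admin/authentication in the thread.
    return True, None


# Constructed configs mirroring the thread (authorization section only).
ORIGINAL = {
    "user-role": {"solr-admin": "admin", "solr-user": "dev"},
    "permissions": [
        {"name": "security-edit", "role": "admin"},
        {"collection": ["Collection1", "Collection2"],
         "name": ["update", "read"], "role": "dev"},
    ],
}

# Jason's fix: an "all" entry at the END hands everything else to admin.
HARDENED = {
    "user-role": ORIGINAL["user-role"],
    "permissions": ORIGINAL["permissions"] + [{"name": "all", "role": "admin"}],
}

# Same entries, wrong order: "all" first shadows the dev rule entirely.
MISORDERED = {
    "user-role": ORIGINAL["user-role"],
    "permissions": [{"name": "all", "role": "admin"}] + ORIGINAL["permissions"],
}

if __name__ == "__main__":
    cases = [
        ("solr-user", "POST", "Collection1", "/update"),
        ("solr-user", "GET", "Collection3", "/select"),
        ("solr-user", "GET", None, "/admin/authentication"),
        ("solr-admin", "GET", "Collection3", "/select"),
    ]
    for label, cfg in (("original", ORIGINAL), ("hardened", HARDENED),
                       ("misordered", MISORDERED)):
        for user, method, coll, path in cases:
            allowed, _ = authorize(cfg, user, method, coll, path)
            print(f"{label:10} {user:10} {method:4} {str(coll):12} {path:22} -> {allowed}")
```

Running it shows the original config letting solr-user into Collection3 and the authentication listing because no entry matched, the hardened config denying both while still permitting update/read on Collection1 and Collection2, and the misordered config denying solr-user everything, which is why the catch-all has to stay at the bottom.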