Ah, ok. SOLR-13355 still affects 7.6, so that explains why you're
seeing this behavior.
You could upgrade to get the new behavior, but you don't need to-
there's a workaround. You just need to add a few extra rules to your
security.json. The problem in SOLR-13355 is that the "all" permission
isn't being considered for APIs that are covered by other predefined
permissions. So the workaround is to add a permission rule for each
of the predefined permissions, locking them down to the "admin" role.
It really bloats security.json, but should do the job. So your
security.json should have a permissions section that looks like the
JSON below:
{"name": "dev-read", "collection": ["collection1", "collection2"],
"role": "dev"},
{"name": "security-edit", "role": "admin"},
{"name": "security-read", "role": "admin"},
{"name": "schema-edit", "role": "admin"},
{"name": "schema-read", "role": "admin"},
{"name": "config-edit", "role": "admin"},
{"name": "config-read", "role": "admin"},
{"name": "core-admin-edit", "role": "admin"},
{"name": "core-admin-read", "role": "admin"},
{"name": "collection-api-edit", "role": "admin"},
{"name": "collection-api-read", "role": "admin"},
{"name": "read", "role": "admin"},
{"name": "update", "role": "admin"},
{"name": "all", "role": "admin"}
Hope that helps. Let me know if that still has any problems for you.
Jason
On Wed, Aug 21, 2019 at 6:48 AM Salmaan Rashid Syed
<salmaan.ras...@mroads.com> wrote:
>
> Hi Jason,
>
> Is there a way to fix this in version 7.6?
>
> Or is it mandatory to upgrade to other versions?
>
> If I have to upgrade to a higher version, then what is the best way to do
> this without effecting the current configuration and indexed data?
>
> Thanks,
> Salmaan
>
>
>
> On Wed, Aug 21, 2019 at 4:13 PM Salmaan Rashid Syed <
> salmaan.ras...@mroads.com> wrote:
>
> > Hi Jason,
> >
> > I am using version 7.6 of Solr.
> >
> > Thanks,
> > Salmaan
> >
> >
> >
> > On Wed, Aug 21, 2019 at 4:12 PM Jason Gerlowski <gerlowsk...@gmail.com>
> > wrote:
> >
> >> The "all" permissions _should_ block solr-user from accessing all of
> >> those resources, and I believe it does in newer versions of Solr.
> >> There was a bug with it that was fixed a few versions back though- it
> >> sounds like you might be running into that. (see
> >> https://issues.apache.org/jira/browse/SOLR-13355) What version of Solr
> >> are you using?
> >>
> >> Jason
> >>
> >>
> >>
> >> On Wed, Aug 21, 2019 at 5:21 AM Salmaan Rashid Syed
> >> <salmaan.ras...@mroads.com> wrote:
> >> >
> >> > Hi Jason,
> >> >
> >> > Thanks for your prompt reply.
> >> >
> >> > Your code does address few of my concerns like restricting *solr-user*
> >> from
> >> > accessing the dashboard and from executing other request methods apart
> >> from
> >> > *"update"* and *"read"*.
> >> >
> >> > But I am still able to access other collections such as *"Collection3",
> >> > "Collection4"* and so on, apart from the intended two collection
> >> entered in
> >> > the code. I can give *"update"* and *"read" *requests to these external
> >> > Collections which solr-user should not be able to do.
> >> >
> >> > Moreover solr-user can look at the
> >> > *http://localhost:8983/solr/admin/authentication
> >> > <http://localhost:8983/solr/admin/authentication>* link which lists the
> >> > users and their *SHA256* coded passwords. How can I hide this and
> >> restrict
> >> > access to other collections?
> >> >
> >> > Thanks and regards
> >> > Salmaan
> >> >
> >> >
> >> > On Wed, Aug 21, 2019 at 5:07 AM Jason Gerlowski <gerlowsk...@gmail.com>
> >> > wrote:
> >> >
> >> > > Hi Salmaan,
> >> > >
> >> > > Solr's RuleBasedAuthorizationPlugin allows requests through if none of
> >> > > the specified permissions apply. I think that's what you're running
> >> > > into in your example above. If you want to lockdown a particular API
> >> > > (or set of APIs) then you need to explicitly add a permission that
> >> > > restricts those APIs to a particular role.
> >> > >
> >> > > One way to get the behavior that it sounds like you're looking for
> >> > > would be to add a catch-all permission at the bottom of your
> >> > > permissions list that restricts all other APIs to "admin". This would
> >> > > look a bit like:
> >> > >
> >> > > "permissions":[
> >> > > {
> >> > > "name":"security-edit",
> >> > > "role":"admin"
> >> > > },
> >> > > {
> >> > > "collection": ["Collection1", "Collection2"],
> >> > > "name": ["update", "read"],
> >> > > "role": "dev"
> >> > > },
> >> > > {
> >> > > "name": "all",
> >> > > "role": "admin"
> >> > > }
> >> > > ]
> >> > >
> >> > > Hope that helps get you started.
> >> > >
> >> > > Best,
> >> > >
> >> > > Jason
> >> > >
> >> > > On Tue, Aug 20, 2019 at 3:19 AM Salmaan Rashid Syed
> >> > > <salmaan.ras...@mroads.com> wrote:
> >> > > >
> >> > > > Hi Solr Users,
> >> > > >
> >> > > > I want to create a user that has restricted access to Solr. I did
> >> the
> >> > > > follwowing:-
> >> > > >
> >> > > >
> >> > > > 1. {
> >> > > > 2. "authentication":{
> >> > > > 3. "blockUnknown": true,
> >> > > > 4. "class":"solr.BasicAuthPlugin",
> >> > > > 5. "credentials":{
> >> > > > 6. "solr-admin":
> >> > > > "2IUJD9dxRhxSXaJGdMP5z8ggSn4I285Ty9GCWeRNMUg=
> >> > > > /sSNJJufPtj4baRizoJshJawFsWvopvZSqZpQ/Nwd78="
> >> > > > ,
> >> > > > 7. "solr-user":
> >> > > > "p+XwOh15p/rvFltv2LXP1CwtbvwBgGlC9qcDKxV73B4=
> >> > > > DcNsjfA6Wf16V1XKT+YraosSFQ5Cr3eRUX6BQnx9XKA="
> >> > > >
> >> > > > 8. }
> >> > > > 9. },
> >> > > > 10. "authorization":{
> >> > > > 11. "class":"solr.RuleBasedAuthorizationPlugin",
> >> > > > 12. "user-role":{"solr-admin":"admin", "solr-user":"dev"},
> >> > > > 13. "permissions":[
> >> > > > 14. {
> >> > > > 15. "name":"security-edit",
> >> > > > 16. "role":"admin"
> >> > > > 17. },
> >> > > > 18. {
> >> > > > 19. "collection": ["Collection1", "Collection2"],
> >> > > > 20. "name": ["update", "read"],
> >> > > > 21. "role": "dev"
> >> > > > 22. }
> >> > > > 23. ]
> >> > > > 24. }}
> >> > > >
> >> > > >
> >> > > > But when Login intot the Solr admin dash-board using Solr-user
> >> > > credentials,
> >> > > > I can read, select, write, update, delete collections and do all
> >> sorts of
> >> > > > things like a solr-admin can do.
> >> > > >
> >> > > > I want solr-user to be able to access only *Collection1* and
> >> > > *Collection2*
> >> > > > and be able to only *update *and *read*. He should not be able to
> >> access
> >> > > > other collections and do anything apart from the above mentioned
> >> role.
> >> > > >
> >> > > > Where am I exactly going wrong?
> >> > > >
> >> > > > Thanks and Regards,
> >> > > > Salmaan
> >> > >
> >>
> >
