Thanks a lot Jason,

I will try this out and let you know.

Thanks again.

On Wed 28 Aug, 2019, 7:45 PM Jason Gerlowski, <gerlowsk...@gmail.com> wrote:

> Hi Salmaan,
>
> Are you still seeing this behavior, or were you able to figure things out?
>
> I just got a chance to try out the security.json in Solr 7.6 myself,
> and I can't reproduce the behavior you're seeing.
>
> It might be helpful to level set here.  Make sure that our
> security.json settings and our test requests are exactly the same.
>
> This is the security.json I used in my test deployment:
>
> {
>   "authentication":{
>    "blockUnknown": true,
>    "class":"solr.BasicAuthPlugin",
>    "credentials":{
>      "solr":"gP31s0FQevh3k0i0y6g9AP/TZLWctxfZjtC9sOh8vZU= J7an406gVyx4v4CkR8YLgmhClk9Yv/fIBSfZoi1f0kY=",
>      "solr-user":"gP31s0FQevh3k0i0y6g9AP/TZLWctxfZjtC9sOh8vZU= J7an406gVyx4v4CkR8YLgmhClk9Yv/fIBSfZoi1f0kY="
>    }
>   },
>   "authorization":{
>    "class":"solr.RuleBasedAuthorizationPlugin",
>    "permissions":[
>       {"name": "dev-read", "collection": ["collection1", "collection2"], "role": ["dev", "admin"] },
>       {"name": "security-edit", "role": "admin"},
>       {"name": "security-read", "role": "admin"},
>       {"name": "schema-edit", "role": "admin"},
>       {"name": "schema-read", "role": "admin"},
>       {"name": "config-edit", "role": "admin"},
>       {"name": "config-read", "role": "admin"},
>       {"name": "core-admin-edit", "role": "admin"},
>       {"name": "core-admin-read", "role": "admin"},
>       {"name": "collection-api-edit", "role": "admin"},
>       {"name": "collection-api-read", "role": "admin"},
>       {"name": "read", "role": "admin"},
>       {"name": "update", "role": "admin"},
>       {"name": "all", "role": "admin"}
>    ],
>    "user-role":{
>      "solr":"admin",
>      "solr-user": "dev"
>    }
>   }
> }
>
> And this is the output of a script I use to test permissions quickly:
>
> $ ./test-security.sh
>
> Testing permissions for user [solr]
>     Request [/admin/collections?action=LIST] returned status [200]
>     Request [/collection1/select?q=*:*] returned status [200]
>     Request [/collection2/select?q=*:*] returned status [200]
>     Request [/collection3/select?q=*:*] returned status [200]
>
> Testing permissions for user [solr-user]
>     Request [/admin/collections?action=LIST] returned status [403]
>     Request [/collection1/select?q=*:*] returned status [200]
>     Request [/collection2/select?q=*:*] returned status [200]
>     Request [/collection3/select?q=*:*] returned status [403]
>
> You can find this script here, to see the exact curl commands being
> used and run it yourself: https://paste.apache.org/tjtdg
>
> That output looks correct to me.  solr-user is prevented from
> accessing other APIs and other collections, but can access collection1
> and collection2.
>
> Does your security.json match mine, or do the permissions differ in
> some way?  Can you still reproduce the behavior using my script?
>
> Good luck,
>
> Jason
>
> On Thu, Aug 22, 2019 at 2:13 AM Salmaan Rashid Syed
> <salmaan.ras...@mroads.com> wrote:
> >
> > Hi,
> >
> > Any suggestions as to what can be done?
> >
> > Regards,
> > Salmaan
> >
> >
> > On Wed, Aug 21, 2019 at 4:33 PM Jason Gerlowski <gerlowsk...@gmail.com>
> > wrote:
> >
> > > Ah, ok.  SOLR-13355 still affects 7.6, so that explains why you're
> > > seeing this behavior.
> > >
> > > You could upgrade to get the new behavior, but you don't need to:
> > > there's a workaround.  You just need to add a few extra rules to your
> > > security.json.  The problem in SOLR-13355 is that the "all" permission
> > > isn't being considered for APIs that are covered by other predefined
> > > permissions.  So the workaround is to add a permission rule for each
> > > of the predefined permissions, locking them down to the "admin" role.
> > > It really bloats security.json, but should do the job.  So your
> > > security.json should have a permissions section that looks like the
> > > JSON below:
> > >
> > > {"name": "dev-read", "collection": ["collection1", "collection2"],
> > > "role": "dev"},
> > > {"name": "security-edit", "role": "admin"},
> > > {"name": "security-read", "role": "admin"},
> > > {"name": "schema-edit", "role": "admin"},
> > > {"name": "schema-read", "role": "admin"},
> > > {"name": "config-edit", "role": "admin"},
> > > {"name": "config-read", "role": "admin"},
> > > {"name": "core-admin-edit", "role": "admin"},
> > > {"name": "core-admin-read", "role": "admin"},
> > > {"name": "collection-api-edit", "role": "admin"},
> > > {"name": "collection-api-read", "role": "admin"},
> > > {"name": "read", "role": "admin"},
> > > {"name": "update", "role": "admin"},
> > > {"name": "all", "role": "admin"}
> > >
> > > Hope that helps.  Let me know if that still has any problems for you.
> > >
> > > Jason
> > >
> > > On Wed, Aug 21, 2019 at 6:48 AM Salmaan Rashid Syed
> > > <salmaan.ras...@mroads.com> wrote:
> > > >
> > > > Hi Jason,
> > > >
> > > > Is there a way to fix this in version 7.6?
> > > >
> > > > Or is it mandatory to upgrade to other versions?
> > > >
> > > > If I have to upgrade to a higher version, then what is the best way
> > > > to do this without affecting the current configuration and indexed data?
> > > >
> > > > Thanks,
> > > > Salmaan
> > > >
> > > >
> > > >
> > > > On Wed, Aug 21, 2019 at 4:13 PM Salmaan Rashid Syed <salmaan.ras...@mroads.com> wrote:
> > > >
> > > > > Hi Jason,
> > > > >
> > > > > I am using version 7.6 of Solr.
> > > > >
> > > > > Thanks,
> > > > > Salmaan
> > > > >
> > > > >
> > > > >
> > > > > On Wed, Aug 21, 2019 at 4:12 PM Jason Gerlowski <gerlowsk...@gmail.com> wrote:
> > > > >
> > > > >> The "all" permission _should_ block solr-user from accessing all
> > > > >> of those resources, and I believe it does in newer versions of Solr.
> > > > >> There was a bug with it that was fixed a few versions back,
> > > > >> though; it sounds like you might be running into that. (see
> > > > >> https://issues.apache.org/jira/browse/SOLR-13355) What version of
> > > > >> Solr are you using?
> > > > >>
> > > > >> Jason
> > > > >>
> > > > >>
> > > > >>
> > > > >> On Wed, Aug 21, 2019 at 5:21 AM Salmaan Rashid Syed
> > > > >> <salmaan.ras...@mroads.com> wrote:
> > > > >> >
> > > > >> > Hi Jason,
> > > > >> >
> > > > >> > Thanks for your prompt reply.
> > > > >> >
> > > > >> > Your code does address a few of my concerns, like restricting
> > > > >> > *solr-user* from accessing the dashboard and from executing other
> > > > >> > request methods apart from *"update"* and *"read"*.
> > > > >> >
> > > > >> > But I am still able to access other collections such as
> > > > >> > *"Collection3", "Collection4"* and so on, apart from the intended two
> > > > >> > collections entered in the code. I can send *"update"* and *"read"*
> > > > >> > requests to these external collections, which solr-user should not
> > > > >> > be able to do.
> > > > >> >
> > > > >> > Moreover, solr-user can look at the
> > > > >> > *http://localhost:8983/solr/admin/authentication* link, which lists
> > > > >> > the users and their *SHA256* coded passwords. How can I hide this
> > > > >> > and restrict access to other collections?
> > > > >> >
> > > > >> > Thanks and regards
> > > > >> > Salmaan
> > > > >> >
> > > > >> >
> > > > >> > On Wed, Aug 21, 2019 at 5:07 AM Jason Gerlowski <gerlowsk...@gmail.com> wrote:
> > > > >> >
> > > > >> > > Hi Salmaan,
> > > > >> > >
> > > > >> > > Solr's RuleBasedAuthorizationPlugin allows requests through if
> > > > >> > > none of the specified permissions apply.  I think that's what you're
> > > > >> > > running into in your example above.  If you want to lock down a
> > > > >> > > particular API (or set of APIs) then you need to explicitly add a
> > > > >> > > permission that restricts those APIs to a particular role.
> > > > >> > >
> > > > >> > > One way to get the behavior that it sounds like you're looking for
> > > > >> > > would be to add a catch-all permission at the bottom of your
> > > > >> > > permissions list that restricts all other APIs to "admin".  This
> > > > >> > > would look a bit like:
> > > > >> > >
> > > > >> > >  "permissions":[
> > > > >> > >     {
> > > > >> > >         "name":"security-edit",
> > > > >> > >         "role":"admin"
> > > > >> > >     },
> > > > >> > >     {
> > > > >> > >         "collection": ["Collection1", "Collection2"],
> > > > >> > >         "name": ["update", "read"],
> > > > >> > >         "role": "dev"
> > > > >> > >     },
> > > > >> > >     {
> > > > >> > >         "name": "all",
> > > > >> > >         "role": "admin"
> > > > >> > >     }
> > > > >> > > ]
> > > > >> > >
> > > > >> > > Hope that helps get you started.
> > > > >> > >
> > > > >> > > Best,
> > > > >> > >
> > > > >> > > Jason
> > > > >> > >
> > > > >> > > On Tue, Aug 20, 2019 at 3:19 AM Salmaan Rashid Syed
> > > > >> > > <salmaan.ras...@mroads.com> wrote:
> > > > >> > > >
> > > > >> > > > Hi Solr Users,
> > > > >> > > >
> > > > >> > > > I want to create a user that has restricted access to Solr. I
> > > > >> > > > did the following:
> > > > >> > > >
> > > > >> > > >
> > > > >> > > > {
> > > > >> > > > "authentication":{
> > > > >> > > >    "blockUnknown": true,
> > > > >> > > >    "class":"solr.BasicAuthPlugin",
> > > > >> > > >    "credentials":{
> > > > >> > > >      "solr-admin": "2IUJD9dxRhxSXaJGdMP5z8ggSn4I285Ty9GCWeRNMUg= /sSNJJufPtj4baRizoJshJawFsWvopvZSqZpQ/Nwd78=",
> > > > >> > > >      "solr-user": "p+XwOh15p/rvFltv2LXP1CwtbvwBgGlC9qcDKxV73B4= DcNsjfA6Wf16V1XKT+YraosSFQ5Cr3eRUX6BQnx9XKA="
> > > > >> > > >    }
> > > > >> > > > },
> > > > >> > > > "authorization":{
> > > > >> > > >    "class":"solr.RuleBasedAuthorizationPlugin",
> > > > >> > > >    "user-role":{"solr-admin":"admin", "solr-user":"dev"},
> > > > >> > > >    "permissions":[
> > > > >> > > >       {
> > > > >> > > >        "name":"security-edit",
> > > > >> > > >        "role":"admin"
> > > > >> > > >       },
> > > > >> > > >       {
> > > > >> > > >         "collection": ["Collection1", "Collection2"],
> > > > >> > > >         "name": ["update", "read"],
> > > > >> > > >         "role": "dev"
> > > > >> > > >       }
> > > > >> > > >       ]
> > > > >> > > > }}
> > > > >> > > >
> > > > >> > > >
> > > > >> > > > But when I log in to the Solr admin dashboard using solr-user
> > > > >> > > > credentials, I can read, select, write, update, delete collections
> > > > >> > > > and do all sorts of things like a solr-admin can do.
> > > > >> > > >
> > > > >> > > > I want solr-user to be able to access only *Collection1* and
> > > > >> > > > *Collection2* and be able to only *update* and *read*. He should
> > > > >> > > > not be able to access other collections or do anything apart from
> > > > >> > > > the above mentioned role.
> > > > >> > > >
> > > > >> > > > Where am I exactly going wrong?
> > > > >> > > >
> > > > >> > > > Thanks and Regards,
> > > > >> > > > Salmaan
> > > > >> > >
> > > > >>
> > > > >
> > >
>
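
A simplified model of the rule evaluation this thread describes, added here as an illustration; it is not Solr's code and not Jason's test script. The names `classify`, `authorize` and `permission_matrix` are hypothetical, the request-to-permission mapping in `classify` is an assumption that covers only the handlers mentioned in the thread, and the dev rule in the workaround config is written in Salmaan's `"name": ["update", "read"]` form rather than Jason's `dev-read` entry, because the model only understands predefined permission names. The model assumes what Jason states: rules are checked in order, the first match decides, and a request that matches no rule is allowed through. The `solr_13355` flag models the bug as Jason describes it (the "all" rule is skipped for APIs already covered by another predefined permission), so the same matrix can be run against Salmaan's original config, the config with a catch-all, and the per-permission workaround.

```python
"""Simplified model of Solr's RuleBasedAuthorizationPlugin rule evaluation.

Illustration only, not Solr's code. Assumed semantics: a request maps to one
predefined permission name by path and method; rules are checked in list order
and the first match decides; a request that matches no rule is allowed through;
"all" matches every request. solr_13355=True models the bug as the thread
describes it: "all" is skipped for APIs covered by another predefined permission.
"""

PREDEFINED = ["security-edit", "security-read", "schema-edit", "schema-read",
              "config-edit", "config-read", "core-admin-edit", "core-admin-read",
              "collection-api-edit", "collection-api-read", "read", "update", "all"]


def _as_list(value):
    """security.json accepts a string or a list for name/role/collection."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def classify(path, method="GET"):
    """Map a request to (predefined permission name, collection or None).

    Hypothetical mapping that covers only the handlers used in the thread.
    """
    if path.startswith("/admin/authentication") or path.startswith("/admin/authorization"):
        return ("security-read" if method == "GET" else "security-edit"), None
    if path.startswith("/admin/collections"):
        action = path.partition("action=")[2].split("&")[0].upper()
        return ("collection-api-read" if action == "LIST" else "collection-api-edit"), None
    collection, _, handler = path.lstrip("/").partition("/")
    handler = handler.split("?")[0]
    if handler in ("select", "update"):
        return ("read" if handler == "select" else "update"), collection
    return None, collection or None


def authorize(authz, user, path, method="GET", solr_13355=False):
    """Return the status the model predicts: 200 allowed, 403 denied."""
    user_roles = set(_as_list(authz["user-role"].get(user)))
    api, collection = classify(path, method)
    for rule in authz["permissions"]:
        names = _as_list(rule["name"])
        if "all" in names:
            if solr_13355 and api is not None:
                continue  # bug: catch-all ignored for APIs that have their own permission
            matched = True
        else:
            in_scope = "collection" not in rule or collection in _as_list(rule["collection"])
            matched = api in names and in_scope
        if matched:  # first matching rule decides, based on the roles the user holds
            return 200 if user_roles & set(_as_list(rule["role"])) else 403
    return 200  # no rule applied, so the request passes through


# Constructed configs mirroring the thread (authentication section omitted).
SALMAAN_ORIGINAL = {
    "user-role": {"solr-admin": "admin", "solr-user": "dev"},
    "permissions": [
        {"name": "security-edit", "role": "admin"},
        {"collection": ["Collection1", "Collection2"], "name": ["update", "read"], "role": "dev"},
    ],
}
# Jason's first suggestion: the same rules plus a catch-all restricted to "admin".
WITH_CATCH_ALL = {
    "user-role": SALMAAN_ORIGINAL["user-role"],
    "permissions": SALMAAN_ORIGINAL["permissions"] + [{"name": "all", "role": "admin"}],
}
# The SOLR-13355 workaround: one explicit admin-only rule per predefined permission.
# The dev rule also names "admin", as Jason's dev-read rule does, so first-match
# evaluation does not lock admins out of the two collections.
WORKAROUND = {
    "user-role": SALMAAN_ORIGINAL["user-role"],
    "permissions": [
        {"collection": ["Collection1", "Collection2"], "name": ["update", "read"], "role": ["dev", "admin"]},
        *[{"name": name, "role": "admin"} for name in PREDEFINED],
    ],
}

REQUESTS = ["/admin/collections?action=LIST", "/admin/authentication",
            "/Collection1/select?q=*:*", "/Collection3/select?q=*:*"]


def permission_matrix(authz, users, requests=REQUESTS, solr_13355=False):
    """user -> request -> predicted status, in the spirit of Jason's test script."""
    return {u: {r: authorize(authz, u, r, solr_13355=solr_13355) for r in requests}
            for u in users}


if __name__ == "__main__":
    scenarios = [("original", SALMAAN_ORIGINAL, True), ("with 'all', bug present", WITH_CATCH_ALL, True),
                 ("with 'all', bug fixed", WITH_CATCH_ALL, False), ("workaround, bug present", WORKAROUND, True)]
    for label, cfg, bug in scenarios:
        print(f"== {label}")
        for user, results in permission_matrix(cfg, ["solr-admin", "solr-user"], solr_13355=bug).items():
            print(f"Testing permissions for user [{user}]")
            for req, status in results.items():
                print(f"    Request [{req}] returned status [{status}]")
```

Running it reproduces the three states of the thread in the model: with Salmaan's original rules, solr-user reaches /Collection3/select and /admin/authentication because no rule matches and the request falls through; with the catch-all added, those become 403 when the bug is absent but stay 200 when `solr_13355` is set; with the per-permission workaround they are 403 either way, matching the output Jason posted. The model also shows why Jason's dev-read rule lists both "dev" and "admin": under first-match evaluation, a collection rule that names only "dev" would deny the admin user on those two collections.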
