Hi Jason,
Apologies for the late reply. My laptop was broken and I got it today from the
service centre.
I am still having issues with solr-user being able to view the Collections list,
as follows:
Testing permissions for user [solr]
Request [/admin/collections?action=LIST] returned status [200]
Request [/collection1/select?q=*:*] returned status [200]
Request [/collection2/select?q=*:*] returned status [200]
Request [/collection3/select?q=*:*] returned status [200]
Testing permissions for user [solr-user]
Request [/admin/collections?action=LIST] returned status [200]
Request [/collection1/select?q=*:*] returned status [200]
Request [/collection2/select?q=*:*] returned status [200]
Request [/collection3/select?q=*:*] returned status [403]
I am still wondering where I am going wrong.
Thanks,
Salmaan
On Thu, Aug 29, 2019 at 1:34 PM Salmaan Rashid Syed <
[email protected]> wrote:
> Thanks a lot Jason,
>
> I will try this out and let you know.
>
> Thanks again.
>
> On Wed 28 Aug, 2019, 7:45 PM Jason Gerlowski, <[email protected]>
> wrote:
>
>> Hi Salmaan,
>>
>> Are you still seeing this behavior, or were you able to figure things out?
>>
>> I just got a chance to try out the security.json in Solr 7.6 myself,
>> and I can't reproduce the behavior you're seeing.
>>
>> It might be helpful to level set here. Make sure that our
>> security.json settings and our test requests are exactly the same.
>>
>> This is the security.json I used in my test deployment:
>>
>> {
>>   "authentication":{
>>     "blockUnknown": true,
>>     "class":"solr.BasicAuthPlugin",
>>     "credentials":{
>>       "solr":"gP31s0FQevh3k0i0y6g9AP/TZLWctxfZjtC9sOh8vZU= J7an406gVyx4v4CkR8YLgmhClk9Yv/fIBSfZoi1f0kY=",
>>       "solr-user":"gP31s0FQevh3k0i0y6g9AP/TZLWctxfZjtC9sOh8vZU= J7an406gVyx4v4CkR8YLgmhClk9Yv/fIBSfZoi1f0kY="
>>     }
>>   },
>>   "authorization":{
>>     "class":"solr.RuleBasedAuthorizationPlugin",
>>     "permissions":[
>>       {"name": "dev-read", "collection": ["collection1", "collection2"], "role": ["dev", "admin"] },
>>       {"name": "security-edit", "role": "admin"},
>>       {"name": "security-read", "role": "admin"},
>>       {"name": "schema-edit", "role": "admin"},
>>       {"name": "schema-read", "role": "admin"},
>>       {"name": "config-edit", "role": "admin"},
>>       {"name": "config-read", "role": "admin"},
>>       {"name": "core-admin-edit", "role": "admin"},
>>       {"name": "core-admin-read", "role": "admin"},
>>       {"name": "collection-api-edit", "role": "admin"},
>>       {"name": "collection-api-read", "role": "admin"},
>>       {"name": "read", "role": "admin"},
>>       {"name": "update", "role": "admin"},
>>       {"name": "all", "role": "admin"}
>>     ],
>>     "user-role":{
>>       "solr":"admin",
>>       "solr-user": "dev"
>>     }
>>   }
>> }
>>
>> And this is the output of a script I use to test permissions quickly:
>>
>> $ ./test-security.sh
>>
>> Testing permissions for user [solr]
>> Request [/admin/collections?action=LIST] returned status [200]
>> Request [/collection1/select?q=*:*] returned status [200]
>> Request [/collection2/select?q=*:*] returned status [200]
>> Request [/collection3/select?q=*:*] returned status [200]
>>
>> Testing permissions for user [solr-user]
>> Request [/admin/collections?action=LIST] returned status [403]
>> Request [/collection1/select?q=*:*] returned status [200]
>> Request [/collection2/select?q=*:*] returned status [200]
>> Request [/collection3/select?q=*:*] returned status [403]
>>
>> You can find this script here, to see the exact curl commands being
>> used and run it yourself: https://paste.apache.org/tjtdg
>>
>> That output looks correct to me. solr-user is prevented from
>> accessing other APIs and other collections, but can access collection1
>> and collection2.
>>
>> Does your security.json match mine, or do the permissions differ in
>> some way? Can you still reproduce the behavior using my script?
>>
>> Good luck,
>>
>> Jason
>>
>> On Thu, Aug 22, 2019 at 2:13 AM Salmaan Rashid Syed
>> <[email protected]> wrote:
>> >
>> > Hi,
>> >
>> > Any suggestions as to what can be done?
>> >
>> > Regards,
>> > Salmaan
>> >
>> >
>> > On Wed, Aug 21, 2019 at 4:33 PM Jason Gerlowski <[email protected]>
>> > wrote:
>> >
>> > > Ah, ok. SOLR-13355 still affects 7.6, so that explains why you're
>> > > seeing this behavior.
>> > >
>> > > You could upgrade to get the new behavior, but you don't need to;
>> > > there's a workaround. You just need to add a few extra rules to your
>> > > security.json. The problem in SOLR-13355 is that the "all" permission
>> > > isn't being considered for APIs that are covered by other predefined
>> > > permissions. So the workaround is to add a permission rule for each
>> > > of the predefined permissions, locking them down to the "admin" role.
>> > > It really bloats security.json, but should do the job. So your
>> > > security.json should have a permissions section that looks like the
>> > > JSON below:
>> > >
>> > > {"name": "dev-read", "collection": ["collection1", "collection2"],
>> > > "role": "dev"},
>> > > {"name": "security-edit", "role": "admin"},
>> > > {"name": "security-read", "role": "admin"},
>> > > {"name": "schema-edit", "role": "admin"},
>> > > {"name": "schema-read", "role": "admin"},
>> > > {"name": "config-edit", "role": "admin"},
>> > > {"name": "config-read", "role": "admin"},
>> > > {"name": "core-admin-edit", "role": "admin"},
>> > > {"name": "core-admin-read", "role": "admin"},
>> > > {"name": "collection-api-edit", "role": "admin"},
>> > > {"name": "collection-api-read", "role": "admin"},
>> > > {"name": "read", "role": "admin"},
>> > > {"name": "update", "role": "admin"},
>> > > {"name": "all", "role": "admin"}
>> > >
>> > > Hope that helps. Let me know if that still has any problems for you.
>> > >
>> > > Jason
>> > >
>> > > On Wed, Aug 21, 2019 at 6:48 AM Salmaan Rashid Syed
>> > > <[email protected]> wrote:
>> > > >
>> > > > Hi Jason,
>> > > >
>> > > > Is there a way to fix this in version 7.6?
>> > > >
>> > > > Or is it mandatory to upgrade to other versions?
>> > > >
>> > > > If I have to upgrade to a higher version, then what is the best way to do
>> > > > this without affecting the current configuration and indexed data?
>> > > >
>> > > > Thanks,
>> > > > Salmaan
>> > > >
>> > > >
>> > > >
>> > > > On Wed, Aug 21, 2019 at 4:13 PM Salmaan Rashid Syed <
>> > > > [email protected]> wrote:
>> > > >
>> > > > > Hi Jason,
>> > > > >
>> > > > > I am using version 7.6 of Solr.
>> > > > >
>> > > > > Thanks,
>> > > > > Salmaan
>> > > > >
>> > > > >
>> > > > >
>> > > > > On Wed, Aug 21, 2019 at 4:12 PM Jason Gerlowski <[email protected]>
>> > > > > wrote:
>> > > > >
>> > > > >> The "all" permissions _should_ block solr-user from accessing all of
>> > > > >> those resources, and I believe it does in newer versions of Solr.
>> > > > >> There was a bug with it that was fixed a few versions back though; it
>> > > > >> sounds like you might be running into that. (see
>> > > > >> https://issues.apache.org/jira/browse/SOLR-13355) What version of Solr
>> > > > >> are you using?
>> > > > >>
>> > > > >> Jason
>> > > > >>
>> > > > >>
>> > > > >>
>> > > > >> On Wed, Aug 21, 2019 at 5:21 AM Salmaan Rashid Syed
>> > > > >> <[email protected]> wrote:
>> > > > >> >
>> > > > >> > Hi Jason,
>> > > > >> >
>> > > > >> > Thanks for your prompt reply.
>> > > > >> >
>> > > > >> > Your code does address a few of my concerns like restricting *solr-user*
>> > > > >> > from accessing the dashboard and from executing other request methods
>> > > > >> > apart from *"update"* and *"read"*.
>> > > > >> >
>> > > > >> > But I am still able to access other collections such as *"Collection3",
>> > > > >> > "Collection4"* and so on, apart from the intended two collections
>> > > > >> > entered in the code. I can give *"update"* and *"read"* requests to these
>> > > > >> > external Collections which solr-user should not be able to do.
>> > > > >> >
>> > > > >> > Moreover solr-user can look at the
>> > > > >> > *http://localhost:8983/solr/admin/authentication* link which lists the
>> > > > >> > users and their *SHA256* coded passwords. How can I hide this and
>> > > > >> > restrict access to other collections?
>> > > > >> >
>> > > > >> > Thanks and regards
>> > > > >> > Salmaan
>> > > > >> >
>> > > > >> >
>> > > > >> > On Wed, Aug 21, 2019 at 5:07 AM Jason Gerlowski <[email protected]>
>> > > > >> > wrote:
>> > > > >> >
>> > > > >> > > Hi Salmaan,
>> > > > >> > >
>> > > > >> > > Solr's RuleBasedAuthorizationPlugin allows requests through if none of
>> > > > >> > > the specified permissions apply. I think that's what you're running
>> > > > >> > > into in your example above. If you want to lockdown a particular API
>> > > > >> > > (or set of APIs) then you need to explicitly add a permission that
>> > > > >> > > restricts those APIs to a particular role.
>> > > > >> > >
>> > > > >> > > One way to get the behavior that it sounds like you're looking for
>> > > > >> > > would be to add a catch-all permission at the bottom of your
>> > > > >> > > permissions list that restricts all other APIs to "admin". This would
>> > > > >> > > look a bit like:
>> > > > >> > >
>> > > > >> > > "permissions":[
>> > > > >> > >   {
>> > > > >> > >     "name":"security-edit",
>> > > > >> > >     "role":"admin"
>> > > > >> > >   },
>> > > > >> > >   {
>> > > > >> > >     "collection": ["Collection1", "Collection2"],
>> > > > >> > >     "name": ["update", "read"],
>> > > > >> > >     "role": "dev"
>> > > > >> > >   },
>> > > > >> > >   {
>> > > > >> > >     "name": "all",
>> > > > >> > >     "role": "admin"
>> > > > >> > >   }
>> > > > >> > > ]
>> > > > >> > >
>> > > > >> > > Hope that helps get you started.
>> > > > >> > >
>> > > > >> > > Best,
>> > > > >> > >
>> > > > >> > > Jason
>> > > > >> > >
>> > > > >> > > On Tue, Aug 20, 2019 at 3:19 AM Salmaan Rashid Syed
>> > > > >> > > <[email protected]> wrote:
>> > > > >> > > >
>> > > > >> > > > Hi Solr Users,
>> > > > >> > > >
>> > > > >> > > > I want to create a user that has restricted access to Solr. I did
>> > > > >> > > > the following:
>> > > > >> > > >
>> > > > >> > > >
>> > > > >> > > > {
>> > > > >> > > >   "authentication":{
>> > > > >> > > >     "blockUnknown": true,
>> > > > >> > > >     "class":"solr.BasicAuthPlugin",
>> > > > >> > > >     "credentials":{
>> > > > >> > > >       "solr-admin": "2IUJD9dxRhxSXaJGdMP5z8ggSn4I285Ty9GCWeRNMUg= /sSNJJufPtj4baRizoJshJawFsWvopvZSqZpQ/Nwd78=",
>> > > > >> > > >       "solr-user": "p+XwOh15p/rvFltv2LXP1CwtbvwBgGlC9qcDKxV73B4= DcNsjfA6Wf16V1XKT+YraosSFQ5Cr3eRUX6BQnx9XKA="
>> > > > >> > > >     }
>> > > > >> > > >   },
>> > > > >> > > >   "authorization":{
>> > > > >> > > >     "class":"solr.RuleBasedAuthorizationPlugin",
>> > > > >> > > >     "user-role":{"solr-admin":"admin", "solr-user":"dev"},
>> > > > >> > > >     "permissions":[
>> > > > >> > > >       {
>> > > > >> > > >         "name":"security-edit",
>> > > > >> > > >         "role":"admin"
>> > > > >> > > >       },
>> > > > >> > > >       {
>> > > > >> > > >         "collection": ["Collection1", "Collection2"],
>> > > > >> > > >         "name": ["update", "read"],
>> > > > >> > > >         "role": "dev"
>> > > > >> > > >       }
>> > > > >> > > >     ]
>> > > > >> > > >   }
>> > > > >> > > > }
>> > > > >> > > >
>> > > > >> > > >
>> > > > >> > > > But when I log into the Solr admin dashboard using solr-user
>> > > > >> > > > credentials, I can read, select, write, update, delete collections and
>> > > > >> > > > do all sorts of things like a solr-admin can do.
>> > > > >> > > >
>> > > > >> > > > I want solr-user to be able to access only *Collection1* and
>> > > > >> > > > *Collection2* and be able to only *update* and *read*. He should not be
>> > > > >> > > > able to access other collections and do anything apart from the above
>> > > > >> > > > mentioned role.
>> > > > >> > > >
>> > > > >> > > > Where am I exactly going wrong?
>> > > > >> > > >
>> > > > >> > > > Thanks and Regards,
>> > > > >> > > > Salmaan
>> > > > >> > >
>> > > > >>
>> > > > >
>> > >
>>
>
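A static check for the two points Jason makes in this thread (RuleBasedAuthorizationPlugin allows a request that matches no rule, and on 7.6 with SOLR-13355 every predefined permission has to be pinned to admin itself rather than relying on "all"), as an added example that is not code from the thread or from the Solr project. It lints a security.json before it is uploaded to ZooKeeper and builds the same status-only curl matrix that Jason's test script runs. The set of predefined permission names is the one in Jason's workaround; the admin role name, the `SOLR_PW_<USER>` environment variables for passwords, and the two sample configurations (reconstructed from the thread, with the wrapped credential lines re-joined) are assumptions.

```python
"""Static checks for a Solr 7.x security.json before it goes into ZooKeeper.
Added example, not code from the thread or the Solr project. It encodes the two
points made above: the plugin fails open unless an "all" rule exists, and on
7.6 (SOLR-13355) every predefined permission must be pinned to admin itself."""
import json

# Predefined permission names exactly as listed in Jason's workaround. Assumption:
# your Solr version may define more; add them here after checking its ref guide.
PREDEFINED = {
    "security-edit", "security-read", "schema-edit", "schema-read",
    "config-edit", "config-read", "core-admin-edit", "core-admin-read",
    "collection-api-edit", "collection-api-read", "read", "update",
}
ADMIN_ROLE = "admin"  # assumption: the role that should own every admin API


def _as_set(value):
    """'name' and 'role' may be a string or a list in security.json."""
    return set() if value is None else {value} if isinstance(value, str) else set(value)


def _unscoped(perm):
    """True when the rule is not limited to named collections."""
    return "collection" not in perm or perm["collection"] in (None, "*")


def lint_security_json(doc):
    """Return human-readable findings; an empty list means the file passes."""
    findings = []
    auth = doc.get("authentication", {})
    if auth.get("class") != "solr.BasicAuthPlugin":
        findings.append("authentication.class is not solr.BasicAuthPlugin")
    if auth.get("blockUnknown") is not True:
        findings.append("blockUnknown is not true: anonymous requests reach the rules")
    for user, cred in auth.get("credentials", {}).items():
        # BasicAuthPlugin stores "<base64 sha256> <base64 salt>" with one space;
        # the mail client in the thread wrapped that space into a line break.
        if len(cred.split(" ")) != 2:
            findings.append(f"credential for {user!r} is not '<hash> <salt>'")

    authz = doc.get("authorization", {})
    if authz.get("class") != "solr.RuleBasedAuthorizationPlugin":
        findings.append("authorization.class is not solr.RuleBasedAuthorizationPlugin")
    perms = authz.get("permissions", [])

    # Point 1: unmatched requests are allowed, so a catch-all rule is mandatory.
    catch_all = [p for p in perms if "all" in _as_set(p.get("name"))]
    if not catch_all:
        findings.append("no 'all' rule: requests matching no rule are allowed")
    elif _as_set(catch_all[0].get("role")) - {ADMIN_ROLE}:
        findings.append("'all' grants a non-admin role")

    # Point 2: each predefined permission needs an unscoped entry whose only role
    # is admin. Collection-scoped grants of the same name (read/update for dev on
    # Collection1) are fine; Solr checks the collection-specific rules first.
    for name in sorted(PREDEFINED):
        if not any(name in _as_set(p.get("name")) and _unscoped(p)
                   and _as_set(p.get("role")) == {ADMIN_ROLE} for p in perms):
            findings.append(f"{name!r} not pinned to {ADMIN_ROLE!r} "
                            "(SOLR-13355: 'all' will not cover it)")

    # Every role given to a user should be granted by at least one rule.
    granted = set().union(*(_as_set(p.get("role")) for p in perms))
    for user, role in authz.get("user-role", {}).items():
        for r in _as_set(role) - granted:
            findings.append(f"user {user!r} has role {r!r} that no rule grants")
    return findings


PATHS = ("/admin/collections?action=LIST", "/collection1/select?q=*:*",
         "/collection2/select?q=*:*", "/collection3/select?q=*:*")


def curl_commands(doc, base_url="http://localhost:8983/solr", paths=PATHS):
    """One status-only curl call per (user, path), like the test script in the
    thread. Assumption: passwords come from environment variables SOLR_PW_<USER>."""
    cmds = []
    for user in doc.get("authentication", {}).get("credentials", {}):
        var = "SOLR_PW_" + user.upper().replace("-", "_")
        for path in paths:
            cmds.append((user, path, f'curl -s -o /dev/null -w "%{{http_code}}" '
                                     f'-u "{user}:${var}" "{base_url}{path}"'))
    return cmds


# Constructed from the two security.json files in the thread (credentials re-joined).
CRED = "2IUJD9dxRhxSXaJGdMP5z8ggSn4I285Ty9GCWeRNMUg= /sSNJJufPtj4baRizoJshJawFsWvopvZSqZpQ/Nwd78="
ORIGINAL = {
    "authentication": {"blockUnknown": True, "class": "solr.BasicAuthPlugin",
                       "credentials": {"solr-admin": CRED, "solr-user": CRED}},
    "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
                      "user-role": {"solr-admin": "admin", "solr-user": "dev"},
                      "permissions": [
                          {"name": "security-edit", "role": "admin"},
                          {"collection": ["Collection1", "Collection2"],
                           "name": ["update", "read"], "role": "dev"}]}}
WORKAROUND = json.loads(json.dumps(ORIGINAL))  # deep copy, then apply Jason's fix
WORKAROUND["authorization"]["permissions"] = (
    [{"name": "dev-read", "collection": ["Collection1", "Collection2"], "role": "dev"}]
    + [{"name": n, "role": "admin"} for n in sorted(PREDEFINED)]
    + [{"name": "all", "role": "admin"}])
```

Run it on a real file with `lint_security_json(json.load(open("security.json")))`; the first post's configuration yields twelve findings (no "all" rule plus eleven unpinned predefined permissions), the workaround configuration yields none. An empty result is only the precondition for the 403s in Jason's output, so still run the generated curl matrix against the live cluster: a 200 for solr-user on /admin/collections?action=LIST, as in the latest run, is consistent with collection-api-read not being pinned on the running node, so compare what the linter sees with what is actually stored in ZooKeeper (e.g. via /admin/authorization) rather than with a local copy.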