Hi Isabelle,

Two things to keep in mind with Solr's Rule-Based Authorization.

1. Each request is controlled by the first permission that matches the request.
2. With the permissions you have present, Solr will check them in descending list order. (This isn't always true - collection-specific and path-specific permissions are given precedence, so you don't need to consider that.)

As you can imagine given the rules above - permission order is very important. In your case the "all" rule will match pretty much all requests, which explains why an "indexing" user can't actually index.

Generally speaking, it's best to put the most specific rules first, with the broader ones coming later.

For more information, see the "Permission Ordering and Resolution" section in the page you linked to in your request.

Good luck, hope that helps.

Jason

On Tue, May 12, 2020 at 12:34 PM Isabelle Giguere <igigu...@opentext.com.invalid> wrote:
>
> Hi;
>
> I'm using Solr 8.5.0.
>
> I'm having trouble setting up some permissions using the rule-based
> authorization plugin:
> https://lucene.apache.org/solr/guide/8_5/rule-based-authorization-plugin.html
>
> I have 3 users: "admin", "search", and "indexer".
>
> I have set permissions and user roles:
> "permissions": [ { "name": "all", "role": "admin", "index": 1 },
> { "name": "admin-luke", "collection": "*", "role": "luke", "index": 2,
> "path": "/admin/luke" },
> { "name": "read", "role": "searching", "index": 3 },
> { "name": "update", "role": "indexing", "index": 4 } ],
> "user-role": { "admin": "admin",
> "search": ["searching","luke"],
> "indexer": "indexing" } }
> Attached: full output of GET /admin/authorization
>
> So why can't user "indexer" add anything in a collection ? I always get HTTP
> 403 Forbidden.
> Using Postman, I click the checkbox to show the password, so I'm sure I typed
> the right one.
>
> Note that user "search" can't use the /select handler either, as should be
> the case with permission to "read". This user can, however, use the Luke
> handler, as the custom permission allows.
>
> User "admin" can use any API. So at least the predefined permission "all"
> does work.
>
> Note that the collections were created before enabling authentication and
> authorization. Could that be the cause of the permission issues ?
>
> Thanks;
>
> Isabelle Giguère
> Computational Linguist & Java Developer
> Linguiste informaticienne & développeur java
>
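
The ordering effect described in the reply above, as an added example that is not part of the thread and is not Solr's code: a simplified Python model of first-match resolution, run over the permissions and roles quoted in the question. The path coverage assumed for each predefined permission, the request paths, the treatment of unmatched requests, and the names `AS_POSTED`, `SPECIFIC_FIRST` and `authorize` are assumptions made for the illustration.

```python
# Simplified model of first-match permission resolution (not Solr's implementation).
# Assumed subset of the request paths each predefined permission covers.
PREDEFINED = {
    "all": None,                   # None means "matches every request"
    "read": ("/select", "/get"),
    "update": ("/update",),
}

# user-role mapping from the question, normalised to lists.
USER_ROLES = {"admin": ["admin"], "search": ["searching", "luke"], "indexer": ["indexing"]}

# Permission list in the order posted in the question.
AS_POSTED = [
    {"name": "all", "role": "admin"},
    {"name": "admin-luke", "collection": "*", "role": "luke", "path": "/admin/luke"},
    {"name": "read", "role": "searching"},
    {"name": "update", "role": "indexing"},
]

# Same permissions, most specific first and the broad "all" rule last.
SPECIFIC_FIRST = AS_POSTED[1:] + AS_POSTED[:1]


def matches(perm, path):
    """True if the permission applies to the request path."""
    if "path" in perm:                      # custom, path-specific permission
        return path == perm["path"]
    covered = PREDEFINED[perm["name"]]
    return covered is None or path.startswith(covered)


def authorize(perms, user, path):
    """Return (http_status, name_of_deciding_permission)."""
    # Path-specific permissions take precedence; the rest keep list order
    # (sorted() is stable, so ties stay in their original order).
    for perm in sorted(perms, key=lambda p: "path" not in p):
        if matches(perm, path):
            allowed = perm["role"] in USER_ROLES.get(user, [])
            return (200 if allowed else 403, perm["name"])
    return (200, None)  # model assumption: an unmatched request is not restricted


if __name__ == "__main__":
    for label, perms in (("as posted", AS_POSTED), ("specific first", SPECIFIC_FIRST)):
        for user, path in (("indexer", "/update"), ("search", "/select"),
                           ("search", "/admin/luke"), ("admin", "/admin/collections")):
            print(label, user, path, authorize(perms, user, path))
```

With the posted order, the model attributes both 403 responses to the "all" permission, which matches the symptoms in the question; with "all" moved to the end, "update" and "read" become the deciding permissions for the indexer and search users.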