One slight correction: I missed that you actually do have a path/collection-specific permission in your list there. So Solr will check the permissions in descending list-order for most requests - the exception being /luke requests when the /luke permission filters to the top and is checked first.
We should really change this resolution order to be something more commonsense.

Jason

On Sun, May 17, 2020 at 2:52 PM Jason Gerlowski <gerlowsk...@gmail.com> wrote:
>
> Hi Isabelle,
>
> Two things to keep in mind with Solr's Rule-Based Authorization.
>
> 1. Each request is controlled by the first permission that matches
> the request.
> 2. With the permissions you have present, Solr will check them in
> descending list order. (This isn't always true - collection-specific
> and path-specific permissions are given precedence, so you don't need
> to consider that.)
>
> As you can imagine given the rules above - permission order is very
> important. In your case the "all" rule will match pretty much all
> requests, which explains why an "indexing" user can't actually index.
> Generally speaking, it's best to put the most specific rules first,
> with the broader ones coming later.
>
> For more information, see the "Permission Ordering and Resolution"
> section in the page you linked to in your request.
>
> Good luck, hope that helps.
>
> Jason
>
> On Tue, May 12, 2020 at 12:34 PM Isabelle Giguere
> <igigu...@opentext.com.invalid> wrote:
> >
> > Hi;
> >
> > I'm using Solr 8.5.0.
> >
> > I'm having trouble setting up some permissions using the rule-based
> > authorization plugin:
> > https://lucene.apache.org/solr/guide/8_5/rule-based-authorization-plugin.html
> >
> > I have 3 users: "admin", "search", and "indexer".
> >
> > I have set permissions and user roles:
> > "permissions": [
> >   { "name": "all", "role": "admin", "index": 1 },
> >   { "name": "admin-luke", "collection": "*", "role": "luke", "index": 2, "path": "/admin/luke" },
> >   { "name": "read", "role": "searching", "index": 3 },
> >   { "name": "update", "role": "indexing", "index": 4 } ],
> > "user-role": {
> >   "admin": "admin",
> >   "search": ["searching", "luke"],
> >   "indexer": "indexing" } }
> > Attached: full output of GET /admin/authorization
> >
> > So why can't user "indexer" add anything in a collection? I always get
> > HTTP 403 Forbidden.
> > Using Postman, I click the checkbox to show the password, so I'm sure I
> > typed the right one.
> >
> > Note that user "search" can't use the /select handler either, as should be
> > the case with permission to "read". This user can, however, use the Luke
> > handler, as the custom permission allows.
> >
> > User "admin" can use any API. So at least the predefined permission "all"
> > does work.
> >
> > Note that the collections were created before enabling authentication and
> > authorization. Could that be the cause of the permission issues?
> >
> > Thanks;
> >
> > Isabelle Giguère
> > Computational Linguist & Java Developer
> > Linguiste informaticienne & développeur java
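To make the first-match ordering concrete, here is an added Python model (not Solr's own code and not from this thread) of the resolution rule Jason describes: the first matching permission decides, rules are tried in list order, and a path-specific rule is checked first. The matchers for the predefined "read"/"update"/"all" permissions and the "unmatched request is allowed" rule are simplifying assumptions; the example also shows why "admin" must be granted on the specific rules once "all" is moved last.

```python
# Toy model of the resolution rule described in the thread: the first matching
# permission decides, rules are tried in list order, and a path-specific rule is
# moved to the front. Simplified illustration only, not Solr's implementation.
# Constructed matchers for the predefined permissions used in the thread
# (assumption: "read" covers /select, "update" covers /update, "all" matches everything).
PREDEFINED = {
    "all": lambda path: True,
    "read": lambda path: path.endswith("/select"),
    "update": lambda path: path.endswith("/update"),
}

def as_list(x):
    return [x] if isinstance(x, str) else list(x)

def matches(perm, path):
    if "path" in perm:  # custom path-specific permission such as admin-luke
        return path.endswith(perm["path"])
    return PREDEFINED[perm["name"]](path)

def resolve(permissions, path):
    """First matching permission; path-specific rules first, then list order (stable sort)."""
    ordered = sorted(permissions, key=lambda p: 0 if "path" in p else 1)
    return next((p for p in ordered if matches(p, path)), None)

def authorize(permissions, user_roles, user, path):
    """HTTP status the model would return. Assumption: an unmatched request is allowed."""
    perm = resolve(permissions, path)
    if perm is None:
        return 200
    return 200 if set(as_list(perm["role"])) & set(as_list(user_roles[user])) else 403

USER_ROLES = {"admin": "admin", "search": ["searching", "luke"], "indexer": "indexing"}

# Ordering from the original post: "all" is first, so it wins for indexer and search.
ORIGINAL = [
    {"name": "all", "role": "admin"},
    {"name": "admin-luke", "collection": "*", "role": "luke", "path": "/admin/luke"},
    {"name": "read", "role": "searching"},
    {"name": "update", "role": "indexing"},
]
# Specific rules first, "all" last. Since only the first match counts, "admin" has to be
# granted on "read" and "update" as well, or it would lose those handlers.
REORDERED = [
    {"name": "admin-luke", "collection": "*", "role": "luke", "path": "/admin/luke"},
    {"name": "read", "role": ["searching", "admin"]},
    {"name": "update", "role": ["indexing", "admin"]},
    {"name": "all", "role": "admin"},
]

# Constructed request paths (collection name "coll" is a placeholder).
UPDATE, SELECT, LUKE = "/solr/coll/update", "/solr/coll/select", "/solr/coll/admin/luke"
```

With ORIGINAL, `authorize(..., "indexer", UPDATE)` returns 403 because "all" matches first; with REORDERED it returns 200 while "search" is still refused on /update.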