I am interested in disallowing delete through security.json

After seeing the "method" section in 
lucene.apache.org/solr/guide/8_4/rule-based-authorization-plugin.html my first 
attempt was as follows:

{"set-permission":{
"name":"NO_delete",
"path":["/update/*","/update"],
"collection":"col_name",
"role":"NoSuchRole",
"method":"DELETE",
"before":4}}

I found, however, that this did not disallow deletes: I could still run
curl -u ... "http://.../solr/col_name/update?commit=true" --data 
"<delete><query>id:11</query></delete>"

After further experimentation, I seemed to have success with
{"set-permission":
{"name":"NO_delete6",
"path":"/update/*",
"collection":"col_name",
"role":"NoSuchRole",
"method":["REGEX:(?i)DELETE"],
"before":4}}

My initial impression was that this did what I wanted; but now I find that this 
disallows *any* updates to this collection (which had previously been allowed). 
Other attempts to tweak this strategy, such as granting permissions for 
"/update/*" for methods other than DELETE to a role which is granted to the 
desired user, have not yet been successful.

Does anyone have an example of security.json disallowing a delete while still 
allowing an update?

Thanks
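
In the curl command above, the delete travels as a command in the body of a POST to /update. As an added example (not from the original post and not Solr code), this Python sketch tells delete commands apart from adds in XML and JSON update bodies and fails closed on anything it cannot parse. The function names, and the idea of running it as a check in front of /update, are assumptions.

```python
import json
import xml.etree.ElementTree as ET

class _Obj(list):
    """A JSON object kept as (key, value) pairs so duplicate keys survive."""

def _xml_has_delete(body: str) -> bool:
    if "<!DOCTYPE" in body.upper():
        raise ValueError("DTDs rejected: entities could hide a command")
    root = ET.fromstring(body)  # raises ParseError on malformed XML
    # A command can be the root element or sit under a wrapper element.
    return any(el.tag.rsplit("}", 1)[-1].lower() == "delete" for el in root.iter())

def _json_has_delete(body: str) -> bool:
    parsed = json.loads(body, object_pairs_hook=_Obj)
    if isinstance(parsed, _Obj):  # command object: {"add": ..., "delete": ...}
        return any(key.lower() == "delete" for key, _ in parsed)
    if isinstance(parsed, list):  # bare array of documents to add
        return False
    raise ValueError("unexpected top-level JSON value")

def update_allowed(content_type: str, body: str) -> bool:
    """True only if the body parsed cleanly and carries no delete command."""
    ctype = content_type.split(";")[0].strip().lower()
    try:
        if ctype in ("application/xml", "text/xml"):
            return not _xml_has_delete(body)
        if ctype == "application/json":
            return not _json_has_delete(body)
    except (ET.ParseError, ValueError):
        return False  # fail closed on anything the filter cannot parse
    return False  # fail closed on formats not inspected here (e.g. javabin, CSV)

# Constructed sample bodies; the first is the delete from the post.
SAMPLES = [
    ("application/xml", "<delete><query>id:11</query></delete>"),
    ("application/xml", '<add><doc><field name="id">11</field></doc></add>'),
    ("application/json", '{"add": {"doc": {"id": "11"}}, "delete": {"id": "11"}}'),
    ("application/json", '[{"id": "11", "delete": "a field, not a command"}]'),
]

if __name__ == "__main__":
    for ctype, body in SAMPLES:
        print(update_allowed(ctype, body), body)
```

The check is strict on purpose: a body that this parser rejects, or a content type it does not inspect, is refused rather than passed through.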
