Hi Mark,

It looks like you're using the "path" wildcard as it's intended, but some bug is causing the behavior you're seeing. It should be working as you expected, but evidently it's not.

One potential workaround might be to leave out the "path" property entirely in your "custom-example" permission. When I do that (on Solr 8.6.2), I get the following behavior in the following pastebin link, which looks close to what you're after: https://paste.apache.org/ygndt

Hope that helps!

Jason

On Mon, Oct 19, 2020 at 3:49 PM Mark Dadisman <mark.dadis...@dordt.edu.invalid> wrote:
>
> Hey, I'm new to configuring Solr. I'm trying to configure Solr with Rule
> Based Authorization.
> https://lucene.apache.org/solr/guide/8_6/rule-based-authorization-plugin.html
>
> I have permissions working if I allow everything with "all", but I want to
> limit access so that a site can only access its own collection, in addition
> to a server ping path, so I'm trying to add the collection-specific
> permission at the top:
>
> "permissions": [
>   {
>     "name": "custom-example",
>     "collection": "example",
>     "path": "*",
>     "role": [
>       "admin",
>       "example"
>     ]
>   },
>   {
>     "name": "custom-collection",
>     "collection": "*",
>     "path": [
>       "/admin/luke",
>       "/admin/mbeans",
>       "/admin/system"
>     ],
>     "role": "*"
>   },
>   {
>     "name": "custom-ping",
>     "collection": null,
>     "path": [
>       "/admin/info/system"
>     ],
>     "role": "*"
>   },
>   {
>     "name": "all",
>     "role": "admin"
>   }
> ]
>
> The rule "custom-ping" works, and "all" works. But when the above permissions
> are used, access is denied to the "example" user-role for collection
> "example" at the path "/solr/example/select". If I specify paths explicitly,
> the permissions work, but I can't get permissions to work with path wildcards
> for a specific collection.
>
> I also had to declare "custom-collection" with the specific paths needed to
> get collection info in order for those paths to work. I would've expected
> that these paths would be included in the collection-specific paths and be
> covered by the first rule, but they aren't. For example, the call to
> "/solr/example/admin/luke" will fail if the path is removed from this rule.
>
> I don't really want to specify every single path I might need to use. Am I
> using the path wildcard wrong somehow? Is there a better way to do
> collection-specific authorizations for a collection "example"?
>
> Thanks.
> - M
>
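
The workaround from the reply above, applied mechanically, as an added example that is not part of the original thread: a Python check that finds permissions scoped to a named collection with `"path": "*"` and returns a copy of the list with "path" left out of those entries. The function names are hypothetical and the sample list is constructed from the permissions quoted in the question; the resulting rules still need to be exercised against the running Solr version.

```python
import copy
import json

# Constructed sample: the "permissions" list quoted in the question.
SAMPLE = json.loads("""
[
  {"name": "custom-example", "collection": "example", "path": "*",
   "role": ["admin", "example"]},
  {"name": "custom-collection", "collection": "*",
   "path": ["/admin/luke", "/admin/mbeans", "/admin/system"], "role": "*"},
  {"name": "custom-ping", "collection": null,
   "path": ["/admin/info/system"], "role": "*"},
  {"name": "all", "role": "admin"}
]
""")


def needs_workaround(perm):
    """True for a permission that names a specific collection (not null,
    not "*") and sets "path" to the bare wildcard, as a string or list."""
    collection = perm.get("collection")
    return collection not in (None, "*") and perm.get("path") in ("*", ["*"])


def find_wildcard_path_rules(permissions):
    """Names of the permissions that match the pattern from the thread."""
    return [p.get("name", "<unnamed>") for p in permissions if needs_workaround(p)]


def apply_workaround(permissions):
    """Return a deep copy with "path" omitted from the matching permissions.
    Order and every other field are preserved; the input is not modified."""
    fixed = copy.deepcopy(permissions)
    for perm in fixed:
        if needs_workaround(perm):
            del perm["path"]
    return fixed


if __name__ == "__main__":
    print("collection-scoped rules using path '*':",
          find_wildcard_path_rules(SAMPLE))
    print(json.dumps(apply_workaround(SAMPLE), indent=2))
```
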