[ 
https://issues.apache.org/jira/browse/SOLR-13097?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17513424#comment-17513424
 ] 

Clemens Fuchslocher commented on SOLR-13097:
--------------------------------------------

Is there really no way to limit the access of a user to a specific core in 
standalone mode?

Isn't this a very common use case?

I tried the following security.json but it doesn't work as expected:

{noformat}
$ cat /srv/solr/cores/security.json
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "earth": "4c5xodAKcIQ80W/5DpI2ozHLk6jWxzJud/m8VkZI44E= YnlnMUZDRnNNUw==",
      "moon": "mIKfAsu2By/DyxFFklEx0jmHTpjyP/TjXQH0+UN86gQ= QkxDcjJKSVREaA==",
      "admin": "I0nDN1AwXieTf9rMw6+CmJ+CtxKqjfNi2f3JwmRTk3c= eDZqMVZ5VWFFVw=="
    },
    "blockUnknown": true
  },

  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {
      "earth": "earth_role",
      "moon": "moon_role",
      "admin": "admin_role"
    },

    "permissions": [
      { "role": "earth_role", "collection": "earth_core", "name": "read" },
      { "role": "earth_role", "collection": "earth_core", "name": "update" },
      { "role": "moon_role", "collection": "moon_core", "name": "read" },
      { "role": "moon_role", "collection": "moon_core", "name": "update" },
      { "role": "admin_role", "name": "all" }
    ]
  }
}
{noformat}

{noformat}
$ cat /srv/solr/cores/earth_core/core.properties 
name=earth_core
collection=earth_core
{noformat}

{noformat}
$ cat /srv/solr/cores/moon_core/core.properties
name=moon_core
collection=moon_core
{noformat}

h4. 1. (/) User admin should be able to access the earth_core:

{noformat}
$ curl 'http://admin:...@127.0.0.1:8983/solr/earth_core/query?q=*:*&indent=true'
{
  "responseHeader":{
    "status":0,
    "QTime":0,
    "params":{
      "q":"*:*",
      "indent":"true"}},
  "response":{"numFound":0,"start":0,"numFoundExact":true,"docs":[]
  }}
{noformat}

solr.log:

{noformat}
DEBUG (qtp1910936570-19) [   x:earth_core] 
o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to 
[/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-19) [   x:earth_core] 
o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, 
checking perms applicable to all (*) collections
DEBUG (qtp1910936570-19) [   x:earth_core] 
o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
  "role":"admin_role",
  "name":"all"}] to govern resource [/query]
DEBUG (qtp1910936570-19) [   x:earth_core] 
o.a.s.s.RuleBasedAuthorizationPluginBase Governing permission [{
  "role":"admin_role",
  "name":"all"}] allows access to role [admin_role]; permitting access
...
INFO  (qtp1910936570-19) [   x:earth_core] o.a.s.c.S.Request [earth_core]  
webapp=/solr path=/query params={q=*:*&indent=true} hits=0 status=0 QTime=152
...
{noformat}

h4. 2. (/) User admin should be able to access the moon_core:

{noformat}
$ curl 'http://admin:...@127.0.0.1:8983/solr/moon_core/query?q=*:*&indent=true'
{
"responseHeader":{
"status":0,
"QTime":1,
"params":{
  "q":"*:*",
  "indent":"true"}},
"response":{"numFound":0,"start":0,"numFoundExact":true,"docs":[]
}}
{noformat}

solr.log:

{noformat}
...
DEBUG (qtp1910936570-23) [   x:moon_core] 
o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to 
[/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-23) [   x:moon_core] 
o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, 
checking perms applicable to all (*) collections
DEBUG (qtp1910936570-23) [   x:moon_core] 
o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
  "role":"admin_role",
  "name":"all"}] to govern resource [/query]
DEBUG (qtp1910936570-23) [   x:moon_core] 
o.a.s.s.RuleBasedAuthorizationPluginBase Governing permission [{
  "role":"admin_role",
  "name":"all"}] allows access to role [admin_role]; permitting access
...
INFO  (qtp1910936570-23) [   x:moon_core] o.a.s.c.S.Request [moon_core]  
webapp=/solr path=/query params={q=*:*&indent=true} hits=0 status=0 QTime=0
...
{noformat}

h4. 1. (x) User earth should be able to access the earth_core:

This doesn't work.

{noformat}
$ curl 'http://earth:...@127.0.0.1:8983/solr/earth_core/query?q=*:*&indent=true'
...
<title>Error 403 Unauthorized request, Response code: 403</title>
...
{noformat}

solr.log:

{noformat}
...
DEBUG (qtp1910936570-15) [   x:earth_core] 
o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to 
[/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-15) [   x:earth_core] 
o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, 
checking perms applicable to all (*) collections
DEBUG (qtp1910936570-15) [   x:earth_core] 
o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
  "role":"admin_role",
  "name":"all"}] to govern resource [/query]
INFO  (qtp1910936570-15) [   x:earth_core] 
o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have a 
permission {
  "role":"admin_role",
  "name":"all"}, The principal 
org.apache.solr.security.BasicAuthPlugin$BasicAuthUserPrincipal@655d88ca[username=earth,pwd=*****]
 does not have the right role
...
{noformat}

h4. 2. (/) User earth should not be able to access the moon_core:

{noformat}
$ curl 'http://earth:...@127.0.0.1:8983/solr/moon_core/query?q=*:*&indent=true'
...
<title>Error 403 Unauthorized request, Response code: 403</title>
...
{noformat}

solr.log:

{noformat}
...
DEBUG (qtp1910936570-19) [   x:moon_core] 
o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to 
[/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-19) [   x:moon_core] 
o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, 
checking perms applicable to all (*) collections
DEBUG (qtp1910936570-19) [   x:moon_core] 
o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
  "role":"admin_role",
  "name":"all"}] to govern resource [/query]
INFO  (qtp1910936570-19) [   x:moon_core] 
o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have a 
permission {
  "role":"admin_role",
  "name":"all"}, The principal 
org.apache.solr.security.BasicAuthPlugin$BasicAuthUserPrincipal@596514d2[username=earth,pwd=*****]
 does not have the right role
...
{noformat}

h4. 3. (x) User moon should be able to access the moon_core:

This doesn't work.

{noformat}
$ curl 'http://moon:...@127.0.0.1:8983/solr/moon_core/query?q=*:*&indent=true'
...
<body><h2>HTTP ERROR 403 Unauthorized request, Response code: 403</h2>
...
{noformat}

solr.log:

{noformat}
...
DEBUG (qtp1910936570-19) [   x:moon_core] 
o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to 
[/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-19) [   x:moon_core] 
o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, 
checking perms applicable to all (*) collections
DEBUG (qtp1910936570-19) [   x:moon_core] 
o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
  "role":"admin_role",
  "name":"all"}] to govern resource [/query]
INFO  (qtp1910936570-19) [   x:moon_core] 
o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have a 
permission {
  "role":"admin_role",
  "name":"all"}, The principal 
org.apache.solr.security.BasicAuthPlugin$BasicAuthUserPrincipal@2e6cb515[username=moon,pwd=*****]
 does not have the right role
...
{noformat}

h4. 4. (/) User moon should not be able to access the earth_core:

{noformat}
$ curl 'http://moon:...@127.0.0.1:8983/solr/earth_core/query?q=*:*&indent=true'
...
<title>Error 403 Unauthorized request, Response code: 403</title>
...
{noformat}

solr.log:

{noformat}
...
DEBUG (qtp1910936570-22) [   x:earth_core] 
o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to 
[/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-22) [   x:earth_core] 
o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, 
checking perms applicable to all (*) collections
DEBUG (qtp1910936570-22) [   x:earth_core] 
o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
  "role":"admin_role",
  "name":"all"}] to govern resource [/query]
INFO  (qtp1910936570-22) [   x:earth_core] 
o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have a 
permission {
  "role":"admin_role",
  "name":"all"}, The principal 
org.apache.solr.security.BasicAuthPlugin$BasicAuthUserPrincipal@68706e69[username=moon,pwd=*****]
 does not have the right role
...
{noformat}

> RuleBasedAuthorizationPlugin is not fully functional in Solr standalone mode
> ----------------------------------------------------------------------------
>
>                 Key: SOLR-13097
>                 URL: https://issues.apache.org/jira/browse/SOLR-13097
>             Project: Solr
>          Issue Type: Bug
>          Components: Authentication
>    Affects Versions: 6.6.5, 7.5
>         Environment: Solr standalone
>            Reporter: Dominique Béjean
>            Priority: Major
>
> In Solr standalone mode, the collections element of the request context is 
> not populated by the core name.
> For instance, the following request:
> {code:java}
> http://user1:xxxxxx@localhost:8983/solr/biblio/select?indent=on&q=*:*&wt=json{code}
> reports this in log:
> {code:java}
> 2018-12-30 12:24:52.102 INFO (qtp1731656333-20) [ x:biblio] 
> o.a.s.s.HttpSolrCall USER_REQUIRED auth header Basic Mjox context : 
> userPrincipal: [[principal: 2]] type: [READ], collections: [], Path: 
> [/select] path : /select params :q=:&indent=on&wt=json{code}
> The consequence is that RuleBasedAuthorizationPlugin is not able to apply 
> this kind of permission:
> {code:java}
> {"name":"read-biblio",
>  "path":"/select",
>  "role":["admin","read","r1"],
>  "collection":"biblio",
>  "index":2}{code}
> In SolrCloud mode in the init() method of HttpSolrCall.java, the collections 
> element is populated with either the collection name matching the core name 
> in the request or the collection names provided in the collection parameter.
> {code:java}
> if (cores.isZooKeeperAware()) {
>      // init collectionList (usually one name but not when there are aliases)
>      String def = core != null ? core.getCoreDescriptor().getCollectionName() 
> : origCorename;
>      collectionsList = 
> resolveCollectionListOrAlias(queryParams.get(COLLECTION_PROP, def)); // 
> &collection= takes precedence
>     ...
> }{code}
>  
> I expect init() method could be improved in order to populate collections 
> element with the core name for Solr standalone mode.
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
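Added example, not part of the comment above nor Solr's own code: a small Python model of how RuleBasedAuthorizationPlugin chooses the permission that governs a request, used to replay the six checks from the comment under the two request contexts this issue is about, collections=[] (what the standalone-mode logs show) and collections=[core name] (what the issue asks init() to populate). The model follows Solr's documented evaluation order (rules scoped to the request's collections first, then rules applying to all collections; the first matching rule governs; no matching rule means the request is permitted). It is a simplification: the PREDEFINED_PATHS table lists only the paths this example needs, and the security.json content is copied from the comment with credentials omitted.

```python
"""Model of RuleBasedAuthorizationPlugin rule selection (constructed example,
not Solr code), replaying the comment's security.json under an empty
collections list (standalone mode) and a core-name-populated one."""

# Subset of Solr's predefined permission names -> request paths.
# Assumption: only the paths needed for this example are listed.
PREDEFINED_PATHS = {
    "read": {"/select", "/get", "/query"},
    "update": {"/update", "/update/json"},
}

# Authorization section copied from the comment's security.json
# (credentials omitted; they play no part in authorization).
AUTHORIZATION = {
    "user-role": {"earth": "earth_role", "moon": "moon_role", "admin": "admin_role"},
    "permissions": [
        {"role": "earth_role", "collection": "earth_core", "name": "read"},
        {"role": "earth_role", "collection": "earth_core", "name": "update"},
        {"role": "moon_role", "collection": "moon_core", "name": "read"},
        {"role": "moon_role", "collection": "moon_core", "name": "update"},
        {"role": "admin_role", "name": "all"},
    ],
}


def _as_set(value):
    """user-role and role values may be a single string or a list."""
    if value is None:
        return set()
    return {value} if isinstance(value, str) else set(value)


def permission_matches_path(perm, path):
    """Does this rule govern the request path? 'all' covers every path; an
    explicit "path" key wins over the predefined name; otherwise look it up."""
    if perm["name"] == "all":
        return True
    if "path" in perm:
        return perm["path"] == path
    return path in PREDEFINED_PATHS.get(perm["name"], set())


def governing_permission(perms, path, collections):
    """First rule scoped to one of the request's collections (config order),
    then the first rule that applies to all (*) collections. None means no
    rule governs the resource, which Solr treats as permitted."""
    for coll in collections:
        for perm in perms:
            if perm.get("collection") == coll and permission_matches_path(perm, path):
                return perm
    for perm in perms:
        if perm.get("collection", "*") == "*" and permission_matches_path(perm, path):
            return perm
    return None


def authorize(authz, user, path, collections):
    """Return 'ALLOW' or 'DENY' for user -> path under the given collections
    list from the request context."""
    perm = governing_permission(authz["permissions"], path, collections)
    if perm is None:
        return "ALLOW"  # nothing configured for this resource
    allowed = _as_set(perm.get("role"))
    if not allowed or "*" in allowed:  # no role, or "*": any logged-in user
        return "ALLOW"
    return "ALLOW" if _as_set(authz["user-role"].get(user)) & allowed else "DENY"


def decision_matrix(authz, populate_from_core):
    """Replay the comment's checks against /query. populate_from_core=False
    gives collections=[] as in standalone mode; True gives [core name]."""
    cases = [("admin", "earth_core"), ("admin", "moon_core"),
             ("earth", "earth_core"), ("earth", "moon_core"),
             ("moon", "moon_core"), ("moon", "earth_core")]
    return {
        (user, core): authorize(authz, user, "/query", [core] if populate_from_core else [])
        for user, core in cases
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("collections populated from core name:", mode)
        for (user, core), verdict in decision_matrix(AUTHORIZATION, mode).items():
            print(f"  {user:5} -> {core:10} {verdict}")
```

With collections=[] only the last rule (admin_role, "all") can ever govern /query, which reproduces the logs above: admin is permitted on both cores, earth and moon are denied on both, including their own. With the core name in the context, earth and moon each reach only their own core. The same replay also shows a second point worth checking in any rule set: once collection-scoped rules can match, the first matching rule governs, so with this ordering admin (who holds only admin_role) is denied on earth_core; placing the "all" rule first, or adding admin to the per-core roles, keeps the intended admin access.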
