
Clemens Fuchslocher edited comment on SOLR-13097 at 3/28/22, 2:46 PM:

Is there really no way to limit the access of a user to a specific core in 
standalone mode?

Isn't this a very common use case?

I tried the following security.json with Solr 8.11.1 but it doesn't work as expected:

$ cat /srv/solr/cores/security.json
{code:json}
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "earth": "4c5xodAKcIQ80W/5DpI2ozHLk6jWxzJud/m8VkZI44E= YnlnMUZDRnNNUw==",
      "moon": "mIKfAsu2By/DyxFFklEx0jmHTpjyP/TjXQH0+UN86gQ= QkxDcjJKSVREaA==",
      "admin": "I0nDN1AwXieTf9rMw6+CmJ+CtxKqjfNi2f3JwmRTk3c= eDZqMVZ5VWFFVw=="
    },
    "blockUnknown": true
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {
      "earth": "earth_role",
      "moon": "moon_role",
      "admin": "admin_role"
    },
    "permissions": [
      { "role": "earth_role", "collection": "earth_core", "name": "read" },
      { "role": "earth_role", "collection": "earth_core", "name": "update" },
      { "role": "moon_role", "collection": "moon_core", "name": "read" },
      { "role": "moon_role", "collection": "moon_core", "name": "update" },
      { "role": "admin_role", "name": "all" }
    ]
  }
}
{code}

$ cat /srv/solr/cores/earth_core/core.properties 

$ cat /srv/solr/cores/moon_core/core.properties

h4. 1. (/) User admin should be able to access the earth_core:

$ curl 'http://admin:...@*:*&indent=true'

{code}
DEBUG (qtp1910936570-19) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-19) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, checking perms applicable to all (*) collections
DEBUG (qtp1910936570-19) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
  "name":"all"}] to govern resource [/query]
DEBUG (qtp1910936570-19) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Governing permission [{
  "name":"all"}] allows access to role [admin_role]; permitting access
INFO  (qtp1910936570-19) [   x:earth_core] o.a.s.c.S.Request [earth_core]  webapp=/solr path=/query params={q=*:*&indent=true} hits=0 status=0 QTime=152
{code}

h4. 2. (/) User admin should be able to access the moon_core:

$ curl 'http://admin:...@*:*&indent=true'

{code}
DEBUG (qtp1910936570-23) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-23) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, checking perms applicable to all (*) collections
DEBUG (qtp1910936570-23) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
  "name":"all"}] to govern resource [/query]
DEBUG (qtp1910936570-23) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Governing permission [{
  "name":"all"}] allows access to role [admin_role]; permitting access
INFO  (qtp1910936570-23) [   x:moon_core] o.a.s.c.S.Request [moon_core]  webapp=/solr path=/query params={q=*:*&indent=true} hits=0 status=0 QTime=0
{code}

h4. 1. (x) User earth should be able to access the earth_core:

This doesn't work.

$ curl 'http://earth:...@*:*&indent=true'
<title>Error 403 Unauthorized request, Response code: 403</title>

{code}
DEBUG (qtp1910936570-15) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-15) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, checking perms applicable to all (*) collections
DEBUG (qtp1910936570-15) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
  "name":"all"}] to govern resource [/query]
INFO  (qtp1910936570-15) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have a permission {
  "name":"all"}, The principal
 does not have the right role
{code}

h4. 2. (/) User earth should not be able to access the moon_core:

$ curl 'http://earth:...@*:*&indent=true'
<title>Error 403 Unauthorized request, Response code: 403</title>

{code}
DEBUG (qtp1910936570-19) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-19) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, checking perms applicable to all (*) collections
DEBUG (qtp1910936570-19) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
  "name":"all"}] to govern resource [/query]
INFO  (qtp1910936570-19) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have a permission {
  "name":"all"}, The principal
 does not have the right role
{code}

h4. 3. (x) User moon should be able to access the moon_core:

This doesn't work.

$ curl 'http://moon:...@*:*&indent=true'
<body><h2>HTTP ERROR 403 Unauthorized request, Response code: 403</h2>

{code}
DEBUG (qtp1910936570-19) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-19) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, checking perms applicable to all (*) collections
DEBUG (qtp1910936570-19) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
  "name":"all"}] to govern resource [/query]
INFO  (qtp1910936570-19) [   x:moon_core] o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have a permission {
  "name":"all"}, The principal
 does not have the right role
{code}

h4. 4. (/) User moon should not be able to access the earth_core:

$ curl 'http://moon:...@*:*&indent=true'
<title>Error 403 Unauthorized request, Response code: 403</title>

{code}
DEBUG (qtp1910936570-22) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/query] of type: [UNKNOWN], associated with collections [[]]
DEBUG (qtp1910936570-22) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, checking perms applicable to all (*) collections
DEBUG (qtp1910936570-22) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{
  "name":"all"}] to govern resource [/query]
INFO  (qtp1910936570-22) [   x:earth_core] o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have a permission {
  "name":"all"}, The principal
 does not have the right role
{code}


> RuleBasedAuthorizationPlugin is not fully functional in Solr standalone mode
> -----------------------------------------------------------------------------
>                 Key: SOLR-13097
>                 URL: https://issues.apache.org/jira/browse/SOLR-13097
>             Project: Solr
>          Issue Type: Bug
>          Components: Authentication
>    Affects Versions: 6.6.5, 7.5
>         Environment: Solr standalone
>            Reporter: Dominique Béjean
>            Priority: Major
> In Solr standalone mode, the collections element of the request context is 
> not populated by the core name.
> For instance, the following request:
> {code:java}
> http://user1:xxxxxx@localhost:8983/solr/biblio/select?indent=on&q=*:*&wt=json{code}
> reports this in log:
> {code:java}
> 2018-12-30 12:24:52.102 INFO (qtp1731656333-20) [ x:biblio] o.a.s.s.HttpSolrCall USER_REQUIRED auth header Basic Mjox context : userPrincipal: [[principal: 2]] type: [READ], collections: [], Path: [/select] path : /select params :q=:&indent=on&wt=json{code}
> The consequence is that RuleBasedAuthorizationPlugin is not able to apply 
> this kind of permission:
> {code:java}
> {"name":"read-biblio",
>  "path":"/select",
>  "role":["admin","read","r1"],
>  "collection":"biblio",
>  "index":2}{code}
> In Solrcloud mode in the init() method of HttpSolrCall.java, the collections 
> element is populated with either the collection name matching the core name 
> in the request or the collection names provided in the collection parameter.
> {code:java}
> if (cores.isZooKeeperAware()) {
>      // init collectionList (usually one name but not when there are aliases)
>      String def = core != null ? core.getCoreDescriptor().getCollectionName() : origCorename;
>      collectionsList = resolveCollectionListOrAlias(queryParams.get(COLLECTION_PROP, def)); // &collection= takes precedence
>     ...
> }{code}
> I expect init() method could be improved in order to populate collections 
> element with the core name for Solr standalone mode.
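The following is an added illustration, not code from the ticket, the comment or Solr itself: a constructed model of a first-match, rule-based authorizer run over the comment's security.json, showing why the earth/moon rules are never consulted when the request context carries no collection name (the "all" rule governs and the 403 follows) and what changes once the core name populates that list as the reporter requests. The PREDEFINED path subsets, the pass-through default for unmatched requests, and the helper names standalone/core_aware are assumptions of this model.

```python
# Constructed model (not Solr's code) of a first-match rule authorizer.
# In standalone mode the context's collections list is empty, so only
# collection-less rules are consulted and the "all" rule governs.
PREDEFINED = {  # assumed subset of paths behind Solr's "read"/"update"
    "read": {"/select", "/get", "/query"},
    "update": {"/update"},
}
USER_ROLE = {"earth": "earth_role", "moon": "moon_role", "admin": "admin_role"}
PERMISSIONS = [  # the comment's security.json permissions, in order
    {"role": "earth_role", "collection": "earth_core", "name": "read"},
    {"role": "earth_role", "collection": "earth_core", "name": "update"},
    {"role": "moon_role", "collection": "moon_core", "name": "read"},
    {"role": "moon_role", "collection": "moon_core", "name": "update"},
    {"role": "admin_role", "name": "all"},
]

def resource_matches(perm, path):
    return perm["name"] == "all" or path in PREDEFINED.get(perm["name"], ())

def governing_permission(perms, path, collections):
    """First rule whose collection scope and resource both match.
    Collection-scoped rules are consulted only for collections present
    in the request context; rules without a collection apply to all."""
    for coll in collections:
        for p in perms:
            if p.get("collection") == coll and resource_matches(p, path):
                return p
    for p in perms:
        if "collection" not in p and resource_matches(p, path):
            return p
    return None

def authorize(user, path, collections, perms=PERMISSIONS):
    """Return (decision, governing rule name); a request matched by no
    rule passes (assumed default of the plugin being modelled)."""
    perm = governing_permission(perms, path, collections)
    if perm is None:
        return ("allow", None)
    roles = perm["role"] if isinstance(perm["role"], list) else [perm["role"]]
    return ("allow" if USER_ROLE.get(user) in roles else "deny", perm["name"])

def standalone(user, core, path="/query"):
    # Standalone mode as in the ticket: core name not copied into the list.
    return authorize(user, path, [])

def core_aware(user, core, path="/query"):
    # What the reporter asks for: the core name populates the list.
    return authorize(user, path, [core])
```

Note that in this first-match model, once the core name is present, the per-core "read" rule shadows the later "all" rule for that core, so an admin role would have to be listed on the per-core rules (or the rules reordered) to keep admin access.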

This message was sent by Atlassian Jira
