epugh commented on code in PR #1851: URL: https://github.com/apache/solr/pull/1851#discussion_r1302120050
########## solr/core/src/java/org/apache/solr/cli/AuthTool.java: ########## 
@@ -347,37 +352,21 @@ private int handleBasicAuth(CommandLine cli) throws Exception { boolean blockUnknown = Boolean.parseBoolean(cli.getOptionValue("blockUnknown", "true")); - String securityJson = - "{" - + "\n \"authentication\":{" - + "\n \"blockUnknown\": " - + blockUnknown - + "," - + "\n \"class\":\"solr.BasicAuthPlugin\"," - + "\n \"credentials\":{\"" - + username - + "\":\"" - + Sha256AuthenticationProvider.getSaltedHashedValue(password) - + "\"}" - + "\n }," - + "\n \"authorization\":{" - + "\n \"class\":\"solr.RuleBasedAuthorizationPlugin\"," - + "\n \"permissions\":[" - + "\n {\"name\":\"security-edit\", \"role\":\"admin\"}," - + "\n {\"name\":\"security-read\", \"role\":\"admin\"}," - + "\n {\"name\":\"config-edit\", \"role\":\"admin\"}," - + "\n {\"name\":\"config-read\", \"role\":\"admin\"}," - + "\n {\"name\":\"collection-admin-edit\", \"role\":\"admin\"}," - + "\n {\"name\":\"collection-admin-read\", \"role\":\"admin\"}," - + "\n {\"name\":\"core-admin-edit\", \"role\":\"admin\"}," - + "\n {\"name\":\"core-admin-read\", \"role\":\"admin\"}," - + "\n {\"name\":\"all\", \"role\":\"admin\"}" - + "\n ]," - + "\n \"user-role\":{\"" - + username - + "\":\"admin\"}" - + "\n }" - + "\n}"; + String resourceName = "security.json"; + final URL resource = SolrCore.class.getClassLoader().getResource(resourceName); + if (null == resource) { + throw new IllegalArgumentException("invalid resource name: " + resourceName); + } + + ObjectMapper mapper = new ObjectMapper(); + JsonNode securityJson1 = mapper.readTree(resource.openStream()); + ((ObjectNode) securityJson1).put("blockUnknown", blockUnknown); + JsonNode credentialsNode = securityJson1.get("authentication").get("credentials"); + ((ObjectNode) credentialsNode) + .put(username, Sha256AuthenticationProvider.getSaltedHashedValue(password)); + JsonNode userRoleNode = securityJson1.get("authorization").get("user-role"); + ((ObjectNode) userRoleNode).put(username, "admin"); Review Comment: Good question. 
I think that if you are able to run bin/solr auth, then you probably are a "superadmin" and we should set you to that role, and document it in the Ref Guide. I wonder if a feedback message "User X,Y has been granted superadmin permissions" would be useful...
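Review bot: In the added lines, `((ObjectNode) securityJson1).put("blockUnknown", blockUnknown);` writes `blockUnknown` at the root of the document, whereas the removed string placed it inside `"authentication"`; the value passed on the command line no longer lands where the old code put it, so set it on the node returned by `securityJson1.get("authentication")` instead. The stream from `resource.openStream()` handed to `mapper.readTree` is never closed and belongs in a try-with-resources. The chained `.get("authentication").get("credentials")` and `.get("authorization").get("user-role")` lookups followed by unchecked `ObjectNode` casts will fail with a NullPointerException or ClassCastException if the bundled `security.json` lacks those objects, so check for them and raise a clear error, as is already done for the missing resource. `securityJson1` also reads like a leftover name.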