Hello everybody,

I'm trying to deploy the "RBAP" plugin on a really basic Solr 8.8.2 installation that was done using the Ansible galaxy module by Jeff Geerling: https://galaxy.ansible.com/geerlingguy/solr

This is pretty straightforward: standalone, started through systemd. I've kept the default 'collection1' core and created a 'collection2' core to perform my testing of permissions/roles, following the documentation. Basically, I'm trying to create rules with only one collection scope, and two users having permissions only on one of the cores/collections. And for now, I'm focusing on read permissions, as the others will follow naturally.

But this is not going as expected. In the permission ordering section (https://solr.apache.org/guide/8_8/rule-based-authorization-plugin.html#permission-ordering-and-resolution), it states that rules mentioning explicit collection names are taken first. Here is my security.json resulting from API calls to create users, permissions and roles:

{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "blockUnknown": true,
    "credentials": {
      "solr": "XXXXXXXXX== YYYYYYYYYY=",
      "seb": "AAAAAAAA= BBBBBBBBBBB=",
      "Osman": "JJJJJJJJJJJJ== KKKKKKKKKKKK="
    },
    "": {
      "v": 0
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {
        "name": "security-edit",
        "role": "admin",
        "index": 1
      },
      {
        "name": "read",
        "role": [
          "admin",
          "Osman"
        ],
        "index": 2
      },
      {
        "name": "update",
        "role": [
          "admin"
        ],
        "index": 3
      },
      {
        "name": "coll_read",
        "role": [
          "read_sve"
        ],
        "collection": [
          "collection2"
        ],
        "path": "/select",
        "index": 4
      }
    ],
    "user-role": {
      "solr": "admin",
      "seb": [
        "read_sve"
      ],
      "Osman": [
        "Osman"
      ]
    },
    "": {
      "v": 0
    }
  }
}

I'm querying collection2 with user seb:

curl -u seb:xxx -H "Content-Type: application/json" "http://127.0.0.1:12001/solr/collection2/select?q=*delete*";

I get a 403 error, with the corresponding message in solr.log:

2021-07-13 13:23:53.934 INFO (qtp208684473-17) [   x:collection2] o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have a permission {
  "name":"read",
  "role":[
    "admin",
    "Osman"],
  "index":2}, The principal org.apache.solr.security.BasicAuthPlugin$BasicAuthUserPrincipal@54a23304[username=seb,pwd=*****] does not have the right role

It takes the "global rule" instead of the collection-specific one. I've tried to change the order (as there are indexes), always with API calls (by deleting/recreating), even restarting the solr service between changes, with no luck. "Global" permission assignment works correctly, but as soon as we want to focus on one collection, we are in the dark.

Many searches with different terms lead to almost no resources around this plugin, so it's complicated to tackle. Has anyone already had this problem, and can you share how it can be worked on?


--

Regards,
_____________________________________________________
*Sebastien VERDET*
Linux Systems and Applications Integrator – PID
----------------------------------------------------
*LINKBYNET*
*Web: https://www.linkbynet.com*
_____________________________________________________

*Before printing this e-mail, think about environment.*
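
A small model of the resolution order the message expects (collection-specific rules first, then global ones, each in index order), run against the permissions from the post, gives the decision that reading predicts, for comparison with the solr.log entry. This is an added example, not part of the original message and not Solr's code; `expected_decision`, `matches`, `as_list` and `PREDEFINED_PATHS` are hypothetical names, and mapping the predefined `read` permission to `/select` only is a simplifying assumption.

```python
import json

# Authorization part of the security.json from the post (credentials omitted).
SECURITY_JSON = json.loads("""
{"authorization": {
  "permissions": [
    {"name": "security-edit", "role": "admin", "index": 1},
    {"name": "read", "role": ["admin", "Osman"], "index": 2},
    {"name": "update", "role": ["admin"], "index": 3},
    {"name": "coll_read", "role": ["read_sve"], "collection": ["collection2"],
     "path": "/select", "index": 4}],
  "user-role": {"solr": "admin", "seb": ["read_sve"], "Osman": ["Osman"]}}}
""")

# Assumption: only the predefined "read" permission is modelled, and only for
# /select, the handler that the solr.log entry in the post shows it matching.
PREDEFINED_PATHS = {"read": {"/select"}}


def as_list(value):
    """security.json accepts either a string or a list for these fields."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def matches(perm, collection, path):
    """True if the permission applies to this collection and handler path."""
    colls = as_list(perm.get("collection"))
    if colls and collection not in colls:
        return False
    paths = as_list(perm.get("path")) or PREDEFINED_PATHS.get(perm["name"], set())
    return path in paths


def expected_decision(config, user, collection, path):
    """Return (permission name, allowed) for the first matching rule, trying
    collection-specific rules before global ones, each in index order."""
    authz = config["authorization"]
    user_roles = set(as_list(authz["user-role"].get(user)))
    perms = sorted(authz["permissions"], key=lambda p: p["index"])
    scoped = [p for p in perms if p.get("collection")]
    unscoped = [p for p in perms if not p.get("collection")]
    for perm in scoped + unscoped:
        if matches(perm, collection, path):
            return perm["name"], bool(user_roles & set(as_list(perm["role"])))
    return None, None  # no modelled rule matched this request
```

Under this model, seb's `/select` on collection2 resolves to `coll_read` and is allowed, whereas the log in the post shows the request being evaluated against `read`.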
