Hello Sebastien,

Unfortunately rules can only have a collection scope in SolrCloud, not a
core scope in standalone Solr.

Thomas

On Tue 13 Jul 2021 at 16:17, Sebastien VERDET <s.ver...@linkbynet.com> wrote:

> Hello everybody,
>
> I'm trying to deploy the "RBAP" plugin on a really basic Solr 8.8.2
> installation that was done using the Ansible Galaxy module by Jeff
> Geerling: https://galaxy.ansible.com/geerlingguy/solr
>
> This is pretty straightforward: standalone, started through systemd.
> I've kept the default 'collection1' core and created a 'collection2'
> core to perform my testing of permissions/roles, following the
> documentation. Basically, I'm trying to create rules with only one
> collection scope, and two users having permissions only on one of the
> cores/collections. And for now, I'm focusing on read permissions as the
> others will follow naturally.
>
> But this is not going as expected. In the permission ordering section
> (https://solr.apache.org/guide/8_8/rule-based-authorization-plugin.html#permission-ordering-and-resolution),
> it states that rules mentioning explicit collection names are taken
> first. Here is my security.json resulting from API calls to create users,
> permissions and roles:
>
> {
>    "authentication": {
>      "class": "solr.BasicAuthPlugin",
>      "blockUnknown": true,
>      "credentials": {
>        "solr": "XXXXXXXXX== YYYYYYYYYY=",
>        "seb": "AAAAAAAA= BBBBBBBBBBB=",
>        "Osman": "JJJJJJJJJJJJ== KKKKKKKKKKKK="
>      },
>      "": {
>        "v": 0
>      }
>    },
>    "authorization": {
>      "class": "solr.RuleBasedAuthorizationPlugin",
>      "permissions": [
>        {
>          "name": "security-edit",
>          "role": "admin",
>          "index": 1
>        },
>        {
>          "name": "read",
>          "role": [
>            "admin",
>            "Osman"
>          ],
>          "index": 2
>        },
>        {
>          "name": "update",
>          "role": [
>            "admin"
>          ],
>          "index": 3
>        },
>        {
>          "name": "coll_read",
>          "role": [
>            "read_sve"
>          ],
>          "collection": [
>            "collection2"
>          ],
>          "path": "/select",
>          "index": 4
>        }
>      ],
>      "user-role": {
>        "solr": "admin",
>        "seb": [
>          "read_sve"
>        ],
>        "Osman": [
>          "Osman"
>        ]
>      },
>      "": {
>        "v": 0
>      }
>    }
> }
>
> I'm querying collection2 with user seb:
>
> curl -u seb:xxx -H "Content-Type: application/json" \
>   "http://127.0.0.1:12001/solr/collection2/select?q=*delete*"
>
> I get a 403 error, with the corresponding message in solr.log:
>
> 2021-07-13 13:23:53.934 INFO (qtp208684473-17) [   x:collection2]
> o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to
> have a permission {
>    "name":"read",
>    "role":[
>      "admin",
>      "Osman"],
>    "index":2}, The principal
> org.apache.solr.security.BasicAuthPlugin$BasicAuthUserPrincipal@54a23304[username=seb,pwd=*****]
>
> does not have the right role
>
> It takes the "global rule" instead of the collection-specific one. I've
> tried to change the order (as there are indexes), always with API calls (by
> deleting/recreating), even restarting the Solr service between changes,
> with no luck. "Global" permission assignment works correctly, but as
> soon as we want to focus on one collection, we are in the dark.
>
> Many searches with different terms lead to almost no resources around
> this plugin, so it's complicated to tackle. Did anyone already have this
> problem, and can share how it can be worked on?
>
>
> --
>
> Regards,
> _____________________________________________________
> *Sebastien VERDET*
> Linux Systems and Applications Integrator – PID
> ----------------------------------------------------
> *LINKBYNET*
> *Web : https://www.linkbynet.com*
> _____________________________________________________
>
> *Before printing this e-mail, think about environment.*
>
>
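Added example, not code from the thread or from Solr: a small Python lint that reads a security.json in the RuleBasedAuthorizationPlugin layout posted above and flags permissions carrying a "collection" scope when the deployment is standalone, where (as the reply says) such a scope cannot match. It embeds a constructed copy of the posted file with the poster's placeholder credentials, and takes the deployment mode as an argument because security.json itself does not record whether Solr runs standalone or in SolrCloud. On the posted file in standalone mode it reports that coll_read is scoped to collection2 and that seb, whose only role read_sve is granted by no unscoped permission, has nothing to fall back on, which matches the 403 in the log.

```python
import json

# Constructed copy of the security.json posted in the thread. The credential
# strings are the poster's placeholders, not real password hashes.
SECURITY_JSON = r'''{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "blockUnknown": true,
    "credentials": {
      "solr": "XXXXXXXXX== YYYYYYYYYY=",
      "seb": "AAAAAAAA= BBBBBBBBBBB=",
      "Osman": "JJJJJJJJJJJJ== KKKKKKKKKKKK="
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "security-edit", "role": "admin", "index": 1},
      {"name": "read", "role": ["admin", "Osman"], "index": 2},
      {"name": "update", "role": ["admin"], "index": 3},
      {"name": "coll_read", "role": ["read_sve"], "collection": ["collection2"],
       "path": "/select", "index": 4}
    ],
    "user-role": {
      "solr": "admin",
      "seb": ["read_sve"],
      "Osman": ["Osman"]
    }
  }
}'''


def as_list(value):
    """Solr accepts either a bare string or a list for role/collection fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_collection_scope(security, mode):
    """Return findings for permissions whose collection scope cannot match.

    mode is "cloud" or "standalone". In standalone Solr there are only cores,
    so a permission's "collection" field never matches and the request is
    evaluated against the remaining (unscoped) permissions instead.
    """
    authz = security["authorization"]
    perms = authz["permissions"]
    user_roles = {u: set(as_list(r)) for u, r in authz["user-role"].items()}
    if mode == "cloud":
        return []

    # Roles that receive some grant from at least one unscoped permission.
    roles_with_global_grant = set()
    for p in perms:
        if not as_list(p.get("collection")):
            roles_with_global_grant.update(as_list(p.get("role")))

    findings = []
    for p in perms:
        collections = as_list(p.get("collection"))
        if not collections:
            continue
        roles = as_list(p.get("role"))
        # A role that appears only in collection-scoped rules has no other way
        # to be authorized; users holding only such roles are locked out.
        stranded_roles = [r for r in roles if r not in roles_with_global_grant]
        stranded_users = sorted(
            u for u, rs in user_roles.items() if rs and rs <= set(stranded_roles)
        )
        findings.append({
            "permission": p["name"],
            "index": p.get("index"),
            "collections": collections,
            "stranded_roles": stranded_roles,
            "stranded_users": stranded_users,
        })
    return findings


def lint_text(text, mode):
    """Convenience wrapper: lint a raw security.json string."""
    return lint_collection_scope(json.loads(text), mode)


if __name__ == "__main__":
    for f in lint_text(SECURITY_JSON, "standalone"):
        print(f"permission '{f['permission']}' (index {f['index']}) is scoped to "
              f"{f['collections']} but this is standalone Solr, so it never matches; "
              f"users {f['stranded_users']} hold only roles {f['stranded_roles']} "
              f"and have no unscoped permission to fall back on")
```

Running the lint in "cloud" mode returns nothing, since collection scopes are legitimate there; the useful check is to run it against the mode the instance is actually started in before relying on a per-collection rule.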
