Hello,
thanks for the reply, even if it makes me sad. I could not find any
reference to this limitation anywhere in the documentation, and the
parameter/attribute does not generate any error in this case (and the
rule is just ignored without notice). Or maybe it's just in the only
piece of documentation I haven't read yet regarding authentication and
authorization in Solr?
--
Regards,
_____________________________________________________
*Sebastien VERDET*
Linux Systems and Applications Integrator – PID
----------------------------------------------------
*LINKBYNET*
*Web: https://www.linkbynet.com*
_____________________________________________________
*Before printing this e-mail, think about environment.*
On 2021/07/13 16:00:31, Thomas Corthals <t...@klascement.net> wrote:
> Hello Sebastien,
>
> Unfortunately rules can only have a collection scope in SolrCloud, not a
> core scope in standalone Solr.
>
> Thomas
>
> On Tue 13 Jul 2021 at 16:17, Sebastien VERDET <s.ver...@linkbynet.com> wrote:
>
> > Hello everybody,
> >
> > I'm trying to deploy the "RBAP" plugin on a really basic Solr 8.8.2
> > installation that was done using the Ansible Galaxy module by Jeff
> > Geerling: https://galaxy.ansible.com/geerlingguy/solr
> >
> > This is pretty straightforward: standalone, started through systemd.
> > I've kept the default 'collection1' core and created a 'collection2'
> > core to perform my testing of permissions/roles, following the
> > documentation. Basically, I'm trying to create rules with only one
> > collection scope, and two users having permissions only on one of the
> > cores/collections. And for now, I'm focusing on read permissions as others
> > will follow naturally.
> >
> > But this is not going as expected. In the permission ordering section
> > (https://solr.apache.org/guide/8_8/rule-based-authorization-plugin.html#permission-ordering-and-resolution),
> > it states that rules mentioning explicit collection names are taken
> > first. Here is my security.json resulting from API calls to create users,
> > permissions and roles:
> >
> > {
> >   "authentication": {
> >     "class": "solr.BasicAuthPlugin",
> >     "blockUnknown": true,
> >     "credentials": {
> >       "solr": "XXXXXXXXX== YYYYYYYYYY=",
> >       "seb": "AAAAAAAA= BBBBBBBBBBB=",
> >       "Osman": "JJJJJJJJJJJJ== KKKKKKKKKKKK="
> >     },
> >     "": {
> >       "v": 0
> >     }
> >   },
> >   "authorization": {
> >     "class": "solr.RuleBasedAuthorizationPlugin",
> >     "permissions": [
> >       {
> >         "name": "security-edit",
> >         "role": "admin",
> >         "index": 1
> >       },
> >       {
> >         "name": "read",
> >         "role": [
> >           "admin",
> >           "Osman"
> >         ],
> >         "index": 2
> >       },
> >       {
> >         "name": "update",
> >         "role": [
> >           "admin"
> >         ],
> >         "index": 3
> >       },
> >       {
> >         "name": "coll_read",
> >         "role": [
> >           "read_sve"
> >         ],
> >         "collection": [
> >           "collection2"
> >         ],
> >         "path": "/select",
> >         "index": 4
> >       }
> >     ],
> >     "user-role": {
> >       "solr": "admin",
> >       "seb": [
> >         "read_sve"
> >       ],
> >       "Osman": [
> >         "Osman"
> >       ]
> >     },
> >     "": {
> >       "v": 0
> >     }
> >   }
> > }
> >
> > I'm querying collection2 with user seb:
> >
> > curl -u seb:xxx -H "Content-Type: application/json" \
> >   "http://127.0.0.1:12001/solr/collection2/select?q=*delete*"
> >
> > I get a 403 error, with the corresponding message in solr.log:
> >
> > 2021-07-13 13:23:53.934 INFO (qtp208684473-17) [ x:collection2]
> > o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to
> > have a permission {
> > "name":"read",
> > "role":[
> > "admin",
> > "Osman"],
> > "index":2}, The principal
> > org.apache.solr.security.BasicAuthPlugin$BasicAuthUserPrincipal@54a23304[username=seb,pwd=*****]
> > does not have the right role
> >
> > It takes the "global rule" instead of the collection specific one. I've
> > tried to change orders (as there are indexes), always with API calls (by
> > deleting/recreating), even restarting the Solr service between changes,
> > to no luck. "Global" permissions assignation works correctly, but as
> > soon as we want to focus on one collection, we are in the dark.
> >
> > Many searches with different terms lead to almost no resources around
> > this plugin, so it's complicated to tackle. Did anyone already have this
> > problem, and can share how it can be worked on?
> >
>
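
An added example, not part of the original thread and not Solr code: a small lint for security.json that, assuming Thomas's statement above holds (collection-scoped rules are not applied on standalone Solr), lists such rules and the users whose only grant comes from them. The function names and the embedded sample (the thread's authorization block, credentials omitted) are constructed for illustration.

```python
import json

# Constructed sample: the "authorization" block from the thread, credentials omitted.
SECURITY_JSON = """
{"authorization": {
  "class": "solr.RuleBasedAuthorizationPlugin",
  "permissions": [
    {"name": "security-edit", "role": "admin", "index": 1},
    {"name": "read", "role": ["admin", "Osman"], "index": 2},
    {"name": "update", "role": ["admin"], "index": 3},
    {"name": "coll_read", "role": ["read_sve"], "collection": ["collection2"],
     "path": "/select", "index": 4}
  ],
  "user-role": {"solr": "admin", "seb": ["read_sve"], "Osman": ["Osman"]}
}}
"""

def as_set(value):
    """Role and collection values may be a single string or a list."""
    if value is None:
        return set()
    return {value} if isinstance(value, str) else set(value)

def lint_standalone(security):
    """Flag collection-scoped rules and the users who depend only on them."""
    authz = security.get("authorization", {})
    perms = authz.get("permissions", [])
    user_roles = {u: as_set(r) for u, r in authz.get("user-role", {}).items()}
    # A rule is "scoped" when it names at least one collection other than "*".
    scoped = [p for p in perms if as_set(p.get("collection")) - {"*"}]
    # Roles granted by rules without a collection scope (wildcard roles not modeled).
    unscoped_roles = set()
    for p in perms:
        if p not in scoped:
            unscoped_roles |= as_set(p.get("role"))
    findings = []
    for p in scoped:
        # Users holding this rule's role and no role used by any unscoped rule.
        stranded = sorted(u for u, roles in user_roles.items()
                          if roles & as_set(p.get("role")) and not roles & unscoped_roles)
        findings.append({"rule": p["name"], "index": p.get("index"),
                         "collections": sorted(as_set(p["collection"])),
                         "users_without_other_grant": stranded})
    return findings

if __name__ == "__main__":
    for finding in lint_standalone(json.loads(SECURITY_JSON)):
        print(finding)
```

On the thread's configuration this reports `coll_read` with user `seb` as the only affected account, which matches the 403 in the log above.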