The docs are technically correct in consistently talking about "collection" and not "core" in this regard. They could make it a bit clearer that it doesn't apply equally to cores though. Just like you, I assumed they would be interchangeable and found out the hard way.
I asked about core-specific rules recently:
http://mail-archives.apache.org/mod_mbox/solr-users/202105.mbox/%3ccabewpvezzmf5kkaekoik7o-uvxiqzi43e-j7thsf0p213gy...@mail.gmail.com%3e

Thomas

On Thu, 15 Jul 2021 at 09:01, Sebastien VERDET <s.ver...@linkbynet.com> wrote:

> Hello,
>
> thanks for the reply, even if it makes me sad. I could not find any
> reference to this limitation anywhere in the documentation, and the
> parameter/attribute does not generate any error in this case (and the
> rule is just ignored without notice). Or maybe it's just in the only
> piece of documentation I haven't read yet regarding authentication and
> authorization in solr ?
>
> --
> Regards,
> Sebastien VERDET
> Linux Systems and Applications Integrator – PID
> LINKBYNET
> Web : https://www.linkbynet.com
>
> On 2021/07/13 16:00:31, Thomas Corthals <t...@klascement.net> wrote:
> > Hello Sebastien,
> >
> > Unfortunately rules can only have a collection scope in SolrCloud, not a
> > core scope in standalone Solr.
> >
> > Thomas
> >
> > On Tue, 13 Jul 2021 at 16:17, Sebastien VERDET <s.ver...@linkbynet.com> wrote:
> >
> > > Hello everybody,
> > >
> > > I'm trying to deploy the "RBAP" plugin on a really basic solr 8.8.2
> > > installation that was done using the Ansible galaxy module by Jeff
> > > Geerling : https://galaxy.ansible.com/geerlingguy/solr
> > >
> > > This is pretty straightforward : standalone, started through systemd.
> > > I've kept the default 'collection1' core and created a 'collection2'
> > > core to perform my testing of permissions/roles, following the
> > > documentation. Basically, I'm trying to create rules with only one
> > > collection scope, and two users having permissions only on one of the
> > > cores/collection. And for now, I'm focusing on read permissions as
> > > others will follow naturally.
> > >
> > > But this is not going as expected. In the permission ordering section
> > > (https://solr.apache.org/guide/8_8/rule-based-authorization-plugin.html#permission-ordering-and-resolution),
> > > it states that rules mentioning explicit collection names are taken
> > > first. Here is my security.json resulting from API calls to create
> > > users, permissions and roles :
> > >
> > > {
> > >   "authentication": {
> > >     "class": "solr.BasicAuthPlugin",
> > >     "blockUnknown": true,
> > >     "credentials": {
> > >       "solr": "XXXXXXXXX== YYYYYYYYYY=",
> > >       "seb": "AAAAAAAA= BBBBBBBBBBB=",
> > >       "Osman": "JJJJJJJJJJJJ== KKKKKKKKKKKK="
> > >     },
> > >     "": {
> > >       "v": 0
> > >     }
> > >   },
> > >   "authorization": {
> > >     "class": "solr.RuleBasedAuthorizationPlugin",
> > >     "permissions": [
> > >       {
> > >         "name": "security-edit",
> > >         "role": "admin",
> > >         "index": 1
> > >       },
> > >       {
> > >         "name": "read",
> > >         "role": [
> > >           "admin",
> > >           "Osman"
> > >         ],
> > >         "index": 2
> > >       },
> > >       {
> > >         "name": "update",
> > >         "role": [
> > >           "admin"
> > >         ],
> > >         "index": 3
> > >       },
> > >       {
> > >         "name": "coll_read",
> > >         "role": [
> > >           "read_sve"
> > >         ],
> > >         "collection": [
> > >           "collection2"
> > >         ],
> > >         "path": "/select",
> > >         "index": 4
> > >       }
> > >     ],
> > >     "user-role": {
> > >       "solr": "admin",
> > >       "seb": [
> > >         "read_sve"
> > >       ],
> > >       "Osman": [
> > >         "Osman"
> > >       ]
> > >     },
> > >     "": {
> > >       "v": 0
> > >     }
> > >   }
> > > }
> > >
> > > I'm querying collection2 with user seb :
> > >
> > > curl -u seb:xxx -H "Content-Type: application/json" "http://127.0.0.1:12001/solr/collection2/select?q=*delete*"
> > >
> > > I get a 403 error, with corresponding message in solr.log :
> > >
> > > 2021-07-13 13:23:53.934 INFO (qtp208684473-17) [ x:collection2]
> > > o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to
> > > have a permission {
> > > "name":"read",
> > > "role":[
> > > "admin",
> > > "Osman"],
> > > "index":2}, The principal
> > > org.apache.solr.security.BasicAuthPlugin$BasicAuthUserPrincipal@54a23304[username=seb,pwd=*****]
> > > does not have the right role
> > >
> > > It takes the "global rule" instead of the collection specific one.
> > > I've tried to change orders (as there are indexes), always with api
> > > calls (by deleting/recreating), even restarting the solr service
> > > between changes, to no luck. "Global" permissions assignation works
> > > correctly, but as soon as we want to focus on one collection, we are
> > > in the dark.
> > >
> > > Many searches with different terms lead to almost no resources around
> > > this plugin, so it's complicated to tackle. Did anyone already have
> > > this problem, and can share how it can be worked on ?
> > >
> > > --
> > > Regards,
> > > Sebastien VERDET
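
A pre-deployment check for the behavior reported in this thread, as an added example that is not part of the original messages and not Solr code: for a deployment the operator knows to be standalone, it lists the security.json permissions that carry a collection scope (which, per the reply above, is not applied to cores), plus the roles and users that depend only on those rules. The helper name `audit_standalone` is hypothetical and the sample is the thread's authorization section, trimmed.

```python
import json

# Constructed sample: the "authorization" section of the security.json quoted
# in the thread, trimmed to the fields this check reads.
SECURITY_JSON = """
{"authorization": {
  "class": "solr.RuleBasedAuthorizationPlugin",
  "permissions": [
    {"name": "security-edit", "role": "admin", "index": 1},
    {"name": "read", "role": ["admin", "Osman"], "index": 2},
    {"name": "update", "role": ["admin"], "index": 3},
    {"name": "coll_read", "role": ["read_sve"],
     "collection": ["collection2"], "path": "/select", "index": 4}
  ],
  "user-role": {"solr": "admin", "seb": ["read_sve"], "Osman": ["Osman"]}
}}
"""

def as_list(value):
    """security.json allows a single string or a list for roles/collections."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_standalone(security):
    """Hypothetical helper: find rules, roles and users that depend on a
    collection scope, which the thread reports is not applied to cores
    in standalone Solr (the rule is ignored without an error)."""
    authz = security.get("authorization", {})
    ignored, scoped_roles, global_roles = [], set(), set()
    for perm in authz.get("permissions", []):
        roles = as_list(perm.get("role"))
        if as_list(perm.get("collection")):
            ignored.append(perm.get("name"))
            scoped_roles.update(roles)
        else:
            global_roles.update(roles)
    # Roles granted only by collection-scoped rules grant nothing here.
    stranded_roles = sorted(scoped_roles - global_roles)
    # Users whose every role is stranded fall through to the global rules.
    stranded_users = sorted(
        user for user, roles in authz.get("user-role", {}).items()
        if as_list(roles) and set(as_list(roles)) <= set(stranded_roles))
    return ignored, stranded_roles, stranded_users

if __name__ == "__main__":
    rules, roles, users = audit_standalone(json.loads(SECURITY_JSON))
    print("collection-scoped rules (not applied to cores):", rules)
    print("roles granted only by those rules:", roles)
    print("users holding only those roles:", users)
```

On the thread's configuration this reports the rule `coll_read`, the role `read_sve` and the user `seb`, which matches the 403 in the quoted log where the global `read` permission was applied instead.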