When you send a read request for the test2Collection collection, the logs do not display as a collection, and I get 10 entries with admin_x rights.

Attached log with description.

Wed, 29 Mar 2023, 16:39 Jan Høydahl <jan....@cominvent.com>:

> Permissions are evaluated in order from top to bottom.
> The first "read" permission found requires roles "admin_ro", "admin_rwx",
> "solr-internal-traffic", so that should be selected.
>
> Do you have any logs that can shed light on what happens?
>
> Jan
>
> > On 29 Mar 2023, at 14:27, MEXANIK <irkuev...@gmail.com> wrote:
> >
> > I logged in using the john_sl user in Solr UI, and sent a request to read
> > the collection, but I can read some of the collections, but I don't want
> > them to be read.
> >
> > If I replace the admin user's rights from admin_rwx to admin_x, then the
> > john_sl user can't read either
> >
> > How do I make it so that john_sl cannot read collections with admin_x
> > rights, but at the same time so that the admin user has admin_rwx
> > rights??
> >
> > Help!!
> >
> > Example security.json http://replit.com/@irkuev666/Test#data.json

----- WARNING!---
-------------CASE SEND REQUEST READ test2Collection----WITH USERS john_sl-----------------
----------------NOT CORRECT RESPONSE--I CAN READ DATA THE COLLECTION WITH admin_x rights------------------------------
2023-03-30 15:30:55.897 DEBUG (qtp1299327689-177) [ ] o.e.j.i.ManagedSelector updates 0
2023-03-30 15:30:55.897 DEBUG (qtp1299327689-177) [ ] o.e.j.i.ManagedSelector Selector sun.nio.ch.EPollSelectorImpl@5f7185e3 waiting with 2 keys
2023-03-30 15:30:55.897 DEBUG (qtp1299327689-150) [ ] o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/____v2/schema-designer/configs] of type: [ADMIN], associated with collections [[]]
2023-03-30 15:30:55.897 DEBUG (qtp1299327689-150) [ ] o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing an ADMIN request, checking admin permissions
2023-03-30 15:30:55.897 DEBUG (qtp1299327689-150) [ ] o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{ "name":"config-edit", "role":[ "admin_rwx", "admin_x", "solr-internal-traffic"]}] to govern resource [/____v2/schema-designer/configs]
2023-03-30 15:30:55.897 DEBUG (qtp1299327689-150) [ ] o.a.s.s.RuleBasedAuthorizationPluginBase Governing permission [{ "name":"config-edit", "role":[ "admin_rwx", "admin_x", "solr-internal-traffic"]}] allows access to role [admin_x]; permitting access
2023-03-30 15:30:55.876 DEBUG (qtp1299327689-173) [ ] o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/admin/collections] of type: [ADMIN], associated with collections [[]]
2023-03-30 15:30:55.876 DEBUG (qtp1299327689-150) [ ] o.e.j.i.ManagedSelector Selector sun.nio.ch.EPollSelectorImpl@5f7185e3 waiting with 2 keys
2023-03-30 15:30:55.876 DEBUG (qtp1299327689-173) [ ] o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing an ADMIN request, checking admin permissions
2023-03-30 15:30:55.876 DEBUG (qtp1299327689-173) [ ] o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{ "collection":null, "path":"/admin/collections", "params":{"action":[ "LIST", "LISTALIASES", "CLUSTERSTATUS"]}, "role":[ "admin_ro", "admin_x", "admin_rwx", "solr-internal-traffic"]}] to govern resource [/admin/collections]
2023-03-30 15:30:55.876 DEBUG (qtp1299327689-173) [ ] o.a.s.s.RuleBasedAuthorizationPluginBase Governing permission [{ "collection":null, "path":"/admin/collections", "params":{"action":[ "LIST", "LISTALIASES", "CLUSTERSTATUS"]}, "role":[ "admin_ro", "admin_x", "admin_rwx", "solr-internal-traffic"]}] allows access to role [admin_x]; permitting access
2023-03-30 15:30:55.876 DEBUG (qtp1299327689-173) [ ] o.a.s.h.a.CollectionsHandler Invoked Collection Action :listaliases with params action=LISTALIASES&wt=json&_=1680176979652 and sendToOCPQueue=true
2023-03-30 15:30:55.808 DEBUG (qtp1299327689-21) [ ] o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/admin/info/system] of type: [ADMIN], associated with collections [[]]
2023-03-30 15:30:55.808 DEBUG (qtp1299327689-21) [ ] o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing an ADMIN request, checking admin permissions
2023-03-30 15:30:55.808 DEBUG (qtp1299327689-59) [ ] o.e.j.h.HTTP2Connection Processing HeadersFrame@50cec7e7#97{end=true}+PriorityFrame@4f576204#97/#5{weight=22,exclusive=false} on HTTP2Stream@25c48b4f#97@9d00611{sendWindow=131072,recvWindow=524288,reset=false/false,REMOTELY_CLOSED,age=0,attachment=null}
2023-03-30 15:30:55.808 DEBUG (qtp1299327689-59) [ ] o.e.j.h.s.HttpTransportOverHTTP2 org.eclipse.jetty.http2.server.HttpTransportOverHTTP2@5463412d setStream 97
2023-03-30 15:30:55.808 DEBUG (qtp1299327689-21) [ ] o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{ "name":"all", "role":[ "admin_ro", "admin_x", "admin_rwx", "solr-internal-traffic"]}] to govern resource [/admin/info/system]
2023-03-30 15:30:55.808 DEBUG (qtp1299327689-21) [ ] o.a.s.s.RuleBasedAuthorizationPluginBase Governing permission [{ "name":"all", "role":[ "admin_ro", "admin_x", "admin_rwx", "solr-internal-traffic"]}] allows access to role [admin_x]; permitting access
2023-03-30 15:30:55.806 DEBUG (qtp1299327689-145) [ ] o.a.s.s.SolrDispatchFilter Request to authenticate: org.apache.solr.servlet.SolrDispatchFilter$1@2e4d085f, domain: 10.56.103.108, port: 13700
2023-03-30 15:30:55.806 DEBUG (qtp1299327689-145) [ ] o.a.s.s.SolrDispatchFilter User principal: us.ssl.CustomSSLAuthenticationPlugin$1$$Lambda$769/0x00000008406ae040@2e5ea716
2023-03-30 15:30:55.806 DEBUG (qtp1299327689-145) [ ] o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/admin/cores] of type: [ADMIN], associated with collections [[]]
2023-03-30 15:30:55.806 DEBUG (qtp1299327689-145) [ ] o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing an ADMIN request, checking admin permissions
2023-03-30 15:30:55.806 DEBUG (qtp1299327689-145) [ ] o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{ "name":"core-admin-read", "role":[ "admin_ro", "admin_x", "admin_rwx", "solr-internal-traffic"]}] to govern resource [/admin/cores]
2023-03-30 15:30:55.806 DEBUG (qtp1299327689-145) [ ] o.a.s.s.RuleBasedAuthorizationPluginBase Governing permission [{ "name":"core-admin-read", "role":[ "admin_ro", "admin_x", "admin_rwx", "solr-internal-traffic"]}] allows access to role [admin_x]; permitting access

----- WARNING!---
-----------------------CASE SEND REQUEST READ test1Collection--------------WITH USER john_sl---------------
---------CORRECT RESPONSE 403 with role admin_x-------------------
2023-03-30 16:20:23.400 DEBUG (qtp1299327689-156) [ ] o.e.j.i.ManagedSelector Selector sun.nio.ch.EPollSelectorImpl@5f7185e3 waiting with 2 keys
2023-03-30 16:20:23.400 DEBUG (qtp1299327689-146) [ ] o.a.s.s.SolrDispatchFilter User principal: us.ssl.CustomSSLAuthenticationPlugin$1$$Lambda$769/0x00000008406ae040@778d0b82
2023-03-30 16:20:23.401 DEBUG (qtp1299327689-146) [c:test1Collection.0 s:shard8 r:core_node35 x:test1Collection.0_shard8_replica_n33] o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/select] of type: [READ], associated with collections [[CollectionRequest(test1Collection.0)]]
2023-03-30 16:20:23.401 DEBUG (qtp1299327689-146) [c:test1Collection.0 s:shard8 r:core_node35 x:test1Collection.0_shard8_replica_n33] o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, checking perms applicable to specific collection [test1Collection.0]
2023-03-30 16:20:23.401 DEBUG (qtp1299327689-146) [c:test1Collection.0 s:shard8 r:core_node35 x:test1Collection.0_shard8_replica_n33] o.a.s.s.RuleBasedAuthorizationPluginBase Authorizing collection-aware request, checking perms applicable to all (*) collections
2023-03-30 16:20:23.401 DEBUG (qtp1299327689-146) [c:test1Collection.0 s:shard8 r:core_node35 x:test1Collection.0_shard8_replica_n33] o.a.s.s.RuleBasedAuthorizationPluginBase No perms configured for the resource /select . So allowed to access
2023-03-30 16:20:23.401 DEBUG (qtp1299327689-146) [c:test1Collection.0 s:shard8 r:core_node35 x:test1Collection.0_shard8_replica_n33] o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{ "name":"collection-query", "role":[ "admin_ro", "admin_rwx"]}] to govern resource [/select]
2023-03-30 16:20:23.401 INFO (qtp1299327689-146) [c:test1Collection.0 s:shard8 r:core_node35 x:test1Collection.0_shard8_replica_n33] o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have a permission { "name":"collection-query", "role":[ "admin_ro", "admin_rwx"]}, The principal us.ssl.CustomSSLAuthenticationPlugin$1$$Lambda$769/0x00000008406ae040@3b33128b does not have the right role
2023-03-30 16:20:23.401 DEBUG (qtp1299327689-146) [c:test1Collection.0 s:shard8 r:core_node35 x:test1Collection.0_shard8_replica_n33] o.e.j.s.HttpChannelState sendError HttpChannelState@6bce1579{s=HANDLING rs=BLOCKING os=OPEN is=IDLE awp=false se=false i=true al=0}
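
Added example, not part of the original message and not Solr code: a small Python parser that correlates the RuleBasedAuthorizationPluginBase lines of a DEBUG excerpt like the one above by thread name and reports, for each request, its type, collections, governing permission and outcome. The sample lines are constructed in the format of the log above; the thread names `qtp1-173`/`qtp1-146` and `PRINCIPAL_PLACEHOLDER` are placeholders.

```python
import json
import re

# Constructed sample in the format of the log above; thread names and the
# principal are placeholders. Two requests are interleaved across two threads.
SAMPLE_LOG = """\
2023-03-30 15:30:55.876 DEBUG (qtp1-173) [ ] o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/admin/collections] of type: [ADMIN], associated with collections [[]]
2023-03-30 16:20:23.401 DEBUG (qtp1-146) [c:test1Collection.0] o.a.s.s.RuleBasedAuthorizationPluginBase Attempting to authorize request to [/select] of type: [READ], associated with collections [[CollectionRequest(test1Collection.0)]]
2023-03-30 15:30:55.876 DEBUG (qtp1-173) [ ] o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{ "collection":null, "path":"/admin/collections", "params":{"action":[ "LIST"]}, "role":[ "admin_ro", "admin_x"]}] to govern resource [/admin/collections]
2023-03-30 16:20:23.401 DEBUG (qtp1-146) [c:test1Collection.0] o.a.s.s.RuleBasedAuthorizationPluginBase Found perm [{ "name":"collection-query", "role":[ "admin_ro", "admin_rwx"]}] to govern resource [/select]
2023-03-30 15:30:55.876 DEBUG (qtp1-173) [ ] o.a.s.s.RuleBasedAuthorizationPluginBase Governing permission [{ "collection":null, "path":"/admin/collections", "params":{"action":[ "LIST"]}, "role":[ "admin_ro", "admin_x"]}] allows access to role [admin_x]; permitting access
2023-03-30 16:20:23.401 INFO (qtp1-146) [c:test1Collection.0] o.a.s.s.RuleBasedAuthorizationPluginBase This resource is configured to have a permission { "name":"collection-query", "role":[ "admin_ro", "admin_rwx"]}, The principal PRINCIPAL_PLACEHOLDER does not have the right role
"""

THREAD = re.compile(r"\((qtp[\w-]+)\)")
ATTEMPT = re.compile(r"request to \[(.*?)\] of type: \[(\w+)\], associated with collections (.*)$")
FOUND = re.compile(r"Found perm \[(\{.*\})\] to govern resource")
ALLOW = re.compile(r"allows access to role \[(.*?)\]; permitting access")
DENY = "does not have the right role"

def summarize(log_text):
    """Return one record per authorization attempt, correlated by thread name."""
    open_by_thread, records = {}, []
    for line in log_text.splitlines():
        t = THREAD.search(line)
        if "RuleBasedAuthorizationPluginBase" not in line or not t:
            continue  # skip Jetty and other non-authorization lines
        thread = t.group(1)
        if m := ATTEMPT.search(line):
            rec = {"path": m.group(1), "type": m.group(2), "perm": None, "roles": None,
                   "collections": re.findall(r"CollectionRequest\((.*?)\)", m.group(3)),
                   "decision": "unknown"}
            open_by_thread[thread] = rec  # later lines on this thread belong to it
            records.append(rec)
        elif (rec := open_by_thread.get(thread)) is None:
            continue  # decision line whose "Attempting" line is outside the excerpt
        elif m := FOUND.search(line):
            perm = json.loads(m.group(1))  # the permission is logged as JSON
            rec["perm"] = perm.get("name") or perm.get("path")
            rec["roles"] = perm.get("role")
        elif m := ALLOW.search(line):
            rec["decision"] = "allow:" + m.group(1)
        elif DENY in line:
            rec["decision"] = "deny"
    return records

if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        print(r["type"], r["path"], r["collections"], r["perm"], r["roles"], r["decision"])
```

Filtering the result on `type == "READ"` shows whether an authorization check on `/select` was logged at all for a given collection, and which permission and role list decided it.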