Hi, I recommend reading the docs thoroughly and then cleaning up your config somewhat: https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html
Solr's authz works differently than most other RBAC products. You may be confused by order of evaluation, which is a bit upside down. Solr does NOT start with the user's role and then evaluate what paths/permissions he can do. On the contrary, Solr starts with the request path, e.g. <collection>/select, then hunts through your permissions:[] array top-to-bottom to find ONE SINGLE permission that matches the path (and optionally collection name), and once it finds that permission, it will check that the user has one of the roles listed in that permission (or "all").

Also, if you do not list every single path or predefined permission, then any path not listed will be allowed by default, which is scary. It is common practice to have an "all" permission at the very end, and have that one require some kind of admin role. Looks like you have that.

In your security.json you list a "read" permission several times, and also other permissions several times. Solr will only consider the FIRST which satisfies the request. So make sure to place the more specific and restrictive permissions on top, and then you can have "fall-through" permissions near the end.

I also see that you use a custom Auth plugin, but I assume that one works. If you face continued problems I recommend creating a reproduction case with BasicAuth and as few roles/permissions as possible to reproduce your issue. Then others can try out your config and help you find flaws.

Jan

> On 3 Apr 2023, at 12:24, MEXANIK <irkuev...@gmail.com> wrote:
>
> Jan, Hi, Thank you
>
> Need more information so you can help?
>
> Fri, 31 Mar 2023, 12:16 MEXANIK <irkuev...@gmail.com>:
>
>> Sorry, test1Collection*
>>
>> Thu, 30 Mar 2023, 17:14 MEXANIK <irkuev...@gmail.com>:
>>
>>> When you send a read request for the test2Collection collection, the logs
>>> do not display as a collection, and I get 10 entries with admin_x rights
>>>
>>> attached log with description
>>>
>>> Wed, 29 Mar 2023, 16:39 Jan Høydahl <jan....@cominvent.com>:
>>>
>>>> Permissions are evaluated in order from top to bottom.
>>>> The first "read" permission found requires roles "admin_ro",
>>>> "admin_rwx", "solr-internal-traffic", so that should be selected.
>>>>
>>>> Do you have any logs that can shed light over what happens?
>>>>
>>>> Jan
>>>>
>>>>> On 29 Mar 2023, at 14:27, MEXANIK <irkuev...@gmail.com> wrote:
>>>>>
>>>>> I logged in using the john_sl user in Solr UI, and sent a request to read
>>>>> the collection, but I can read some of the collections, but I don't want
>>>>> them to be read.
>>>>>
>>>>> If I replace the admin user's rights from admin_rwx to admin_x, then the
>>>>> john_sl user can't read either
>>>>>
>>>>> How do I make it so that john_sl cannot read collections with admin_x
>>>>> rights, but at the same time so that the admin user has admin_rwx rights??
>>>>>
>>>>> Help!!
>>>>>
>>>>> Example security.json http://replit.com/@irkuev666/Test#data.json
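
The evaluation order described in the reply at the top of this thread, as an added example (not code from the thread or from Solr): a simplified Python model of first-match evaluation, plus checks for entries that can never be reached and for a closing "all" permission. It assumes requests are identified by predefined permission name rather than path, that an entry without "collection" (or with "*") applies to every collection, and that roles are explicit lists; the sample config and user names are constructed.

```python
import json

# Constructed sample, NOT the poster's security.json. Role names are borrowed from the thread.
SAMPLE = json.loads("""
{"authorization": {
  "permissions": [
    {"name": "read",   "collection": "test1Collection", "role": ["admin_rwx"]},
    {"name": "read",   "role": ["admin_ro", "admin_rwx"]},
    {"name": "read",   "role": ["admin_x"]},
    {"name": "update", "role": ["admin_rwx"]},
    {"name": "all",    "role": ["admin_rwx"]}
  ],
  "user-role": {"admin": ["admin_rwx"], "reader": ["admin_ro"], "ops": ["admin_x"]}
}}
""")["authorization"]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def covers(perm, name, collection):
    """True if this entry applies to the request (simplified matching, see assumptions)."""
    if perm["name"] not in (name, "all"):
        return False
    if perm.get("collection") is None:   # assumption: unscoped entry = any collection
        return True
    scopes = _as_list(perm["collection"])
    return collection in scopes or "*" in scopes

def decide(authz, user, name, collection):
    """Return (index of the single deciding entry or None, allowed?)."""
    roles = set(authz.get("user-role", {}).get(user, []))
    for i, perm in enumerate(authz["permissions"]):
        if covers(perm, name, collection):   # first match wins; later entries are ignored
            return i, bool(roles & set(_as_list(perm["role"])))
    return None, True                        # nothing matched: allowed by default

def shadowed(authz):
    """Indices of entries that can never decide a request because earlier ones cover them."""
    perms, out = authz["permissions"], []
    for i, perm in enumerate(perms):
        scope = perm.get("collection")
        targets = [object()] if scope is None else _as_list(scope)  # sentinel = "any collection"
        if all(any(covers(p, perm["name"], c) for p in perms[:i]) for c in targets):
            out.append(i)
    return out

def has_catch_all(authz):
    """True if the last entry is an unscoped "all" permission."""
    last = authz["permissions"][-1] if authz["permissions"] else {}
    return last.get("name") == "all" and last.get("collection") is None
```

Running `shadowed()` over a real permissions array points at the duplicate entries to delete or move up; `decide()` shows which single entry answers a given request.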