Jan, Hi!!

I have such a problem that out of 5 collections, 2 of them can be read
using the john_sl user with admin_x accesses. But if the "admin_rwx"
accesses are taken away from the "admin" user, then the john_sl user will
not be able to read 2 collections previously available for reading ... How
is this to be understood? Any ideas?

Mon, 3 Apr 2023, 23:34 Jan Høydahl <jan....@cominvent.com>:

> Hi,
>
> I recommend reading the docs thoroughly and then clean up your config
> somewhat:
> https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html
>
> Solr's authz works differently than most other RBAC products. You may be
> confused by order of evaluation, which is a bit upside down.
>
> Solr does NOT start with the user's role and then evaluate what
> paths/permissions he can do.
> On the contrary, Solr starts with the request path, e.g.
> <collection>/select, then hunts through your permissions:[] array
> top-to-bottom to find ONE SINGLE permission that matches the path (and
> optionally collection name), and once it finds that permission, it will
> check that the user has one of the roles listed in that permission (or
> "all").
>
> Also, if you do not list every single path or predefined permission, then
> any path not listed will be allowed by default, which is scary. It is
> common practice to have an "all" permission at the very end, and have that
> one require some kind of admin role. Looks like you have that.
>
> In your security.json you list a "read" permission several times, and also
> other permissions several times. Solr will only consider the FIRST which
> satisfies the request. So make sure to place the more specific and
> restrictive permissions on top, and then you can have "fall-through"
> permissions near the end.
>
> I also see that you use a custom Auth plugin, but I assume that one works.
> If you face continued problems I recommend creating a reproduction case
> with BasicAuth and as few roles/permissions as possible to reproduce your
> issue. Then others can try out your config and help you find flaws.
>
> Jan
>
> > On 3 Apr 2023 at 12:24, MEXANIK <irkuev...@gmail.com> wrote:
> >
> > Jan, Hi, Thank you
> >
> > Need more information so you can help?
> >
> >
> >
> > Fri, 31 Mar 2023, 12:16 MEXANIK <irkuev...@gmail.com>:
> >
> >> Sorry, test1Collection*
> >>
> >> Thu, 30 Mar 2023, 17:14 MEXANIK <irkuev...@gmail.com>:
> >>
> >>> When you send a read request for the test2Collection collection, the logs
> >>> do not display as a collection, and I get 10 entries with admin_x rights
> >>>
> >>>
> >>> attached log with description
> >>>
> >>>
> >>>
> >>> Wed, 29 Mar 2023, 16:39 Jan Høydahl <jan....@cominvent.com>:
> >>>
> >>>> Permissions are evaluated in order from top to bottom.
> >>>> The first "read" permission found requires roles "admin_ro",
> >>>> "admin_rwx", "solr-internal-traffic", so that should be selected.
> >>>>
> >>>> Do you have any logs that can shed light over what happens?
> >>>>
> >>>> Jan
> >>>>
> >>>>> On 29 Mar 2023 at 14:27, MEXANIK <irkuev...@gmail.com> wrote:
> >>>>>
> >>>>> I logged in using the john_sl user in Solr UI, and sent a request to read
> >>>>> the collection, but I can read some of the collections, but I don't want
> >>>>> them to be read.
> >>>>>
> >>>>> If I replace the admin user's rights from admin_rwx to admin_x, then the
> >>>>> john_sl user can't read either
> >>>>>
> >>>>> How do I make it so that john_sl cannot read collections with admin_x
> >>>>> rights, but at the same time so that the admin user has admin_rwx rights??
> >>>>>
> >>>>> Help!!
> >>>>>
> >>>>> Example security.json http://replit.com/@irkuev666/Test#data.json
> >>>>
> >>>>
>
>
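
The evaluation order described in Jan's quoted reply (3 Apr), as a small Python model. This is an added example, not part of the original thread and not Solr's own code; the user, role and collection names and the set of paths treated as "read" are constructed assumptions.

```python
# Simplified model of first-match permission evaluation as described in the thread.
# Role, user and collection names are constructed; this is not Solr's code.
READ_PATHS = {"/select", "/get"}  # assumption: paths covered by the predefined "read"

USER_ROLES = {"admin": ["admin_rwx"], "john_sl": ["admin_ro"]}

SPECIFIC_FIRST = [
    {"name": "read", "collection": "secretCollection", "role": ["admin_rwx"]},
    {"name": "read", "role": ["admin_ro", "admin_rwx"]},
    {"name": "all", "role": ["admin_rwx"]},
]
# Same rules, but the broad "read" is listed before the restrictive one.
BROAD_FIRST = [SPECIFIC_FIRST[1], SPECIFIC_FIRST[0], SPECIFIC_FIRST[2]]


def matches(perm, collection, path):
    """True if this permission applies to the request path and collection."""
    if perm["name"] == "all":
        return True
    if perm.get("collection") not in (None, collection):
        return False
    return perm["name"] == "read" and path in READ_PATHS


def authorize(permissions, user, collection, path):
    """Return (allowed, index of the permission that decided, or None)."""
    roles = set(USER_ROLES.get(user, []))
    for index, perm in enumerate(permissions):
        if matches(perm, collection, path):
            # First match decides; later permissions are never consulted.
            return bool(roles & set(perm["role"])), index
    return True, None  # nothing matched: the request is allowed by default


if __name__ == "__main__":
    for label, perms in (("specific first", SPECIFIC_FIRST), ("broad first", BROAD_FIRST)):
        for coll in ("secretCollection", "publicCollection"):
            print(label, coll, authorize(perms, "john_sl", coll, "/select"))
```

With the broad "read" listed first, john_sl's request for secretCollection is decided by permission 0 and allowed; the restrictive entry below it is never reached.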
