I think the way forward here is to create a minimal re-production example for 
others to try.
Ideally using a setup with basic auth, you could help us reproduce with a 
script like this:

# Copy my-security.json into the current folder, then:
bin/solr start -c                  # or run Solr in Docker
bin/solr create -c coll1
bin/solr create -c coll2
bin/solr create -c coll3
# Enable security with the custom config
bin/solr zk cp my-security.json zk:/security.json

Browse to http://localhost:8983 and log in as user 'foo'.

# PASSWORD below is whatever you set for 'foo' in my-security.json
Verify that user 'foo' can search collection coll1 (expect HTTP 200):
curl -u foo:PASSWORD -o /dev/null -w '%{http_code}\n' "http://localhost:8983/solr/coll1/select?q=*:*"

Verify that user 'foo' cannot search collection coll2 (expect HTTP 403):
curl -u foo:PASSWORD -o /dev/null -w '%{http_code}\n' "http://localhost:8983/solr/coll2/select?q=*:*"

Jan
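The following is an added example, not code from the Solr project and not the config posted in this thread. It models the evaluation order described further down (the request path, mapped to a predefined permission name such as "read", is matched against permissions[] top to bottom; the first matching entry decides, and a request that matches nothing is allowed). The sample security.json, the roles "reader" and "admin_rwx", and the users "foo" and "admin" are assumptions constructed for a minimal reproduction like the one requested above; the authentication block is omitted, and the real plugin's path/method/param matching is not modelled.

```python
import copy
import json

# Constructed sample security.json (authorization section only; the BasicAuth
# "authentication" block is left out). Roles and collection names are
# assumptions for the reproduction case: 'foo' may read coll1 only, 'admin'
# may do anything. The restrictive coll2 entry is listed first on purpose.
SECURITY_JSON = json.loads("""
{
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {"foo": ["reader"], "admin": ["admin_rwx"]},
    "permissions": [
      {"name": "read", "collection": "coll2", "role": ["admin_rwx"]},
      {"name": "read", "collection": "coll1", "role": ["reader", "admin_rwx"]},
      {"name": "all", "role": ["admin_rwx"]}
    ]
  }
}
""")


def permission_matches(perm, name, collection):
    """Does this permissions[] entry apply to the request?

    Simplified model: a request is identified by the predefined permission
    name its path maps to ("read" for /select) plus the collection. "all"
    matches every request; a "collection" key (string or list), when present,
    restricts the entry; when absent the entry covers every collection.
    """
    if perm["name"] == "all":
        return True
    if perm["name"] != name:
        return False
    scope = perm.get("collection")
    if scope is None:
        return True
    scopes = scope if isinstance(scope, list) else [scope]
    return collection in scopes


def authorize(security, user, name, collection):
    """First-match evaluation as described in the thread.

    Walk permissions[] top to bottom, stop at the FIRST entry that matches the
    request, and permit only if the user holds one of its roles (a role of
    "all" means any authenticated user). Returns
    (allowed, index_of_deciding_permission); index None means nothing
    matched, which the plugin treats as allowed by default.
    """
    authz = security["authorization"]
    roles = set(authz["user-role"].get(user, []))
    for idx, perm in enumerate(authz["permissions"]):
        if not permission_matches(perm, name, collection):
            continue
        required = set(perm.get("role", []))
        allowed = "all" in required or bool(roles & required)
        return allowed, idx
    return True, None


def with_broad_read_first(security):
    """Ordering pitfall: a collection-wide "read" placed above the restrictive
    coll2 entry is matched first for every collection, so coll2 opens up."""
    s = copy.deepcopy(security)
    s["authorization"]["permissions"].insert(
        0, {"name": "read", "role": ["reader", "admin_rwx"]})
    return s


def without_all(security):
    """Fall-through pitfall: drop the trailing "all" entry, so any request
    not explicitly listed is permitted."""
    s = copy.deepcopy(security)
    s["authorization"]["permissions"] = [
        p for p in s["authorization"]["permissions"] if p["name"] != "all"]
    return s


if __name__ == "__main__":
    s = SECURITY_JSON
    print("foo read coll1:", authorize(s, "foo", "read", "coll1"))       # (True, 1)
    print("foo read coll2:", authorize(s, "foo", "read", "coll2"))       # (False, 0)
    print("foo read coll3:", authorize(s, "foo", "read", "coll3"))       # (False, 2) decided by "all"
    print("broad read first, foo coll2:",
          authorize(with_broad_read_first(s), "foo", "read", "coll2"))   # (True, 0)
    print("no 'all', foo update coll1:",
          authorize(without_all(s), "foo", "update", "coll1"))           # (True, None)
```

The two helper functions reproduce the two mistakes discussed below: a duplicate, broader "read" entry that shadows the restrictive one because only the first match is considered, and a permissions[] list with no closing "all" entry, which lets unlisted requests through. Run the real reproduction against Solr with the script above; this model only shows which entry should be deciding each request.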

> On 4 Apr 2023, at 12:27, MEXANIK <irkuev...@gmail.com> wrote:
> 
> Jan, Hi!!
> 
> I have a problem where, out of 5 collections, 2 of them can be read
> using the john_sl user with admin_x access. But if the "admin_rwx"
> access is taken away from the "admin" user, then the john_sl user will
> not be able to read the 2 collections previously available for reading... How
> is this to be understood? Any ideas?
> 
> On Mon, 3 Apr 2023 at 23:34, Jan Høydahl <jan....@cominvent.com> wrote:
> 
>> Hi,
>> 
>> I recommend reading the docs thoroughly and then clean up your config
>> somewhat:
>> https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html
>> 
>> Solr's authz works differently than most other RBAC products. You may be
>> confused by order of evaluation, which is a bit upside down.
>> 
>> Solr does NOT start with the user's role and then evaluate what
>> paths/permissions he can do.
>> On the contrary, Solr starts with the request path, e.g.
>> <collection>/select, then hunts through your permissions:[] array
>> top-to-bottom to find ONE SINGLE permission that matches the path (and
>> optionally collection name), and once it finds that permission, it will
>> check that the user has one of the roles listed in that permission (or
>> "all").
>> 
>> Also, if you do not list every single path or predefined permission, then
>> any path not listed will be allowed by default, which is scary. It is
>> common practice to have an "all" permission at the very end, and have that
>> one require some kind of admin role. Looks like you have that.
>> 
>> In your security.json you list a "read" permission several times, and also
>> other permissions several times. Solr will only consider the FIRST which
>> satisfies the request. So make sure to place the more specific and
>> restrictive permissions on top, and then you can have "fall-through"
>> permissions near the end.
>> 
>> I also see that you use a custom Auth plugin, but I assume that one works.
>> If you face continued problems I recommend creating a reproduction case
>> with BasicAuth and as few roles/permissions as possible to reproduce your
>> issue. Then others can try out your config and help you find flaws.
>> 
>> Jan
>> 
>>> On 3 Apr 2023, at 12:24, MEXANIK <irkuev...@gmail.com> wrote:
>>> 
>>> Jan, Hi, Thank you
>>> 
>>> Do you need more information so you can help?
>>> 
>>> 
>>> 
>>> On Fri, 31 Mar 2023 at 12:16, MEXANIK <irkuev...@gmail.com> wrote:
>>> 
>>>> Sorry, test1Collection*
>>>> 
>>>> On Thu, 30 Mar 2023 at 17:14, MEXANIK <irkuev...@gmail.com> wrote:
>>>> 
>>>>> When you send a read request for the test2Collection collection, the logs
>>>>> do not display as a collection, and I get 10 entries with admin_x rights
>>>>> 
>>>>> 
>>>>> attached log with description
>>>>> 
>>>>> 
>>>>> 
>>>>> On Wed, 29 Mar 2023 at 16:39, Jan Høydahl <jan....@cominvent.com> wrote:
>>>>> 
>>>>>> Permissions are evaluated in order from top to bottom.
>>>>>> The first "read" permission found requires roles "admin_ro",
>>>>>> "admin_rwx", "solr-internal-traffic", so that should be selected.
>>>>>> 
>>>>>> Do you have any logs that can shed light over what happens?
>>>>>> 
>>>>>> Jan
>>>>>> 
>>>>>>> On 29 Mar 2023, at 14:27, MEXANIK <irkuev...@gmail.com> wrote:
>>>>>>> 
>>>>>>> I logged in using the john_sl user in Solr UI, and sent a request to read
>>>>>>> the collection, but I can read some of the collections, but I don't want
>>>>>>> them to be read.
>>>>>>> 
>>>>>>> If I replace the admin user's rights from admin_rwx to admin_x, then the
>>>>>>> john_sl user can't read either
>>>>>>> 
>>>>>>> How do I make it so that john_sl cannot read collections with admin_x
>>>>>>> rights, but at the same time so that the admin user has admin_rwx rights??
>>>>>>> 
>>>>>>> Help!!
>>>>>>> 
>>>>>>> Example security.json http://replit.com/@irkuev666/Test#data.json
>>>>>> 
>>>>>> 
>> 
>> 
