Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-11089

RuleBasedAuthorization plugin ignores permissions.

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Information Provided
    • Affects Version/s: 5.5.4
    • Fix Version/s: None
    • Component/s: Authentication
    • Labels:
      None
    • Environment:

      SolrCloud with 3 nodes and test collection. No data. Single shard.
      Zookeper v.3.4.5

      Description

      Expected behavior (as described in docs):

      • Unauthenticated users should not get access to /admin/authentication and /admin/authentication

      Demonstrated behavior:

      • /admin/authentication and /admin/authentication are publicly available. So it looks like permissions are ignored totally:
        2017-07-16T17:36:39.379Z [DEBUG] [org.apache.solr.servlet.SolrDispatchFilter#authenticateRequest] Request to authenticate: (GET /solr/admin/authorization)@2095474071 org.eclipse.jetty.server.Request@7ce66597, domain: 10.0.1.31, port: 8983
        2017-07-16T17:36:39.379Z [DEBUG] [org.apache.solr.servlet.SolrDispatchFilter#doFilter] User principal: null
        2017-07-16T17:36:39.380Z [DEBUG] [org.apache.solr.servlet.HttpSolrCall#call] AuthorizationContext : userPrincipal: [null] type: [ADMIN], collections: [], Path: [/admin/authorization] path : /admin/authorization params :
        2017-07-16T17:36:39.380Z [DEBUG] [org.apache.solr.security.RuleBasedAuthorizationPlugin#checkPathPerm] No permissions configured for the resource /admin/authorization . So allowed to access
        2017-07-16T17:36:39.380Z [INFO] [org.apache.solr.servlet.HttpSolrCall#handleAdminRequest] [admin] webapp=null path=/admin/authorization params={} status=0 QTime=0
        

      zkcli -cmd get /security.json | grep -v '2'|grep -v '$':

      {
        "authentication": 
          "class": "solr.BasicAuthPlugin",
          "credentials": {
            "SOLR_TEST": "tiBhLoJSYJP1meUp7zgaiRXnZp52tXQM7PttV62CV5k= c2hhaXRodTFmdWxvaXBoOXVlbGFzaGk2T29nZWl5YWlQM2Y="
          }
        },
        "authorization": {
          "class": "solr.RuleBasedAuthorizationPlugin",
          "permissions": [{
              "name": "security-read",
              "role": "administrator"
            }, {
              "name": "security-edit",
              "role": "administrator"
            }, {
              "name": "schema-edit",
              "role": "administrator"
            }, {
              "name": "config-edit",
              "role": "administrator"
            }, {
              "name": "collection-admin-edit",
              "role": "administrator"
            }, {
              "name": "collection-admin-read",
              "role": "administrator"
            }
          ],
          "user-role": {
            "SOLR_TEST": "administrator"
          }
        }
      }
      

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              Suage1981 Suage 1981
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: