SOLR-11089

RuleBasedAuthorization plugin ignores permissions.


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Information Provided
    • Affects Version/s: 5.5.4
    • Fix Version/s: None
    • Component/s: Authentication
    • Labels: None
    • Environment: SolrCloud with 3 nodes and test collection. No data. Single shard.
      Zookeeper v.3.4.5

    Description

      Expected behavior (as described in docs):

      • Unauthenticated users should not get access to /admin/authentication and /admin/authentication

      Demonstrated behavior:

      • /admin/authentication and /admin/authentication are publicly available. So it looks like permissions are ignored totally:
        2017-07-16T17:36:39.379Z [DEBUG] [org.apache.solr.servlet.SolrDispatchFilter#authenticateRequest] Request to authenticate: (GET /solr/admin/authorization)@2095474071 org.eclipse.jetty.server.Request@7ce66597, domain: 10.0.1.31, port: 8983
        2017-07-16T17:36:39.379Z [DEBUG] [org.apache.solr.servlet.SolrDispatchFilter#doFilter] User principal: null
        2017-07-16T17:36:39.380Z [DEBUG] [org.apache.solr.servlet.HttpSolrCall#call] AuthorizationContext : userPrincipal: [null] type: [ADMIN], collections: [], Path: [/admin/authorization] path : /admin/authorization params :
        2017-07-16T17:36:39.380Z [DEBUG] [org.apache.solr.security.RuleBasedAuthorizationPlugin#checkPathPerm] No permissions configured for the resource /admin/authorization . So allowed to access
        2017-07-16T17:36:39.380Z [INFO] [org.apache.solr.servlet.HttpSolrCall#handleAdminRequest] [admin] webapp=null path=/admin/authorization params={} status=0 QTime=0
        

      zkcli -cmd get /security.json | grep -v '2'|grep -v '$':

      {
        "authentication": {
          "class": "solr.BasicAuthPlugin",
          "credentials": {
            "SOLR_TEST": "tiBhLoJSYJP1meUp7zgaiRXnZp52tXQM7PttV62CV5k= c2hhaXRodTFmdWxvaXBoOXVlbGFzaGk2T29nZWl5YWlQM2Y="
          }
        },
        "authorization": {
          "class": "solr.RuleBasedAuthorizationPlugin",
          "permissions": [{
              "name": "security-read",
              "role": "administrator"
            }, {
              "name": "security-edit",
              "role": "administrator"
            }, {
              "name": "schema-edit",
              "role": "administrator"
            }, {
              "name": "config-edit",
              "role": "administrator"
            }, {
              "name": "collection-admin-edit",
              "role": "administrator"
            }, {
              "name": "collection-admin-read",
              "role": "administrator"
            }
          ],
          "user-role": {
            "SOLR_TEST": "administrator"
          }
        }
      }
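The decision the log above records (no rule matched the resource, therefore allowed) is how RuleBasedAuthorizationPlugin treats any path that no permission covers: the plugin is default-allow for unmatched resources, and because blockUnknown is not set in the pasted security.json, anonymous requests reach it with a null principal. The following is an added toy model of that evaluation, written for this page; it is not Solr's code and not part of the issue. It assumes the reference guide's expansion of security-read and security-edit to GET/POST on the two /admin/auth* paths, treats a permission named "all" as a catch-all, deliberately leaves the other predefined names unexpanded, and uses a placeholder credential in place of the hash on the page. Run against a copy of the reported configuration it shows which requests fall through and which two settings (blockUnknown and a trailing catch-all rule) close that gap.

```python
import copy
from typing import Dict, List, Optional, Tuple

# Constructed copy of the security.json in the report; the credential value is a
# placeholder, not the hash/salt pair shown on the page.
SECURITY_JSON: dict = {
    "authentication": {
        "class": "solr.BasicAuthPlugin",
        "credentials": {"SOLR_TEST": "PLACEHOLDER_HASH PLACEHOLDER_SALT"},
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [
            {"name": "security-read", "role": "administrator"},
            {"name": "security-edit", "role": "administrator"},
            {"name": "schema-edit", "role": "administrator"},
            {"name": "config-edit", "role": "administrator"},
            {"name": "collection-admin-edit", "role": "administrator"},
            {"name": "collection-admin-read", "role": "administrator"},
        ],
        "user-role": {"SOLR_TEST": "administrator"},
    },
}

# Assumed expansion of two predefined permission names to the paths and methods
# they guard (reference guide wording for security-read / security-edit). The
# other predefined names are deliberately left unexpanded in this toy model.
PREDEFINED: Dict[str, Tuple[List[str], List[str]]] = {
    "security-read": (["/admin/authentication", "/admin/authorization"], ["GET"]),
    "security-edit": (["/admin/authentication", "/admin/authorization"], ["POST"]),
}
ALL_METHODS = ["GET", "POST", "PUT", "DELETE"]


def _as_list(value) -> list:
    """Normalise the single-value-or-list fields security.json allows."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(perm: dict, path: str, method: str) -> bool:
    """Does one permission entry cover the request? An explicit 'path' wins; a
    name of 'all' is a catch-all; a known predefined name is expanded; an unknown
    name with no path matches nothing (model assumption)."""
    if "path" in perm:
        paths = _as_list(perm["path"])
        methods = _as_list(perm.get("method")) or ALL_METHODS
    elif perm.get("name") == "all":
        return True
    elif perm.get("name") in PREDEFINED:
        paths, methods = PREDEFINED[perm["name"]]
    else:
        return False
    return path in paths and method in methods


def authorize(security: dict, path: str, method: str,
              principal: Optional[str]) -> Tuple[str, str]:
    """Simplified rule evaluation: the first matching rule decides; no match => allow."""
    authz = security["authorization"]
    roles = _as_list(authz.get("user-role", {}).get(principal)) if principal else []
    for perm in authz.get("permissions", []):
        if not _matches(perm, path, method):
            continue
        name = perm.get("name")
        if principal is None:
            return "deny", f"{name} requires an authenticated user"
        required = _as_list(perm.get("role"))
        if not required or any(r in roles for r in required):
            return "allow", f"{name} satisfied by {roles}"
        return "deny", f"{name} requires role {required}"
    # No rule matched. This is the fall-through in the report's log line
    # ("No permissions configured for the resource ... So allowed to access").
    return "allow", f"no permissions configured for {path}"


def lint(security: dict) -> List[str]:
    """Flag the settings that let anonymous requests through in the report."""
    findings: List[str] = []
    if not security.get("authentication", {}).get("blockUnknown"):
        findings.append("blockUnknown is not true: unauthenticated requests reach the "
                        "authorization plugin with a null principal")
    authz = security.get("authorization", {})
    perms = authz.get("permissions", [])
    held = {r for v in authz.get("user-role", {}).values() for r in _as_list(v)}
    for perm in perms:
        for r in _as_list(perm.get("role")):
            if r not in held:
                findings.append(f"permission {perm.get('name')!r}: role {r!r} is held by no user")
    if not any(p.get("name") == "all" and "path" not in p for p in perms):
        findings.append("no catch-all rule: unlisted resources are allowed by default")
    return findings


def harden(security: dict) -> dict:
    """Return a copy with blockUnknown set and a trailing catch-all rule appended."""
    fixed = copy.deepcopy(security)
    fixed["authentication"]["blockUnknown"] = True
    fixed["authorization"]["permissions"].append({"name": "all", "role": "administrator"})
    return fixed


if __name__ == "__main__":
    for label, cfg in (("as reported", SECURITY_JSON), ("hardened", harden(SECURITY_JSON))):
        print(label, authorize(cfg, "/admin/authorization", "GET", None))
        print(label, authorize(cfg, "/admin/info/system", "GET", None))
        print(label, lint(cfg))
```

In the model the reported rules already deny an anonymous GET on /admin/authorization, which is what the reporter expected; the point the model makes is that any path the rule set does not resolve (here /admin/info/system stands in for one) is allowed for a null principal, and only the hardened copy, with blockUnknown and a final catch-all rule, denies it.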

      People

        Assignee: Unassigned
        Reporter: Suage1981 (Suage 1981)