Solr / SOLR-12042

Authorization rules do not work as expected.


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.6.2
    • Fix Version/s: None
    • Component/s: Authentication
    • Labels:
      None
    • Environment:

      SolrCloud, Linux.

      Description

      Authentication rules do not work as expected: more permissions are given than desired.

      This is an example of security.json:

      {
       "authentication":{
         "blockUnknown":false,
         "class":"solr.BasicAuthPlugin",
         "credentials":{"admin":"XvyR9ddaDk/kVNBrhJHkeWhqTFQ2uAsv8tDOmkSDwkg= 3EiRiSQVKYnGDgOwBoY6NJNlOcoRuYZOoUMYB9hgpGw="},
         "":{"v":56}},
       "authorization":{
         "class":"solr.RuleBasedAuthorizationPlugin",
         "user-role":{"admin":["admin"]},
         "":{"v":66},
         "permissions":[
           {
             "name":"read",
             "role":null,
             "index":1},
           {
             "path":"/admin/info/system",
             "collection":null,
             "role":null,
             "index":2},
           {
             "name":"all",
             "role":"admin",
             "index":3}]}}
      

      With this, no authentication is required to create or delete a collection.
      If one removes the second rule (the one with path), then authentication is required to create or destroy a collection.
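A static review of a security.json shaped like the one in the report, as an added example (not code from the issue or from Solr): it lists the rules that require no role and, when blockUnknown is false, singles out custom path rules that anonymous callers can reach, which is the kind of rule the reporter removed to restore enforcement. It assumes that a null role means no role is required, that a missing blockUnknown behaves like false, and that list order is rule order; it reads configuration only and does not show what a given Solr version actually enforces.

```python
import json

# Constructed sample mirroring the permissions in the report
# (credentials and the "" version entries omitted).
SAMPLE = """
{"authentication": {"blockUnknown": false, "class": "solr.BasicAuthPlugin"},
 "authorization": {
   "class": "solr.RuleBasedAuthorizationPlugin",
   "user-role": {"admin": ["admin"]},
   "permissions": [
     {"name": "read", "role": null},
     {"path": "/admin/info/system", "collection": null, "role": null},
     {"name": "all", "role": "admin"}]}}
"""

def audit(security_json):
    """Summarise which rules in a security.json need no role at all."""
    cfg = json.loads(security_json)
    # Assumption: a missing blockUnknown behaves like false.
    anonymous = not cfg.get("authentication", {}).get("blockUnknown", False)
    perms = cfg.get("authorization", {}).get("permissions", [])
    open_rules, review = [], []
    for pos, perm in enumerate(perms, start=1):  # list order = rule order
        label = perm.get("name") or perm.get("path") or "<rule %d>" % pos
        if perm.get("role") is None:  # assumption: null role = no role needed
            open_rules.append(label)
            # Custom path rules reachable without credentials are the ones
            # to test by hand against the running cluster.
            if anonymous and "path" in perm:
                review.append(label)
    names = [p.get("name") for p in perms]
    return {
        "anonymous_reaches_authorization": anonymous,
        "open_rules": open_rules,
        "review_first": review,
        "catch_all_is_last": bool(names) and names[-1] == "all",
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, "=", value)
```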


            People

            • Assignee: Unassigned
            • Reporter: mar-kolya Nikolay Martynov
            • Votes: 0
            • Watchers: 2
