Solr serves client requests going throught 3 steps - init(), authorize() and handle-request (link git-link).
init() initializes all required information to be used by authorize(). init() skips initializing if request is to be served remotely, which leads to skipping authorization step (link git-link).
init() relies on 'cores' object which only has information of local node (which is perfect as per design). It should actually be getting security information (security.json) from zookeeper, which has global view of the cluster.
SolrCloud setup consists of 2 nodes (solr-7.3.1):
Two collections are created - 'collection-rf-1' with RF=1 and 'collection-rf-2' with RF=2.
Two users are created - 'collection-rf-1-user' and 'collection-rf-2-user'.
Security configuration is as below (security.json attached):
Basically, its setup to that 'collection-rf-1-user' user can only access 'collection-rf-1' collection and 'collection-rf-2-user' user can only access 'collection-rf-2' collection.
Also note that 'collection-rf-1' collection replica is only on 'localhost:8983_solr' node, whereas ''collection-rf-2' collection replica is on both live nodes.
Authorization does not work as expected for 'collection-rf-1' collection:
$ curl -u collection-rf-2-user:password 'http://localhost:8983/solr/collection-rf-1/select?q=:'
$ curl -u collection-rf-2-user:password 'http://localhost:8984/solr/collection-rf-1/select?q=:'
Whereas authorization works perfectly for 'collection-rf-2' collection (as both nodes have replica):
$ curl -u collection-rf-1-user:password 'http://localhost:8984/solr/collection-rf-2/select?q=:'
$ curl -u collection-rf-1-user:password 'http://localhost:8983/solr/collection-rf-2/select?q=:'