Solr: SOLR-13472

HTTP requests to a node that does not hold a core of the collection are unauthorized


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 7.7.1, 8.0
    • Fix Version/s: 7.7.3, 8.2
    • Component/s: Authorization
    • Labels:

      Description

      When creating a collection in SolrCloud, the collection is available for queries and updates through all Solr nodes, in particular nodes that do not hold one of the collection's cores. This is expected behaviour that works when using the SolrJ client or HTTP requests.
      When enabling authorization rules, it seems that this behaviour is broken for HTTP requests:

      • executing a request to a node that holds part of the collection (a core) obeys the authorization rules as expected.
      • other nodes respond with code 403 - unauthorized request.

      SolrJ still works as expected.
      Tested both with BasicAuthPlugin and KerberosPlugin authentication plugins.

      Steps to reproduce:
      1. Create a cloud made of 2 nodes (node_1, node_2).
      2. Configure authentication and authorization by uploading the following security.json file to ZooKeeper:

      {
        "authentication": {
          "blockUnknown": true,
          "class": "solr.BasicAuthPlugin",
          "credentials": {
            "solr": "'solr' user password_hash",
            "indexer_app": "'indexer_app' password_hash",
            "read_user": "'read_user' password_hash"
          }
        },
        "authorization": {
          "class": "solr.RuleBasedAuthorizationPlugin",
          "permissions": [
            {
              "name": "read",
              "role": "*"
            },
            {
              "name": "update",
              "role": [
                "indexer",
                "admin"
              ]
            },
            {
              "name": "all",
              "role": "admin"
            }
          ],
          "user-role": {
            "solr": "admin",
            "indexer_app": "indexer"
          }
        }
      }

      3. Create the 'test' collection with one shard on node_1.

      -- 

      The following requests are expected to succeed but return a 403 status (unauthorized request):

      curl -u read_user:read_user "http://node_2/solr/test/select?q=*:*"
      curl -u indexer_app:indexer_app "http://node_2/solr/test/select?q=*:*"
      curl -u indexer_app:indexer_app "http://node_2/solr/test/update?commit=true"

      Authenticated 'solr' user requests work as expected. My guess is this is due to the special 'all' role.
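An added check, not part of the report or of the Solr project, that turns the reporter's comparison into a repeatable test: the same authenticated request is sent to every node and any node whose status differs from the core-hosting node is flagged. Node URLs, the port and the credentials are placeholders.

```python
"""Compare authorization outcomes for one request across all SolrCloud nodes.

Added example; node URLs, port and credentials below are placeholders that
mirror the report's layout (node_1 hosts the only shard of 'test').
"""
import base64
import urllib.error
import urllib.request


def http_status(url: str, user: str, password: str) -> int:
    """GET `url` with HTTP Basic auth and return the status code, 403 included."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403 are results we want to record, not errors


def statuses_by_node(nodes, path, user, password, fetch=http_status):
    """Map each node base URL to the status it returns for `path`.

    `fetch` is injectable so the comparison can be exercised offline.
    """
    return {node: fetch(node + path, user, password) for node in nodes}


def divergent_nodes(statuses, reference):
    """Nodes whose status differs from `reference` (a node known to host a core).

    A non-empty result means authorization is decided differently per node,
    which is the symptom described in the report.
    """
    expected = statuses[reference]
    return {node: status for node, status in statuses.items() if status != expected}


if __name__ == "__main__":
    NODES = ["http://node_1:8983", "http://node_2:8983"]  # placeholders
    PATH = "/solr/test/select?q=*:*"
    found = statuses_by_node(NODES, PATH, "read_user", "read_user")
    for node, status in divergent_nodes(found, NODES[0]).items():
        print(f"{node} returned {status}, core-hosting node returned {found[NODES[0]]}")
```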

        Attachments

        1. SOLR-13472.patch (5 kB) - Ishan Chattopadhyaya
        2. SOLR-13472.patch (4 kB) - Ishan Chattopadhyaya

        People

        • Assignee: Ishan Chattopadhyaya (ichattopadhyaya)
        • Reporter: adfel (adfel70)