Details
- Bug
- Status: Open
- Trivial
- Resolution: Unresolved
- 8.6.3
- None
- Solr 8.6.3 (with techproducts sample as "tech").
Description
In org.apache.solr.servlet.HttpSolrCall, the method AuthorizationContext getAuthCtx() seems not to use the core in the collectionRequests, which leads to org.apache.solr.security.RuleBasedAuthorizationPluginBase method authorize() not using the core in the authorization rules. IMHO, this seems not to be what is intended security-wise.
My use case seems to be solved by changing (in HttpSolrCall.getAuthCtx()):
Org:
    SolrParams params = getQueryParams();
    final ArrayList<CollectionRequest> collectionRequests = new ArrayList<>();
    for (String collection : getCollectionsList()) {
        collectionRequests.add(new CollectionRequest(collection));
    }
To New:
    SolrParams params = getQueryParams();
    final ArrayList<CollectionRequest> collectionRequests = new ArrayList<>();
    for (String collection : getCollectionsList()) {
        collectionRequests.add(new CollectionRequest(collection));
    }
    // Also add the core the request resolved to, so authorize() sees its name.
    if (core != null) {
        collectionRequests.add(new CollectionRequest(core.getName()));
    }
I do not understand the full concept of the authorization code. Please check if this quick fix is actually working for all use cases.
Best regards,
Daniel Kirschner
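The effect described in the report, as an added example that is not part of the original report and is not Solr code: a simplified model in which a permission scoped to one collection is matched only against the names in the collection-request list. The class, the `Permission` record, `buildCollectionRequests` and `denied` are hypothetical names, and the fall-through behaviour when no scoped rule matches is an assumption of this model; the core name "tech" is the one from the environment line.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model (not Solr code): a permission scoped to one collection,
// matched only against the names listed in the context's collection requests.
public class AuthCtxCoreDemo {
    record Permission(String collection, String role) {}

    // Hypothetical stand-in for the list built in HttpSolrCall.getAuthCtx().
    static List<String> buildCollectionRequests(List<String> collections,
                                                String coreName,
                                                boolean includeCore) {
        List<String> requests = new ArrayList<>(collections);
        if (includeCore && coreName != null) {
            requests.add(coreName); // the change proposed in the report
        }
        return requests;
    }

    // True when a collection-scoped permission applies and the user lacks its role.
    static boolean denied(List<String> requests, Permission p, List<String> userRoles) {
        for (String name : requests) {
            if (name.equals(p.collection()) && !userRoles.contains(p.role())) {
                return true;
            }
        }
        return false; // assumption of this model: no scoped rule matched, request passes
    }

    public static void main(String[] args) {
        Permission rule = new Permission("tech", "reader"); // constructed rule
        List<String> roles = List.of();       // constructed user with no roles
        List<String> collections = List.of(); // request addressed a core only

        List<String> before = buildCollectionRequests(collections, "tech", false);
        List<String> after = buildCollectionRequests(collections, "tech", true);

        System.out.println("without core in list: denied=" + denied(before, rule, roles));
        System.out.println("with core in list:    denied=" + denied(after, rule, roles));
    }
}
```

When checking a real deployment, the equivalent test is to send a request addressed to the core as a user without the role and confirm the collection-scoped rule is enforced.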