SOLR-14984

Solr standalone core not used as collection in authorization


Details

    • Bug
    • Status: Open
    • Trivial
    • Resolution: Unresolved
    • 8.6.3
    • None
    • Authorization
    • Solr 8.6.3 (with techproducts sample as "tech").

    Description

      In org.apache.solr.servlet.HttpSolrCall, the method AuthorizationContext getAuthCtx() seems not to use the core in the collectionRequests, which leads to the org.apache.solr.security.RuleBasedAuthorizationPluginBase method authorize() not using the core in the authorization rules. IMHO, this seems not to be what is intended security-wise.

       

      My use case seems to be solved by changing (in HttpSolrCall.getAuthCtx()):

      Org:

          SolrParams params = getQueryParams();
          final ArrayList<CollectionRequest> collectionRequests = new ArrayList<>();
          for (String collection : getCollectionsList()) {
              collectionRequests.add(new CollectionRequest(collection));
          }

      To New:

          SolrParams params = getQueryParams();
          final ArrayList<CollectionRequest> collectionRequests = new ArrayList<>();
          for (String collection : getCollectionsList()) {
              collectionRequests.add(new CollectionRequest(collection));
          }

          if (core != null) {
              collectionRequests.add(new CollectionRequest(core.getName()));
          }

       

      I do not understand the full concept of the authorization code. Please check if this quick fix is actually working for all use cases.

       

      Best regards,

       

      Daniel Kirschner
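
Added example (not part of the original report and not Solr's code): a simplified Java model of the behaviour the description reports, showing which names a collection-scoped rule can be matched against with and without the proposed change. The class, the helper names, the rule scope and the sample core names are hypothetical, and it assumes that a request to a standalone core yields an empty collection list and that a scoped rule is only evaluated for names in the request list.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model of the behaviour described in the report; these are not Solr's classes.
public class CoreAuthzModel {

    // Same shape as the quoted getAuthCtx() snippet: one entry per collection,
    // plus the core name when addCore is true (the proposed change).
    static List<String> collectionRequests(List<String> collections, String coreName, boolean addCore) {
        List<String> requests = new ArrayList<>(collections);
        if (addCore && coreName != null) {
            requests.add(coreName);
        }
        return requests;
    }

    // Assumption: a rule scoped to one collection name is only evaluated when
    // that exact name appears in the request list.
    static boolean scopedRuleApplies(String ruleCollection, List<String> requests) {
        return requests.contains(ruleCollection);
    }

    public static void main(String[] args) {
        String ruleScope = "tech"; // constructed rule scope, matching the core name in the report

        // Standalone core "tech"; assumed to produce an empty collection list.
        List<String> before = collectionRequests(List.of(), "tech", false);
        List<String> after = collectionRequests(List.of(), "tech", true);
        System.out.println("standalone, original: " + before + " -> rule applies: "
                + scopedRuleApplies(ruleScope, before));
        System.out.println("standalone, changed:  " + after + " -> rule applies: "
                + scopedRuleApplies(ruleScope, after));

        // Cloud-style request: the core name (constructed sample) differs from the
        // collection name, so the changed list carries a second name.
        List<String> cloud = collectionRequests(List.of("tech"), "tech_shard1_replica_n1", true);
        System.out.println("cloud, changed:       " + cloud);
    }
}
```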

          People

            Unassigned
            Daniel.Kirschner Dr. Daniel Georg Kirschner