Details

    • Type: Sub-task Sub-task
    • Status: Closed
    • Priority: Blocker Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.3, 6.0
    • Component/s: None
    • Labels:
      None

      Description

      authorization plugin

      This would store the roles of various users and their privileges in ZK

      sample authorization.json

      {
        "authorization": {
          "class": "solr.ZKAuthorization",
         "user-role" :{
        "john" : ["admin", "guest"]
        "tom" : 'dev'
         }
          "permissions": [
             {"name":"collection-edit",
               "role": "admin" 
             },
             {"name":"coreadmin",
               "role":"admin"
             },
             {"name": "mycoll_update",
              "collection": "mycoll",
              "path":["/update/*"],
              "role": ["guest","admin"]
            }]
          }
        }
      }
      

      This also supports editing of the configuration through APIs
      Example 1: add or remove roles

      curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{ 
        "set-user-role": {"tom":["admin","dev"},
      "set-user-role": {"harry":null}
      }'
      

      Example 2: add or remove permissions

      curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json'-d '{ 
      
        "set-permission": { "name":"a-custom-permission-name",
                            "collection":"gettingstarted",
                            "path":"/handler-name",
                            "before": "name-of-another-permission"
         },
      
       "delete-permission":"permission-name"
      
      }'
      

      Use the 'before' property to re-order your permissions

      Example 3: Restrict collection admin operations (writes only) to be performed by an admin only

      curl --user solr:SolrRocks http://localhost:8983/solr/admin/authorization -H 'Content-type:application/json' -d '{
      "set-permission" : {"name":"collection-admin-edit", "role":"admin"}}'
      
      

        Activity

        Hide
        ASF subversion and git services added a comment -

        Commit 1694553 from Noble Paul in branch 'dev/trunk'
        [ https://svn.apache.org/r1694553 ]

        SOLR-7838: An authorizationPlugin interface where the access control rules are stored/managed in ZooKeeper

        Show
        ASF subversion and git services added a comment - Commit 1694553 from Noble Paul in branch 'dev/trunk' [ https://svn.apache.org/r1694553 ] SOLR-7838 : An authorizationPlugin interface where the access control rules are stored/managed in ZooKeeper
        Hide
        ASF subversion and git services added a comment -

        Commit 1694554 from Noble Paul in branch 'dev/trunk'
        [ https://svn.apache.org/r1694554 ]

        SOLR-7838: CHANGES

        Show
        ASF subversion and git services added a comment - Commit 1694554 from Noble Paul in branch 'dev/trunk' [ https://svn.apache.org/r1694554 ] SOLR-7838 : CHANGES
        Hide
        ASF subversion and git services added a comment -

        Commit 1694557 from Noble Paul in branch 'dev/branches/branch_5x'
        [ https://svn.apache.org/r1694557 ]

        SOLR-7838: An authorizationPlugin interface where the access control rules are stored/managed in ZooKeeper

        Show
        ASF subversion and git services added a comment - Commit 1694557 from Noble Paul in branch 'dev/branches/branch_5x' [ https://svn.apache.org/r1694557 ] SOLR-7838 : An authorizationPlugin interface where the access control rules are stored/managed in ZooKeeper
        Hide
        ASF subversion and git services added a comment -

        Commit 1694559 from Noble Paul in branch 'dev/branches/branch_5x'
        [ https://svn.apache.org/r1694559 ]

        SOLR-7838: Predicate is not available in Java 7

        Show
        ASF subversion and git services added a comment - Commit 1694559 from Noble Paul in branch 'dev/branches/branch_5x' [ https://svn.apache.org/r1694559 ] SOLR-7838 : Predicate is not available in Java 7
        Hide
        Jan Høydahl added a comment -

        What's this? A JIRA without description. Commits without fixVersion and Assignee. No clue on how to use it... No attached patches or discussion of solution before commit.

        PS: I have not looked at the code, so the committed stuff may be perfectly OK and wanted. Just felt like giving a friendly reminder about working "The Apache-Way".

        Show
        Jan Høydahl added a comment - What's this? A JIRA without description. Commits without fixVersion and Assignee. No clue on how to use it... No attached patches or discussion of solution before commit. PS: I have not looked at the code, so the committed stuff may be perfectly OK and wanted. Just felt like giving a friendly reminder about working " The Apache-Way ".
        Hide
        Noble Paul added a comment -

        Sorry for the trouble. The description is same as that in SOLR-7692 (the parent ticket) other committers insisted on splitting this into multiple pieces. So I just created a ticket for committing stuff. I'll copy the description over

        Show
        Noble Paul added a comment - Sorry for the trouble. The description is same as that in SOLR-7692 (the parent ticket) other committers insisted on splitting this into multiple pieces. So I just created a ticket for committing stuff. I'll copy the description over
        Hide
        Jan Høydahl added a comment -

        Cool, I did not notice the parent when I wrote the comment, it all makes sense now. Sorry for jumping to conclusions

        Show
        Jan Høydahl added a comment - Cool, I did not notice the parent when I wrote the comment, it all makes sense now. Sorry for jumping to conclusions
        Hide
        ASF subversion and git services added a comment -

        Commit 1694864 from Noble Paul in branch 'dev/branches/lucene_solr_5_3'
        [ https://svn.apache.org/r1694864 ]

        SOLR-7757: Improved security framework where security components can be edited/reloaded, Solr now watches /security.json. Components can choose to make their config editable, SOLR-7838: An authorizationPlugin interface where the access control rules are stored/managed in ZooKeeper , SOLR-7837: An AuthenticationPlugin which implements the HTTP BasicAuth protocol and stores credentials securely in ZooKeeper

        Show
        ASF subversion and git services added a comment - Commit 1694864 from Noble Paul in branch 'dev/branches/lucene_solr_5_3' [ https://svn.apache.org/r1694864 ] SOLR-7757 : Improved security framework where security components can be edited/reloaded, Solr now watches /security.json. Components can choose to make their config editable, SOLR-7838 : An authorizationPlugin interface where the access control rules are stored/managed in ZooKeeper , SOLR-7837 : An AuthenticationPlugin which implements the HTTP BasicAuth protocol and stores credentials securely in ZooKeeper
        Hide
        Shalin Shekhar Mangar added a comment -

        Sorry to be so late in reviewing this. One thing that I noticed was that the "permissions" section (both in security.json and in the output of /admin/authorization) is a JSON object but order is very important here. Now some JSON parsers adhere to JSON standard (keys in map/object are unordered) and some do not. But if we do not change this from a object/map to an array before the release, there'd be no way to change it in a back-compatible manner later.

        I'd vote to delay the release by a day or two and fix this now.

        Show
        Shalin Shekhar Mangar added a comment - Sorry to be so late in reviewing this. One thing that I noticed was that the "permissions" section (both in security.json and in the output of /admin/authorization) is a JSON object but order is very important here. Now some JSON parsers adhere to JSON standard (keys in map/object are unordered) and some do not. But if we do not change this from a object/map to an array before the release, there'd be no way to change it in a back-compatible manner later. I'd vote to delay the release by a day or two and fix this now.
        Hide
        Noble Paul added a comment -

        need to fix the syntax as per the feedback

        Show
        Noble Paul added a comment - need to fix the syntax as per the feedback
        Hide
        ASF subversion and git services added a comment -

        Commit 1695308 from Noble Paul in branch 'dev/trunk'
        [ https://svn.apache.org/r1695308 ]

        SOLR-7838: changed the permissions froma map to an array so that order is obvious

        Show
        ASF subversion and git services added a comment - Commit 1695308 from Noble Paul in branch 'dev/trunk' [ https://svn.apache.org/r1695308 ] SOLR-7838 : changed the permissions froma map to an array so that order is obvious
        Hide
        ASF subversion and git services added a comment -

        Commit 1695324 from Noble Paul in branch 'dev/branches/branch_5x'
        [ https://svn.apache.org/r1695324 ]

        SOLR-7838: changed the permissions froma map to an array so that order is obvious

        Show
        ASF subversion and git services added a comment - Commit 1695324 from Noble Paul in branch 'dev/branches/branch_5x' [ https://svn.apache.org/r1695324 ] SOLR-7838 : changed the permissions froma map to an array so that order is obvious
        Hide
        ASF subversion and git services added a comment -

        Commit 1695325 from Noble Paul in branch 'dev/branches/branch_5x'
        [ https://svn.apache.org/r1695325 ]

        SOLR-7838: changed the permissions froma map to an array so that order is obvious

        Show
        ASF subversion and git services added a comment - Commit 1695325 from Noble Paul in branch 'dev/branches/branch_5x' [ https://svn.apache.org/r1695325 ] SOLR-7838 : changed the permissions froma map to an array so that order is obvious
        Hide
        ASF subversion and git services added a comment -

        Commit 1695330 from Noble Paul in branch 'dev/branches/lucene_solr_5_3'
        [ https://svn.apache.org/r1695330 ]

        SOLR-7838: changed the permissions from a map to an array so that order is obvious

        Show
        ASF subversion and git services added a comment - Commit 1695330 from Noble Paul in branch 'dev/branches/lucene_solr_5_3' [ https://svn.apache.org/r1695330 ] SOLR-7838 : changed the permissions from a map to an array so that order is obvious
        Hide
        ASF subversion and git services added a comment -

        Commit 1695331 from Noble Paul in branch 'dev/branches/lucene_solr_5_3'
        [ https://svn.apache.org/r1695331 ]

        SOLR-7838: changed the permissions from a map to an array so that order is obvious

        Show
        ASF subversion and git services added a comment - Commit 1695331 from Noble Paul in branch 'dev/branches/lucene_solr_5_3' [ https://svn.apache.org/r1695331 ] SOLR-7838 : changed the permissions from a map to an array so that order is obvious
        Hide
        Shalin Shekhar Mangar added a comment -

        Bulk close for 5.3.0 release

        Show
        Shalin Shekhar Mangar added a comment - Bulk close for 5.3.0 release

          People

          • Assignee:
            Noble Paul
            Reporter:
            Noble Paul
          • Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development