Details
- Bug
- Status: Resolved
- Major
- Resolution: Not A Problem
- 6.3
- None
Linux:
- uname -a
Linux hostname 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
/solr -version
6.3.0
Description
It looks like the /update path is not filtered by the Rule-Based Authorization Plugin, even if you set the permission using the path permission "/update" or the pre-defined permission "update". Below is the security.json:
{
  "authentication":{
    "class":"solr.BasicAuthPlugin",
    "blockUnknown":true,
    "credentials":{
      "admin":"JrcQ8Lh/xKmucz9CaGVXwTpXxGSUZOt32i6W2f4tIfY= PuAJx8DjI0Ozy2gQXteG5KfRAbOmXuRFZVjHbrIIzVk=",
      "update":"tFdQLTQd9qXAStQek5xQQPlVcmXgjI/w4+9rjAZyqTU= by0LXUAdNAtcJW+DuycI2zc4NyDjCiexOgMaqEFIklU=",
      "solr":"GglOeZytbUBCKW8QT1H7kVs0eHc0x8+iNmpz7x8DKMI= 5JR1Ul8QehmP3nb2U6Bc/N1qwrQljLfiKPTxm35FikA="}},
  "authorization":{
    "class":"solr.RuleBasedAuthorizationPlugin",
    "user-role":{
      "admin":["admin_role"],
      "update":["update_role"],
      "solr":["read_role"]},
    "permissions":[
      { "collection":null, "name":"security-edit", "role":["admin_role"], "index":1},
      { "collection":null, "name":"schema-edit", "role":["admin_role"], "index":2},
      { "collection":null, "name":"config-edit", "role":["admin_role"], "index":3},
      { "collection":null, "name":"core-admin-edit", "role":["admin_role"], "index":4},
      { "collection":null, "name":"collection-admin-edit", "role":["admin_role"], "index":5},
      { "collection":null, "name":"security-read", "role":["admin_role"], "index":6},
      { "collection":null, "name":"schema-read", "role":["admin_role", "update_role"], "index":7},
      { "collection":null, "name":"core-admin-read", "role":["admin_role", "update_role"], "index":8},
      { "collection":null, "name":"config-read", "role":["admin_role", "update_role"], "index":9},
      { "collection":null, "name":"collection-admin-read", "role":["admin_role", "update_role"], "index":10},
      { "collection":null, "name":"update", "role":["admin_role", "update_role"], "index":11},
      { "collection":null, "name":"read", "role":["admin_role", "update_role", "read_role"], "index":12},
      { "collection":null, "name":"all", "role":["admin_role"], "index":13},
      { "collection":null, "path":"/*", "role":["admin_role"], "index":14}],
    "":{"v":138}}}
I have tested updating using SolrJ and by hitting /update in the browser as the solr user (who has no rights to update). Both updates succeeded.
Issue Links
- is duplicated by SOLR-12161 CloudSolrClient with basic auth enabled will update even if no credentials supplied (Open)