Solr: SOLR-9804

Rule-Based Authorization Plugin does not secure access for update operations


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Not A Problem
    • Affects Version/s: 6.3
    • Fix Version/s: None
    • Component/s: security
    • Environment:

      Linux:

        uname -a
        Linux hostname 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
        /solr -version
        6.3.0

      Description

      It looks like the /update path is not filtered by the Rule-Based Authorization Plugin, even if you set a permission using the path permission "/update" or the pre-defined permission "update". Below is the security.json:

        {
        "authentication":{
          "class":"solr.BasicAuthPlugin",
          "blockUnknown":true,
          "credentials":{
            "admin":"JrcQ8Lh/xKmucz9CaGVXwTpXxGSUZOt32i6W2f4tIfY= PuAJx8DjI0Ozy2gQXteG5KfRAbOmXuRFZVjHbrIIzVk=",
            "update":"tFdQLTQd9qXAStQek5xQQPlVcmXgjI/w4+9rjAZyqTU= by0LXUAdNAtcJW+DuycI2zc4NyDjCiexOgMaqEFIklU=",
            "solr":"GglOeZytbUBCKW8QT1H7kVs0eHc0x8+iNmpz7x8DKMI= 5JR1Ul8QehmP3nb2U6Bc/N1qwrQljLfiKPTxm35FikA="}},
        "authorization":{
          "class":"solr.RuleBasedAuthorizationPlugin",
          "user-role":{
            "admin":["admin_role"],
            "update":["update_role"],
            "solr":["read_role"]},
          "permissions":[
            {
              "collection":null,
              "name":"security-edit",
              "role":["admin_role"],
              "index":1},
            {
              "collection":null,
              "name":"schema-edit",
              "role":["admin_role"],
              "index":2},
            {
              "collection":null,
              "name":"config-edit",
              "role":["admin_role"],
              "index":3},
            {
              "collection":null,
              "name":"core-admin-edit",
              "role":["admin_role"],
              "index":4},
            {
              "collection":null,
              "name":"collection-admin-edit",
              "role":["admin_role"],
              "index":5},
            {
              "collection":null,
              "name":"security-read",
              "role":["admin_role"],
              "index":6},
            {
              "collection":null,
              "name":"schema-read",
              "role":[
                "admin_role",
                "update_role"],
              "index":7},
            {
              "collection":null,
              "name":"core-admin-read",
              "role":[
                "admin_role",
                "update_role"],
              "index":8},
            {
              "collection":null,
              "name":"config-read",
              "role":[
                "admin_role",
                "update_role"],
              "index":9},
            {
              "collection":null,
              "name":"collection-admin-read",
              "role":[
                "admin_role",
                "update_role"],
              "index":10},
            {
              "collection":null,
              "name":"update",
              "role":[
                "admin_role",
                "update_role"],
              "index":11},
            {
              "collection":null,
              "name":"read",
              "role":[
                "admin_role",
                "update_role",
                "read_role"],
              "index":12},
            {
              "collection":null,
              "name":"all",
              "role":["admin_role"],
              "index":13},
            {
              "collection":null,
              "path":"/*",
              "role":["admin_role"],
              "index":14}],
          "":{"v":138}}}
      

      I have tested update using SolrJ and by hitting /update in the browser as the solr user (who has no rights to update). Both updates succeeded.
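      The resolution field says "Not A Problem" and the page carries no comment explaining why, so the reason is worth spelling out. The Solr reference guide documents that a permission whose "collection" is null applies only to requests that do not target a collection (admin requests); a request to a collection's /update is matched against permissions scoped to that collection name or to "*", the first matching permission decides, and a request that matches no permission is allowed. Every rule in the posted security.json, including "update", "read" and the "/*" catch-all, carries "collection": null, so a collection-level /update request matches nothing and goes through. The script below is an editor-added illustration, not code from Solr or from the reporter: it applies just those documented rules to an abridged copy of the posted configuration and to a corrected copy in which "update" and "read" are scoped to "*". The path table for the predefined names and the treatment of an absent "collection" key are simplifications of this model, not Solr's own lookup; the user, collection and path names are made up.

```python
"""Editor-added model (not Solr code) of the authorization rule at issue here.

Modelled rules, as documented for the Rule-Based Authorization Plugin:
  * "collection": null  -> the permission applies only to admin requests
                           (requests that do not target a collection)
  * "collection": "*"   -> applies to every collection
  * the first matching permission (by "index") decides
  * a request that matches no permission is allowed
"""
import copy
import fnmatch
import json

# Simplified path coverage for the predefined names used below.  This table is
# an assumption of the model; Solr asks each request handler for its permission
# name instead of consulting a table like this.
PREDEFINED_PATHS = {"update": ["/update", "/update/*"],
                    "read": ["/select", "/get", "/query"],
                    "all": ["*"]}

# Constructed, abridged from the posted security.json: authorization only, and
# only the rules that could ever match a collection-level request.
POSTED = json.loads("""{
  "user-role": {"admin": ["admin_role"], "update": ["update_role"], "solr": ["read_role"]},
  "permissions": [
    {"collection": null, "name": "update", "role": ["admin_role", "update_role"], "index": 11},
    {"collection": null, "name": "read", "role": ["admin_role", "update_role", "read_role"], "index": 12},
    {"collection": null, "name": "all", "role": ["admin_role"], "index": 13},
    {"collection": null, "path": "/*", "role": ["admin_role"], "index": 14}]}""")


def corrected(config):
    """Same rules, but "update" and "read" scoped to every collection ("*")."""
    fixed = copy.deepcopy(config)
    for perm in fixed["permissions"]:
        if perm.get("name") in ("update", "read"):
            perm["collection"] = "*"
    return fixed


def _applies_to(perm, collection):
    """Does this permission's collection scope cover the request's target?"""
    colls = perm.get("collection", "*")   # absent key: all collections (model assumption)
    if collection is None:                # admin request, no target collection
        return colls is None
    if colls is None:                     # admin-only permission, never matches a collection
        return False
    scope = {colls} if isinstance(colls, str) else set(colls)
    return "*" in scope or collection in scope


def decide(config, user, collection, path):
    """Return PERMITTED, FORBIDDEN, or NO_RULE_MATCHED (which Solr treats as allowed)."""
    roles = set(config["user-role"].get(user, []))
    for perm in sorted(config["permissions"], key=lambda p: p["index"]):
        if not _applies_to(perm, collection):
            continue
        if perm.get("name") in PREDEFINED_PATHS:
            patterns = PREDEFINED_PATHS[perm["name"]]
        elif "path" in perm:
            patterns = [perm["path"]]
        else:
            continue                      # other predefined names are out of scope for this model
        if not any(fnmatch.fnmatchcase(path, pat) for pat in patterns):
            continue
        return "PERMITTED" if roles & set(perm["role"]) else "FORBIDDEN"
    return "NO_RULE_MATCHED"


def lint(config):
    """Flag rules that name a collection-level path yet are pinned to admin requests."""
    findings = []
    for perm in config["permissions"]:
        if "collection" in perm and perm["collection"] is None:
            label = perm.get("name") or perm.get("path")
            if perm.get("name") in PREDEFINED_PATHS or perm.get("path"):
                findings.append(f'rule {perm["index"]} ({label}): "collection": null never matches a collection request')
    return findings


if __name__ == "__main__":
    for finding in lint(POSTED):
        print(finding)
    # read-only user updating collection "test": no rule matches, so Solr lets it through
    print("posted   :", decide(POSTED, "solr", "test", "/update"))
    print("corrected:", decide(corrected(POSTED), "solr", "test", "/update"))
```

      The practical check is the one the reporter already ran: issue an update as a user who should not have the right and see whether it succeeds. The practical fix is to drop "collection": null from the collection-level rules (or set it to "*" or to specific collection names) so that the "update" rule actually sees collection requests; a null-scoped "/*" catch-all does not close the gap either, for the same reason.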

    People

    • Assignee: Unassigned
    • Reporter: sleem Sleem
    • Votes: 0
    • Watchers: 5