Basic Auth Permission

classic Classic list List threaded Threaded
13 messages Options
Reply | Threaded
Open this post in threaded view
|

Basic Auth Permission

Antony A
Hello,

I am trying to get the path/params restricted to users of individual
collection through Solr UI.

Here is the permission that I have for an user.

{"collection": "collection_name", "path": "/admin/file", "role": ["
collection_user"]}

I am still not able to restrict another user from accessing other
collection files like solrconfig, solr-data-config etc.

If it possible to define permission at collection-level to this path?

Thanks,
Antony
Reply | Threaded
Open this post in threaded view
|

Re: Basic Auth Permission

yydpkm
Hi Antony,

Have you solved this? I am facing the same thing. Other users can still do
/select after I set the permission path and collection.

Best,
Rick



--
Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html
Reply | Threaded
Open this post in threaded view
|

Re: Basic Auth Permission

Terry Steichen
In setting his permission, Antony said he set "path": "/admin/file".  I
use "path":"/*" - that may be too restrictive for you, but it works fine
(for me).

On 12/4/18 9:55 AM, yydpkm wrote:

> Hi Antony,
>
> Have you solved this? I am facing the same thing. Other users can still do
> /select after I set the permission path and collection.
>
> Best,
> Rick
>
>
>
> --
> Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html
>
Reply | Threaded
Open this post in threaded view
|

Re: Basic Auth Permission

Antony A
Hi Rick,

This is how I was able to restrict permissions to user-role ( user1  ) to
its own collection. Hopefully it helps.

   "permissions": [
     {"name": "*", "path": "/dataimport", "params": {"command":
["status"]}, "role": "*"},
     {"collection": "name", "path": "/admin/file", "role": ["user1",
"admin"]},
     {"collection": "name", "path": "/files", "role": ["user1", "admin"]},
     {"collection": "name", "path": "/admin/collections", "params":
{"action": ["LIST"]}, "role": ["user1", "admin"]},
     {"collection": "name", "path": "/dataimport", "role": ["user1",
"admin"]},
     {"collection": "name", "path": "/select", "role": ["user1", "admin"]},
     {"collection": "name", "name": "update", "role": ["user1", "admin"]},
     {"collection": "name", "name": "collection-admin-read", "role":
["user1", "admin"]},
     {"collection": "name", "name": "schema-read", "role": ["user1",
"admin"]},
     {"collection": "name", "name": "core-admin-read", "role": ["user1",
"admin"]},
     {"collection": "null", "path": "/admin/zookeeper", "role": ["admin"]},
     {"name": "security-read", "role": ["admin"]},
     {"name": "schema-edit", "role": ["admin"]},
     {"name": "config-edit", "role": ["admin"]},
     {"name": "core-admin-edit", "role": ["admin"]},
     {"name": "security-read", "role": ["admin"]},
     {"name": "collection-admin-edit", "role": ["admin"]},
     {"name": "security-edit", "role": ["admin"]}
    ]

Thanks,
Antony


On Tue, Dec 4, 2018 at 10:07 AM Terry Steichen <[hidden email]> wrote:

> In setting his permission, Antony said he set "path": "/admin/file".  I
> use "path":"/*" - that may be too restrictive for you, but it works fine
> (for me).
>
> On 12/4/18 9:55 AM, yydpkm wrote:
> > Hi Antony,
> >
> > Have you solved this? I am facing the same thing. Other users can still
> do
> > /select after I set the permission path and collection.
> >
> > Best,
> > Rick
> >
> >
> >
> > --
> > Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html
> >
>
Reply | Threaded
Open this post in threaded view
|

Re: Basic Auth Permission

yydpkm
In reply to this post by Terry Steichen
I tried to replace "/select" with "/*" but user B can still access collection
A.
    "permissions":[
      {
        "name":"security-edit",
        "role":"admin",
        "index":1},
      {
        "name":"PermA",
        "collection":CollectionA"",
        "path":"/*",
        "role":["ReadCollectionA","admin"],
        "index":3},
      {
        "name":"schema-read",
        "role":"*",
        "index":4},
      {
        "name":"config-read",
        "role":"*",
        "index":5},
      {
        "name":"collection-admin-read",
        "role":"admin",
        "index":6},
      {
        "name":"metrics-read",
        "role":"*",
        "index":7},
      {
        "name":"core-admin-read",
        "role":"*",
        "index":8}]



--
Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html
Reply | Threaded
Open this post in threaded view
|

Re: Basic Auth Permission

yydpkm
In reply to this post by Antony A
Thank you for your replay. I use your format and failed. User2 can still
visit collection "name"
Could that because I am using standalone Solr not Solrcloud?



--
Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html
Reply | Threaded
Open this post in threaded view
|

Re: Basic Auth Permission

Terry Steichen
What Solr version are you using?

On 12/4/18 2:47 PM, yydpkm wrote:
> Thank you for your replay. I use your format and failed. User2 can still
> visit collection "name"
> Could that because I am using standalone Solr not Solrcloud?
>
>
>
> --
> Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html
>
Reply | Threaded
Open this post in threaded view
|

Re: Basic Auth Permission

yydpkm
I am using standalone Solr 7.4.0. Are you using cloud or standalone? Not sure
if that cause the problem or not.



--
Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html
Reply | Threaded
Open this post in threaded view
|

Re: Basic Auth Permission

Terry Steichen
I think there's been some confusion on which standalone versions support
authentication.  I'm using 6.6 in cloud mode (purely so the
authentication will work).  Some of the documentation seems to say that
only cloud implementations support it, but others (like the experts on
this forum) say that later versions (including yours) support it in
standalone mode.

On 12/4/18 4:14 PM, yydpkm wrote:
> I am using standalone Solr 7.4.0. Are you using cloud or standalone? Not sure
> if that cause the problem or not.
>
>
>
> --
> Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html
>
Reply | Threaded
Open this post in threaded view
|

Re: Basic Auth Permission

Antony A
I run on Solr cloud 7.2.1

Sent from my mobile. Please excuse any typos.

> On Dec 4, 2018, at 2:57 PM, Terry Steichen <[hidden email]> wrote:
>
> I think there's been some confusion on which standalone versions support
> authentication.  I'm using 6.6 in cloud mode (purely so the
> authentication will work).  Some of the documentation seems to say that
> only cloud implementations support it, but others (like the experts on
> this forum) say that later versions (including yours) support it in
> standalone mode.
>
>> On 12/4/18 4:14 PM, yydpkm wrote:
>> I am using standalone Solr 7.4.0. Are you using cloud or standalone? Not sure
>> if that cause the problem or not.
>>
>>
>>
>> --
>> Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html
>>
Reply | Threaded
Open this post in threaded view
|

Re: Basic Auth Permission

yydpkm
In reply to this post by Terry Steichen
Authentication does work and authorization for general is working fine. But
nothing authorization works when specified certain collection. That's so
frustrating. It is weird that even I just do simple "path":"/*" won't do
anything if I add "collection":"a".



--
Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html
Reply | Threaded
Open this post in threaded view
|

Re: Basic Auth Permission

Noble Paul നോബിള്‍  नोब्ळ्
In reply to this post by Antony A
You can't restrict access to static files.

You can only restrict access to Solr content.

However you can use the "blockUnknown" property in your security.json
to restrict access to all files

https://lucene.apache.org/solr/guide/7_5/basic-authentication-plugin.html
--Noble
On Sat, Jun 9, 2018 at 2:43 AM Antony A <[hidden email]> wrote:

>
> Hello,
>
> I am trying to get the path/params restricted to users of individual
> collection through Solr UI.
>
> Here is the permission that I have for an user.
>
> {"collection": "collection_name", "path": "/admin/file", "role": ["
> collection_user"]}
>
> I am still not able to restrict another user from accessing other
> collection files like solrconfig, solr-data-config etc.
>
> If it possible to define permission at collection-level to this path?
>
> Thanks,
> Antony



--
-----------------------------------------------------
Noble Paul
Reply | Threaded
Open this post in threaded view
|

Re: Basic Auth Permission

Terry Steichen
In reply to this post by Antony A
What Noble Paul says is true: Solr can't - directly - restrict access to
static files.

However, if you set your file repository's permissions to a minimal
level (so, for example, users can't do a directory search), then they
must know the precise name and location of the file they're trying to
retrieve.  And, depending on your system implementation, that
information may be only available via a Solr search result (the access
to which can be restricted).

Terry Steichen

On 12/8/18 12:06 AM, Noble Paul wrote:

> You can't restrict access to static files.
>
> You can only restrict access to Solr content.
>
> However you can use the "blockUnknown" property in your security.json
> to restrict access to all files
>
> https://lucene.apache.org/solr/guide/7_5/basic-authentication-plugin.html
> --Noble
> On Sat, Jun 9, 2018 at 2:43 AM Antony A <[hidden email]> wrote:
>> Hello,
>>
>> I am trying to get the path/params restricted to users of individual
>> collection through Solr UI.
>>
>> Here is the permission that I have for an user.
>>
>> {"collection": "collection_name", "path": "/admin/file", "role": ["
>> collection_user"]}
>>
>> I am still not able to restrict another user from accessing other
>> collection files like solrconfig, solr-data-config etc.
>>
>> If it possible to define permission at collection-level to this path?
>>
>> Thanks,
>> Antony
>
>