Protect a collection to be deleted

Protect a collection to be deleted

Yago Riveiro
Hi,

Is it possible in Solr to protect a collection from being deleted through a
property?

Regards
 



-----
Best regards

/Yago
--
Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html

RE: Protect a collection to be deleted

Markus Jelsma-2
Hello,

Well, you could remove the write permission for all segment files. Or, make a custom UpdateProcessor that intercepts *:* operations and stops a delete in its tracks. This is what we did, protect the search against me. Keep in mind that a negative query can also delete everything, so you can check if the numRows of the proposed delete query is equal to the number of documents.

Regards,
Markus

-----Original message-----

> From:Yago Riveiro <[hidden email]>
> Sent: Tuesday 12th December 2017 18:28
> To: [hidden email]
> Subject: Protect a collection to be deleted
>
> Hi,
>
> Is it possible in Solr to protect a collection from being deleted through a
> property?
>
> Regards
>  
>
>
>
> -----
> Best regards
>
> /Yago
> --
> Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html
>
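
The update-processor guard Markus describes above, sketched as an added example (not code from the thread or from Solr itself). The class name `BlockDeleteAllProcessorFactory` is hypothetical; the check compares the delete query's match count with the core's document count, so it also covers negative queries that select everything.

```java
import java.io.IOException;
import org.apache.solr.common.SolrException;
import org.apache.solr.common.SolrException.ErrorCode;
import org.apache.solr.request.SolrQueryRequest;
import org.apache.solr.response.SolrQueryResponse;
import org.apache.solr.search.QParser;
import org.apache.solr.search.SolrIndexSearcher;
import org.apache.solr.search.SyntaxError;
import org.apache.solr.update.DeleteUpdateCommand;
import org.apache.solr.update.processor.UpdateRequestProcessor;
import org.apache.solr.update.processor.UpdateRequestProcessorFactory;

// Hypothetical class name (an assumption, not part of Solr).
public class BlockDeleteAllProcessorFactory extends UpdateRequestProcessorFactory {
  @Override
  public UpdateRequestProcessor getInstance(SolrQueryRequest req, SolrQueryResponse rsp,
                                            UpdateRequestProcessor next) {
    return new UpdateRequestProcessor(next) {
      @Override
      public void processDelete(DeleteUpdateCommand cmd) throws IOException {
        // Delete-by-id removes one document; only delete-by-query can match everything.
        if (!cmd.isDeleteById()) {
          SolrIndexSearcher searcher = req.getSearcher();
          int total = searcher.getIndexReader().numDocs(); // live docs visible to this searcher
          int matched;
          try {
            // Count what the query matches instead of string-matching "*:*",
            // so negative queries that select every document are caught too.
            matched = searcher.getDocSet(
                QParser.getParser(cmd.getQuery(), "lucene", req).getQuery()).size();
          } catch (SyntaxError e) {
            throw new SolrException(ErrorCode.BAD_REQUEST, e);
          }
          if (total > 0 && matched >= total) {
            throw new SolrException(ErrorCode.FORBIDDEN,
                "delete query matches all " + total + " documents; rejected");
          }
        }
        super.processDelete(cmd); // pass anything else down the chain
      }
    };
  }
}
```

The factory has to be registered in an `updateRequestProcessorChain` in solrconfig.xml ahead of `RunUpdateProcessorFactory`. It only sees documents visible to the current searcher on that core, and it has no effect on a Collections API DELETE.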

RE: Protect a collection to be deleted

Yago Riveiro
I don’t know if it’s possible, but if we can mark the collection as protected, we can avoid the DELETE command removing the collection.

Maybe set the flag when CREATE command is executed?

This is an interesting feature to avoid human errors, and relatively easy to implement.

Regards

--

Yago Riveiro

On 12 Dec 2017 17:45 +0000, Markus Jelsma <[hidden email]>, wrote:

> Hello,
>
> Well, you could remove the write permission for all segment files. Or, make a custom UpdateProcessor that intercepts *:* operations and stops a delete in its tracks. This is what we did, protect the search against me. Keep in mind that a negative query can also delete everything, so you can check if the numRows of the proposed delete query is equal to the number of documents.
>
> Regards,
> Markus
>
> -----Original message-----
> > From:Yago Riveiro <[hidden email]>
> > Sent: Tuesday 12th December 2017 18:28
> > To: [hidden email]
> > Subject: Protect a collection to be deleted
> >
> > Hi,
> >
> > Is it possible in Solr to protect a collection from being deleted through a
> > property?
> >
> > Regards
> >
> >
> >
> >
> > -----
> > Best regards
> >
> > /Yago
> > --
> > Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html
> >

Re: Protect a collection to be deleted

Shawn Heisey-2
In reply to this post by Yago Riveiro
On 12/12/2017 10:27 AM, Yago Riveiro wrote:
> Is it possible in Solr to protect a collection from being deleted through a
> property?

I doubt that this is possible at the moment.

The suggestion from Markus to change permissions on the index files
would prevent the actual index from being deleted, but I suspect that a
Collections API delete would still remove the collection from the
cloud.  Also, it would prevent any changes to the index, which reduces
Solr's usefulness.

An update processor to block mistakes is an interesting idea, but again,
doesn't keep you from deleting the collection entirely with the
collections API.

I've opened an issue for an idea to achieve what I *think* you're after:

https://issues.apache.org/jira/browse/SOLR-11751

Thanks,
Shawn


Re: Protect a collection to be deleted

Yago Riveiro
Thanks Shawn for addressing the question to Jira.

Indeed I want to continue to insert data in the collection.

I found that deleting a collection by mistake using the API is too easy and prone to human error.

Regards,

--

Yago Riveiro

On 12 Dec 2017 19:05 +0000, Shawn Heisey <[hidden email]>, wrote:

> On 12/12/2017 10:27 AM, Yago Riveiro wrote:
> > Is it possible in Solr to protect a collection from being deleted through a
> > property?
>
> I doubt that this is possible at the moment.
>
> The suggestion from Markus to change permissions on the index files
> would prevent the actual index from being deleted, but I suspect that a
> Collections API delete would still remove the collection from the
> cloud.  Also, it would prevent any changes to the index, which reduces
> Solr's usefulness.
>
> An update processor to block mistakes is an interesting idea, but again,
> doesn't keep you from deleting the collection entirely with the
> collections API.
>
> I've opened an issue for an idea to achieve what I *think* you're after:
>
> https://issues.apache.org/jira/browse/SOLR-11751
>
> Thanks,
> Shawn
>

Re: Protect a collection to be deleted

Anshum Gupta-3
In reply to this post by Yago Riveiro
You might want to explore Rule based authorization in Solr and stop non-admin users from deleting collections etc. Here’s the link to the documentation: https://lucene.apache.org/solr/guide/6_6/rule-based-authorization-plugin.html 

-Anshum



On Dec 12, 2017, at 9:27 AM, Yago Riveiro <[hidden email]> wrote:

> Hi,
>
> Is it possible in Solr to protect a collection from being deleted through a
> property?
>
> Regards
>
> -----
> Best regards
>
> /Yago
> --
> Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html



Re: Protect a collection to be deleted

Yago Riveiro
That can work, but the goal is to avoid human error (like the UI that forces you to type the name of the collection on delete) independently of the access level.

Regards

--

/Yago Riveiro

On 12 Dec 2017 20:24 +0000, Anshum Gupta <[hidden email]>, wrote:

> You might want to explore Rule based authorization in Solr and stop non-admin users from deleting collections etc. Here’s the link to the documentation: https://lucene.apache.org/solr/guide/6_6/rule-based-authorization-plugin.html
>
> -Anshum
>
>
>
> > On Dec 12, 2017, at 9:27 AM, Yago Riveiro <[hidden email]> wrote:
> >
> > Hi,
> >
> > Is it possible in Solr to protect a collection from being deleted through a
> > property?
> >
> > Regards
> >
> >
> >
> >
> > -----
> > Best regards
> >
> > /Yago
> > --
> > Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html
>

Re: Protect a collection to be deleted

Shawn Heisey-2
In reply to this post by Anshum Gupta-3
On 12/12/2017 1:23 PM, Anshum Gupta wrote:
> You might want to explore Rule based authorization in Solr and stop
> non-admin users from deleting collections etc. Here’s the link to the
> documentation: https://lucene.apache.org/solr/guide/6_6/rule-based-authorization-plugin.html 

Because I've never used the authentication plugins, I have to ask: What
kind of granularity does this offer?  Can it protect individual
collections from being deleted, while allowing others to be deleted? 
When I read the documentation, I see something saying that the
permission affects ALL collections, so I suspect that kind of
granularity is not possible.

If authorization can be extended to allow per-collection permissions,
that is one way to handle the use case, if the admin is already using
authentication on their Solr instances.  I don't use authentication, and
it would be quite painful for my ecosystem if I were to turn it on, so I
would want to have something else available to protect collections from
API actions.

Thanks,
Shawn


Re: Protect a collection to be deleted

Anshum Gupta-3
From what I remember, you can set a custom permission for a specific user to be able to delete a collection, or not allow anyone to delete a specific collection.

Check out the “user defined permissions” section here: https://lucidworks.com/2015/08/17/securing-solr-basic-auth-permission-rules/

-Anshum



On Dec 13, 2017, at 7:20 AM, Shawn Heisey <[hidden email]> wrote:

> On 12/12/2017 1:23 PM, Anshum Gupta wrote:
> > You might want to explore Rule based authorization in Solr and stop
> > non-admin users from deleting collections etc. Here’s the link to the
> > documentation: https://lucene.apache.org/solr/guide/6_6/rule-based-authorization-plugin.html
>
> Because I've never used the authentication plugins, I have to ask: What
> kind of granularity does this offer?  Can it protect individual
> collections from being deleted, while allowing others to be deleted?
> When I read the documentation, I see something saying that the
> permission affects ALL collections, so I suspect that kind of
> granularity is not possible.
>
> If authorization can be extended to allow per-collection permissions,
> that is one way to handle the use case, if the admin is already using
> authentication on their Solr instances.  I don't use authentication, and
> it would be quite painful for my ecosystem if I were to turn it on, so I
> would want to have something else available to protect collections from
> API actions.
>
> Thanks,
> Shawn


