alias read access impossible for anyone other than admin?


alias read access impossible for anyone other than admin?

Sotiris Fragkiskos
Hi everyone!
I've been trying unsuccessfully to read an alias to a collection with a
curl command.
The command only works when I put in the admin credentials, although the
user I want access for also has the required role for accessing.
Is this perhaps built-in, or should anyone be able to access an alias from
the API?

The command I'm using is:
curl http://<user>:<pass>@<solrhostname>/solr/<AliasName>/select?q=<field>:<value>
This fails for the user but succeeds for the admin

My minimum working example of security.json follows.
Many thanks!

{
  "authentication":{
    "blockUnknown":true,
    "class":"solr.BasicAuthPlugin",
    "credentials":{
      "admin":"blahblahblah",
      "user":"blahblah"},
    "":{"v":13}},
  "authorization":{
    "class":"solr.RuleBasedAuthorizationPlugin",
    "permissions":[
      {
        "name":"all",
        "role":"admin",
        "index":1},
      {
        "name":"readColl",
        "collection":"Coll",
        "path":"/select/*",
        "role":"readColl",
        "index":2},
      {
        "name":"readSCollAlias",
        "collection":"sCollAlias",
        "path":"/select/*",
        "role":"readSCollAlias",
        "index":3}],
    "user-role":{
      "admin":[
        "admin",
        "readSCollAlias"],
      "user":["readSCollAlias"]},
    "":{"v":21}}}

Re: alias read access impossible for anyone other than admin?

Jason Gerlowski
Hi Sotiris,

First, what version of Solr are you running?  We've made some fixes
recently (esp. SOLR-13355) to RBAP, and they might affect the behavior
you're seeing or any fixes we can recommend.

Second, the order of permissions in security.json has a huge effect.
Solr always uses the first permission rule that matches a given
API; later rules are ignored if a match is found in earlier ones.
The first rule in your permissions block ({"name": "all", "role":
"admin"}) will match all APIs and will only allow requests through if
the requesting user has the "admin" role.  So "user" being unable to
query an alias makes sense.  Usually "all" and other catchall
permissions are best used at the very bottom of your permissions list.
That way the catchall is the last rule to be checked, giving other
rules a chance to match first.

Hope that helps.

Jason

On Wed, May 22, 2019 at 6:21 AM Sotiris Fragkiskos <[hidden email]> wrote:

>
> Hi everyone!
> I've been trying unsuccessfully to read an alias to a collection with a
> curl command.
> The command only works when I put in the admin credentials, although the
> user I want access for also has the required role for accessing.
> Is this perhaps built-in, or should anyone be able to access an alias from
> the API?
>
> The command I'm using is:
> curl http://
> <user>:<pass>@<solrhostname>/solr/<AliasName>/select?q=<field>:<value>
> This fails for the user but succeeds for the admin
>
> My minimum working example of security.json follows.
> Many thanks!
>
> {
>   "authentication":{
>     "blockUnknown":true,
>     "class":"solr.BasicAuthPlugin",
>     "credentials":{
>       "admin":"blahblahblah",
>       "user":"blahblah"},
>     "":{"v":13}},
>   "authorization":{
>     "class":"solr.RuleBasedAuthorizationPlugin",
>     "permissions":[
>       {
>         "name":"all",
>         "role":"admin",
>         "index":1},
>       {
>         "name":"readColl",
>         "collection":"Coll",
>         "path":"/select/*",
>         "role":"readColl",
>         "index":2},
>       {
>         "name":"readSCollAlias",
>         "collection":"sCollAlias",
>         "path":"/select/*",
>         "role":"readSCollAlias",
>         "index":3}],
>     "user-role":{
>       "admin":[
>         "admin",
>         "readSCollAlias"],
>       "user":["readSCollAlias"]},
>     "":{"v":21}}}
Reply | Threaded
Open this post in threaded view
|
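
The first-match behaviour Jason describes, as a small Python model added here for this page (it is not Solr's code and was not posted in the thread): it evaluates the security.json from the first message both as posted and with the catch-all moved to the bottom. The path-wildcard handling, the outcome when no rule matches, and all function and constant names are modelling assumptions of mine; the permissions and user-role mapping are copied from the posted file.

```python
"""Simplified model of first-match permission evaluation in Solr's
RuleBasedAuthorizationPlugin, built around the security.json posted in
this thread.  Illustration written for this page, not Solr code: the
wildcard handling in path_matches() and the no-rule-matches outcome in
decide() are modelling assumptions, and the real plugin considers more
(HTTP method, request params, unauthenticated requests) than this does.
"""

# The three permissions exactly as posted, minus the "index" bookkeeping.
# "all" comes first, so it claims every request before the read rules.
PERMISSIONS_AS_POSTED = [
    {"name": "all", "role": "admin"},
    {"name": "readColl", "collection": "Coll", "path": "/select/*",
     "role": "readColl"},
    {"name": "readSCollAlias", "collection": "sCollAlias", "path": "/select/*",
     "role": "readSCollAlias"},
]

# The same rules with the catch-all moved last, as the reply recommends.
PERMISSIONS_REORDERED = PERMISSIONS_AS_POSTED[1:] + PERMISSIONS_AS_POSTED[:1]

# user-role mapping from the posted security.json.
USER_ROLES = {
    "admin": ["admin", "readSCollAlias"],
    "user": ["readSCollAlias"],
}


def path_matches(pattern, path):
    """Modelling assumption: "/select/*" matches "/select" and anything below it."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def rule_matches(rule, collection, path):
    """Does this permission claim the request?  Roles are not consulted here."""
    if rule["name"] == "all":
        return True  # the predefined catch-all claims every API
    if "collection" in rule and rule["collection"] != collection:
        return False
    if "path" in rule and not path_matches(rule["path"], path):
        return False
    return True


def first_matching_rule(permissions, collection, path):
    """First-match semantics: the first rule that claims the request wins."""
    for rule in permissions:
        if rule_matches(rule, collection, path):
            return rule
    return None


def decide(permissions, user, collection, path):
    """Return (allowed, rule_name).  Only the first matching rule's roles are
    checked; rules further down the list are never reached."""
    rule = first_matching_rule(permissions, collection, path)
    if rule is None:
        # No rule claims the API.  Modelling assumption: unconstrained.
        return True, None
    roles = rule["role"] if isinstance(rule["role"], list) else [rule["role"]]
    allowed = any(r in USER_ROLES.get(user, []) for r in roles)
    return allowed, rule["name"]


if __name__ == "__main__":
    for label, perms in (("as posted", PERMISSIONS_AS_POSTED),
                         ("reordered", PERMISSIONS_REORDERED)):
        print(f"--- permissions {label} ---")
        for user in ("user", "admin"):
            for coll in ("sCollAlias", "Coll"):
                allowed, rule = decide(perms, user, coll, "/select")
                verdict = "allow" if allowed else "deny"
                print(f"{user:5} /solr/{coll}/select -> {verdict:5} (rule: {rule})")
```

Running it shows what the reply states and one consequence it does not spell out. With "all" first, user is denied on sCollAlias because the request never reaches readSCollAlias. With "all" last, user is allowed there, but admin is now denied on Coll: the first-matching rule readColl names only the readColl role, and the admin catch-all is never consulted. Either give admin that role in user-role or list several roles on the specific rule. To confirm against a live node, check the HTTP status rather than the response body, e.g. `curl -u user:pass -o /dev/null -w '%{http_code}\n' 'http://host/solr/sCollAlias/select?q=*:*'`, expecting 200 for a permitted request and 403 when authorization denies it; passing the credentials with -u (or a netrc file) also keeps them out of the URL, where they otherwise land in shell history and proxy logs.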

Re: alias read access impossible for anyone other than admin?

Aroop Ganguly
hi jason

Which version of Solr has the definitive fix for RBAP again?
Also, is there a JIRA to fix or create documentation for the same that works :)?

aroop


> On May 24, 2019, at 9:55 AM, Jason Gerlowski <[hidden email]> wrote:

Re: alias read access impossible for anyone other than admin?

Jason Gerlowski
Hey Aroop,

The fix in SOLR-13355 is available starting in 8.1.  It will also be
available in 7.7.2 once that is released.  (Jan Hoydahl started the
release process for 7.7.2, but held off for a number of other ongoing
releases.  He's recently resumed work on the release though, and I
expect we'll see 7.7.2 in a week or two.)

RuleBasedAuthorizationPlugin does have some coverage in the ref-guide,
as you've likely seen:
https://lucene.apache.org/solr/guide/7_7/rule-based-authorization-plugin.html.
I don't think SOLR-13355 involved any changes to that documentation:
it fixed a bug that deviated from what was described in the ref-guide,
so there were no changes required when that bug was fixed.  That said,
if you see something I've missed, or think that page could be improved
more generally, it's definitely worth raising a JIRA for.  RBAP
permission matching/processing can be subtle for those using it for
the first time, so any improvement to the docs will go a long way.

Jason

On Sat, May 25, 2019 at 3:12 AM Aroop Ganguly <[hidden email]> wrote:

>
> hi jason
>
> which version of solr has the definitive fix for the rbap again ?
> also is there a jira to fix or create a documentation for the same that works :) ?
>
> aroop
>
>
> > On May 24, 2019, at 9:55 AM, Jason Gerlowski <[hidden email]> wrote:
> >
> > Hi Sotiris,
> >
> > First, what version of Solr are you running?  We've made some fixes
> > recently (esp. SOLR-13355) to RBAP, and they might affect the behavior
> > you're seeing or any fixes we can recommend.
> >
> > Second, the order of permissions in security.json has a huge effect on
> > how .  Solr always uses the first permission rule that matches a given
> > API...later rules are ignored if a match is found in earlier ones.
> > The first rule in your permissions block ({"name": "all", "role":
> > "admin"}) will match all APIs and will only allow requests through if
> > the requesting user has the "admin" role.  So "user" being unable to
> > query an alias makes sense.  Usually "all" and other catchall
> > permissions are best used at the very bottom of your permissions list.
> > That way the catchall is the last rule to be checked, giving other
> > rules a chance to match first.
> >
> > Hope that helps.
> >
> > Jason
> >
> > On Wed, May 22, 2019 at 6:21 AM Sotiris Fragkiskos <[hidden email]> wrote:
> >>
> >> Hi everyone!
> >> I've been trying unsuccessfully to read an alias to a collection with a
> >> curl command.
> >> The command only works when I put in the admin credentials, although the
> >> user I want access for also has the required role for accessing.
> >> Is this perhaps built-in, or should anyone be able to access an alias from
> >> the API?
> >>
> >> The command I'm using is:
> >> curl http://
> >> <user>:<pass>@<solrhostname>/solr/<AliasName>/select?q=<field>:<value>
> >> This fails for the user but succeeds for the admin
> >>
> >> My minimum working example of security.json follows.
> >> Many thanks!
> >>
> >> {
> >>  "authentication":{
> >>    "blockUnknown":true,
> >>    "class":"solr.BasicAuthPlugin",
> >>    "credentials":{
> >>      "admin":"blahblahblah",
> >>      "user":"blahblah"},
> >>    "":{"v":13}},
> >>  "authorization":{
> >>    "class":"solr.RuleBasedAuthorizationPlugin",
> >>    "permissions":[
> >>      {
> >>        "name":"all",
> >>        "role":"admin",
> >>        "index":1},
> >>      {
> >>        "name":"readColl",
> >>        "collection":"Coll",
> >>        "path":"/select/*",
> >>        "role":"readColl",
> >>        "index":2},
> >>      {
> >>        "name":"readSCollAlias",
> >>        "collection":"sCollAlias",
> >>        "path":"/select/*",
> >>        "role":"readSCollAlias",
> >>        "index":3}],
> >>    "user-role":{
> >>      "admin":[
> >>        "admin",
> >>        "readSCollAlias"],
> >>      "user":["readSCollAlias"]},
> >>    "":{"v":21}}}
>
Reply | Threaded
Open this post in threaded view
|

Re: alias read access impossible for anyone other than admin?

Aroop Ganguly-2
Thanks Jason.
We are awaiting the 7.7.2 release.

I will send out a note describing how the documentation is easy to mess up.
Maybe this is worth writing a blog for folks like yourselves who are experts in this :)


> On May 28, 2019, at 4:31 AM, Jason Gerlowski <[hidden email]> wrote: