Discussion:
Basic Auth Permission
Antony A
2018-06-08 16:43:17 UTC
Hello,

I am trying to get the path/params restricted to users of individual
collection through Solr UI.

Here is the permission that I have for a user.

{"collection": "collection_name", "path": "/admin/file", "role": ["collection_user"]}

I am still not able to restrict another user from accessing other
collection files like solrconfig, solr-data-config etc.

Is it possible to define permission at collection-level to this path?

Thanks,
Antony
yydpkm
2018-12-04 14:55:41 UTC
Hi Antony,

Have you solved this? I am facing the same thing. Other users can still do
/select after I set the permission path and collection.

Best,
Rick
Terry Steichen
2018-12-04 17:06:48 UTC
In setting his permission, Antony said he set "path": "/admin/file".  I
use "path":"/*" - that may be too restrictive for you, but it works fine
(for me).
Antony A
2018-12-04 17:34:02 UTC
Hi Rick,

This is how I was able to restrict permissions to user-role ( user1 ) to
its own collection. Hopefully it helps.

"permissions": [
  {"name": "*", "path": "/dataimport", "params": {"command": ["status"]}, "role": "*"},
  {"collection": "name", "path": "/admin/file", "role": ["user1", "admin"]},
  {"collection": "name", "path": "/files", "role": ["user1", "admin"]},
  {"collection": "name", "path": "/admin/collections", "params": {"action": ["LIST"]}, "role": ["user1", "admin"]},
  {"collection": "name", "path": "/dataimport", "role": ["user1", "admin"]},
  {"collection": "name", "path": "/select", "role": ["user1", "admin"]},
  {"collection": "name", "name": "update", "role": ["user1", "admin"]},
  {"collection": "name", "name": "collection-admin-read", "role": ["user1", "admin"]},
  {"collection": "name", "name": "schema-read", "role": ["user1", "admin"]},
  {"collection": "name", "name": "core-admin-read", "role": ["user1", "admin"]},
  {"collection": "null", "path": "/admin/zookeeper", "role": ["admin"]},
  {"name": "security-read", "role": ["admin"]},
  {"name": "schema-edit", "role": ["admin"]},
  {"name": "config-edit", "role": ["admin"]},
  {"name": "core-admin-edit", "role": ["admin"]},
  {"name": "security-read", "role": ["admin"]},
  {"name": "collection-admin-edit", "role": ["admin"]},
  {"name": "security-edit", "role": ["admin"]}
]

Thanks,
Antony
yydpkm
2018-12-04 19:47:04 UTC
Thank you for your reply. I use your format and failed. User2 can still
visit collection "name".
Could that be because I am using standalone Solr, not SolrCloud?
Terry Steichen
2018-12-04 20:39:06 UTC
What Solr version are you using?
yydpkm
2018-12-04 21:14:11 UTC
I am using standalone Solr 7.4.0. Are you using cloud or standalone? Not sure
if that causes the problem or not.
Terry Steichen
2018-12-04 21:57:46 UTC
I think there's been some confusion on which standalone versions support
authentication.  I'm using 6.6 in cloud mode (purely so the
authentication will work).  Some of the documentation seems to say that
only cloud implementations support it, but others (like the experts on
this forum) say that later versions (including yours) support it in
standalone mode.
Antony A
2018-12-05 01:06:15 UTC
I run on Solr cloud 7.2.1
yydpkm
2018-12-05 19:19:45 UTC
Authentication does work and authorization in general is working fine. But
no authorization works when a certain collection is specified. That's so
frustrating. It is weird that even a simple "path":"/*" won't do
anything if I add "collection":"a".
yydpkm
2018-12-04 19:26:22 UTC
I tried to replace "/select" with "/*" but user B can still access collection
A.
"permissions":[
  {"name":"security-edit", "role":"admin", "index":1},
  {"name":"PermA", "collection":"CollectionA", "path":"/*", "role":["ReadCollectionA","admin"], "index":3},
  {"name":"schema-read", "role":"*", "index":4},
  {"name":"config-read", "role":"*", "index":5},
  {"name":"collection-admin-read", "role":"admin", "index":6},
  {"name":"metrics-read", "role":"*", "index":7},
  {"name":"core-admin-read", "role":"*", "index":8}]
Noble Paul
2018-12-08 05:06:03 UTC
You can't restrict access to static files.

You can only restrict access to Solr content.

However you can use the "blockUnknown" property in your security.json
to restrict access to all files

https://lucene.apache.org/solr/guide/7_5/basic-authentication-plugin.html
--Noble
Terry Steichen
2018-12-08 16:14:36 UTC
What Noble Paul says is true: Solr can't - directly - restrict access to
static files.

However, if you set your file repository's permissions to a minimal
level (so, for example, users can't do a directory search), then they
must know the precise name and location of the file they're trying to
retrieve.  And, depending on your system implementation, that
information may be only available via a Solr search result (the access
to which can be restricted).

Terry Steichen
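A lint pass over security.json for points that come up in this thread (the "blockUnknown" property, a "collection" given as the string "null", a repeated permission entry, and roles that no user holds), as an added example that is not from any poster or from the Solr project. The function name, finding codes and sample document are assumptions made here, and the checks are hygiene rules of this example, not a model of how Solr evaluates permissions.

```python
import json

# Constructed sample modelled on the permissions posted in this thread.
# The credential value is a placeholder, not a real hash.
SAMPLE = """
{"authentication": {"class": "solr.BasicAuthPlugin",
                    "credentials": {"solr": "<placeholder>"}},
 "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
   "user-role": {"solr": "admin"},
   "permissions": [
     {"name": "PermA", "collection": "CollectionA", "path": "/*",
      "role": ["ReadCollectionA", "admin"]},
     {"collection": "null", "path": "/admin/zookeeper", "role": ["admin"]},
     {"name": "security-read", "role": ["admin"]},
     {"name": "security-read", "role": ["admin"]},
     {"name": "security-edit", "role": ["admin"]}]}}
"""

def _as_list(value):  # roles may be a single string or a list
    return [] if value is None else value if isinstance(value, list) else [value]

def lint_security_json(text):
    """Return (code, message) findings; hypothetical helper, not a Solr API."""
    cfg = json.loads(text)
    findings = []
    if cfg.get("authentication", {}).get("blockUnknown") is not True:
        findings.append(("BLOCK_UNKNOWN", "authentication.blockUnknown is not true"))
    authz = cfg.get("authorization", {})
    assigned = {r for roles in authz.get("user-role", {}).values()
                for r in _as_list(roles)}
    seen = set()
    for idx, perm in enumerate(authz.get("permissions", [])):
        # The JSON string "null" is a collection name, not the JSON literal null.
        if perm.get("collection") == "null":
            findings.append(("STRING_NULL", f'permission {idx}: collection is the string "null"'))
        # Two entries that differ only in role or index are duplicates.
        key = json.dumps({k: v for k, v in perm.items()
                          if k not in ("role", "index")}, sort_keys=True)
        if key in seen:
            findings.append(("DUPLICATE", f"permission {idx}: repeats an earlier entry"))
        seen.add(key)
        # A role no user holds can never be satisfied ("*" means any role).
        for role in _as_list(perm.get("role")):
            if role != "*" and role not in assigned:
                findings.append(("UNASSIGNED_ROLE", f"permission {idx}: role {role!r} has no user"))
    return findings

if __name__ == "__main__":
    print(*lint_security_json(SAMPLE), sep="\n")
```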