Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-8439

Solr Security - Permission read does not work as expected

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Duplicate
    • 5.3.1
    • None
    • security
    • None

    • Linux, Solr Cloud

    Description

      I enabled security on my solr cloud and added basic authentication and authorization to allow only specific users to read and update the records. What I observed that update works fine but read does not stop from anonymous access.

      On digging deeper I saw that RuleBasedAuthorizationPlugin.java has incorrectly defined the read permissions as follows:

      read :

      {" + " path:['/update/*', '/get']}

      ," +

      It should be /select/* rather than /update/*

      Attachments

        Issue Links

        duplicates

        Bug - A problem which impairs or prevents the functions of the product. SOLR-8167 RuleBasedAuthorization plugin bypass with POST requests

        • Major - Major loss of function.
        • Resolved

        Activity
          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            Unassigned Unassigned
            gkumar48@yahoo.com Gaurav Kumar
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Time Tracking

                Estimated:
                Original Estimate - 3h
                3h
                Remaining:
                Remaining Estimate - 3h
                3h
                Logged:
                Time Spent - Not Specified
                Not Specified

                Slack

                  Issue deployment