
How to limit user access to Solr indexes?

Contributor

I'm interested in being able to prohibit users from interacting with, or even being aware of the existence of, specific indexes in Solr. For example, when a user in HUE looks at available indexes in HUE, they can only see the indexes they have permission to interact with.

Is this possible with the Cloudera distribution? I'm running CDH 5.10.

Thanks!!


Contributor

Can this be done at the collections/parent level in HUE/Sentry so that any time a user creates an index in Solr only the user who created it has access?

In other words, what I'm trying to avoid having to do is setting permissions each time an index is created by a user. So if a user creates an index, Sentry automatically adds/updates the appropriate permissions.

I don't see any explicit reference to this capability in the docs.

avatar
There isn't any current functionality to handle this. Part of the issue is, for a newly created collection, what is considered 'appropriate' permissions? Someone normally needs to determine what those are for that new specific collection.

-pd

Contributor

That is a fair question of what is 'appropriate'. I was hoping there would be an option to select a default behavior to do so. For example, upon 'usr1' creating an index, the following permission would be generated:

collection='the_new_idx'->user=usr1->action=*

I imagine other global default behaviors could exist such that the auto-generated permission sets access for new collections at a role level instead of user level.