Reply
Expert Contributor
Posts: 129
Registered: ‎08-08-2013
Accepted Solution

SOLR collection accessible for everyone, although Sentry-ACLs are configured

Hello,

 

I am working on providing privileges to access Solr collection via Sentry-ACL.

Environment is CDH5.9, Kerberos enabled, Sentry & Solr are up and running, Sentry roles have been configured and privileges are granted:
1 role for "Query"-ing the collection

1 role for "Update"-ing the collection

1 role for "All" privileges

 

If I now login to Hue, and click "Search" => "Indizes" => <collection-name> => "Search" , then I can see all documents in the collection, _BUT_ this is the case for _ANY_ user. Even users which are not part of the (OS-)group that is assigned to a Sentry role can see all documents. This is something I didn't expect after having Sentry-ACLs in place...?!?!

 

I just created a user 'test' within Hue, this user doesn't even exist as OS user, but he can see all documents from th SOLR collection. WHY ?

 

If I login as user 'test' into Hue and click on "Search" => "Indizes", the Solr-log shows an (expected) error:

ERROR org.apache.solr.core.SolrCore: org.apache.solr.common.SolrException: org.apache.sentry.binding.solr.authz.SentrySolrAuthorizationException: User test does not have privileges for admin

but nevertheless, I can proceed clicking on the collection-name and then "Search" to see all the documents (which I didn't expect ;) ). The Solr-log just shows:

 

INFO org.apache.solr.core.SolrCore.Request: [...collection-name...] webapp=/solr path=/select params={hl.snippets=5&q=*:*&doAs=test&hl=true&fl=*&start=0&hl.fragsize=1000&hl.fl=*&rows=10&wt=json} hits=2 status=0 QTime=2

 

What am I missing here to _really_ protect the Solr collection from being accessed by everyone ?!?!

 

The same behaviour can be reproduced by executing curl commandline calls by a user which has a valid kerberos ticket, but is _NOT_ part of any group which is part of a Sentry policy. All those users can select the collection, which shouldn't be the case.

 

 

THanks in advance...

New Contributor
Posts: 3
Registered: ‎04-28-2017

Re: SOLR collection accessible for everyone, although Sentry-ACLs are configured

Hello ge-ko,

Have you been able to resolve this issue?

I am experiencing the same issue here.

I enabled Kerberos+Ldap authentication for solr.

Solr is using "policy file " to enforce sentry authentication.

everyone can query any collection though I only have enebaled query permission for one particular user only.

PS as for update or deleting collections everything works fine

 

 

Highlighted
New Contributor
Posts: 3
Registered: ‎04-28-2017

Re: SOLR collection accessible for everyone, although Sentry-ACLs are configured

I have resolved the issue for Solr.

1: I replaced solrconfig.xml with solrconfig.xml.secure

2: solrctl instancedir --update employee  /home/Solr/employee/conf/

3: solrctl collection --reload employee

 

 

Announcements