SOLR collection accessible for everyone, although Sentry-ACLs are configured

geko — Fri, 16 Sep 2022 11:31:43 GMT

Hello,

I am working on providing privileges to access Solr collection via Sentry-ACL.

Environment is CDH5.9, Kerberos enabled, Sentry & Solr are up and running, Sentry roles have been configured and privileges are granted:
1 role for "Query"-ing the collection

1 role for "Update"-ing the collection

1 role for "All" privileges

If I now login to Hue, and click "Search" => "Indizes" => <collection-name> => "Search" , then I can see all documents in the collection, _BUT_ this is the case for _ANY_ user. Even users which are not part of the (OS-)group that is assigned to a Sentry role can see all documents. This is something I didn't expect after having Sentry-ACLs in place...?!?!

I just created a user 'test' within Hue, this user doesn't even exist as OS user, but he can see all documents from th SOLR collection. WHY ?

If I login as user 'test' into Hue and click on "Search" => "Indizes", the Solr-log shows an (expected) error:

ERROR org.apache.solr.core.SolrCore: org.apache.solr.common.SolrException: org.apache.sentry.binding.solr.authz.SentrySolrAuthorizationException: User test does not have privileges for admin

but nevertheless, I can proceed clicking on the collection-name and then "Search" to see all the documents (which I didn't expect 😉 ). The Solr-log just shows:

INFO org.apache.solr.core.SolrCore.Request: [...collection-name...] webapp=/solr path=/select params={hl.snippets=5&q=*:*&doAs=test&hl=true&fl=*&start=0&hl.fragsize=1000&hl.fl=*&rows=10&wt=json} hits=2 status=0 QTime=2

What am I missing here to _really_ protect the Solr collection from being accessed by everyone ?!?!

The same behaviour can be reproduced by executing curl commandline calls by a user which has a valid kerberos ticket, but is _NOT_ part of any group which is part of a Sentry policy. All those users can select the collection, which shouldn't be the case.

THanks in advance...

Re: SOLR collection accessible for everyone, although Sentry-ACLs are configured

GeorgeG — Tue, 07 Nov 2017 18:41:09 GMT

Hello ge-ko,

Have you been able to resolve this issue?

I am experiencing the same issue here.

I enabled Kerberos+Ldap authentication for solr.

Solr is using "policy file " to enforce sentry authentication.

everyone can query any collection though I only have enebaled query permission for one particular user only.

PS as for update or deleting collections everything works fine

Re: SOLR collection accessible for everyone, although Sentry-ACLs are configured

GeorgeG — Thu, 09 Nov 2017 22:54:20 GMT

I have resolved the issue for Solr.

1: I replaced solrconfig.xml with solrconfig.xml.secure

2: solrctl instancedir --update employee /home/Solr/employee/conf/

3: solrctl collection --reload employee

question Re: SOLR collection accessible for everyone, although Sentry-ACLs are configured in Archives of Support Questions (Read Only)

SOLR collection accessible for everyone, although Sentry-ACLs are configured

Re: SOLR collection accessible for everyone, although Sentry-ACLs are configured

Re: SOLR collection accessible for everyone, although Sentry-ACLs are configured