
SOLR collection accessible for everyone, although Sentry-ACLs are configured

I am working on providing privileges to access Solr collection via Sentry-ACL.

Environment is CDH5.9, Kerberos enabled, Sentry & Solr are up and running, Sentry roles have been configured and privileges are granted:
- 1 role for "Query"-ing the collection
- 1 role for "Update"-ing the collection
- 1 role for "All" privileges


If I now log in to Hue and click "Search" => "Indizes" => <collection-name> => "Search", then I can see all documents in the collection, _BUT_ this is the case for _ANY_ user. Even users who are not part of the (OS-)group that is assigned to a Sentry role can see all documents. This is something I didn't expect after having Sentry-ACLs in place...?!?!


I just created a user 'test' within Hue; this user doesn't even exist as an OS user, but he can see all documents from the SOLR collection. WHY?


If I log in as user 'test' into Hue and click on "Search" => "Indizes", the Solr log shows an (expected) error:

ERROR org.apache.solr.core.SolrCore: org.apache.solr.common.SolrException: org.apache.sentry.binding.solr.authz.SentrySolrAuthorizationException: User test does not have privileges for admin

but nevertheless, I can proceed clicking on the collection-name and then "Search" to see all the documents (which I didn't expect ;) ). The Solr-log just shows:


INFO org.apache.solr.core.SolrCore.Request: [...collection-name...] webapp=/solr path=/select params={hl.snippets=5&q=*:*&doAs=test&hl=true&fl=*&start=0&hl.fragsize=1000&hl.fl=*&rows=10&wt=json} hits=2 status=0 QTime=2


What am I missing here to _really_ protect the Solr collection from being accessed by everyone ?!?!


Thanks in advance...


PS: How could I access the Solr collection besides using Hue? Via the curl command line I am facing another issue (Kerberos enctype stuff, reported here).
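
A log-side check for the behaviour described in this question, added here as an example and not part of the original post: it parses Solr log lines in the two formats quoted above and lists successful requests whose doAs user is outside an expected set. The core name, the user alice and the authorized set are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines in the format of the two log entries quoted in the post.
SAMPLE_LOG = """\
ERROR org.apache.solr.core.SolrCore: org.apache.solr.common.SolrException: org.apache.sentry.binding.solr.authz.SentrySolrAuthorizationException: User test does not have privileges for admin
INFO org.apache.solr.core.SolrCore.Request: [collection1_shard1_replica1] webapp=/solr path=/select params={hl.snippets=5&q=*:*&doAs=test&hl=true&fl=*&start=0&rows=10&wt=json} hits=2 status=0 QTime=2
INFO org.apache.solr.core.SolrCore.Request: [collection1_shard1_replica1] webapp=/solr path=/select params={q=*:*&doAs=alice&rows=10&wt=json} hits=2 status=0 QTime=3
"""

REQUEST_RE = re.compile(
    r"SolrCore\.Request: \[(?P<core>[^\]]*)\] webapp=\S+ path=(?P<path>\S+) "
    r"params=\{(?P<params>.*)\} (?:hits=(?P<hits>\d+) )?status=(?P<status>\d+)"
)
DENIED_RE = re.compile(
    r"SentrySolrAuthorizationException: User (?P<user>\S+) "
    r"does not have privileges for (?P<target>\S+)"
)

def audit(log_text, authorized_users):
    """Return (denied, unexpected).

    denied:     (user, target) pairs that Sentry rejected.
    unexpected: successful requests (status=0) whose doAs user is not in
                authorized_users; user is None when no doAs parameter is present.
    """
    denied, unexpected = [], []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            denied.append((m["user"], m["target"]))
            continue
        m = REQUEST_RE.search(line)
        if not m or m["status"] != "0":
            continue
        params = parse_qs(m["params"], keep_blank_values=True)
        user = params.get("doAs", [None])[0]
        if user not in authorized_users:
            unexpected.append({"user": user, "core": m["core"],
                               "path": m["path"], "hits": int(m["hits"] or 0)})
    return denied, unexpected

if __name__ == "__main__":
    # Assumption: only 'alice' belongs to a group mapped to a Sentry role.
    denied, unexpected = audit(SAMPLE_LOG, authorized_users={"alice"})
    print("denied by Sentry:", denied)
    for hit in unexpected:
        print("served without an expected role:", hit)
```

A user that shows up in both lists, as 'test' does here, was rejected on one handler and served on another, which is the mismatch the question describes.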