SOLR collection accessible for everyone, although Sentry-ACLs are configured


Hello,

I am working on providing privileges to access Solr collection via Sentry-ACL.

Environment is CDH5.9, Kerberos enabled, Sentry & Solr are up and running, Sentry roles have been configured and privileges are granted:
1 role for "Query"-ing the collection
1 role for "Update"-ing the collection
1 role for "All" privileges

If I now log in to Hue, and click "Search" => "Indizes" => <collection-name> => "Search", then I can see all documents in the collection, _BUT_ this is the case for _ANY_ user. Even users who are not part of the (OS-)group that is assigned to a Sentry role can see all documents. This is something I didn't expect after having Sentry-ACLs in place...?!?!

I just created a user 'test' within Hue; this user doesn't even exist as an OS user, but he can see all documents from the SOLR collection. WHY?

If I log in as user 'test' into Hue and click on "Search" => "Indizes", the Solr log shows an (expected) error:

ERROR org.apache.solr.core.SolrCore: org.apache.solr.common.SolrException: org.apache.sentry.binding.solr.authz.SentrySolrAuthorizationException: User test does not have privileges for admin

but nevertheless, I can proceed by clicking on the collection name and then "Search" to see all the documents (which I didn't expect 😉). The Solr log just shows:

INFO org.apache.solr.core.SolrCore.Request: [...collection-name...] webapp=/solr path=/select params={hl.snippets=5&q=*:*&doAs=test&hl=true&fl=*&start=0&hl.fragsize=1000&hl.fl=*&rows=10&wt=json} hits=2 status=0 QTime=2

What am I missing here to _really_ protect the Solr collection from being accessed by everyone?!?!

The same behaviour can be reproduced by executing curl command-line calls as a user who has a valid Kerberos ticket, but is _NOT_ part of any group which is part of a Sentry policy. All those users can select the collection, which shouldn't be the case.

Thanks in advance...
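Added example (not from the post and not Cloudera code): a small Python check that reads Solr request-log lines in the format quoted in the post, takes the `doAs` parameter as the end user Hue impersonates, and reports `/select` requests that Solr actually answered (`status=0`) on behalf of a user who is outside the set of users the Sentry-role groups are supposed to contain. The authorized-user set and the extra log lines are constructed for the example; in practice the set would be derived from the Sentry policy file or service plus the OS/LDAP group mapping. This is a way to verify from the server side whether an ACL is really enforced, independent of what the Hue UI shows.

```python
import re
from urllib.parse import parse_qs

# Matches the Solr request-log format shown in the post:
#   ... path=/select params={...} hits=N status=S QTime=T
REQ_RE = re.compile(
    r"path=(?P<path>\S+)\s+params=\{(?P<params>[^}]*)\}"
    r"\s+hits=(?P<hits>\d+)\s+status=(?P<status>\d+)"
)

# Constructed (assumption): users who belong to an OS group mapped to a
# Sentry role for this collection. A real check would build this set from
# the Sentry policy and the group lookup rather than hard-coding it.
AUTHORIZED_USERS = {"alice", "solradmin"}

# Constructed sample log: the first line is the one quoted in the post, the
# others are made up to show an authorized user, an unauthorized user with
# zero hits, and an ERROR line that is not a request record at all.
SAMPLE_LOG_LINES = [
    "INFO org.apache.solr.core.SolrCore.Request: [...collection-name...] webapp=/solr path=/select "
    "params={hl.snippets=5&q=*:*&doAs=test&hl=true&fl=*&start=0&hl.fragsize=1000&hl.fl=*&rows=10&wt=json} "
    "hits=2 status=0 QTime=2",
    "INFO org.apache.solr.core.SolrCore.Request: [...collection-name...] webapp=/solr path=/select "
    "params={q=*:*&doAs=alice&rows=10&wt=json} hits=2 status=0 QTime=1",
    "INFO org.apache.solr.core.SolrCore.Request: [...collection-name...] webapp=/solr path=/select "
    "params={q=id:nothing&doAs=bob&rows=10&wt=json} hits=0 status=0 QTime=1",
    "ERROR org.apache.solr.core.SolrCore: org.apache.solr.common.SolrException: "
    "org.apache.sentry.binding.solr.authz.SentrySolrAuthorizationException: "
    "User test does not have privileges for admin",
]


def parse_request(line):
    """Return {'path', 'user', 'hits', 'status'} for a request-log line, or None."""
    m = REQ_RE.search(line)
    if m is None:
        return None  # not a request record (e.g. an ERROR line)
    params = parse_qs(m.group("params"), keep_blank_values=True)
    # Hue calls Solr with its own service principal and names the end user
    # in doAs; that is the identity Sentry is expected to authorize. A
    # request without doAs yields None and is treated as unattributed.
    user = params.get("doAs", [None])[0]
    return {
        "path": m.group("path"),
        "user": user,
        "hits": int(m.group("hits")),
        "status": int(m.group("status")),
    }


def find_unauthorized(lines, authorized_users):
    """Requests that Solr served (status=0) for a user outside authorized_users.

    Zero-hit responses are reported too: the point is that the request was
    authorized by Solr at all, not how many documents came back.
    """
    findings = []
    for line in lines:
        req = parse_request(line)
        if req is None or req["status"] != 0:
            continue
        if req["user"] not in authorized_users:
            findings.append(req)
    return findings


if __name__ == "__main__":
    for f in find_unauthorized(SAMPLE_LOG_LINES, AUTHORIZED_USERS):
        print(f"served {f['path']} for unauthorized user {f['user']!r} ({f['hits']} hits)")
```

Run against a real `solr.log` by replacing `SAMPLE_LOG_LINES` with the file's lines; any finding means a query was answered for a user that the Sentry configuration was not meant to allow, which is exactly the condition described in the post.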
