I tried to combine a predefined permission with a custom permission in Solr's security.json. That does not seem to work with Solr 7.1.0.
security.json:
{
"authentication":{
"blockUnknown": true,
"class":"solr.BasicAuthPlugin",
"credentials":{"user1":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=",
"user2":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
},
"authorization":{
"class":"solr.RuleBasedAuthorizationPlugin",
"user-role":{"user1":"admin","user2":"user"}
"permissions":[{"name":"shard-management","role":"*","path":"/admin/collections","params":{"action":["CREATESHARD", "DELETESHARD"]}},
{"name":"collection-admin-edit","role":"admin"}],
}}
This configuration tries to assign collection-admin-edit permission to user1 and give access to CREATESHARD and DELETESHARD to user2. (Password is "SolrRocks" for both users, btw)
Effectively, user2 cannot call DELETESHARD:
o.a.s.s.RuleBasedAuthorizationPlugin This resource is configured to have a permission {
"name":"collection-admin-edit",
"role":"admin"}, The principal [principal: user2] does not have the right role
o.a.s.s.HttpSolrCall USER_REQUIRED auth header Basic dXNlcjI6U29sclJvY2tz context : userPrincipal: [[principal: user2]] type: [ADMIN], collections: [TeamSlide, TeamSlide,], Path: [/admin/collections] path : /admin/collections params :indent=true&action=DELETESHARD&shard=TestShard&collection=TestColl&wt=json
Same result when changing the order of permissions. Any way to solve this?
Related
I have created an app using Jhipster and after running backend with './mvnw' and frontend as 'npm start'.
And then I go to the login page
My authorities array is empty for the admin.
And due to that, it has no authority to see anything else and that's why I am getting an error as follows.
"You are not authorized to access this page."
My response.
activated: true
authorities: []
createdBy: "system"
createdDate: null
email: "admin#localhost"
firstName: "Administrator"
id: 3
imageUrl: ""
langKey: "en"
lastModifiedBy: "system"
lastModifiedDate: null
lastName: "Administrator"
login: "admin"
Any help will be appreciated
It should the settings and active sessions page.
security.yml:
role_hierarchy:
admin: [test, simple]
providers:
database:
entity: { class: UserBundle:User, property: username }
firewalls:
dev:
pattern: ^/(_(profiler|wdt|error)|css|images|js)/
security: false
prod:
pattern: ^/
provider: database
anonymous: true
form_login:
login_path: public_login
check_path: public_login_check
default_target_path: dashboard
always_use_default_target_path: true
csrf_provider: form.csrf_provider
logout:
path: logout
target: public_login
access_control:
- { path: ^/(.+), roles: admin }
- { path: ^/$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
When i login, I get 403 forbidden exception. Then i check profiler/security, and roles looks like that:
Roles [ROLE_USER, admin]
When i switch access control to:
- { path: ^/(.+), roles: ROLE_USER }
It works fine.
Why the hell my access control doesn't allow me to access pages with "admin" role, but does with "ROLE_USER" ?
My goal is to drop built-in roles (like ROLE_USER, ROLE_ADMIN etc), because I'm writing application for existing database, which contains already defined roles for users, so i want to use them.
I have confirmed that 'ROLE_' prefix is required - its because symfony by default use its own RoleVoter implementation.
To get rid of this prefix, custom RoleVoter is needed. To do that you need to create custom class implementing RoleVoterInterface, make it service and tag it with 'security.voter', to enforce security layer to use it instead of default one.
Read more about implementing own RoleVoters on this example.
You are not using the right syntax for roles in the Security configuration
you should change
- { path: ^/(.+), roles: admin }
To:
- { path: ^/(.+), roles: ROLE_ADMIN }
I have a "little" problem with the Symfony2 security system. This is what I need to achieve:
/ needs a HTTP auth BEFORE any page can be seen. I want to protect the whole page with a constant user / pass pair. After the user has entered the right pair, he should be a guest (and not ROLE_USER) und be able to login via the FOSUserBundle form
/api needs a separate login via HTTP auth, independent from FOSUserBundle and the other HTTP auth
I already managed to provide a separate login for the API. This is my complete security.yml:
security:
encoders:
FOS\UserBundle\Model\UserInterface: sha512
Symfony\Component\Security\Core\User\User: plaintext
role_hierarchy:
ROLE_ADMIN: ROLE_USER
ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
providers:
in_memory_http:
memory:
users:
User1: { password: PW1, roles: ROLE_HTTP }
in_memory_api:
memory:
users:
User2: { password: PW2, roles: ROLE_API }
fos_userbundle:
id: fos_user.user_provider.username_email
firewalls:
api:
pattern: ^/api
http_basic:
provider: in_memory_api
realm: "API login"
http:
pattern: ^/
provider: in_memory_http
http_basic:
realm: "Hello"
context: primary_auth
main:
pattern: ^/
form_login:
provider: fos_userbundle
login_path: fos_user_security_login
csrf_provider: form.csrf_provider
check_path: fos_user_security_check
logout:
path: fos_user_security_logout
target: home
anonymous: true
context: primary_auth
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
login:
security: false
secured_area:
anonymous: ~
access_control:
- { path: ^/api, roles: ROLE_API }
- { path: ^/user/login.html, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/user/logout.html, roles: IS_AUTHENTICATED_REMEMBERED }
This works nearly as expected, but unfortunately not completely...
The /api part works like I wanted it to work. Nothing to do here, I hope.
But when I navigate to /, enter User1/PW1 and send the credentials, I get access to the page, just like expected. The only problem is that the User1 gets logged in! But I want User1 not to be handled like a normal user. He should just be required to access the normal login form and the rest of / except of /api. I can't even log out this user. If I navigate to /user/login.html while User1 is logged in (due to the required http auth) and enter valid user data of a real fosuserbundle user, I get: "You must configure the check path to be handled by the firewall using form_login in your security firewall configuration."
If I want to log out, I get: "You must activate the logout in your security firewall configuration."
What I want is kind of a two step authentication.
First HTTP Auth, then the FOSUserBundle form.
Can somebody help me? :) The documentation is not very good at this point...
So.....
After several hours of pure pain I gave up on trying it with the Symfony2 Security Component. I also did not manage to realize what I want with Apache (Tried SetEnvIf and FilesMatch).
So I wrote a request listener that does what I want. If anybody has the same problem, here is my solution!
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\HttpFoundation\Response;
class RequestListener
{
/**
* Returns true iff the specified $password belongs to the $user and the $user has access to the specified $area
*/
private function hasAccess($user, $password, $area) {
$users = array("User1" => array("password" => "PW1",
"areas" => array("portal")),
"User2" => array("password" => "PW2",
"areas" => array("API", "portal"))
);
return $user
&& array_key_exists($user, $users)
&& $users[$user]["password"] == $password
&& in_array($area, $users[$user]["areas"]);
}
/**
* Extracts the area out of the $path
*/
public function getArea($path) {
if (substr($path, 0, 4) == "/api") {
return "API";
} else {
return "portal";
}
}
/**
* Service handler
*/
public function onKernelRequest(GetResponseEvent $event) {
$request = $event->getRequest();
# $path cointains the path to the virtual resource the user requested!
# If the user calls app_dev.php/api/users, then $path is "/api/users"
# If the user calls app.php/api/users, then $path is "/api/users"
# If the user calls /api/users, then $path is "/api/users"
# If the user calls /app_dev.php, then $path is "/"
# If the user calls /, then $path is "/"
# and so on
#
# ==> $path abstracts the front controller away
$path = $request->getPathInfo();
$area = $this->getArea($path);
# $user, $password are null if no AUTH data is sent
$user = $request->server->get("PHP_AUTH_USER");
$password = $request->server->get("PHP_AUTH_PW");
# If the user has no access, he must log in as another user
if (!$this->hasAccess($user, $password, $area)) {
# In case the response already exists (in most cases not) we use it and modify it
$response = $event->hasResponse() ? $event->getResponse() : new Response();
$response->setStatusCode(Response::HTTP_UNAUTHORIZED); # Code 401
$response->headers->set("WWW-Authenticate", "Basic realm=\"".$area."\"");
$response->setContent("Please provide valid data");
$response->send();
die(); # To make sure the page is not shown!
}
}
}
Now everything seems to work...
I request a permission by this code:
chrome.permissions.request({permissions:["<all_urls>"]},function(granted){
if(granted) {
;;
}
});
But I'm getting this error:
Unchecked runtime.lastError while running permissions.request: '<all_urls>' is not a recognized permission.
Is this a bug?
<all_urls> is an origin permission. You have to request the optional permission using "origins" instead of "permissions":
chrome.permissions.request({origins: ["<all_urls>"] }, function(granted) {
// ...
});
I start a new mongo instance, create a user, authorize it, but when I run "show collections", the system says that the id is not authorized. I do not know why?
# mongo admin
MongoDB shell version: 2.4.3
connecting to: admin
Server has startup warnings:
Thu May 23 18:23:56.735 [initandlisten]
Thu May 23 18:23:56.735 [initandlisten] ** NOTE: This is a 32 bit MongoDB binary.
Thu May 23 18:23:56.735 [initandlisten] ** 32 bit builds are limited to less than 2GB of data (or less with --journal).
Thu May 23 18:23:56.735 [initandlisten] ** See http://dochub.mongodb.org/core/32bit
Thu May 23 18:23:56.735 [initandlisten]
> db = db.getSiblingDB("admin")
admin
> db.addUser({user:"sa",pwd:"sa",roles:["userAdminAnyDatabase"]})
{
"user" : "sa",
"pwd" : "75692b1d11c072c6c79332e248c4f699",
"roles" : [
"userAdminAnyDatabase"
],
"_id" : ObjectId("519deedff788eb914bc429b5")
}
> show collections\
Thu May 23 18:26:50.103 JavaScript execution failed: SyntaxError: Unexpected token ILLEGAL
> show collections
Thu May 23 18:26:52.418 JavaScript execution failed: error: {
"$err" : "not authorized for query on admin.system.namespaces",
"code" : 16550
} at src/mongo/shell/query.js:L128
> db.auth("sa","sa")
1
> show collections
Thu May 23 18:27:22.307 JavaScript execution failed: error: {
"$err" : "not authorized for query on admin.system.namespaces",
"code" : 16550
} at src/mongo/shell/query.js:L128
I had the same problem, but I found this tutorial and it helped me.
http://www.hacksparrow.com/mongodb-add-users-and-authenticate.html
use:
db.addUser('sa', 'sa')
instead of
db.addUser({user:"sa",pwd:"sa",roles:["userAdminAnyDatabase"]})
{
"user" : "sa",
"pwd" : "75692b1d11c072c6c79332e248c4f699",
"roles" : [
"userAdminAnyDatabase"
],
"_id" : ObjectId("519deedff788eb914bc429b5")
}
As Robert says, admin users has only rights to admin, not to write in databases.
So you have to create a custom user for your database. There's different ways. I have choose the dbOwner way.
(I use Ubuntu Server, mongo 2.6.3 and Robomongo)
So to do this, fisrt create your admin user like mongo says :
type mongo in your linux shell
and these command in the mongo shell :
use admin
db.createUser({user:"mongoadmin",pwd:"chooseyouradminpassword",roles:[{role:"userAdminAnyDatabase",db:"admin"}]})
db.auth("mongoadmin","chooseyouradminpassword")
exit
edit the mongo conf file with :
nano /etc/mongod.conf
You can use vi if nano is not installed.
activate authentication by uncommented/adding these line auth=true
if you want to use Robomongo from other machine change the line bind_ip=127.0.0.1 by bind_ip=0.0.0.0 (maybe you should add more protection in production).
type in linux shell :
service mongod restart
mongo
And in mongo shell :
use admin
db.auth("mongoadmin","pwd:"chooseyouradminpassword")
use doomnewdatabase
db.createUser({user:"doom",pwd:"chooseyourdoompassword",customData:{desc:"Just me as I am"},roles : [{role:"dbOwner",db:"doomnewdatabase"}]})
db.auth("doom","chooseyourdoompassword")
show collections
(customData is not required).
If you want to try if it works, type this in the mongo shell :
db.products.insert( { item: "card", qty: 15 } )
show collections
db.products.find()
Good luck ! Hope it will help you and others !
I have search this informations for hours.
I had the same problem and this is how I solved it:
db = db.getSiblingDB('admin')
db.addUser(
{ user: "mongoadmin",
pwd: "adminpass",
roles: ['clusterAdmin', 'userAdminAnyDatabase', 'readAnyDatabase'] } )
For MongoDB version 2.6 use:
db.createUser(
{
user: "testUser"
pwd: "password",
roles: [{role: "readWrite", db:"yourdatabase"}]
})
See the docs
I solved it like so
for mongoDB 2.6 + currently 3
db.createUser(
{
user: "username",
pwd: "password",
roles: [ { role: "root", db: "admin" } ]
}
)
note that for the role filed instead of userAdminAnyDatabase we use root
I would try granting the read role to the user. userAdminAnyDatabase grants the ability to administer users.