Can't get authorization plugin to work with Solr JWTAuthPlugin - solr

I have secured Solr (8.7.0) using JWTAuthTPlugin so I can use AAD from auth. I want to whitelist healthcheck metrics. I get 401 on all whitelisted request. I can login on Solr Admin using AAD
here's my security.json
{
"authentication": {
"class": "solr.JWTAuthPlugin",
"blockUnknown": false,
"wellKnownUrl": "https://login.microsoftonline.com/myTenant/v2.0/.well-known/openid-configuration",
"clientId": "myClientId",
"adminUiScope": "openid api://myAPIid/solr"
},
"authorization":{
"class":"solr.RuleBasedAuthorizationPlugin",
"permissions":[ {
"collection": null,
"name": "healthcheckv2",
"path": "/api/node/health",
"role": null
}, {
"collection": null,
"name": "healthcheckv1",
"path": "/solr/admin/info/health",
"role": null
}, {
"collection": null,
"name": "infosystem",
"path": "/solr/admin/info/system",
"role": null
}, {
"collection": null,
"name": "metrics",
"path": "/admin/metrics",
"role": null
}, {
"name": "security-edit",
"role": "admin"
}, {
"name": "collection-admin-edit",
"role": "admin"
}, {
"name": "core-admin-edit",
"role": "admin"
}, {
"name": "all",
"role": "*"
}],
"user-role": {
"solr": "admin"
}
}
}
What I'm missing?
Thanks!

After debugging Solr, seems that a RuleContainer rewrote the path to health check :
2021-06-14 18:19:52.941 DEBUG (qtp1581267786-21) [ ] o.e.j.r.h.RuleContainer rewrote /api/node/health to /solr/____v2/node/health
so we need to adjust the permission accordingly:
{
"collection": null,
"name": "healthcheckv2Rewrite",
"path": "/____v2/node/health",
"role": null
}

Related

Invalid response from webhook: Failed to translate JSON to ExecuteHttpResponse

I have a webhook from my google assistant new actions builder platform. Webhook code is written in the dotnet vs2019. I have followed the webhook request and response format and sample jsons provided in the below links.
https://developers.google.com/assistant/conversational/reference/rest/v1/TopLevel/fulfill#User
https://developers.google.com/assistant/conversational/webhooks#request-json_1
But when I test assistant action, it is failing. Below is request and response json from logs in the google assistant test simulator.Error message just says"Invalid response from webhook: Failed to translate JSON to ExecuteHttpResponse." I don't know why it is not valid. Can someone help me resolving this.
{
"requestJson": {
"handler": {
"name": "agentcube"
},
"intent": {
"name": "",
"params": {
"phone": {
"original": "1234562869",
"resolved": 1234562869
}
},
"query": "1234562869"
},
"scene": {
"name": "Start",
"slotFillingStatus": "FINAL",
"slots": {
"Zip": {
"mode": "REQUIRED",
"status": "SLOT_UNSPECIFIED",
"updated": false,
"value": 37122
},
"Phone": {
"mode": "REQUIRED",
"status": "SLOT_UNSPECIFIED",
"updated": true,
"value": 1234562869
},
"FName": {
"mode": "REQUIRED",
"status": "SLOT_UNSPECIFIED",
"updated": false,
"value": "john doe"
}
},
"next": {
"name": "actions.scene.END_CONVERSATION"
}
},
"session": {
"id": "ABwppHFkFuGBF-UawPmIkxWpkfM1Hb5An7h8KnjR302zukmBoKA1NqDp7DfePGzYsyxT5oy--wg5Jkjj",
"params": {
"Phone": 1234562869,
"FName": "john doe",
"Zip": 37122
},
"typeOverrides": [],
"languageCode": ""
},
"user": {
"locale": "en-US",
"params": {},
"accountLinkingStatus": "NOT_LINKED",
"verificationStatus": "VERIFIED",
"packageEntitlements": [],
"gaiamint": "",
"permissions": [],
"lastSeenTime": "2021-01-28T19:21:28Z"
},
"home": {
"params": {}
},
"device": {
"capabilities": [
"SPEECH",
"RICH_RESPONSE",
"LONG_FORM_AUDIO"
]
}
}
}
Invalid response from webhook: Failed to translate JSON to ExecuteHttpResponse..
{
"responseJson": {
"Session": {
"Id": "ABwppHFkFuGBF-UawPmIkxWpkfM1Hb5An7h8KnjR302zukmBoKA1NqDp7DfePGzYsyxT5oy--wg5Jkjj",
"Params": {
"Phone": 1234562869,
"Zip": 37122,
"FName": "john doe"
}
},
"Prompt": {
"Override": false,
"FirstSimple": {
"Speech": "My webhook response",
"Text": "My response from webhook"
}
},
"Scene": {
"Name": "Start",
"SlotFillingStatus": "FINAL",
"Slots": {
"Phone": {
"Mode": "REQUIRED",
"Status": "SLOT_UNSPECIFIED",
"Updated": true,
"value": 1234562869
},
"FName": {
"Mode": "REQUIRED",
"Status": "SLOT_UNSPECIFIED",
"Updated": false,
"value": "john doe"
},
"Zip": {
"Mode": "REQUIRED",
"Status": "SLOT_UNSPECIFIED",
"Updated": false,
"value": 37122
}
},
"Next": {
"Name": "actions.scene.END_CONVERSATION"
}
}
}
}
Make sure the response that you code is returning is json by checking with a linter, which this seems to checks (i.e. everything inside the ResponseJson {}
Please see my response to a similar issue at https://stackoverflow.com/a/66512370/10537202 to use the webhook playground.

400 Bad Request on Alexa AddOrUpdateReport using JSON from documentation

My issue is basically described in title but I'll add a little bit more details here.
I'm trying to proactively send an update report to Alexa's Event Hub for Smart Home skills, however this fails with a 400 Bad Request error, and this is what the server responds:
{
"header": {
"namespace": "System",
"name": "Exception",
"messageId": "a154410c-2364-4c5b-9028-accde5048e1e"
},
"payload": {
"code": "INVALID_REQUEST_EXCEPTION",
"description": "Event or endpoint is missing in the request."
}
}
I decided then to check if my request was wrong by sending the one that can be found on their documentation, and I'm getting the very same error.
This is the JSON copied from Amazon's documentation (I just replaced device metadata and the token):
{
"event": {
"header": {
"namespace": "Alexa.Discovery",
"name": "AddOrUpdateReport",
"payloadVersion": "3",
"messageId": "5f8a426e-01e4-4cc9-8b79-65f8bd0fd8a4"
},
"payload": {
"endpoints": [
{
"endpointId": "<unique ID of the endpoint>",
"manufacturerName": "Sample Manufacturer",
"description": "Smart Light by Sample Manufacturer",
"friendlyName": "Kitchen Light",
"additionalAttributes": {
"manufacturer" : "Sample Manufacturer",
"model" : "Sample Model",
"serialNumber": "<the serial number of the device>",
"firmwareVersion" : "<the firmware version of the device>",
"softwareVersion": "<the software version of the device>",
"customIdentifier": "<your custom identifier for the device>"
},
"displayCategories": [
"LIGHT"
],
"capabilities": [
{
"type": "AlexaInterface",
"interface": "Alexa.PowerController",
"version": "3",
"properties": {
"supported": [
{
"name": "powerState"
}
],
"proactivelyReported": true,
"retrievable": true
}
},
{
"type": "AlexaInterface",
"interface": "Alexa.BrightnessController",
"version": "3",
"properties": {
"supported": [
{
"name": "brightness"
}
],
"proactivelyReported": true,
"retrievable": true
}
}
],
"connections": [
],
"cookie": {
}
}
],
"scope": {
"type": "BearerToken",
"token": "access-token-from-Amazon"
}
}
}
}
What I don't understand is why it reports that event or endpoints are missing if they're clearly there and if this JSON is the one that they provide in their documentation.
Does anyone have this issue too?
EDIT: pasting my payload as requested.
{
"event": {
"header": {
"namespace": "Alexa.Discovery",
"name": "AddOrUpdateReport",
"payloadVersion": "3",
"messageId": "132137185729061389"
},
"payload": {
"endpoints": [
{
"endpointId": "Rmxvb2RTZW5zb3JfMDE=",
"friendlyName": "Flood sensor",
"description": "Flood sensor",
"manufacturerName": "MyCompany",
"displayCategories": [
"ACTIVITY_TRIGGER"
],
"cookie": {
"DeviceType": "FloodSensor"
},
"capabilities": [{
"interface": "Alexa",
"type": "AlexaInterface",
"version": "3"
},
{
"interface": "Alexa.EndpointHealth",
"type": "AlexaInterface",
"version": "3",
"properties": {
"supported": [{
"name": "connectivity"
}],
"proactivelyReported": true,
"retrievable": true
}
}
]
}
],
"scope": {
"type": "BearerToken",
"token": "<redacted>"
}
}
}
}

Allow SOLR core only for a single user

I can't find any information on how to allow access to specific SOLR core just for a single user. I am using SOLR7. This is what I've got:
security.json
{
"authentication": {
"blockUnknown": true,
"class": "solr.BasicAuthPlugin",
"credentials": {
"test_admin": "xxx",
"infographics": "xxx",
"test_user": "xxx"
},
"": {
"v": 0
}
},
"authorization": {
"class": "solr.RuleBasedAuthorizationPlugin",
"permissions": [
{
"name": "all",
"role": "admin",
"index": 1
},
{
"name": "update",
"role": "general",
"index": 2
},
{
"name": "read",
"role": [
"general",
"infographics",
"test_user"
],
"index": 3
},
{
"name": "collection-admin-read",
"role": "general",
"index": 4
},
{
"name": "core-admin-read",
"role": "general",
"index": 5
},
{
"name": "core-specific-permission",
"collection": "test-core",
"role": "test_user",
"before": 3,
"index": 6
}
],
"user-role": {
"test_admin": [
"admin",
"general"
],
"infographics": "infographics",
"test_user": "test_user"
},
"": {
"v": 0
}
}
}
I've added a permission for collection "test-core":
{
"name": "core-specific-permission",
"collection": "test-core",
"role": "test_user",
"before": 3,
"index": 6
}
I authenticate with test_user when calling: /solr/test-core/select?q=*:*, this works fine, but it also can access other cores, for e.g.: /solr/other-core/select?q=*:*.
If I remove test_user from read permission:
{
"name": "read",
"role": [
"general",
"infographics"
],
"index": 3
},
then I am not able to query any core. Getting 403. For test_user I'd like to allow access to only this core /solr/test-core/select?q=*:* and nothing else. Any idea how can I achieve this?

Returning 404 error when asking for userboostrap in microservices

I'm trying to develop microservices on cumulocity.
I'm following this https://cumulocity.com/guides/microservice-sdk/java/.
I'm able to create the application having this response
"availability": "MARKET",
"id": "23",
"key": "TESTMICRO-microservice-key",
"manifest": {
"imports": [],
"noAppSwitcher": true
},
"name": "TESTMICRO",
"owner": {
"self": "my_tenant/tenant/tenants/management",
"tenant": {
"id": "management"
}
},
"requiredRoles": [
"ROLE_INVENTORY_READ"
],
"roles": [
"ROLE_CUSTOM_MICROSERVICE"
],
"self": "my_tenant/application/applications/23",
"type": "MICROSERVICE"
}
Nevertheless when I try the GET URL/application/applications/23/bootstrapUser it returns me 404 Error.
Anyone that can help me?
You probably need to subscribe the application to the tenant:
POST {{url}}/tenant/tenants/{{tenant}}/applications
Body
{
"application": {
"id": "{APPLICATION_ID}"
}
}

Alexa returns correct intent, but null slot value

I've got a peculiar problem with my new Alexa skill. The skill takes in a user input flavor, either "bitter", "spicy", "sweet", "dry", or "sour" as defined in the custom slots. For whatever reason, when I test with "sweet" and "spicy", the response comes without a value attribute for the slot. For example, querying the skill using the keyword "bitter" returns:
{
"session": {
"sessionId": "[masked]",
"application": {
"applicationId": "[masked]"
},
"attributes": {},
"user": {
"userId": "[masked]"
},
"new": true
},
"request": {
"type": "IntentRequest",
"requestId": "[masked]",
"locale": "en-US",
"timestamp": "2016-11-07T03:48:53Z",
"intent": {
"name": "GetBerriesByFlavorIntent",
"slots": {
"flavor": {
"name": "flavor",
"value": "bitter"
}
}
}
},
"version": "1.0"
}
Notice the flavor slot has an attribute "value", which is "bitter". Now, when I call with "sweet" or "spicy", I get:
{
"session": {
"sessionId": "[masked]",
"application": {
"applicationId": "[masked]"
},
"attributes": {},
"user": {
"userId": "[masked]"
},
"new": true
},
"request": {
"type": "IntentRequest",
"requestId": "[masked]",
"locale": "en-US",
"timestamp": "2016-11-07T03:50:54Z",
"intent": {
"name": "GetBerriesByFlavorIntent",
"slots": {
"flavor": {
"name": "flavor"
}
}
}
},
"version": "1.0"
}
Any ideas what could be causing this to happen? I can verify that "dry" and "sour" also work, so it's really curious that these two particular keywords are having so much trouble. I can also verify that Alexa is understanding the words correctly, as I am testing on the Alexa console and hard-coding the input values that are the same as the custom slot values.
Full code

Resources