Roles

Roles are named sets of Permissions which are used to restrict user access to a subset of Fusion’s functionality.

Fusion permissions specify allowed access to the Fusion REST-API endpoints. The permissions syntax is additive and positive: each entry grants access and none takes it away. The wildcard symbol "*" makes it easy to grant wide access to Fusion services. Restricting access to a subset of Fusion’s functionality requires a list of narrowly defined permissions. Roles encapsulate the permission levels required for different kinds of users.

Default roles

At initial startup, Fusion creates a set of default roles for common types of users.

admin

The admin role is the equivalent of the Unix root or superuser. It allows full access to all Fusion services:

GET,POST,PUT,DELETE,PATCH,HEAD:/**

developer

The developer role has all the read/write permissions required for search.

GET,POST,PUT,DELETE,HEAD:/aggregator/**
GET,POST,PUT:/usage/**
GET,POST,PUT,DELETE,HEAD:/scheduler/**
GET,POST,PUT,DELETE,HEAD:/searchCluster/**
GET,POST:/dynamicSchema/**
GET,POST,PUT,DELETE,HEAD:/solrAdmin/**
GET,POST,PUT,DELETE,HEAD,OPTIONS:/collections/**
GET,POST,PUT,DELETE,HEAD:/query-pipelines/**
GET,POST,PUT,DELETE,HEAD:/stopwords/**
GET,POST,PUT:/objects/**
GET,POST,PUT:/templates/**
GET,POST,PUT:/recommend/**
GET,POST,PUT:/signals/**
GET:/introspect/**
GET,POST,PUT,DELETE,HEAD:/spark/**
GET,POST,PUT,DELETE,HEAD:/blobs/**
GET,POST,PUT,DELETE,HEAD:/history/**
GET,POST,PUT,DELETE,HEAD:/experiments
GET,POST,PUT,DELETE,HEAD:/index-pipelines/**
GET:/features/**
GET,POST,PUT,DELETE,HEAD:/index-stages/**
GET,POST,PUT:/system/**
GET,POST,PUT:/synonyms/**
GET:/nodes/**
GET,POST,PUT:/registration/**
GET,POST,PUT,DELETE,HEAD:/connectors/**
GET,POST,PUT,DELETE,HEAD:/messaging/**
GET,POST,PUT:/configurations/**
GET,POST,PUT,DELETE,HEAD:/solr/**
GET,POST,PUT:/searchLogs/**
GET,POST,PUT,DELETE,HEAD:/query-stages/**
GET,POST,PUT,DELETE,HEAD:/catalog
GET,POST,PUT,DELETE,HEAD:/parsers/**
PUT:/usage/**
GET,POST,PUT,DELETE,HEAD:/prefs/apps/search/*
GET:/suggestions/**
PATCH:/users/{id}

search

The search role has the read-only search permissions required for Lucidworks View.

GET:/query-pipelines/default/collections/default/select
GET:/collections/default/query-profiles/default/select
POST:/signals/default
PATCH:/users/{id}

Role Information

Fusion stores Role information in Apache ZooKeeper. Each Role entry in ZooKeeper contains the following:

  • id: id string, created by Fusion.

  • name: role name string.

  • desc: text description, optional.

  • permissions: a list of Fusion permission specifications.

  • ui-permissions: a list of names of Fusion UI components.

  • created-at: timestamp, created by Fusion.

  • updated-at: timestamp for last edit, created by Fusion.

The following JSON shows the ZooKeeper record for the default role "search":

{
  "name":"search",
  "desc":"Provides read-only/required permissions for the Fusion Search UI.",
  "permissions":[
    {"path":"/query-pipelines/*/collections/*/select","methods":["GET"]},
    {"path":"/query-pipelines","methods":["GET"]},
    {"path":"/solr/*/schema","methods":["GET"]},
    {"path":"/prefs/apps/search/*","methods":["GET"]},
    {"path":"/collections/**","methods":["GET"]},
    {"path":"/solr/*/admin/luke","methods":["GET"]}
  ],
  "ui-permissions":[
    "search",
    "collections"
  ],
  "created-at":"2016-03-09T20:01:48Z",
  "id":"3416c03a-31df-4103-b446-358f6790af3e"
}

Managing Roles

Only Fusion users with admin privileges can manage roles.

Restricting access to a subset of Fusion’s functionality will require several narrowly defined permissions. Path variables can be used to designate specific collections. As an example, it’s possible to define a role which allows read-only access to Fusion dashboards for a specific collection:

  • GET:/solr/{id}/*:id=test - read-only access to collection named "test"

  • GET:/solr/{id}/admin/luke:id=test - also read-only access

  • GET:/solr/system_banana/* - read-only access to dashboards

  • GET:/collections/system_banana - read-only access to collection where dashboard definitions are stored
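
A role like this can be checked offline before it is assigned, to confirm that it grants what is intended and nothing more. The following Python is an added example, not Lucidworks code. Its matching semantics ("*" matches one path segment, "**" matches all remaining segments) and the function names parse_permission, path_matches and is_allowed are assumptions made for illustration.

```python
# Added example: evaluates permission strings in the syntax shown on this page.
# Assumed semantics (not stated on the page): "*" matches exactly one path
# segment, "**" matches all remaining segments, and "{var}" matches one segment
# that must equal the value given after the trailing ":var=value".

def parse_permission(spec):
    """Split 'GET,POST:/path/{var}/*:var=value' into (methods, path, params)."""
    methods, rest = spec.split(":", 1)
    path, _, param = rest.partition(":")
    params = dict([param.split("=", 1)]) if param else {}
    return {m.strip().upper() for m in methods.split(",")}, path.strip(), params


def path_matches(pattern, params, path):
    """Compare a request path with a permission path, segment by segment."""
    pat = pattern.strip("/").split("/")
    seg = path.strip("/").split("/")
    for i, p in enumerate(pat):
        if p == "**":
            return True                      # everything below this point
        if i >= len(seg):
            return False                     # request path is too short
        if p == "*":
            continue                         # any single segment
        if p.startswith("{") and p.endswith("}"):
            want = params.get(p[1:-1])       # constrained path variable
            if want is not None and seg[i] != want:
                return False
        elif p != seg[i]:
            return False                     # literal segment mismatch
    return len(seg) == len(pat)              # no unmatched trailing segments


def is_allowed(role, method, path):
    """Additive, positive model: deny unless some permission grants the request."""
    for spec in role:
        methods, pattern, params = parse_permission(spec)
        if method.upper() in methods and path_matches(pattern, params, path):
            return True
    return False


# The read-only dashboard role from the list above, and the default admin role.
DASHBOARD_READER = [
    "GET:/solr/{id}/*:id=test",
    "GET:/solr/{id}/admin/luke:id=test",
    "GET:/solr/system_banana/*",
    "GET:/collections/system_banana",
]
ADMIN = ["GET,POST,PUT,DELETE,PATCH,HEAD:/**"]
```

Under these assumptions the first permission alone does not reach /solr/test/admin/luke, because "*" stops at one segment, which is why the role lists that path separately.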

Managing Roles in the Fusion-UI

Roles are managed in the "ROLES" panel of the Fusion UI "Access" component.

To create a new role from the Fusion Admin UI, first choose a unique role name, then edit the set of permissions. Access permissions are specified one per line in an input box. A separate list of checkboxes controls access to the Fusion UI components. If the role requires access to the Fusion UI, both the UI permissions and the REST-API permissions must be specified.

Managing Roles via HTTP Requests to the Roles API

See the Roles API page.