Posted to issues@solr.apache.org by GitBox <gi...@apache.org> on 2021/07/26 17:33:28 UTC

[GitHub] [solr-operator] thelabdude opened a new pull request #299: Fix initial security.json rbap rules

thelabdude opened a new pull request #299:
URL: https://github.com/apache/solr-operator/pull/299


   Very minor change to remove the `users` role from the `all` permission, move the `all` permission to the last index in the json file, and add a new rule for the `/admin/zookeeper/status` path needed for updates to the exporter in 8.9 (see #289)
   
   Manual integration-style testing required:
   Created a SolrCloud running Apache Solr 8.9.0, created a collection, and then tried to index some docs as the `solr` user, which now fails with a 403 ~ Unauthorized. Indexing as the `admin` user works. The `solr` user can log in to the Admin UI but can only query collections.
   
   Also verified the Prometheus exporter (also running 8.9) can now retrieve metrics when basic auth is enabled.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org
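As an added illustration of why the rule order in this PR matters (example code, not solr-operator or Solr code): a simplified model of Solr's rule-based authorization, in which the first permission whose scope matches the request decides the required roles, run over a constructed "before" and "after" security.json. The predefined-permission paths, the user/role mapping, and the roles on the `/admin/zookeeper/status` rule are assumptions for the example.

```python
# Simplified model of Solr's RuleBasedAuthorizationPlugin (added example, not
# solr-operator code): permissions are checked in list order and the FIRST one
# whose scope matches the request decides the required roles, so a broad `all`
# permission placed first shadows every rule listed after it.

# Subset of Solr's predefined permissions, modelled as handler paths (assumed).
PREDEFINED = {
    "read": {"/select", "/get", "/query"},
    "update": {"/update"},
}

def matches(perm, path):
    """Does this permission entry apply to a request for handler `path`?"""
    if "path" in perm:                      # custom rule keyed on a path
        return path == perm["path"]
    name = perm["name"]
    return name == "all" or path in PREDEFINED[name]

def authorize(security_json, user, path):
    """Return True if `user` may hit `path` under this security.json."""
    authz = security_json["authorization"]
    roles = authz["user-role"].get(user, [])
    user_roles = {roles} if isinstance(roles, str) else set(roles)
    for perm in authz["permissions"]:
        if matches(perm, path):
            required = perm.get("role")
            if required is None:            # rule with no role: open to all
                return True
            required = {required} if isinstance(required, str) else set(required)
            return bool(user_roles & required)
    return True                              # no rule matched: Solr permits it

USER_ROLE = {"admin": ["admin"], "solr": ["users"]}  # constructed users

# Constructed "before": `all` listed first and granted to `users` as well.
BEFORE = {"authorization": {"user-role": USER_ROLE, "permissions": [
    {"name": "all", "role": ["admin", "users"]},
    {"name": "read", "role": ["admin", "users"]},
    {"name": "update", "role": ["admin"]},
]}}

# Constructed "after": `users` dropped from `all`, `all` moved last, and a
# path rule for the exporter's ZooKeeper status call (its roles are assumed).
AFTER = {"authorization": {"user-role": USER_ROLE, "permissions": [
    {"name": "read", "role": ["admin", "users"]},
    {"name": "update", "role": ["admin"]},
    {"path": "/admin/zookeeper/status", "role": ["admin", "users"]},
    {"name": "all", "role": ["admin"]},
]}}
```

With the "before" layout the `solr` user can reach `/update` because `all` matches first; with the "after" layout it can only query, which is the 403 the PR description reports.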


[GitHub] [solr-operator] HoustonPutman commented on pull request #299: Fix initial security.json rbap rules

Posted by GitBox <gi...@apache.org>.
HoustonPutman commented on pull request #299:
URL: https://github.com/apache/solr-operator/pull/299#issuecomment-887571496


   Also an addition in the changelog of the Solr Operator helm chart would be nice! You can follow the templates of the other entries. Possible change _kind_ values are found [here](https://artifacthub.io/docs/topics/annotations/helm/#supported-annotations), `fixed` or `security` probably work best. Also if you think it's a serious security concern being addressed, you could always change `artifacthub.io/containsSecurityUpdates` to true.




[GitHub] [solr-operator] thelabdude commented on pull request #299: Fix initial security.json rbap rules

Posted by GitBox <gi...@apache.org>.
thelabdude commented on pull request #299:
URL: https://github.com/apache/solr-operator/pull/299#issuecomment-887679265


   > Also an addition in the changelog of the Solr Operator helm chart would be nice! You can follow the templates of the other entries. Possible change _kind_ values are found [here](https://artifacthub.io/docs/topics/annotations/helm/#supported-annotations), `fixed` or `security` probably work best. Also if you think it's a serious security concern being addressed, you could always change `artifacthub.io/containsSecurityUpdates` to true.
   
   I don't think it's a serious security issue (willing to be convinced though) ... mainly the `solr` user ended up getting more access than I intended but users still have to give out the `solr` user's credentials, which presumes they've reviewed that account's access privileges before handing it out willy-nilly ;-)




[GitHub] [solr-operator] HoustonPutman commented on pull request #299: Fix initial security.json rbap rules

Posted by GitBox <gi...@apache.org>.
HoustonPutman commented on pull request #299:
URL: https://github.com/apache/solr-operator/pull/299#issuecomment-887564369


   +1 to the change, but we need to update the documentation to use the new rules and also explain that the default `solr` user will not be able to add/update/delete docs.




[GitHub] [solr-operator] thelabdude merged pull request #299: Fix initial security.json rbap rules

Posted by GitBox <gi...@apache.org>.
thelabdude merged pull request #299:
URL: https://github.com/apache/solr-operator/pull/299


   

