You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@lucene.apache.org by no...@apache.org on 2021/03/11 05:28:54 UTC
[lucene-solr] branch branch_8x updated: SOLR-15245: Document
zk-read permission and use zk-read permission for content
This is an automated email from the ASF dual-hosted git repository.
noble pushed a commit to branch branch_8x
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git
The following commit(s) were added to refs/heads/branch_8x by this push:
new afce3b0 SOLR-15245: Document zk-read permission and use zk-read permission for content
afce3b0 is described below
commit afce3b08fae0e6aac3cfef6c581b65dc70cbc554
Author: Noble Paul <no...@gmail.com>
AuthorDate: Thu Mar 11 16:28:19 2021 +1100
SOLR-15245: Document zk-read permission and use zk-read permission for content
---
solr/core/src/java/org/apache/solr/handler/admin/ZookeeperReadAPI.java | 3 +--
solr/solr-ref-guide/src/rule-based-authorization-plugin.adoc | 3 ++-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/solr/core/src/java/org/apache/solr/handler/admin/ZookeeperReadAPI.java b/solr/core/src/java/org/apache/solr/handler/admin/ZookeeperReadAPI.java
index 18bed3e..0220ca5 100644
--- a/solr/core/src/java/org/apache/solr/handler/admin/ZookeeperReadAPI.java
+++ b/solr/core/src/java/org/apache/solr/handler/admin/ZookeeperReadAPI.java
@@ -45,7 +45,6 @@ import org.apache.zookeeper.data.Stat;
import static org.apache.solr.common.params.CommonParams.OMIT_HEADER;
import static org.apache.solr.common.params.CommonParams.WT;
import static org.apache.solr.response.RawResponseWriter.CONTENT;
-import static org.apache.solr.security.PermissionNameProvider.Name.COLL_READ_PERM;
import static org.apache.solr.security.PermissionNameProvider.Name.ZK_READ_PERM;
/**
@@ -65,7 +64,7 @@ public class ZookeeperReadAPI {
}
@EndPoint(path = "/cluster/zk/data/*",
method = SolrRequest.METHOD.GET,
- permission = COLL_READ_PERM)
+ permission = ZK_READ_PERM)
public void readNode(SolrQueryRequest req, SolrQueryResponse rsp) {
String path = req.getPathTemplateValues().get("*");
if (path == null || path.isEmpty()) path = "/";
diff --git a/solr/solr-ref-guide/src/rule-based-authorization-plugin.adoc b/solr/solr-ref-guide/src/rule-based-authorization-plugin.adoc
index 0b5a15b..4dc9401 100644
--- a/solr/solr-ref-guide/src/rule-based-authorization-plugin.adoc
+++ b/solr/solr-ref-guide/src/rule-based-authorization-plugin.adoc
@@ -253,6 +253,7 @@ The predefined permission names (and their effects) are:
** REQUESTSTATUS
* *update*: this permission is allowed to perform any update action on any collection. This includes sending documents for indexing (using an <<requesthandlers-and-searchcomponents-in-solrconfig.adoc#updaterequesthandlers,update request handler>>). This applies to all collections by default (`collection:"*"`).
* *read*: this permission is allowed to perform any read action on any collection. This includes querying using search handlers (using <<requesthandlers-and-searchcomponents-in-solrconfig.adoc#searchhandlers,request handlers>>) such as `/select`, `/get`, `/browse`, `/tvrh`, `/terms`, `/clustering`, `/elevate`, `/export`, `/spell`, `/clustering`, and `/sql`. This applies to all collections by default ( `collection:"*"` ).
+* *zk-read* : Permission to read content from ZK (`/api/cluster/zk/data/*` , `/api/cluster/zk/ls/*` )
* *all*: Any requests coming to Solr.
=== Permission Ordering and Resolution
@@ -263,7 +264,7 @@ Since Solr only uses the first matching permission it finds, it's important for
The ordering Solr uses is complex. Solr tries to check first any permissions which are specific or relevant to the incoming request, only moving on to more general permissions if none of the more-specific ones match. In effect, this means that different requests may check the same permissions in very different orders.
-If the incoming request is collection-agnostic (doesn't apply to a paritcular collection), Solr checks permissions in the following order:
+If the incoming request is collection-agnostic (doesn't apply to a particular collection), Solr checks permissions in the following order:
. Permissions with a `collection` value of `null` and a `path` value matching the request's request handler
. Permissions with a `collection` value of `null` and a `path` value of `*`