You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@lucene.apache.org by no...@apache.org on 2021/03/11 05:28:54 UTC

[lucene-solr] branch branch_8x updated: SOLR-15245: Document zk-read permission and use zk-read permission for content

This is an automated email from the ASF dual-hosted git repository.

noble pushed a commit to branch branch_8x
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git


The following commit(s) were added to refs/heads/branch_8x by this push:
     new afce3b0  SOLR-15245: Document zk-read permission and use zk-read permission for content
afce3b0 is described below

commit afce3b08fae0e6aac3cfef6c581b65dc70cbc554
Author: Noble Paul <no...@gmail.com>
AuthorDate: Thu Mar 11 16:28:19 2021 +1100

    SOLR-15245: Document zk-read permission and use zk-read permission for content
---
 solr/core/src/java/org/apache/solr/handler/admin/ZookeeperReadAPI.java | 3 +--
 solr/solr-ref-guide/src/rule-based-authorization-plugin.adoc           | 3 ++-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/solr/core/src/java/org/apache/solr/handler/admin/ZookeeperReadAPI.java b/solr/core/src/java/org/apache/solr/handler/admin/ZookeeperReadAPI.java
index 18bed3e..0220ca5 100644
--- a/solr/core/src/java/org/apache/solr/handler/admin/ZookeeperReadAPI.java
+++ b/solr/core/src/java/org/apache/solr/handler/admin/ZookeeperReadAPI.java
@@ -45,7 +45,6 @@ import org.apache.zookeeper.data.Stat;
 import static org.apache.solr.common.params.CommonParams.OMIT_HEADER;
 import static org.apache.solr.common.params.CommonParams.WT;
 import static org.apache.solr.response.RawResponseWriter.CONTENT;
-import static org.apache.solr.security.PermissionNameProvider.Name.COLL_READ_PERM;
 import static org.apache.solr.security.PermissionNameProvider.Name.ZK_READ_PERM;
 
 /**
@@ -65,7 +64,7 @@ public class ZookeeperReadAPI {
   }
   @EndPoint(path = "/cluster/zk/data/*",
       method = SolrRequest.METHOD.GET,
-      permission = COLL_READ_PERM)
+      permission = ZK_READ_PERM)
   public void readNode(SolrQueryRequest req, SolrQueryResponse rsp) {
     String path = req.getPathTemplateValues().get("*");
     if (path == null || path.isEmpty()) path = "/";
diff --git a/solr/solr-ref-guide/src/rule-based-authorization-plugin.adoc b/solr/solr-ref-guide/src/rule-based-authorization-plugin.adoc
index 0b5a15b..4dc9401 100644
--- a/solr/solr-ref-guide/src/rule-based-authorization-plugin.adoc
+++ b/solr/solr-ref-guide/src/rule-based-authorization-plugin.adoc
@@ -253,6 +253,7 @@ The predefined permission names (and their effects) are:
 ** REQUESTSTATUS
 * *update*: this permission is allowed to perform any update action on any collection. This includes sending documents for indexing (using an <<requesthandlers-and-searchcomponents-in-solrconfig.adoc#updaterequesthandlers,update request handler>>). This applies to all collections by default (`collection:"*"`).
 * *read*: this permission is allowed to perform any read action on any collection. This includes querying using search handlers (using <<requesthandlers-and-searchcomponents-in-solrconfig.adoc#searchhandlers,request handlers>>) such as `/select`, `/get`, `/browse`, `/tvrh`, `/terms`, `/clustering`, `/elevate`, `/export`, `/spell`, `/clustering`, and `/sql`. This applies to all collections by default ( `collection:"*"` ).
+* *zk-read* : Permission to read content from ZK (`/api/cluster/zk/data/*` , `/api/cluster/zk/ls/*` )
 * *all*: Any requests coming to Solr.
 
 === Permission Ordering and Resolution
@@ -263,7 +264,7 @@ Since Solr only uses the first matching permission it finds, it's important for
 
 The ordering Solr uses is complex.  Solr tries to check first any permissions which are specific or relevant to the incoming request, only moving on to more general permissions if none of the more-specific ones match.  In effect, this means that different requests may check the same permissions in very different orders.
 
-If the incoming request is collection-agnostic (doesn't apply to a paritcular collection), Solr checks permissions in the following order:
+If the incoming request is collection-agnostic (doesn't apply to a particular collection), Solr checks permissions in the following order:
 
 . Permissions with a `collection` value of `null` and a `path` value matching the request's request handler
 . Permissions with a `collection` value of `null` and a `path` value of `*`