Posted to issues@solr.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2021/10/07 14:39:00 UTC

[jira] [Commented] (SOLR-15626) config-read permission does not allow access to /solr/admin/configs?action=LIST

    [ https://issues.apache.org/jira/browse/SOLR-15626?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17425605#comment-17425605 ] 

ASF subversion and git services commented on SOLR-15626:
--------------------------------------------------------

Commit d013e9b485659bcf3366e4b433d69b3b60195b89 in solr's branch refs/heads/main from Jon Senchyna
[ https://gitbox.apache.org/repos/asf?p=solr.git;h=d013e9b ]

SOLR-15626: Fix `config-read` permission. (#296)

* SOLR-15626: Fix `config-read` permission. The `config-read` permission was not including the `null` collection, preventing it from being matched on endpoints like `/admin/configs?action=LIST`, as they are not associated with a specific collection.


> config-read permission does not allow access to /solr/admin/configs?action=LIST
> -------------------------------------------------------------------------------
>
>                 Key: SOLR-15626
>                 URL: https://issues.apache.org/jira/browse/SOLR-15626
>             Project: Solr
>          Issue Type: Bug
>          Components: Authorization
>    Affects Versions: 8.8
>            Reporter: Jonathan J Senchyna
>            Priority: Minor
>          Time Spent: 4h 20m
>  Remaining Estimate: 0h
>
> h2. Overview
> The {{/solr/admin/configs?action=LIST}} endpoint is not available when the user has the {{config-read}} permission.
> h2. Steps to Reproduce
>  # Create a {{security.json}} file that defines:
>  ## a user with the {{config-read}} permission, but _not_ the {{all}} permission.
>  ## a separate user with the {{all}} permission
>  # Using the first user, attempt to hit the {{/solr/admin/configs?action=LIST}} endpoint
> *Expected*
>  The user is able to access the endpoint.
>  *Actual*
>  The request fails with a 403 and the following is logged:
> {code:java}
> This resource is configured to have a permission {
>    "name":"all",
>    "role":"admin"}
> {code}
> h2. Workaround
> The following can be added to the {{security.json}} file to provide the required permission to the desired roles:
> {code:java}
> {
>     "name": "list-configsets",
>     "role": ["someRole"],
>     "collection": null,
>     "path": "/admin/configs",
>     "params": {
>         "action": ["LIST"]
>      }
> }
> {code}
> h2. Suggested fix
> I believe the issue is that the {{config-read}} permission is configured with only the {{"*"}} collection, but it should have {{"*"}} _and_ {{null}} like the {{config-edit}} permission to allow it to be applied to routes that are not tied to a collection (e.g. {{solr/admin/configs?action=LIST}}).
>  [https://github.com/apache/solr/blob/main/solr/core/src/java/org/apache/solr/security/PermissionNameProvider.java#L44-L45]
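The mismatch the issue describes (a permission whose collection set contains only `"*"` never matching a request that carries no collection) can be seen with a small rule-matching model. The following Python is an added example, not Solr's own code: it is a simplified model of first-match rule evaluation with an explicit `path` on each rule, whereas Solr's predefined permissions are bound to handlers by name. The rule names, the `reader`/`admin` roles and the "unmatched request is allowed" fallback are assumptions of the model, and the three scenarios reproduce the bug report's failure, the fix (adding `null` to the collection set) and the `list-configsets` workaround from the issue.

```python
"""Simplified model of Solr-style permission matching (added example, not Solr's code).

A rule's `collections` set may contain "*" (any named collection) and/or None
(requests not tied to a collection). Rules are evaluated in order; the first
rule whose path, collection and params match decides, and the caller must hold
one of its roles. If no rule matches, the model allows the request (assumption).
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Request:
    path: str
    collection: Optional[str]                 # None for collection-less endpoints
    params: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Permission:
    name: str
    roles: frozenset
    collections: frozenset                    # subset of {"*", None, "<name>", ...}
    path: Optional[str] = None                # None = any path (catch-all)
    params: dict = field(default_factory=dict)  # param -> list of allowed values


def collection_matches(perm: Permission, req: Request) -> bool:
    """None in the rule is the only thing that matches a collection-less request."""
    if req.collection is None:
        return None in perm.collections
    return "*" in perm.collections or req.collection in perm.collections


def params_match(perm: Permission, req: Request) -> bool:
    """Every param the rule constrains must be present with an allowed value."""
    return all(req.params.get(k) in allowed for k, allowed in perm.params.items())


def rule_matches(perm: Permission, req: Request) -> bool:
    return (perm.path is None or perm.path == req.path) \
        and collection_matches(perm, req) and params_match(perm, req)


def authorize(rules, req: Request, user_roles) -> tuple[bool, Optional[str]]:
    """Return (allowed, name of the rule that decided) for a first-match rule list."""
    for perm in rules:
        if rule_matches(perm, req):
            return (bool(frozenset(user_roles) & perm.roles), perm.name)
    return (True, None)  # model assumption: no matching rule means no restriction


# Constructed request: the endpoint from the issue, which has no collection.
LIST_REQUEST = Request(path="/admin/configs", collection=None, params={"action": "LIST"})

# Assumed role names and paths; the collection sets mirror the issue text.
CONFIG_READ_BEFORE = Permission("config-read", frozenset({"reader"}),
                                frozenset({"*"}), path="/admin/configs")
CONFIG_READ_FIXED = Permission("config-read", frozenset({"reader"}),
                               frozenset({"*", None}), path="/admin/configs")
WORKAROUND = Permission("list-configsets", frozenset({"reader"}), frozenset({None}),
                        path="/admin/configs", params={"action": ["LIST"]})
ALL = Permission("all", frozenset({"admin"}), frozenset({"*", None}))  # catch-all


def decide_before() -> tuple[bool, Optional[str]]:
    """Bug: config-read never matches, so the catch-all "all" rule denies the reader."""
    return authorize([CONFIG_READ_BEFORE, ALL], LIST_REQUEST, {"reader"})


def decide_fixed() -> tuple[bool, Optional[str]]:
    """Fix: with None in its collection set, config-read matches and grants access."""
    return authorize([CONFIG_READ_FIXED, ALL], LIST_REQUEST, {"reader"})


def decide_workaround() -> tuple[bool, Optional[str]]:
    """Workaround from the issue: an explicit collection-less rule placed before "all"."""
    return authorize([CONFIG_READ_BEFORE, WORKAROUND, ALL], LIST_REQUEST, {"reader"})


def decide_named_collection() -> tuple[bool, Optional[str]]:
    """Control case: "*" alone still matches a request that names a collection."""
    req = Request(path="/admin/configs", collection="techproducts", params={"action": "LIST"})
    return authorize([CONFIG_READ_BEFORE, ALL], req, {"reader"})


if __name__ == "__main__":
    for label, fn in [("before fix", decide_before), ("after fix", decide_fixed),
                      ("workaround", decide_workaround), ("named collection", decide_named_collection)]:
        allowed, rule = fn()
        print(f"{label:17s} allowed={allowed!s:5s} decided by rule={rule}")
```

The detection angle is the same one the bug report used: when a request falls through a predefined permission and is decided by a trailing catch-all rule, the log line names the rule that actually decided (`all` here), which is the quickest sign that a more specific rule failed to match on its collection set rather than on roles.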



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
