You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@solr.apache.org by "Jan Høydahl (Jira)" <ji...@apache.org> on 2021/11/07 23:55:00 UTC

[jira] [Created] (SOLR-15776) Make Admin UI play well with Authorization

Jan Høydahl created SOLR-15776:
----------------------------------

             Summary: Make Admin UI play well with Authorization
                 Key: SOLR-15776
                 URL: https://issues.apache.org/jira/browse/SOLR-15776
             Project: Solr
          Issue Type: Improvement
      Security Level: Public (Default Security Level. Issues are Public)
          Components: Admin UI, Authorization
            Reporter: Jan Høydahl
            Assignee: Jan Høydahl
         Attachments: Skjermbilde 2021-11-07 kl. 21.43.58.png

Admin UI does not really know about what the current logged in user should have access to and not, and it just throws some error messages if you attempt to do stuff you are not authorized to. The upcoming SOLR-11623 will also add further permissions to some APIs that are commonly used from admin UI.

I propose that we do the following:
 * Add to /admin/info/system a list of predefined permissions that the logged-in user has assigned (now we only list the roles)
 * Admin UI will always require permissions {{{}config-read{}}}, {{core-read}} and {{{}coll-read{}}}. If either the /admin/info/system call fails or the three permissions are not present, the Admin UI shows a message "You do not have sufficient permissions to use the Admin UI"

See the attached matrix ([or google spreadsheet|https://docs.google.com/spreadsheets/d/1s2xokDxw9IkXr7ZA5n06RPDj6EwvpbsZ7zUeKpvRC3Q/edit?usp=sharing]) of permissions required for each section of the Admin UI. Use this matrix to restrict access to various Admin UI screens or buttons, depending on user's permissions:
 * Cloud/Tree/Graph: Disable if not {{zk-read}}
 * Schema-designer: Stop probing with ajax call, check permission list instead
 * Documents tab: Disable the whole tab or only the "Submit document" button if not {{update}} permission
 * Query/Stream/SQL/Schema: Disable tabs or buttons if not {{read}} permission
 * Schema: Disable buttons if not {{schema-edit}} permission
 * Core overview: Disable if not {{health}} and {{read}} permissions
 * Ping: Disable if not {{health}} permission
 * Plugin/Stats & Segments-info: Disable if not {{metrics-read}} permission

[~thelabdude] ping



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org