Posted to issues@solr.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2021/11/19 09:03:00 UTC

[jira] [Commented] (SOLR-15768) Tune zookeeper request handler permissions (8x)

    [ https://issues.apache.org/jira/browse/SOLR-15768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17446374#comment-17446374 ] 

ASF subversion and git services commented on SOLR-15768:
--------------------------------------------------------

Commit c2f26ac784945dca6d096b58f2d0e98196562894 in lucene-solr's branch refs/heads/branch_8x from Jan Høydahl
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=c2f26ac ]

SOLR-15768 Tune zookeeper request handler permissions (#2604)



> Tune zookeeper request handler permissions (8x)
> -----------------------------------------------
>
>                 Key: SOLR-15768
>                 URL: https://issues.apache.org/jira/browse/SOLR-15768
>             Project: Solr
>          Issue Type: Improvement
>          Components: security
>            Reporter: Jan Høydahl
>            Assignee: Jan Høydahl
>            Priority: Blocker
>             Fix For: 8.11.1
>
>         Attachments: SOLR-15768.patch
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> See SOLR-11623 for 9.x fixes in this space. This Jira is to apply a sane permission default to {{/admin/zookeeper?path=/security.json}} and {{/api/cluster/zk/data/security.json}} so users will need "security-read" permission to see that data across the board. Users already need this permission to use the {{/api/cluster/security/authentication}} API.
> *NOTE* that this was not a bug as such, but since these endpoints did not have an attached permission, they would remain unprotected, if the user did not define custom path-based permissions for the handlers, or alternatively applied an "all" permission at the end of the chain. This could be surprising to users, especially if they already included the predefined "zk-read" and "security-read" permissions in their chain, but they did not apply to these handlers.
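
An audit of a security.json permission chain for the gap described in the note above, as it stood before this fix: it reports the two handler paths as uncovered unless a role-bearing path rule matches them or an "all" permission ends the chain. This is an added example, not code from the Solr project; the function names, the sample chains, the "admin" role and the simplified path matcher are assumptions and do not reproduce Solr's own rule evaluation.

```python
import json

# Handler paths the issue names as having had no attached permission.
HANDLER_PATHS = ["/admin/zookeeper", "/api/cluster/zk/data/security.json"]

def path_covers(rule_path, handler_path):
    # Simplified matcher (assumption): exact match, or prefix match for a trailing "/*".
    if rule_path.endswith("/*"):
        return handler_path.startswith(rule_path[:-1])
    return rule_path == handler_path

def uncovered_handlers(security_json_text):
    """Return the handler paths that no rule in the permission chain protects."""
    perms = json.loads(security_json_text).get("authorization", {}).get("permissions", [])
    # Option 2 in the issue text: an "all" permission at the end of the chain.
    if perms and perms[-1].get("name") == "all" and perms[-1].get("role"):
        return []
    uncovered = []
    for handler in HANDLER_PATHS:
        covered = False
        for perm in perms:
            paths = perm.get("path") or []
            if isinstance(paths, str):
                paths = [paths]
            # Option 1: a custom path-based permission that carries a role.
            if perm.get("role") and any(path_covers(p, handler) for p in paths):
                covered = True
        if not covered:
            uncovered.append(handler)
    return uncovered

def chain(*perms):
    # Build a constructed security.json document around a permission list.
    return json.dumps({"authorization": {"permissions": list(perms)}})

# Constructed sample chains; the role name "admin" is a placeholder.
PREDEFINED_ONLY = chain({"name": "security-read", "role": "admin"},
                        {"name": "zk-read", "role": "admin"})
WITH_ALL_LAST = chain({"name": "security-read", "role": "admin"},
                      {"name": "all", "role": "admin"})
WITH_PATH_RULE = chain({"name": "zk-handlers", "role": "admin", "collection": None,
                        "path": ["/admin/zookeeper", "/api/cluster/zk/data/*"]})

if __name__ == "__main__":
    for label, doc in [("predefined only", PREDEFINED_ONLY),
                       ("all at end", WITH_ALL_LAST), ("path rule", WITH_PATH_RULE)]:
        print(label, "->", uncovered_handlers(doc) or "covered")
```

The first chain is the surprising case from the note: "zk-read" and "security-read" are present, yet both handlers are reported as uncovered.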


