Posted to issues@solr.apache.org by "Jonathan J Senchyna (Jira)" <ji...@apache.org> on 2021/09/13 15:06:00 UTC

[jira] [Created] (SOLR-15626) config-read permission does not allow access to /solr/admin/configs?action=LIST

Jonathan J Senchyna created SOLR-15626:
------------------------------------------

             Summary: config-read permission does not allow access to /solr/admin/configs?action=LIST
                 Key: SOLR-15626
                 URL: https://issues.apache.org/jira/browse/SOLR-15626
             Project: Solr
          Issue Type: Bug
      Security Level: Public (Default Security Level. Issues are Public)
          Components: Authorization
    Affects Versions: 8.8.2
            Reporter: Jonathan J Senchyna


h2. Overview

The {{/solr/admin/configs?action=LIST}} endpoint is not available when the user has the {{config-read}} permission.
h2. Steps to Reproduce
 # Create a {{security.json}} file that defines:
 ## a user with the {{config-read}} permission, but _not_ the {{all}} permission.
 ## a separate user with the {{all}} permission
 # Using the first user, attempt to hit the {{/solr/admin/configs?action=LIST}} endpoint

*Expected*
The user is able to access the endpoint.

*Actual*
The request fails with a 403 and the following is logged:
{code:java}
This resource is configured to have a permission {
   "name":"all",
   "role":"admin"}
{code}

h2. Workaround
The following can be added to the {{security.json}} file to provide the required permission to the desired roles:
{code}
{
    "name": "list-configsets",
    "role": ["someRole"],
    "collection": null,
    "path": "/admin/configs",
    "params": {
        "action": ["LIST"]
    }
}
{code}
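A complete {{security.json}} that wires the reproduction setup together with the workaround above, as an added example that is not part of the original report: the user names ({{reader}}, {{solr}}), role names ({{configReader}}, {{admin}}) and the credential placeholders are assumptions and must be replaced with real BasicAuth hashes.

```json
{
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "solr": "REPLACE_WITH_BASE64_HASH REPLACE_WITH_BASE64_SALT",
      "reader": "REPLACE_WITH_BASE64_HASH REPLACE_WITH_BASE64_SALT"
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {
      "solr": "admin",
      "reader": "configReader"
    },
    "permissions": [
      {
        "name": "config-read",
        "role": "configReader"
      },
      {
        "name": "list-configsets",
        "role": ["configReader"],
        "collection": null,
        "path": "/admin/configs",
        "params": {
          "action": ["LIST"]
        }
      },
      {
        "name": "all",
        "role": "admin"
      }
    ]
  }
}
```

The {{list-configsets}} entry has to appear before the {{all}} entry: the rule-based plugin applies the first permission that matches the request, so with {{all}} listed first the {{reader}} user would still receive the 403 shown above.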
h2. Suggested fix

I believe the issue is that the {{config-read}} permission is configured with only the {{"*"}} collection, but it should have {{"*"}} _and_ {{null}} like the {{config-edit}} permission to allow it to be applied to routes that are not tied to a collection (e.g. {{solr/admin/configs?action=LIST}}).
https://github.com/apache/solr/blob/main/solr/core/src/java/org/apache/solr/security/PermissionNameProvider.java#L44-L45


