Posted to issues@solr.apache.org by "Jan Høydahl (Jira)" <ji...@apache.org> on 2021/10/25 11:31:00 UTC

[jira] [Commented] (SOLR-11623) Every request handler in Solr should implement PermissionNameProvider interface

    [ https://issues.apache.org/jira/browse/SOLR-11623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17433701#comment-17433701 ] 

Jan Høydahl commented on SOLR-11623:
------------------------------------

I tried adding PermissionNameProvider to RequestHandlerBase and got compilation errors for these 23 handlers:
{code:java}
ReplicationHandler
ReloadCacheRequestHandler
HealthCheckHandler
InfoHandler
PublicKeyHandler
PropertiesRequestHandler
ThreadDumpHandler
LoggingHandler
SystemInfoHandler
SolrInfoMBeanHandler
LukeRequestHandler
MetricsCollectorHandler
SegmentsInfoRequestHandler
PluginInfoHandler
ZookeeperInfoHandler
ZookeeperStatusHandler
FieldAnalysisRequestHandler
MoreLikeThisHandler
DumpRequestHandler
NotFoundRequestHandler
DocumentAnalysisRequestHandler
TaggerRequestHandler
PingRequestHandler
{code}
To not end up in the same situation later, the safest is to add the interface to RequestHandlerBase and then choose a proper permission for all the above - and choose ALL if the information should be open for all. 9.0 is a good time to do this, as we change a very central programming API. Users with custom RequestHandlers will need to revisit their custom handlers for 9.0.

> Every request handler in Solr should implement PermissionNameProvider interface
> -------------------------------------------------------------------------------
>
>                 Key: SOLR-11623
>                 URL: https://issues.apache.org/jira/browse/SOLR-11623
>             Project: Solr
>          Issue Type: Improvement
>    Affects Versions: 7.1
>            Reporter: Hrishikesh Gadre
>            Priority: Major
>
> Solr authorization framework expects request handler to implement PermissionNameProvider interface so that the type of the permission for the request can be extracted. Currently not all request handlers implement PermissionNameProvider, requiring authorization plugin implementation to check this case explicitly and return OK. During code review of SENTRY-1475, this issue was discussed. Since PermissionNameProvider.Name enum provides "ALL" permission type, it should be possible to have every request handler implement PermissionNameProvider interface and provide "ALL" permission type if no authorization checks are necessary.
> The secondary benefit of this work would be that we can review all the request handlers and ensure that we aren't missing authorization support for any request handlers which provide sensitive information.



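A simplified, self-contained model of the gap this issue describes, added here as an illustration and not taken from Solr or from the thread. The types only borrow the names PermissionNameProvider and Name.ALL from the issue; the handlers, paths, role grants and authorize() are constructed assumptions (Java 16+).

```java
import java.util.Map;
import java.util.Set;

public class PermissionNameDemo {
    // Simplified stand-ins named after the types in the issue; not Solr's real classes.
    enum Name { READ_PERM, CONFIG_READ_PERM, ALL }
    interface PermissionNameProvider { Name getPermissionName(); }
    interface Handler { String path(); }

    // Before: a hypothetical handler that never declares a permission.
    record LegacyDiagHandler() implements Handler {
        public String path() { return "/admin/diag"; }
    }

    // After: the base type carries the interface, so omitting
    // getPermissionName() is a compilation error, not a silent bypass.
    static abstract class HandlerBase implements Handler, PermissionNameProvider {}

    static class DiagHandler extends HandlerBase {
        public String path() { return "/admin/diag"; }
        public Name getPermissionName() { return Name.CONFIG_READ_PERM; }
    }

    static class PingHandler extends HandlerBase {
        public String path() { return "/admin/ping"; }
        public Name getPermissionName() { return Name.ALL; } // explicitly open to all
    }

    // Constructed role grants for the demo.
    static final Map<String, Set<Name>> GRANTS = Map.of(
            "admin", Set.of(Name.READ_PERM, Name.CONFIG_READ_PERM),
            "anonymous", Set.of());

    // Plugin-side check as the issue describes it: no provider means "OK".
    static boolean authorize(String role, Handler h) {
        if (!(h instanceof PermissionNameProvider p)) return true; // fail-open branch
        Name needed = p.getPermissionName();
        return needed == Name.ALL || GRANTS.getOrDefault(role, Set.of()).contains(needed);
    }

    public static void main(String[] args) {
        Handler[] handlers = { new LegacyDiagHandler(), new DiagHandler(), new PingHandler() };
        for (Handler h : handlers) {
            for (String role : new String[] { "anonymous", "admin" }) {
                System.out.printf("%-18s %-10s %s%n", h.getClass().getSimpleName(), role,
                        authorize(role, h) ? "OK" : "FORBIDDEN");
            }
        }
    }
}
```

The legacy handler is allowed for every role because the check never learns which permission applies, while the same endpoint built on the base type is denied to the anonymous role and only the handler that returns ALL stays open.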