You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@solr.apache.org by GitBox <gi...@apache.org> on 2021/06/02 19:41:29 UTC
[GitHub] [solr-operator] thelabdude opened a new issue #274: Bootstrapped security.json incorrectly assigns the "all" permission to the "users" role due to ordering of rules
thelabdude opened a new issue #274:
URL: https://github.com/apache/solr-operator/issues/274
The `security.json` that the Solr operator creates during security boostrapping when using:
```
spec:
...
solrSecurity:
authenticationType: Basic
```
Grants the `all` permission to the `users` role.
I misinterpreted this permission to mean all endpoints unless specifically overridden by another rule, which is how it works but seems to be order dependent. If this "all" permission is listed last, then we get the behavior I intended. But if it's listed before the more restrictive rules, then it takes precedence and allows broader access than I intended for the default authz rules. Upon further reflection, I think the operator should not assign the `users` role to the `all` permission at all, so the change looks like:
```
diff --git a/controllers/util/solr_util.go b/controllers/util/solr_util.go
index c8f3b05..fbc9d0e 100644
--- a/controllers/util/solr_util.go
+++ b/controllers/util/solr_util.go
@@ -1387,7 +1387,7 @@ func generateSecurityJson(solrCloud *solr.SolrCloud) map[string][]byte {
{ "name": "k8s-status", "role":"k8s", "collection": null, "path":"/admin/collections" },
{ "name": "k8s-metrics", "role":"k8s", "collection": null, "path":"/admin/metrics" },
{ "name": "k8s-ping", "role":"k8s", "collection": "*", "path":"/admin/ping" },
- { "name": "all", "role":["admin","users"] },
+ { "name": "all", "role":["admin"] },
{ "name": "read", "role":["admin","users"] },
{ "name": "update", "role":["admin"] },
{ "name": "security-read", "role": "admin"},
```
The work-around for users that have already bootstrapped a SolrCloud with basic-auth enabled is to manually update their `security.json` to remove `users` from the `all` role. You can do this using the zkcli.sh script to update the security.json directly:
```
./zkcli.sh -zkhost $ZK_HOST -cmd putfile /security.json $SOME_LOCAL_PATH/security.json
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org
[GitHub] [solr-operator] thelabdude closed issue #274: Bootstrapped security.json incorrectly assigns the "all" permission to the "users" role due to ordering of rules
Posted by GitBox <gi...@apache.org>.
thelabdude closed issue #274:
URL: https://github.com/apache/solr-operator/issues/274
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org