Posted to commits@solr.apache.org by th...@apache.org on 2021/07/27 21:26:39 UTC
[solr-operator] branch main updated: Fix initial security.json rbap rules (#299)
This is an automated email from the ASF dual-hosted git repository.
thelabdude pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr-operator.git
The following commit(s) were added to refs/heads/main by this push:
new 43f91ea Fix initial security.json rbap rules (#299)
43f91ea is described below
commit 43f91ead6174e9f9640022ed9da8f508e32fbc8e
Author: Timothy Potter <th...@gmail.com>
AuthorDate: Tue Jul 27 15:25:58 2021 -0600
Fix initial security.json rbap rules (#299)
---
controllers/util/solr_util.go | 7 ++++---
docs/solr-cloud/solr-cloud-crd.md | 22 ++++++++++++++++------
helm/solr-operator/Chart.yaml | 14 ++++++++++++++
3 files changed, 34 insertions(+), 9 deletions(-)
diff --git a/controllers/util/solr_util.go b/controllers/util/solr_util.go
index 14276cb..db76ff9 100644
--- a/controllers/util/solr_util.go
+++ b/controllers/util/solr_util.go
@@ -1341,12 +1341,13 @@ func generateSecurityJson(solrCloud *solr.SolrCloud) map[string][]byte {
%s,
{ "name": "k8s-status", "role":"k8s", "collection": null, "path":"/admin/collections" },
{ "name": "k8s-metrics", "role":"k8s", "collection": null, "path":"/admin/metrics" },
+ { "name": "k8s-zk", "role":"k8s", "collection": null, "path":"/admin/zookeeper/status" },
{ "name": "k8s-ping", "role":"k8s", "collection": "*", "path":"/admin/ping" },
- { "name": "all", "role":["admin","users"] },
{ "name": "read", "role":["admin","users"] },
{ "name": "update", "role":["admin"] },
- { "name": "security-read", "role": "admin"},
- { "name": "security-edit", "role": "admin"}
+ { "name": "security-read", "role": ["admin"] },
+ { "name": "security-edit", "role": ["admin"] },
+ { "name": "all", "role":["admin"] }
]
}
}`, blockUnknown, credentialsJson, username, probeAuthz)
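Review bot: the ordering of the `all` entry is load-bearing here and deserves a comment in the template: Solr's rule-based authorization evaluates permissions in order and applies the first one that matches, so with `{ "name": "all", "role":["admin","users"] }` listed before `read` (the `-` line above), any request from a `users`-role account, including updates, was already satisfied before `read` was ever consulted. Moving `all` to the end with `"role":["admin"]` is what makes `read` the effective ceiling for `users`, but nothing in the hunk records that a later edit must not reorder it. Suggest adding a line such as `// "all" must stay last: Solr uses the first matching permission` above the closing `]`, and, since this push touches no test file (only `solr_util.go`, the CRD doc and `Chart.yaml`), a unit test over `generateSecurityJson` asserting that the final permission is `all` restricted to `admin` and that `users` does not appear in it. The change from `"role": "admin"` to `"role": ["admin"]` on `security-read`/`security-edit` is a consistency fix that makes every entry a list, which also simplifies any test that parses the roles.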
diff --git a/docs/solr-cloud/solr-cloud-crd.md b/docs/solr-cloud/solr-cloud-crd.md
index 512b2ba..9d6a73e 100644
--- a/docs/solr-cloud/solr-cloud-crd.md
+++ b/docs/solr-cloud/solr-cloud-crd.md
@@ -792,6 +792,12 @@ Take a moment to review these authorization rules so that you're aware of the ro
"collection": null,
"path": "/admin/metrics"
},
+ {
+ "name": "k8s-zk",
+ "role":"k8s",
+ "collection": null,
+ "path":"/admin/zookeeper/status"
+ },
{
"name": "k8s-ping",
"role": "k8s",
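Review bot: the added `k8s-zk` entry uses `"role":"k8s"` and `"path":"/admin/zookeeper/status"` without the space after the colon that the surrounding documented entries use (`"role": "k8s"`, `"path": "/admin/metrics"`); since this block is the reference copy readers compare against their own `security.json`, it should match the formatting of its neighbours, e.g. `"role": "k8s",` and `"path": "/admin/zookeeper/status"`.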
@@ -799,10 +805,6 @@ Take a moment to review these authorization rules so that you're aware of the ro
"path": "/admin/ping"
},
{
- "name": "all",
- "role": [ "admin", "users" ]
- },
- {
"name": "read",
"role": [ "admin", "users" ]
},
@@ -812,11 +814,15 @@ Take a moment to review these authorization rules so that you're aware of the ro
},
{
"name": "security-read",
- "role": "admin"
+ "role": [ "admin" ]
},
{
"name": "security-edit",
- "role": "admin"
+ "role": [ "admin" ]
+ },
+ {
+ "name": "all",
+ "role": [ "admin" ]
}
]
}
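Review bot: the documented JSON now places `all` last and limits it to `[ "admin" ]`, but the surrounding text gives the reader no reason for that position; a one-line note next to the block stating that Solr applies the first matching permission, so `all` must remain the final entry, would stop operators who copy and hand-edit this config from reordering it and silently re-granting `users` every path. The `"role": [ "admin" ]` list form for `security-read` and `security-edit` now matches the other entries, which is good.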
@@ -864,6 +870,10 @@ The exporter also hits the `/admin/ping` endpoint for every collection, which re
```
The `"collection":"*"` setting indicates this path applies to all collections, which maps to endpoint `/collections/<COLL>/admin/ping` at runtime.
+The initial authorization config grants the `read` permission to the `users` role, which allows `users` to send query requests but cannot add / update / delete documents.
+For instance, the `solr` user is mapped to the `users` role, so the `solr` user can send query requests only.
+In general, please verify the initial authorization rules for each role before sharing user credentials.
+
### Option 2: User-provided Basic Auth Secret
Alternatively, if users want full control over their cluster's security config, then they can provide a `kubernetes.io/basic-auth` secret containing the credentials for the user they want the operator to make API requests as:
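Review bot: the new sentence "which allows `users` to send query requests but cannot add / update / delete documents" has a subject mismatch (the permission allows, the role cannot); suggest "which allows `users` to send query requests but not to add, update or delete documents." It would also help to state the rule that the example relies on, that a `users` request falls through `read` to `all` only if no earlier permission matches and `all` now requires `admin`, so the closing advice to "verify the initial authorization rules for each role before sharing user credentials" has a concrete check attached: confirm `users` appears only in `read`.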
diff --git a/helm/solr-operator/Chart.yaml b/helm/solr-operator/Chart.yaml
index 6d791f6..68f35ee 100644
--- a/helm/solr-operator/Chart.yaml
+++ b/helm/solr-operator/Chart.yaml
@@ -105,6 +105,20 @@ annotations:
url: https://github.com/apache/solr-operator/issues/282
- name: Github PR
url: https://github.com/apache/solr-operator/pull/297
+ - kind: security
+ description: Remove users role from the all permission in the initial security.json
+ links:
+ - name: Github Issue
+ url: https://github.com/apache/solr-operator/issues/274
+ - name: Github PR
+ url: https://github.com/apache/solr-operator/pull/299
+ - kind: fixed
+ description: Grant access to the /admin/zookeeper/status path to the k8s role in the initial security.json
+ links:
+ - name: Github Issue
+ url: https://github.com/apache/solr-operator/issues/289
+ - name: Github PR
+ url: https://github.com/apache/solr-operator/pull/299
artifacthub.io/images: |
- name: solr-operator
image: apache/solr-operator:v0.4.0-prerelease