You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@solr.apache.org by th...@apache.org on 2021/07/27 21:26:39 UTC

[solr-operator] branch main updated: Fix initial security.json rbap rules (#299)

This is an automated email from the ASF dual-hosted git repository.

thelabdude pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr-operator.git


The following commit(s) were added to refs/heads/main by this push:
     new 43f91ea  Fix initial security.json rbap rules (#299)
43f91ea is described below

commit 43f91ead6174e9f9640022ed9da8f508e32fbc8e
Author: Timothy Potter <th...@gmail.com>
AuthorDate: Tue Jul 27 15:25:58 2021 -0600

    Fix initial security.json rbap rules (#299)
---
 controllers/util/solr_util.go     |  7 ++++---
 docs/solr-cloud/solr-cloud-crd.md | 22 ++++++++++++++++------
 helm/solr-operator/Chart.yaml     | 14 ++++++++++++++
 3 files changed, 34 insertions(+), 9 deletions(-)

diff --git a/controllers/util/solr_util.go b/controllers/util/solr_util.go
index 14276cb..db76ff9 100644
--- a/controllers/util/solr_util.go
+++ b/controllers/util/solr_util.go
@@ -1341,12 +1341,13 @@ func generateSecurityJson(solrCloud *solr.SolrCloud) map[string][]byte {
           %s,
           { "name": "k8s-status", "role":"k8s", "collection": null, "path":"/admin/collections" },
           { "name": "k8s-metrics", "role":"k8s", "collection": null, "path":"/admin/metrics" },
+          { "name": "k8s-zk", "role":"k8s", "collection": null, "path":"/admin/zookeeper/status" },
           { "name": "k8s-ping", "role":"k8s", "collection": "*", "path":"/admin/ping" },
-          { "name": "all", "role":["admin","users"] },
           { "name": "read", "role":["admin","users"] },
           { "name": "update", "role":["admin"] },
-          { "name": "security-read", "role": "admin"},
-          { "name": "security-edit", "role": "admin"}
+          { "name": "security-read", "role": ["admin"] },
+          { "name": "security-edit", "role": ["admin"] },
+          { "name": "all", "role":["admin"] }
         ]
       }
     }`, blockUnknown, credentialsJson, username, probeAuthz)
diff --git a/docs/solr-cloud/solr-cloud-crd.md b/docs/solr-cloud/solr-cloud-crd.md
index 512b2ba..9d6a73e 100644
--- a/docs/solr-cloud/solr-cloud-crd.md
+++ b/docs/solr-cloud/solr-cloud-crd.md
@@ -792,6 +792,12 @@ Take a moment to review these authorization rules so that you're aware of the ro
         "collection": null,
         "path": "/admin/metrics"
       },
+      { 
+         "name": "k8s-zk", 
+         "role":"k8s", 
+         "collection": null, 
+         "path":"/admin/zookeeper/status" 
+      },
       {
         "name": "k8s-ping",
         "role": "k8s",
@@ -799,10 +805,6 @@ Take a moment to review these authorization rules so that you're aware of the ro
         "path": "/admin/ping"
       },
       {
-        "name": "all",
-        "role": [ "admin", "users" ]
-      },
-      {
         "name": "read",
         "role": [ "admin", "users" ]
       },
@@ -812,11 +814,15 @@ Take a moment to review these authorization rules so that you're aware of the ro
       },
       {
         "name": "security-read",
-        "role": "admin"
+        "role": [ "admin" ]
       },
       {
         "name": "security-edit",
-        "role": "admin"
+        "role": [ "admin" ]
+      },
+      {
+        "name": "all",
+        "role": [ "admin" ]
       }
     ]
   }
@@ -864,6 +870,10 @@ The exporter also hits the `/admin/ping` endpoint for every collection, which re
 ```
 The `"collection":"*"` setting indicates this path applies to all collections, which maps to endpoint `/collections/<COLL>/admin/ping` at runtime.
 
+The initial authorization config grants the `read` permission to the `users` role, which allows `users` to send query requests but cannot add / update / delete documents.
+For instance, the `solr` user is mapped to the `users` role, so the `solr` user can send query requests only. 
+In general, please verify the initial authorization rules for each role before sharing user credentials.
+
 ### Option 2: User-provided Basic Auth Secret
 
 Alternatively, if users want full control over their cluster's security config, then they can provide a `kubernetes.io/basic-auth` secret containing the credentials for the user they want the operator to make API requests as:
diff --git a/helm/solr-operator/Chart.yaml b/helm/solr-operator/Chart.yaml
index 6d791f6..68f35ee 100644
--- a/helm/solr-operator/Chart.yaml
+++ b/helm/solr-operator/Chart.yaml
@@ -105,6 +105,20 @@ annotations:
           url: https://github.com/apache/solr-operator/issues/282
         - name: Github PR
           url: https://github.com/apache/solr-operator/pull/297
+    - kind: security
+      description: Remove users role from the all permission in the initial security.json
+      links:
+        - name: Github Issue
+          url: https://github.com/apache/solr-operator/issues/274
+        - name: Github PR
+          url: https://github.com/apache/solr-operator/pull/299
+    - kind: fixed
+      description: Grant access to the /admin/zookeeper/status path to the k8s role in the initial security.json
+      links:
+        - name: Github Issue
+          url: https://github.com/apache/solr-operator/issues/289
+        - name: Github PR
+          url: https://github.com/apache/solr-operator/pull/299
   artifacthub.io/images: |
     - name: solr-operator
       image: apache/solr-operator:v0.4.0-prerelease