thelabdude opened a new issue #274:
URL: https://github.com/apache/solr-operator/issues/274


   The `security.json` that the Solr operator creates during security 
boostrapping when using:
   ```
   spec:
     ...
     solrSecurity:
       authenticationType: Basic
   ```
   Grants the `all` permission to the `users` role.
   
   I misinterpreted this permission to mean all endpoints unless specifically 
overridden by another rule, which is how it works but seems to be order 
dependent. If this "all" permission is listed last, then we get the behavior I 
intended. But if it's listed before the more restrictive rules, then it takes 
precedence and allows broader access than I intended for the default authz 
rules. Upon further reflection, I think the operator should not assign the 
`users` role to the `all` permission at all, so the change looks like:
   ```
   diff --git a/controllers/util/solr_util.go b/controllers/util/solr_util.go
   index c8f3b05..fbc9d0e 100644
   --- a/controllers/util/solr_util.go
   +++ b/controllers/util/solr_util.go
   @@ -1387,7 +1387,7 @@ func generateSecurityJson(solrCloud *solr.SolrCloud) 
map[string][]byte {
              { "name": "k8s-status", "role":"k8s", "collection": null, 
"path":"/admin/collections" },
              { "name": "k8s-metrics", "role":"k8s", "collection": null, 
"path":"/admin/metrics" },
              { "name": "k8s-ping", "role":"k8s", "collection": "*", 
"path":"/admin/ping" },
   -          { "name": "all", "role":["admin","users"] },
   +          { "name": "all", "role":["admin"] },
              { "name": "read", "role":["admin","users"] },
              { "name": "update", "role":["admin"] },
              { "name": "security-read", "role": "admin"},
   ```
   
   The work-around for users that have already bootstrapped a SolrCloud with 
basic-auth enabled is to manually update their `security.json` to remove 
`users` from the `all` role. You can do this using the zkcli.sh script to 
update the security.json directly:
   ```
   ./zkcli.sh -zkhost $ZK_HOST -cmd putfile /security.json 
$SOME_LOCAL_PATH/security.json 
   ```
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org

Reply via email to