Jonathan J Senchyna created SOLR-15626: ------------------------------------------
Summary: config-read permission does not allow access to /solr/admin/configs?action=LIST
Key: SOLR-15626
URL: https://issues.apache.org/jira/browse/SOLR-15626
Project: Solr
Issue Type: Bug
Security Level: Public (Default Security Level. Issues are Public)
Components: Authorization
Affects Versions: 8.8.2
Reporter: Jonathan J Senchyna

h2. Overview

The {{/solr/admin/configs?action=LIST}} endpoint is not available when the user has the {{config-read}} permission.

h2. Steps to Reproduce

# Create a {{security.json}} file that defines:
## a user with the {{config-read}} permission, but _not_ the {{all}} permission.
## a separate user with the {{all}} permission
# Using the first user, attempt to hit the {{/solr/admin/configs?action=LIST}} endpoint

*Expected*

The user is able to access the endpoint.

*Actual*

The request fails with a 403 and the following is logged:

{code:java}
This resource is configured to have a permission { "name":"all", "role":"admin"}
{code}

h2. Workaround

The following can be added to the {{security.json}} file to provide the required permission to the desired roles:

{code}
{
  "name": "list-configsets",
  "role": ["someRole"],
  "collection": null,
  "path": "/admin/configs",
  "params": {
    "action": ["LIST"]
  }
}
{code}

h2. Suggested fix

I believe the issue is that the {{config-read}} permission is configured with only the {{"*"}} collection, but it should have {{"*"}} _and_ {{null}} like the {{config-edit}} permission to allow it to be applied to routes that are not tied to a collection (e.g. {{solr/admin/configs?action=LIST}}).

https://github.com/apache/solr/blob/main/solr/core/src/java/org/apache/solr/security/PermissionNameProvider.java#L44-L45
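The following {{security.json}} is an added, constructed example (not part of the issue above and not from the Solr project) that puts the reproduction steps and the workaround together in one file: a {{reader}} user holding only {{config-read}}, an {{admin}} user holding {{all}}, and the reporter's {{list-configsets}} rule granted to the reader's role. The user names, role names and the {{<sha256-hash> <salt>}} credential values are placeholders chosen for this example; JSON has no comments, so those angle-bracket values are the only things to replace with real ones.

```json
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "blockUnknown": true,
    "credentials": {
      "reader": "<sha256-hash> <salt>",
      "admin": "<sha256-hash> <salt>"
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {
        "name": "config-read",
        "role": "config-reader"
      },
      {
        "name": "list-configsets",
        "role": ["config-reader"],
        "collection": null,
        "path": "/admin/configs",
        "params": {
          "action": ["LIST"]
        }
      },
      {
        "name": "all",
        "role": "admin"
      }
    ],
    "user-role": {
      "reader": "config-reader",
      "admin": "admin"
    }
  }
}
```

The rule order matters: Solr's RuleBasedAuthorizationPlugin applies the first permission whose path, collection and params match the request, so the {{list-configsets}} rule is placed before the catch-all {{all}} rule; placing it after {{all}} would leave the reader with the same 403 the report describes. The credential strings are the salted SHA-256 hash pairs the Solr reference guide describes for the BasicAuthPlugin; generate them rather than reusing the placeholders. To check the behaviour, request {{/solr/admin/configs?action=LIST}} as {{reader}} with the {{list-configsets}} rule removed (expect the 403 and the logged {{"name":"all"}} message from the report on 8.8.2) and again with it present (expect the configset list).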