[ https://issues.apache.org/jira/browse/SOLR-15626?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jonathan J Senchyna updated SOLR-15626:
---------------------------------------
    Affects Version/s: 8.8
                           (was: 8.8.2)

> config-read permission does not allow access to /solr/admin/configs?action=LIST
> -------------------------------------------------------------------------------
>
>                 Key: SOLR-15626
>                 URL: https://issues.apache.org/jira/browse/SOLR-15626
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public)
>          Components: Authorization
>    Affects Versions: 8.8
>            Reporter: Jonathan J Senchyna
>            Priority: Minor
>          Time Spent: 10m
>   Remaining Estimate: 0h
>
> h2. Overview
> The {{/solr/admin/configs?action=LIST}} endpoint is not available when the user has the {{config-read}} permission.
>
> h2. Steps to Reproduce
> # Create a {{security.json}} file that defines:
> ## a user with the {{config-read}} permission, but _not_ the {{all}} permission.
> ## a separate user with the {{all}} permission
> # Using the first user, attempt to hit the {{/solr/admin/configs?action=LIST}} endpoint
>
> *Expected*
> The user is able to access the endpoint.
>
> *Actual*
> The request fails with a 403 and the following is logged:
> {code:java}
> This resource is configured to have a permission {
>   "name":"all",
>   "role":"admin"}
> {code}
>
> h2. Workaround
> The following can be added to the {{security.json}} file to provide the required permission to the desired roles:
> {code:java}
> {
>   "name": "list-configsets",
>   "role": ["someRole"],
>   "collection": null,
>   "path": "/admin/configs",
>   "params": {
>     "action": ["LIST"]
>   }
> }
> {code}
>
> h2. Suggested fix
> I believe the issue is that the {{config-read}} permission is configured with only the {{"*"}} collection, but it should have {{"*"}} _and_ {{null}} like the {{config-edit}} permission to allow it to be applied to routes that are not tied to a collection (e.g. {{solr/admin/configs?action=LIST}}).
>
> [https://github.com/apache/solr/blob/main/solr/core/src/java/org/apache/solr/security/PermissionNameProvider.java#L44-L45]

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
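The following is an added illustration, not code from Solr or from the reporter: a small Python model of the first-match rule evaluation the report describes, run against a constructed security.json that mirrors the reproduction steps. It assumes the collection scopes stated in the issue (config-read covering only "*", config-edit and all covering "*" and null), a constructed table of which predefined permission the configset handler asks for per action, and that a request matched by no rule is permitted; none of this is taken from Solr's implementation. It shows why the reader role is denied by the "all" rule, why the workaround entry with "collection": null fixes it without also granting UPLOAD, and why widening config-read's scope would make the workaround unnecessary.

```python
"""Simplified model of first-match permission evaluation for SOLR-15626.

Example code added here, not Solr's RuleBasedAuthorizationPlugin. Scopes,
handler table and the no-match default are assumptions for this model.
"""
import json

# Collection scopes of the predefined names relevant to the issue (assumed, per
# the report): "*" = any named collection, None = request not tied to a collection.
PREDEFINED_SCOPE = {
    "config-read": {"*"},          # only "*": the defect the issue reports
    "config-edit": {"*", None},
    "all": {"*", None},
}

# Which predefined permission a handler requests per action (constructed table).
HANDLER_PERMISSION = {
    ("/admin/configs", "LIST"): "config-read",
    ("/admin/configs", "UPLOAD"): "config-edit",
}


def collection_scope(perm):
    """Explicit "collection" key wins; otherwise use the predefined scope."""
    if "collection" in perm:
        c = perm["collection"]
        if c is None:
            return {None}
        return set(c) if isinstance(c, list) else {c}
    return PREDEFINED_SCOPE.get(perm["name"], {"*"})


def scope_covers(scope, collection):
    if collection is None:
        return None in scope
    return "*" in scope or collection in scope


def permission_matches(perm, req):
    if not scope_covers(collection_scope(perm), req.get("collection")):
        return False
    if "path" in perm:  # custom permission: path plus every listed param
        if perm["path"] != req["path"]:
            return False
        for key, allowed in (perm.get("params") or {}).items():
            allowed = allowed if isinstance(allowed, list) else [allowed]
            if req.get("params", {}).get(key) not in allowed:
                return False
        return True
    # predefined permission: match on the name the handler asks for
    asked = HANDLER_PERMISSION.get((req["path"], req.get("params", {}).get("action")))
    return perm["name"] == "all" or perm["name"] == asked


def authorize(security, roles, req):
    """First matching rule decides; no match => permitted (assumed default)."""
    for perm in security["authorization"]["permissions"]:
        if permission_matches(perm, req):
            allowed = perm.get("role")
            if allowed is None:
                return True, perm["name"]
            allowed = allowed if isinstance(allowed, list) else [allowed]
            return any(r in allowed for r in roles), perm["name"]
    return True, None


# Constructed security.json following the issue's reproduction steps.
SECURITY = json.loads("""{
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {"reader": "config-reader", "solradmin": "admin"},
    "permissions": [
      {"name": "config-read", "role": "config-reader"},
      {"name": "all", "role": "admin"}
    ]
  }
}""")

# The issue's workaround entry, with the role name from the constructed file.
WORKAROUND = {"name": "list-configsets", "role": ["config-reader"], "collection": None,
              "path": "/admin/configs", "params": {"action": ["LIST"]}}

LIST_REQ = {"path": "/admin/configs", "params": {"action": "LIST"}, "collection": None}
UPLOAD_REQ = {"path": "/admin/configs", "params": {"action": "UPLOAD"}, "collection": None}
READER = ["config-reader"]


def reproduce():
    """As reported: config-read never matches a collection-less request, "all" denies."""
    return authorize(SECURITY, READER, LIST_REQ)


def with_workaround(req=LIST_REQ):
    sec = json.loads(json.dumps(SECURITY))
    sec["authorization"]["permissions"].insert(0, WORKAROUND)
    return authorize(sec, READER, req)


def with_fix():
    """Suggested fix: give config-read the same "*" and null scope as config-edit."""
    saved = PREDEFINED_SCOPE["config-read"]
    PREDEFINED_SCOPE["config-read"] = {"*", None}
    try:
        return authorize(SECURITY, READER, LIST_REQ)
    finally:
        PREDEFINED_SCOPE["config-read"] = saved


if __name__ == "__main__":
    print("as reported      :", reproduce())
    print("workaround, LIST :", with_workaround())
    print("workaround, UPLOAD:", with_workaround(UPLOAD_REQ))
    print("suggested fix    :", with_fix())
```

The workaround entry is placed before the "all" rule because evaluation stops at the first match; the UPLOAD check confirms that its "params" restriction keeps the grant limited to listing.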