janhoy commented on code in PR #1851:
URL: https://github.com/apache/solr/pull/1851#discussion_r1301509653
##########
solr/core/src/resources/security.json:
##########
@@ -0,0 +1,74 @@
+{
+ "authentication": {
+ "blockUnknown": true,
+ "class": "solr.BasicAuthPlugin",
+ "credentials": {
+ "user": "5xqM3QvmfKJPaxCNRNgur/iPA+ENqGaMLou0vjRN+U0=
PoIl/rZE4wq+xdDmW3q0y/PctJ28VKIW14RTSU9du84=",
+ "admin": "bGHR1+rT5TVYHVWyZv+bW6ttXnUQDUjD06Avie1SUWQ=
Ut7wdJ0X2+IKgcp7y3DGbJBzxvPnA/YiLa5gmoVqYD0=",
+ "superadmin": "s7518QQL7UNiDNHRqo3PqvYbIts2fKkBDuBBv7Q9+D4=
MraYq5n3JjOl8SXHTH4OFMRb/rqlmt0oKbquw/urdDk="
+ }
+ },
+ "authorization": {
+ "class": "solr.RuleBasedAuthorizationPlugin",
+ "permissions": [{
+ "name": "security-edit",
+ "role": "admin",
+ "index": 1
+ },
+ {
+ "name": "security-read",
+ "role": "admin",
+ "index": 2
+ },
+ {
+ "name": "config-edit",
+ "role": "admin",
+ "index": 3
+ },
+ {
+ "name": "config-read",
+ "role": "admin",
+ "index": 4
+ },
+ {
+ "name": "collection-admin-edit",
+ "role": "admin",
+ "index": 5
+ },
+ {
+ "name": "collection-admin-read",
+ "role": "admin",
+ "index": 6
+ },
+ {
+ "name": "core-admin-edit",
+ "role": "admin",
+ "index": 7
+ },
+ {
+ "name": "core-admin-read",
+ "role": "admin",
+ "index": 8
+ },
+ {
+ "name": "all",
+ "role": [
+ "admin",
+ "superadmin"
Review Comment:
I see you have not mapped superadmin users to anything more than the admin
user, so do we need it? I think perhaps we could reserve `security-edit`
permission to the superadmin, and have all the other config edit permissions
for admin user?
Note also, that permissions like `metrics-read` and `health` will land here
since they are not explicitly defined above. Do we want metrics scraping and
healthcheck to require auth? If so, should there be a `health` user that only
gains access to these? Or should we set `blockUnknown: false` and define these
endpoints as open, unauthenticated?
##########
solr/core/src/resources/security.json:
##########
@@ -0,0 +1,74 @@
+{
+ "authentication": {
+ "blockUnknown": true,
+ "class": "solr.BasicAuthPlugin",
+ "credentials": {
+ "user": "5xqM3QvmfKJPaxCNRNgur/iPA+ENqGaMLou0vjRN+U0=
PoIl/rZE4wq+xdDmW3q0y/PctJ28VKIW14RTSU9du84=",
+ "admin": "bGHR1+rT5TVYHVWyZv+bW6ttXnUQDUjD06Avie1SUWQ=
Ut7wdJ0X2+IKgcp7y3DGbJBzxvPnA/YiLa5gmoVqYD0=",
+ "superadmin": "s7518QQL7UNiDNHRqo3PqvYbIts2fKkBDuBBv7Q9+D4=
MraYq5n3JjOl8SXHTH4OFMRb/rqlmt0oKbquw/urdDk="
+ }
+ },
+ "authorization": {
+ "class": "solr.RuleBasedAuthorizationPlugin",
+ "permissions": [{
+ "name": "security-edit",
+ "role": "admin",
+ "index": 1
+ },
+ {
+ "name": "security-read",
+ "role": "admin",
+ "index": 2
+ },
+ {
+ "name": "config-edit",
+ "role": "admin",
+ "index": 3
+ },
+ {
+ "name": "config-read",
+ "role": "admin",
+ "index": 4
+ },
+ {
+ "name": "collection-admin-edit",
+ "role": "admin",
+ "index": 5
+ },
+ {
+ "name": "collection-admin-read",
+ "role": "admin",
+ "index": 6
+ },
+ {
+ "name": "core-admin-edit",
+ "role": "admin",
+ "index": 7
+ },
+ {
+ "name": "core-admin-read",
+ "role": "admin",
+ "index": 8
+ },
+ {
+ "name": "all",
+ "role": [
+ "admin",
+ "superadmin"
+ ],
+ "index": 9
+ },
+ {
+ "name": "read",
Review Comment:
This permission will never be consulted, as the order is important. When
someone hits a `/foo/select` endpoint, it selects the `READ` predefined
permission, and then Solr evaluates which permission in security.json to use,
starting on top. When it hits the `all` permission it selects it since it
includes read, and thus requires admin or superadmin. Normally `all` should be
the last catch-all permission.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
