janhoy commented on code in PR #2040:
URL: https://github.com/apache/solr/pull/2040#discussion_r1380254600


##########
solr/core/src/java/org/apache/solr/security/Permission.java:
##########
@@ -52,18 +53,21 @@ static Permission load(Map<?, ?> m) {
     p.role = readValueAsSet(m, "role");
     if (PermissionNameProvider.Name.get(name) != null) {
       p.wellknownName = PermissionNameProvider.Name.get(name);
-      HashSet<String> disAllowed = new HashSet<>(knownKeys);
-      disAllowed.remove("role"); // these are the only
-      disAllowed.remove(NAME); // allowed keys for well-known permissions
-      disAllowed.remove("collection"); // allowed keys for well-known 
permissions
-      disAllowed.remove("index");
-      for (String s : disAllowed) {
+      for (String s : customPermissionAdditionalKeys) {
         if (m.containsKey(s))
           throw new SolrException(
               SolrException.ErrorCode.BAD_REQUEST,
               s + " is not a valid key for the permission : " + name);
       }
+    } else if 
(customPermissionAdditionalKeys.stream().noneMatch(m::containsKey)) {
+      // Custom permissions must contain one of the additional keys to be valid
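Review bot: The `else if` at the end of this hunk treats a custom permission as valid as soon as any single entry of `customPermissionAdditionalKeys` is present, because `noneMatch(m::containsKey)` only rejects a map that has none of them. If the intent is that a custom permission must identify what it protects, test the required key directly instead of relying on set membership, and extend the comment to say which key is mandatory. Separately, the removed lines documented the keys allowed for well-known permissions (`role`, `NAME`, `collection`, `index`). With the loop now reading from `customPermissionAdditionalKeys`, that information is no longer visible at this point, so a short comment in the well-known branch, or Javadoc on the constant, would keep it discoverable.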

Review Comment:
   Yea, not sure the docs are precise here. How can you configure a custom 
permission without a `path`? Like the below one, it does not make sense as it 
does not define what endpoint to protect. You'd need a `"path": "/select"` for 
that:
   
   ```json
   { "name": "myColl", "role": "admin", "collection": "test" }
   ```
   
   And for a custom admin request (no collection), it makes no sense to specify 
"method" or "params" without a "path":
   
   ```json
   { "name": "myAdmin", "role": "admin", "method": "GET" }
   ```
   
   Thus I believe we must require a `path` config for custom perms.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.