Solr / SOLR-15626

config-read permission does not allow access to /solr/admin/configs?action=LIST

Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 8.8
    • Fix Version/s: 9.0, 8.11
    • Component/s: Authorization
    • Labels: None

    Description

      Overview

      The /solr/admin/configs?action=LIST endpoint is not available when the user has the config-read permission.

      Steps to Reproduce

      1. Create a security.json file that defines:
        1. a user with the config-read permission, but not the all permission.
        2. a separate user with the all permission
      2. Using the first user, attempt to hit the /solr/admin/configs?action=LIST endpoint

      Expected
      The user is able to access the endpoint.
      Actual
      The request fails with a 403 and the following is logged:

      This resource is configured to have a permission {
         "name":"all",
         "role":"admin"}
      

      Workaround

      The following can be added to the security.json file to provide the required permission to the desired roles:

      {
          "name": "list-configsets",
          "role": ["someRole"],
          "collection": null,
          "path": "/admin/configs",
          "params": {
              "action": ["LIST"]
          }
      }
      

      Suggested fix

      I believe the issue is that the config-read permission is configured with only the "*" collection, but it should have "*" and null like the config-edit permission to allow it to be applied to routes that are not tied to a collection (e.g. solr/admin/configs?action=LIST).
      https://github.com/apache/solr/blob/main/solr/core/src/java/org/apache/solr/security/PermissionNameProvider.java#L44-L45

          Activity

            JSench Jonathan J Senchyna added a comment - It appears the config-edit permission has been properly configured since 6.6/7.0: SOLR-6736.

            jira-bot ASF subversion and git services added a comment - Commit d013e9b485659bcf3366e4b433d69b3b60195b89 in solr's branch refs/heads/main from Jon Senchyna
            [ https://gitbox.apache.org/repos/asf?p=solr.git;h=d013e9b ]

            SOLR-15626: Fix `config-read` permission. (#296)

            • SOLR-15626: Fix `config-read` permission. The `config-read` permission was not including the `null` collection, preventing it from being matched on endpoints like `/admin/configs?action=LIST`, as they are not associated with a specific collection.

            jira-bot ASF subversion and git services added a comment - Commit 1174b32e17034cb54b9d98ae4016bfc37a8f8191 in lucene-solr's branch refs/heads/branch_8x from epugh@opensourceconnections.com
            [ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=1174b32 ]

            backport SOLR-15626
            jpountz Adrien Grand added a comment - Closing after the 8.11 release

            People

              Assignee: epugh Eric Pugh
              Reporter: JSench Jonathan J Senchyna
              Votes: 0
              Watchers: 3

              Time Tracking

                Time Spent: 5h 20m