Details
-
Bug
-
Status: Closed
-
Minor
-
Resolution: Fixed
-
8.8
-
None
Description
Overview
The /solr/admin/configs?action=LIST endpoint is not available when the user has the config-read permission.
Steps to Reproduce
- Create a security.json file that defines:
- a user with the config-read permission, but not the all permission.
- a separate user with the all permission
- Using the first user, attempt to hit the /solr/admin/configs?action=LIST endpoint
Expected
The user is able to access the endpoint.
Actual
The request fails with a 403 and the following is logged:
This resource is configured to have a permission {
"name":"all",
"role":"admin"}
Workaround
The following can be added to the security.json file to provide the required permission to the desired roles:
{
"name": "list-configsets",
"role": ["someRole"],
"collection": null,
"path": "/admin/configs",
"params": {
"action": ["LIST"]
}
}
Suggested fix
I believe the issue is that the config-read permission is configured with only the "*" collection, but it should have "*" and null like the config-edit permission to allow it to be applied to routes that are not tied to a collection (e.g. solr/admin/configs?action=LIST).
https://github.com/apache/solr/blob/main/solr/core/src/java/org/apache/solr/security/PermissionNameProvider.java#L44-L45
Attachments
Issue Links
- links to
