Details
- Type: Bug
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: 8.8
- Fix Version/s: None
Description
Overview
The /solr/admin/configs?action=LIST endpoint is not available when the user has the config-read permission.
Steps to Reproduce
- Create a security.json file that defines:
  - a user with the config-read permission, but not the all permission
  - a separate user with the all permission
- Using the first user, attempt to hit the /solr/admin/configs?action=LIST endpoint
Expected
The user is able to access the endpoint.
Actual
The request fails with a 403 and the following is logged:
This resource is configured to have a permission { "name":"all", "role":"admin"}
Workaround
The following can be added to the security.json file to provide the required permission to the desired roles:
{ "name": "list-configsets", "role": ["someRole"], "collection": null, "path": "/admin/configs", "params": { "action": ["LIST"] } }
Suggested fix
I believe the issue is that the config-read permission is configured with only the "*" collection, but it should have "*" and null like the config-edit permission, to allow it to be applied to routes that are not tied to a collection (e.g. /solr/admin/configs?action=LIST).
https://github.com/apache/solr/blob/main/solr/core/src/java/org/apache/solr/security/PermissionNameProvider.java#L44-L45
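A complete security.json that puts the workaround and the suggested fix above in context, as an added example that is not part of this issue or of the Solr project: two users, one mapped to a role that holds only config-read plus the custom list-configsets permission, one mapped to the role that holds all. The usernames, role names and the shared example password are assumptions; the credential string is the salted SHA-256 hash that the Solr reference guide publishes for the example password "SolrRocks".

```json
{
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "solr": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=",
      "config-reader": "IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      { "name": "config-read", "role": "reader" },
      { "name": "list-configsets", "role": ["reader"], "collection": null, "path": "/admin/configs", "params": { "action": ["LIST"] } },
      { "name": "all", "role": "admin" }
    ],
    "user-role": {
      "solr": "admin",
      "config-reader": "reader"
    }
  }
}
```

The custom permission is listed before all because permissions are evaluated in order and the first match wins; placed after all it would never be reached for the admin path. With this file uploaded, `curl -u config-reader:SolrRocks "http://localhost:8983/solr/admin/configs?action=LIST"` returns the configset list instead of the 403 described above, while the same user still receives a 403 on config-edit actions such as action=UPLOAD. Once the config-read predefined permission carries the null collection as the suggested fix proposes, the list-configsets entry becomes redundant and can be removed.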
Issue Links
- links to
It appears the config-edit permission has been properly configured since 6.6/7.0: SOLR-6736.