SOLR-15626

config-read permission does not allow access to /solr/admin/configs?action=LIST


Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 8.8
    • Fix Version/s: 9.0, 8.11
    • Component/s: Authorization
    • Labels: None

    Description

      Overview

      The /solr/admin/configs?action=LIST endpoint is not available when the user has the config-read permission.

      Steps to Reproduce

      1. Create a security.json file that defines:
        1. a user with the config-read permission, but not the all permission.
        2. a separate user with the all permission
      2. Using the first user, attempt to hit the /solr/admin/configs?action=LIST endpoint

      Expected

      The user is able to access the endpoint.

      Actual

      The request fails with a 403 and the following is logged:

      This resource is configured to have a permission {
         "name":"all",
         "role":"admin"}

      Workaround

      The following can be added to the security.json file to provide the required permission to the desired roles:

      {
          "name": "list-configsets",
          "role": ["someRole"],
          "collection": null,
          "path": "/admin/configs",
          "params": {
              "action": ["LIST"]
           }
      }
      

      Suggested fix

      I believe the issue is that the config-read permission is configured with only the "*" collection, but it should have "*" and null like the config-edit permission to allow it to be applied to routes that are not tied to a collection (e.g. solr/admin/configs?action=LIST).
      https://github.com/apache/solr/blob/main/solr/core/src/java/org/apache/solr/security/PermissionNameProvider.java#L44-L45
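An added check, not from the issue or from Solr's own code, that walks the authorization section of a security.json and reports which roles and users would still receive a 403 on /solr/admin/configs?action=LIST under the behaviour described above. The users, roles and JSON are constructed for the example; a custom rule is counted as covering the path only when it explicitly sets collection to null, as the workaround does.

```python
import json

# Constructed security.json "authorization" section (not from the issue): alice
# relies on the predefined config-read permission, bob gets the explicit
# list-configsets workaround, and admin has the predefined all permission.
SECURITY_JSON = json.dumps({
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "user-role": {"alice": ["config-reader"], "bob": ["listers"], "admin": ["admin"]},
        "permissions": [
            {"name": "config-read", "role": "config-reader"},
            {"name": "list-configsets", "role": ["listers"], "collection": None,
             "path": "/admin/configs", "params": {"action": ["LIST"]}},
            {"name": "all", "role": "admin"},
        ],
    }
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def roles_allowed_to_list_configsets(security_json: str) -> set:
    """Roles whose rules cover /admin/configs?action=LIST on an affected Solr.

    Mirrors SOLR-15626: the predefined config-read rule is bound to collection
    "*" only, so it never matches this collection-less path. A custom rule
    counts only if it explicitly sets collection to null, names the
    /admin/configs path and has no "params" or lists LIST under "action".
    """
    allowed = set()
    for perm in json.loads(security_json)["authorization"]["permissions"]:
        roles = _as_list(perm.get("role", []))
        if perm["name"] == "all":
            allowed.update(roles)  # predefined catch-all rule
        elif "path" not in perm:
            continue  # other predefined rules, config-read included: no match
        elif None not in _as_list(perm.get("collection", "*")):
            continue  # collection-bound rule cannot match a collection-less path
        elif perm["path"] == "/admin/configs":
            actions = perm.get("params", {}).get("action")
            if actions is None or "LIST" in _as_list(actions):
                allowed.update(roles)
    return allowed


def users_denied_configset_list(security_json: str) -> list:
    """Users none of whose roles cover the LIST endpoint (they would get a 403)."""
    auth = json.loads(security_json)["authorization"]
    allowed = roles_allowed_to_list_configsets(security_json)
    return sorted(user for user, roles in auth["user-role"].items()
                  if not allowed.intersection(_as_list(roles)))
```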

      People

        epugh David Eric Pugh
        JSench Jonathan J Senchyna

        Votes: 0
        Watchers: 3

      Time Tracking

        Time Spent: 5h 20m