The /solr/admin/configs?action=LIST endpoint is not available when the user has the config-read permission.
- Create a security.json file that defines:
- a user with the config-read permission, but not the all permission.
- a separate user with the all permission
- Using the first user, attempt to hit the /solr/admin/configs?action=LIST endpoint
The user is able to access the endpoint.
The request fails with a 403 and the following is logged:
The following can be added to the security.json file to provide the required permission to the desired roles:
I believe the issue is that the config-read permission is configured with only the "*" collection, but it should have "*" and null like the config-edit permission to allow it to be applied to routes that are not tied to a collection (e.g. solr/admin/configs?action=LIST).