[SOLR-15768] Tune zookeeper request handler permissions (8x) - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 8.11.1
Component/s: security
Labels:
None

Description

See ~~SOLR-11623~~ for 9.x fixes in this space. This Jira is to apply sane permission default to /admin/zookeeper?path=/security.json and /api/cluster/zk/data/security.json so users will need "security-read" permission to see that data across the board. Users already need this permission to use the /api/cluster/security/authentication API.

NOTE that this was not a bug as such, but since these endpoints did not have an attached permission, they would remain unprotected, if the user did not define custom path-based permissions for the handlers, or alternatively applied an "all" permission at the end of the chain. This could be surprising to users, especially if they already included the predefined "zk-read" and "security-read" permissions in their chain, but they did not apply to these handlers.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

SOLR-15768.patch
04/Nov/21 10:44
4 kB
Noble Paul

Issue Links

is related to

SOLR-10100 Hiding credentials from security.json when retrieving through /admin/zookeeper

Resolved

links to

GitHub Pull Request #2604

Activity

People

Assignee:: Jan Høydahl

Reporter:: Jan Høydahl

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 04/Nov/21 09:43

Updated:: 16/Dec/21 14:14

Resolved:: 19/Nov/21 09:04

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

20m