Details
-
Improvement
-
Status: Closed
-
Major
-
Resolution: Fixed
-
None
-
None
Description
Admin UI does not really know about what the current logged in user should have access to and not, and it just throws some error messages if you attempt to do stuff you are not authorized to. The upcoming SOLR-11623 will also add further permissions to some APIs that are commonly used from admin UI.
I propose that we do the following:
- Add to /admin/info/system a list of predefined permissions that the logged-in user has assigned (now we only list the roles)
- Admin UI will always require permissions config-read, core-read and coll-read. If either the /admin/info/system call fails or the three permissions are not present, the Admin UI shows a message "You do not have sufficient permissions to use the Admin UI"
See the attached matrix (or google spreadsheet) of permissions required for each section of the Admin UI. Use this matrix to restrict access to various Admin UI screens or buttons, depending on user's permissions:
- Cloud/Tree/Graph: Disable if not zk-read
- Schema-designer: Stop probing with ajax call, check permission list instead
- Documents tab: Disable the whole tab or only the "Submit document" button if not update permission
- Query/Stream/SQL/Schema: Disable tabs or buttons if not read permission
- Schema: Disable buttons if not schema-edit permission
- Core overview: Disable if not health and read permissions
- Ping: Disable if not health permission
- Plugin/Stats & Segments-info: Disable if not metrics-read permission
Timothy Potter ping
Attachments
Attachments
Issue Links
- breaks
-
SOLR-16527 RuleBasedAuthorizationPluginBase NPE
-
- Closed
-
- is required by
-
-
- Closed
-
- requires
-
-
- Closed
-
- links to
