[
https://issues.apache.org/jira/browse/SENTRY-588?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
shenguoquan updated SENTRY-588:
-------------------------------
Description: The Solr schema API allows using a REST API to get the schema
of each collection, including defined field types, fields, dynamic
fields, and copy field declarations. There is a risk that a user can get the
schema of a collection they do not have access to. For example, user1 has no
query privilege on collection collection1, but currently user1 can get the
schema metadata about collection1 by running the command:
curl http://{host}:{port}/solr/collection1/schema
It should deny users from getting the schema information that they don't have
query privilege on.
> The Solr schema read protection with Sentry
> -------------------------------------------
>
> Key: SENTRY-588
> URL: https://issues.apache.org/jira/browse/SENTRY-588
> Project: Sentry
> Issue Type: Improvement
> Reporter: shenguoquan
> Assignee: shenguoquan
>
> The Solr schema API allows using a REST API to get the schema of each
> collection, including defined field types, fields, dynamic fields, and copy
> field declarations. There is a risk that a user can get the schema of a
> collection they do not have access to. For example, user1 has no query
> privilege on collection collection1, but currently user1 can get the schema
> metadata about collection1 by running the command:
> curl http://{host}:{port}/solr/collection1/schema
> It should deny users from getting the schema information that they don't
> have query privilege on.
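The check the issue asks for, sketched as an added example (not Sentry's or Solr's code): schema reads are gated by the same query privilege as searches, and anything unrecognised is denied. The grants table, the handler-to-privilege mapping, the host name and the function names are all assumptions made for illustration.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed grants (assumption): user -> {collection: {privileges}}
GRANTS = {
    "user1": {"collection2": {"query"}},   # nothing on collection1
    "user2": {"collection1": {"query"}},
}

# Hypothetical mapping: first path segment after the collection -> privilege
# required on that collection. "schema" is tied to "query" per the issue.
REQUIRED = {"select": "query", "schema": "query", "update": "update"}


def parse_request(url):
    """Return (collection, handler) for /solr/<collection>/<handler>/..., else None."""
    # Decode and normalise first so "..", "%2e%2e" and "//" cannot point the
    # check at one collection while the request is served from another.
    path = posixpath.normpath(unquote(urlsplit(url).path))
    parts = [p for p in path.split("/") if p]
    if len(parts) < 3 or parts[0] != "solr":
        return None
    return parts[1], parts[2]


def is_allowed(user, url, grants=GRANTS):
    """Deny by default: unparsable paths, unknown handlers, missing grants."""
    parsed = parse_request(url)
    if parsed is None:
        return False
    collection, handler = parsed
    needed = REQUIRED.get(handler)
    if needed is None:
        return False
    return needed in grants.get(user, {}).get(collection, set())


if __name__ == "__main__":
    base = "http://solr.example:8983/solr"   # constructed host
    for user in ("user1", "user2"):
        for path in ("/collection1/schema", "/collection1/schema/fields"):
            print(user, path, "ALLOW" if is_allowed(user, base + path) else "DENY")
```

Covering every sub-path under `/schema` with the same rule matters here, because field types, fields, dynamic fields and copy fields are each readable on their own.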