Gregory Chanan created SENTRY-989:
-------------------------------------
Summary: RealTimeGet with explicit ids can bypass document level
authorization
Key: SENTRY-989
URL: https://issues.apache.org/jira/browse/SENTRY-989
Project: Sentry
Issue Type: Bug
Components: Solr Plugin
Affects Versions: 1.5.1
Reporter: Gregory Chanan
Assignee: Gregory Chanan
Priority: Critical
Fix For: 1.7.0
RealTimeGet just ignores filter queries currently in Solr (see SOLR-8436), which
is how document level security is implemented, so if you can guess the document
ids, you can access them.

Since we probably don't want to wait for a Solr version with SOLR-8436 to be
released, we should come up with a temporary workaround.