I didn't include the collection name in my abbreviated URL, but it is a required parameter on DELETEREPLICA requests, yep.
Historically, DELETEREPLICA is covered by the "collection-admin-edit" predefined permission, which is usually given to admins. Which is consistent with our other cluster-topology-modifying APIs. That predefined permission isn't collection-scoped afaik, though users should be able to define custom permissions that would be collection scoped. Of course, authorization around this API is necessary but not sufficient from a safety standpoint. It may or may not be a good idea to let even authorized users nuke N replicas without specifying the replica-type they want deleted, for instance. Best, Jason --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@solr.apache.org For additional commands, e-mail: dev-h...@solr.apache.org