[jira] [Commented] (SOLR-11623) Every request handler in Solr should implement PermissionNameProvider interface

Mon, 25 Oct 2021 04:31:26 -0700 


    [ 
https://issues.apache.org/jira/browse/SOLR-11623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17433701#comment-17433701
 ] 

Jan Høydahl commented on SOLR-11623:
------------------------------------

I tried adding PermissionNameProvider to RequestHandlerBase and got compilation 
error for these 23 handlers:
{code:java}
ReplicationHandler
ReloadCacheRequestHandler
HealthCheckHandler
InfoHandler
PublicKeyHandler
PropertiesRequestHandler
ThreadDumpHandler
LoggingHandler
SystemInfoHandler
SolrInfoMBeanHandler
LukeRequestHandler
MetricsCollectorHandler
SegmentsInfoRequestHandler
PluginInfoHandler
ZookeeperInfoHandler
ZookeeperStatusHandler
FieldAnalysisRequestHandler
MoreLikeThisHandler
DumpRequestHandler
NotFoundRequestHandler
DocumentAnalysisRequestHandler
TaggerRequestHandler
PingRequestHandler {code}
To not end up in the same situation later, the safest is to add the interface 
to RequestHandlerBase and then choose a proper permission for all the above - 
and choose ALL if the information should be open for all. 9.0 is a good time to 
do this, as we change a very central programming API. Users with custom 
RequestHandlers will need to revisit their custom handlers for 9.0

> Every request handler in Solr should implement PermissionNameProvider 
> interface
> -------------------------------------------------------------------------------
>
>                 Key: SOLR-11623
>                 URL: https://issues.apache.org/jira/browse/SOLR-11623
>             Project: Solr
>          Issue Type: Improvement
>    Affects Versions: 7.1
>            Reporter: Hrishikesh Gadre
>            Priority: Major
>
> Solr authorization framework expects request handler to implement 
> PermissionNameProvider interface so that the type of the permission for the 
> request can be extracted. Currently not all request handlers implement 
> PermissionNameProvider, requiring authorization plugin implementation to 
> check this case explicitly and return OK. During code review of SENTRY-1475, 
> this issue was discussed. Since  PermissionNameProvider.Name enum provides 
> "ALL" permission type, it should be possible to have every request handler to 
> implement PermissionNameProvider interface and provide "ALL" permission type 
> if no authorization checks are necessary.
> The secondary benefit of this work would be that we can review all the 
> request handlers and ensure that we aren't missing authorization support for 
> any request handlers which provide sensitive information.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org

Reply via email to