[ https://issues.apache.org/jira/browse/SOLR-11623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17445899#comment-17445899 ]
ASF subversion and git services commented on SOLR-11623:
--------------------------------------------------------

Commit e90f50fb070fc87e8929ba9a67a1499b7d3a3da0 in solr's branch refs/heads/main from Jan Høydahl
[ https://gitbox.apache.org/repos/asf?p=solr.git;h=e90f50f ]

SOLR-11623 Every request handler in Solr implement PermissionNameProvider (#372)

* Make HEALTH_PERM apply to both node and collection-level
* Require CONFIG_EDIT_PERM when changing logging level
* Different access level to /security.json
* Require config-read for dump handler only when remote streaming is enabled
* Info-handler needs to delegate permissionName to sub handler
* Metrics permission both on system and collection level
* Add new health handler to UI list
* Admin UI display error on HTTP 403
* Add documentation for health permission, as well as new endpoints protected by metrics-read permission

> Every request handler in Solr should implement PermissionNameProvider interface
> -------------------------------------------------------------------------------
>
>                 Key: SOLR-11623
>                 URL: https://issues.apache.org/jira/browse/SOLR-11623
>             Project: Solr
>          Issue Type: Improvement
>   Affects Versions: 7.1
>            Reporter: Hrishikesh Gadre
>            Assignee: Jan Høydahl
>            Priority: Blocker
>             Fix For: main (9.0)
>
>          Time Spent: 7h
>  Remaining Estimate: 0h
>
> Solr authorization framework expects request handler to implement
> PermissionNameProvider interface so that the type of the permission for the
> request can be extracted. Currently not all request handlers implement
> PermissionNameProvider, requiring authorization plugin implementation to
> check this case explicitly and return OK. During code review of SENTRY-1475,
> this issue was discussed. Since PermissionNameProvider.Name enum provides
> "ALL" permission type, it should be possible to have every request handler to
> implement PermissionNameProvider interface and provide "ALL" permission type
> if no authorization checks are necessary.
> The secondary benefit of this work would be that we can review all the
> request handlers and ensure that we aren't missing authorization support for
> any request handlers which provide sensitive information.
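
A simplified model of the gap the issue describes, added here as an illustration and not code from the Solr project or from the commit: a handler that exposes no permission name forces the plugin to return OK, while one that declares a name can be checked. The types `Handler`, `LegacyLoggingHandler`, `LoggingHandler`, `NoCheckHandler` and the `authorize` method are hypothetical stand-ins, and treating `ALL` as "no check needed" follows the issue text rather than Solr's plugin code.

```java
import java.util.EnumSet;
import java.util.Set;

// Simplified model for illustration; none of these types are Solr's own classes.
public class PermissionNameDemo {
    enum Name { ALL, CONFIG_EDIT_PERM, HEALTH_PERM }

    interface Handler { String path(); }
    interface PermissionNameProvider { Name getPermissionName(); }

    // "Before": an endpoint that exposes no permission name at all.
    record LegacyLoggingHandler(String path) implements Handler {}

    // "After": the same endpoint declares what it needs (CONFIG_EDIT_PERM for
    // changing the logging level, as listed in the commit message).
    record LoggingHandler(String path) implements Handler, PermissionNameProvider {
        public Name getPermissionName() { return Name.CONFIG_EDIT_PERM; }
    }

    // A handler that needs no check declares ALL, as the issue text proposes.
    record NoCheckHandler(String path) implements Handler, PermissionNameProvider {
        public Name getPermissionName() { return Name.ALL; }
    }

    // Plugin-side decision. The first branch is the special case from the issue:
    // with no permission name there is nothing to evaluate, so the result is OK.
    static boolean authorize(Handler h, Set<Name> granted) {
        if (!(h instanceof PermissionNameProvider p)) {
            return true; // fail-open
        }
        Name needed = p.getPermissionName();
        return needed == Name.ALL || granted.contains(needed);
    }

    public static void main(String[] args) {
        // Constructed sample grants and paths.
        Set<Name> monitor = EnumSet.of(Name.HEALTH_PERM);
        Set<Name> admin = EnumSet.of(Name.HEALTH_PERM, Name.CONFIG_EDIT_PERM);
        Handler[] handlers = {
            new LegacyLoggingHandler("/example/logging"),
            new LoggingHandler("/example/logging"),
            new NoCheckHandler("/example/open"),
        };
        for (Handler h : handlers) {
            System.out.printf("%-22s monitor=%-5b admin=%b%n",
                h.getClass().getSimpleName(), authorize(h, monitor), authorize(h, admin));
        }
    }
}
```

Run with `java PermissionNameDemo.java` on Java 17 or later. The legacy handler is allowed for the `monitor` grant set even though it lacks `CONFIG_EDIT_PERM`; the handler that declares its permission is denied for the same caller.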