janhoy commented on a change in pull request #427: URL: https://github.com/apache/solr/pull/427#discussion_r753723020
########## File path: solr/core/src/test/org/apache/solr/security/BaseTestRuleBasedAuthorizationPlugin.java ########## 
@@ -213,14 +212,14 @@ public void testBasicPermissions() { "userPrincipal", "tim", "handler", new ReplicationHandler(), "collectionRequests", singletonList(new CollectionRequest("mycoll")) ) - , FORBIDDEN); + , STATUS_OK); // Replication requires "READ" permission, which Tim has checkRules(Map.of("resource", ReplicationHandler.PATH, "httpMethod", "POST", "userPrincipal", "cio", "handler", new ReplicationHandler(), "collectionRequests", singletonList(new CollectionRequest("mycoll")) ) - , STATUS_OK); + , FORBIDDEN); // User cio has role 'su' which does not have 'read' permission

Review comment:

The user "cio" has only one role `su` with the `all` permission. Before this PR, he was allowed access since `all` was the governing permission for the request. After the PR, the governing permission becomes `read`, which is defined earlier in the permission list, and since cio lacks that permission, it does not matter that he has the `all` permission, since evaluation stops at the first governing permission. This is a bit confusing, but it is by design and documented.

However, this change may cause people's existing `security.json` configs to behave differently. Typically, relying on some `all` permission at the end of the chain connected to some role no longer catches all these Request Handlers that are now covered by a specific permission, so people may need to adjust role and permission mappings. Perhaps we should spell that out in the change-note.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
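Review bot: the new inline comment on the flipped `cio` expectation, `// User cio has role 'su' which does not have 'read' permission`, understates why the request is now forbidden: role `su` does carry the `all` permission that allowed this request before the change, but `read` is listed earlier and now governs `ReplicationHandler.PATH`, and evaluation stops at the first governing permission, so `all` is never consulted. Suggest stating that in the comment (e.g. "cio's only role 'su' has 'all', but 'read' governs this request and is checked first"), and, because the same first-match ordering silently changes the outcome for any existing security.json that relies on a trailing `all` entry, pairing the expectation change in this hunk with a CHANGES/upgrade note rather than leaving the behaviour change documented only in a test.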
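The first-match evaluation described in the comment above, as an added example that is not part of the PR or of Solr's own code: a small Python model of a security.json "authorization" section that mirrors the test's users ("tim" with a read role, "cio" with only `su` holding `all`) and shows `cio` losing access to `/replication` once `read` governs it, together with a migration helper that copies the catch-all role onto the earlier specific permissions. The `PREDEFINED_PATHS` table, the sample config and the `propagate_catch_all_roles` helper are assumptions of this example, not Solr APIs.

```python
"""
Simplified model of first-match permission evaluation over a Solr security.json
"authorization" section. This is an added example, not Solr's code: it encodes
only the rule the comment above describes (the first permission whose predicates
match a request governs it, and evaluation stops there), so the effect of a
handler moving from a trailing "all" catch-all to an earlier, specific
permission can be checked against a concrete config.
"""
import copy
import json

# ASSUMPTION: the request paths each predefined permission name covers in this
# model. "/replication" sits under "read" to match the hunk's comment that
# replication now requires the READ permission. Real Solr resolves predefined
# names to handler sets internally; this table only stands in for that.
PREDEFINED_PATHS = {
    "read": {"/select", "/get", "/replication"},
    "update": {"/update"},
}

# Constructed security.json fragment shaped like the test in the hunk: "tim"
# holds a role granted "read", "cio" holds only role "su" granted the "all"
# catch-all, and "all" comes last in the list.
BEFORE = json.loads("""
{
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {"tim": ["reader"], "cio": ["su"]},
    "permissions": [
      {"name": "read", "role": ["reader"]},
      {"name": "all",  "role": ["su"]}
    ]
  }
}
""")


def _as_list(value):
    """Normalise a field that may be a string, a list or absent to a list.
    Solr's special role values are not modelled here."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _matches(perm, path):
    """A permission matches when it is the "all" catch-all, lists the path
    explicitly, or is a predefined name whose path set contains the path."""
    name = perm.get("name")
    if name == "all" or path in _as_list(perm.get("path")):
        return True
    return path in PREDEFINED_PATHS.get(name, ())


def governing_permission(permissions, path):
    """First permission in list order that matches the path, or None."""
    for perm in permissions:
        if _matches(perm, path):
            return perm
    return None


def authorize(config, user, path):
    """Return "OK" or "FORBIDDEN" for user requesting path under config.
    Only the governing permission's roles are consulted: a later permission
    that would have allowed the user is never reached, which is what the
    hunk's flipped expectation for "cio" encodes."""
    authz = config["authorization"]
    user_roles = set(authz.get("user-role", {}).get(user, []))
    perm = governing_permission(authz["permissions"], path)
    if perm is None:
        return "OK"  # nothing restricts this resource in the model
    return "OK" if user_roles & set(_as_list(perm.get("role"))) else "FORBIDDEN"


def propagate_catch_all_roles(config):
    """Migration helper, an assumption of this example rather than a Solr
    feature: copy the roles of the first "all" permission onto every
    permission listed before it, so users who relied on the catch-all keep
    their access once a handler is governed by an earlier specific permission."""
    new = copy.deepcopy(config)
    perms = new["authorization"]["permissions"]
    for catch_all in perms:
        if catch_all.get("name") == "all":
            break
    else:
        return new  # no catch-all: nothing to propagate
    extra = _as_list(catch_all.get("role"))
    for perm in perms:
        if perm is catch_all:
            break
        roles = _as_list(perm.get("role"))
        perm["role"] = roles + [r for r in extra if r not in roles]
    return new


AFTER = propagate_catch_all_roles(BEFORE)

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for user in ("tim", "cio"):
            print(label, user, "/replication", authorize(cfg, user, "/replication"))
```

Under `BEFORE`, `tim` is allowed on `/replication` and `cio` is forbidden, exactly the two expectations the hunk changes; under `AFTER`, `cio` is allowed again because `su` now appears on the `read` entry that governs the request, while `tim` is still forbidden on `/update`, which only the trailing `all` entry covers. Running the helper over a real config is a blunt instrument (it widens every earlier permission to the catch-all role), so review the result rather than applying it blindly.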