[GitHub] [solr] janhoy commented on a change in pull request #427: SOLR-11623 Every request handler - PermissionNameProvider (Take 2)

Sat, 20 Nov 2021 14:47:31 -0800 


janhoy commented on a change in pull request #427:
URL: https://github.com/apache/solr/pull/427#discussion_r753723020



##########
File path: 
solr/core/src/test/org/apache/solr/security/BaseTestRuleBasedAuthorizationPlugin.java
##########
@@ -213,14 +212,14 @@ public void testBasicPermissions() {
         "userPrincipal", "tim",
         "handler", new ReplicationHandler(),
         "collectionRequests", singletonList(new CollectionRequest("mycoll")) )
-        , FORBIDDEN);
+        , STATUS_OK); // Replication requires "READ" permission, which Tim has
 
     checkRules(Map.of("resource", ReplicationHandler.PATH,
         "httpMethod", "POST",
         "userPrincipal", "cio",
         "handler", new ReplicationHandler(),
         "collectionRequests", singletonList(new CollectionRequest("mycoll")) )
-        , STATUS_OK);
+        , FORBIDDEN); // User cio has role 'su' which does not have 'read' 
permission

Review comment:
       The user "cio" has only one role `su` with the `all` permission.
   
   Before this PR, he was allowed access since `all` was the governing 
permission for the request. After the PR, the governing permission becomes 
`read` which is defined earlier in the permission list, and since cio lacks 
that permission, it does not matter that he has the `all` permission, since 
evaluation stops at the first governing permission.
   
   This is a bit confusing, but it is by design and documented. However, this 
change may cause people's existing `security.json` configs to behave 
differently. Typically relying on some `all` permission at the end of the chain 
connected to some role is no longer catching all these Request Handlers that 
are now covered by a specific permission, so people may need to adjust role and 
permission mappings to adjust.
   
   Perhaps we should spell that out in the change-note.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org

Reply via email to