janhoy opened a new issue, #436: URL: https://github.com/apache/solr-operator/issues/436
The default `security.json` generated by the operator has full CollectionAPI access, see https://github.com/apache/solr-operator/blob/84a7781e498a92a66d62eac2a3515c1646bd5ce6/controllers/util/solr_security_util.go#L351

Since the operator typically is using BasicAuth, which is less secure than other auth methods, it could make sense to explicitly limit the `action`s the `k8s` role can do on the collection API, i.e. not allow that BasicAuth user to create or delete collections. This can be done by adding a `params` limitation to the custom permission, e.g.

```json
{
  "name": "k8s-status",
  "role": "k8s",
  "collection": null,
  "path": "/admin/collections",
  "params": {
    "action": ["LIST", "CLUSTERSTATUS", "OVERSEERSTATUS", "BACKUP"]
  }
}
```
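The following is an added example, not code from the issue or from the solr-operator project: a small audit that reads a `security.json` and flags any permission granting the `k8s` role collection-mutating actions on `/admin/collections`, shown against a constructed unrestricted permission and the narrowed `k8s-status` permission from the issue. The set of "mutating" actions and the two sample documents are assumptions made for the audit.

```python
import json

# Collections API actions that change cluster state. Which actions count as
# "mutating" is an assumption for this audit, not a Solr-defined list.
MUTATING_ACTIONS = {"CREATE", "DELETE", "RELOAD", "SPLITSHARD", "DELETESHARD",
                    "ADDREPLICA", "DELETEREPLICA", "MODIFYCOLLECTION", "RESTORE"}
# Solr's predefined permission names that cover /admin/collections.
COLLECTION_ADMIN_NAMES = {"all", "collection-admin-edit"}


def _roles(perm):
    """Normalise `role` (string, list or null) to a set of role names."""
    role = perm.get("role")
    return set() if role is None else ({role} if isinstance(role, str) else set(role))


def audit_collection_admin(security, role="k8s"):
    """Return one finding per permission that lets `role` mutate collections.

    A permission with a null role is treated as matching every role, which
    is the conservative choice for an audit.
    """
    findings = []
    for perm in security.get("authorization", {}).get("permissions", []):
        covers = (perm.get("path") == "/admin/collections"
                  or perm.get("name") in COLLECTION_ADMIN_NAMES)
        roles = _roles(perm)
        if not covers or (roles and role not in roles):
            continue
        actions = (perm.get("params") or {}).get("action")
        if actions is None:  # no allow-list: every Collections API action
            findings.append(f"{perm.get('name')}: no action allow-list for {role}")
            continue
        if isinstance(actions, str):
            actions = [actions]
        bad = sorted({a.upper() for a in actions} & MUTATING_ACTIONS)
        if bad:
            findings.append(f"{perm.get('name')}: {role} may run {', '.join(bad)}")
    return findings


# Constructed security.json fragments (not the operator's real output).
WEAK = json.loads('''{"authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
  "permissions": [{"name": "collection-admin-edit", "role": "k8s"}]}}''')

HARDENED = json.loads('''{"authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
  "permissions": [
    {"name": "k8s-status", "role": "k8s", "collection": null, "path": "/admin/collections",
     "params": {"action": ["LIST", "CLUSTERSTATUS", "OVERSEERSTATUS", "BACKUP"]}},
    {"name": "collection-admin-edit", "role": "admin"}]}}''')

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_collection_admin(cfg) or "ok")
```

Solr evaluates permissions in listed order and uses the first match, so the narrowed `k8s-status` entry has to precede any broader collection-admin entry for the restriction to take effect.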