[
https://issues.apache.org/jira/browse/RANGER-1446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16019788#comment-16019788
]
Colm O hEigeartaigh commented on RANGER-1446:
---------------------------------------------
Hi [~yzhou2001],
I'm wondering if the RangerSolrAuthorizer..createRequest logic should be
modified after this change (to default to "true"). If no collection name is
specified then it will not attempt any authorization. I'm not sure if this
could arise in practise or not. It would seem safer to default to "*" if no
collection name is specified and to perform the authorization. Would this
change break your tests?
Colm.
> Ranger Solr Plugin does not work when the collection list in the request is
> empty
> ---------------------------------------------------------------------------------
>
> Key: RANGER-1446
> URL: https://issues.apache.org/jira/browse/RANGER-1446
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Affects Versions: 0.7.0, 0.6.1, 0.6.2, 0.6.3
> Reporter: Yan
> Assignee: Yan
> Priority: Critical
> Fix For: 1.0.0, 0.7.1
>
> Attachments:
> 0001-Ranger-1446-Ranger-Solr-Plugin-does-not-work-when-th.patch
>
>
> The fix of Ranger-1095 set the initial value of "denied" to "true" from the
> previous "false". One impact of this change is that, when
> context.getCollectionRequests() is empty which could be the case in many
> invocations Solr makes to Ranger on authorization per client request, the
> permission is plainly denied without going to Ranger policy engine. So the
> fix changed the default behavior related "denied".
> A proper fix of Ranger-1095 IMO should be just to set the "denied" to "true"
> in the catch block without changing the initial value of the variable.
>
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
