[
https://issues.apache.org/jira/browse/SOLR-11623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17433701#comment-17433701
]
Jan Høydahl commented on SOLR-11623:
------------------------------------
I tried adding PermissionNameProvider to RequestHandlerBase and got compilation
error for these 23 handlers:
{code:java}
ReplicationHandler
ReloadCacheRequestHandler
HealthCheckHandler
InfoHandler
PublicKeyHandler
PropertiesRequestHandler
ThreadDumpHandler
LoggingHandler
SystemInfoHandler
SolrInfoMBeanHandler
LukeRequestHandler
MetricsCollectorHandler
SegmentsInfoRequestHandler
PluginInfoHandler
ZookeeperInfoHandler
ZookeeperStatusHandler
FieldAnalysisRequestHandler
MoreLikeThisHandler
DumpRequestHandler
NotFoundRequestHandler
DocumentAnalysisRequestHandler
TaggerRequestHandler
PingRequestHandler {code}
To not end up in the same situation later, the safest is to add the interface
to RequestHandlerBase and then choose a proper permission for all the above -
and choose ALL if the information should be open for all. 9.0 is a good time to
do this, as we change a very central programming API. Users with custom
RequestHandlers will need to revisit their custom handlers for 9.0
> Every request handler in Solr should implement PermissionNameProvider
> interface
> -------------------------------------------------------------------------------
>
> Key: SOLR-11623
> URL: https://issues.apache.org/jira/browse/SOLR-11623
> Project: Solr
> Issue Type: Improvement
> Affects Versions: 7.1
> Reporter: Hrishikesh Gadre
> Priority: Major
>
> Solr authorization framework expects request handler to implement
> PermissionNameProvider interface so that the type of the permission for the
> request can be extracted. Currently not all request handlers implement
> PermissionNameProvider, requiring authorization plugin implementation to
> check this case explicitly and return OK. During code review of SENTRY-1475,
> this issue was discussed. Since PermissionNameProvider.Name enum provides
> "ALL" permission type, it should be possible to have every request handler to
> implement PermissionNameProvider interface and provide "ALL" permission type
> if no authorization checks are necessary.
> The secondary benefit of this work would be that we can review all the
> request handlers and ensure that we aren't missing authorization support for
> any request handlers which provide sensitive information.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
