[
https://issues.apache.org/jira/browse/SOLR-15776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17444051#comment-17444051
]
Timothy Potter commented on SOLR-15776:
---------------------------------------
Agree with Jan that doing something now is preferable to doing nothing and
waiting for a migration to some other security framework (agree that is an
important goal as well).

The current permission scheme is complicated and confusing for sure, but should
end users have to suffer bad usability b/c of it now? Let's at least try to
improve the experience now, esp. with low-effort type fixes like this looks to
be.

Probing via an AJAX request back to the server to see if access is available is
definitely heavy-handed, I think I did that for schema designer so I could hide
the button from the main menu. Jan's approach is at least an improvement on
that.

> Make Admin UI play well with Authorization
> ------------------------------------------
>
> Key: SOLR-15776
> URL: https://issues.apache.org/jira/browse/SOLR-15776
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Admin UI, Authorization
> Reporter: Jan Høydahl
> Assignee: Jan Høydahl
> Priority: Major
> Attachments: Skjermbilde 2021-11-07 kl. 21.43.58.png
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Admin UI does not really know about what the current logged in user should
> have access to and not, and it just throws some error messages if you attempt
> to do stuff you are not authorized to. The upcoming SOLR-11623 will also add
> further permissions to some APIs that are commonly used from admin UI.
> I propose that we do the following:
> * Add to /admin/info/system a list of predefined permissions that the
> logged-in user has assigned (now we only list the roles)
> * Admin UI will always require permissions {{config-read}},
> {{core-read}} and {{coll-read}}. If either the /admin/info/system call
> fails or the three permissions are not present, the Admin UI shows a message
> "You do not have sufficient permissions to use the Admin UI"
> See the attached matrix ([or google
> spreadsheet|https://docs.google.com/spreadsheets/d/1s2xokDxw9IkXr7ZA5n06RPDj6EwvpbsZ7zUeKpvRC3Q/edit?usp=sharing])
> of permissions required for each section of the Admin UI. Use this matrix to
> restrict access to various Admin UI screens or buttons, depending on user's
> permissions:
> * Cloud/Tree/Graph: Disable if not {{zk-read}}
> * Schema-designer: Stop probing with ajax call, check permission list instead
> * Documents tab: Disable the whole tab or only the "Submit document" button
> if not {{update}} permission
> * Query/Stream/SQL/Schema: Disable tabs or buttons if not {{read}} permission
> * Schema: Disable buttons if not {{schema-edit}} permission
> * Core overview: Disable if not {{health}} and {{read}} permissions
> * Ping: Disable if not {{health}} permission
> * Plugin/Stats & Segments-info: Disable if not {{metrics-read}} permission
> [~thelabdude] ping
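
Added example, not part of the original message or of Solr's Admin UI code: one way the permission matrix quoted above could drive UI state from a single permission list instead of per-feature AJAX probes. The function name, section keys and the shape of the input array are assumptions; the issue does not define the response field. Gating of this kind only affects what the UI shows; the server's authorization checks on each API remain the enforcement point.

```javascript
// Added example. Permission names and section rules are taken from the issue
// text; evaluateUiAccess and the section keys are hypothetical names.
const REQUIRED_FOR_UI = ["config-read", "core-read", "coll-read"];

// Section -> permissions that must ALL be present, per the issue's list.
const SECTION_RULES = {
  "cloud": ["zk-read"],
  "documents-submit": ["update"],
  "query": ["read"],
  "schema-edit-buttons": ["schema-edit"],
  "core-overview": ["health", "read"],
  "ping": ["health"],
  "plugin-stats": ["metrics-read"],
};

// `permissions` is the list the issue proposes adding to /admin/info/system.
// Pass null/undefined when that call failed.
function evaluateUiAccess(permissions) {
  // Fail closed: a failed call or malformed list means no Admin UI at all.
  if (!Array.isArray(permissions)) {
    return { uiAllowed: false, missing: [...REQUIRED_FOR_UI], sections: {} };
  }
  const granted = new Set(permissions.filter((p) => typeof p === "string"));
  const missing = REQUIRED_FOR_UI.filter((p) => !granted.has(p));
  if (missing.length > 0) {
    // UI shows "You do not have sufficient permissions to use the Admin UI".
    return { uiAllowed: false, missing, sections: {} };
  }
  const sections = {};
  for (const [section, needed] of Object.entries(SECTION_RULES)) {
    sections[section] = needed.every((p) => granted.has(p));
  }
  return { uiAllowed: true, missing: [], sections };
}

// Constructed sample input: a read-only monitoring user.
const sample = ["config-read", "core-read", "coll-read", "read", "health"];
console.log(evaluateUiAccess(sample));
```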