[ https://issues.apache.org/jira/browse/SOLR-15768?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Høydahl updated SOLR-15768:
-------------------------------
    Security:     (was: Private (Security Issue))

> Tune zookeeper request handler permissions (8x)
> -----------------------------------------------
>
>                 Key: SOLR-15768
>                 URL: https://issues.apache.org/jira/browse/SOLR-15768
>             Project: Solr
>          Issue Type: Improvement
>          Components: security
>            Reporter: Jan Høydahl
>            Assignee: Jan Høydahl
>            Priority: Blocker
>             Fix For: 8.11.1
>
>         Attachments: SOLR-15768.patch
>
>
> See SOLR-11623 for 9.x fixes in this space. This Jira is to apply a sane
> permission default to {{/admin/zookeeper?path=/security.json}} and
> {{/api/cluster/zk/data/security.json}} so users will need "security-read" 
> permission to see that data across the board. Users already need this 
> permission to use the {{/api/cluster/security/authentication}} API.
> *NOTE* that this was not a bug as such, but since these endpoints did not 
> have an attached permission, they would remain unprotected, if the user did 
> not define custom path-based permissions for the handlers, or alternatively 
> applied an "all" permission at the end of the chain. This could be surprising 
> to users, especially if they already included the predefined "zk-read" and 
> "security-read" permissions in their chain, but they did not apply to these 
> handlers.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
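
A config audit for the situation the issue describes before the 8.11.1 fix, as an added example (not code from Solr or from the issue): it reports whether a `security.json` permission chain has a custom path-based permission or an "all" permission covering the two endpoints. The sample config, the helper names and the path matching (exact, or prefix for a trailing `/*`) are assumptions made for illustration, not Solr's own matching logic.

```python
import json

# The two endpoints named in the issue description (query string dropped).
ZK_ENDPOINTS = ("/admin/zookeeper", "/api/cluster/zk/data/security.json")

# Constructed sample: predefined permissions only, no custom path rule, no "all".
PREDEFINED_ONLY = json.dumps({"authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
        {"name": "security-read", "role": "admin"},
        {"name": "security-edit", "role": "admin"},
        {"name": "zk-read", "role": "admin"},
    ],
    "user-role": {"alice": "admin"},
}})


def rule_paths(perm):
    """Return a permission's "path" value as a list (string, list or absent)."""
    path = perm.get("path") or []
    return [path] if isinstance(path, str) else list(path)


def path_matches(rule_path, endpoint):
    # Assumption: exact match, or prefix match for a trailing "/*".
    if rule_path.endswith("/*"):
        return endpoint.startswith(rule_path[:-1])
    return rule_path == endpoint


def audit(security_json):
    """Map each endpoint to the first (name, role) that covers it, or None."""
    config = json.loads(security_json)
    perms = config.get("authorization", {}).get("permissions", [])
    report = {}
    for endpoint in ZK_ENDPOINTS:
        report[endpoint] = None
        for perm in perms:
            # Per the issue, zk-read and security-read did not apply here.
            if perm.get("name") == "all" or any(
                    path_matches(p, endpoint) for p in rule_paths(perm)):
                report[endpoint] = (perm.get("name"), perm.get("role"))
                break
    return report


def with_extra(security_json, perm):
    """Return a copy of the config with one permission appended to the chain."""
    config = json.loads(security_json)
    config["authorization"]["permissions"].append(perm)
    return json.dumps(config)
```

An endpoint reported as `None` is one the issue describes as remaining unprotected on versions without the fix, even though "zk-read" and "security-read" are in the chain.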
