[ 
https://issues.apache.org/jira/browse/SOLR-15768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17446377#comment-17446377
 ] 

ASF subversion and git services commented on SOLR-15768:
--------------------------------------------------------

Commit 70f25251635b4ca055267a7ff57fd16efd147534 in lucene-solr's branch 
refs/heads/branch_8_11 from Jan Høydahl
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=70f2525 ]

SOLR-15768 Tune zookeeper request handler permissions (#2604)



> Tune zookeeper request handler permissions (8x)
> -----------------------------------------------
>
>                 Key: SOLR-15768
>                 URL: https://issues.apache.org/jira/browse/SOLR-15768
>             Project: Solr
>          Issue Type: Improvement
>          Components: security
>            Reporter: Jan Høydahl
>            Assignee: Jan Høydahl
>            Priority: Blocker
>             Fix For: 8.11.1
>
>         Attachments: SOLR-15768.patch
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> See SOLR-11623 for 9.x fixes in this space. This Jira is to apply a sane 
> permission default to {{/admin/zookeeper?path=/security.json}} and 
> {{/api/cluster/zk/data/security.json}} so users will need "security-read" 
> permission to see that data across the board. Users already need this 
> permission to use the {{/api/cluster/security/authentication}} API.
> *NOTE* that this was not a bug as such, but since these endpoints did not 
> have an attached permission, they would remain unprotected, if the user did 
> not define custom path-based permissions for the handlers, or alternatively 
> applied an "all" permission at the end of the chain. This could be surprising 
> to users, especially if they already included the predefined "zk-read" and 
> "security-read" permissions in their chain, but they did not apply to these 
> handlers.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
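
The fall-through described in the issue can be checked against a deployed security.json. The sketch below is an added example, not code from the Solr project or from this commit. It models the behaviour the issue describes for releases before the fix, where only a custom path-based permission or an "all" permission covers the ZooKeeper handlers. The function names, the sample documents and the simplified path matching are assumptions made for illustration.

```python
import json

# Handler paths taken from the issue text. The matching below is a simplified
# approximation (exact match or trailing "/*" prefix), not Solr's own matcher.
ZK_HANDLER_PATHS = ("/admin/zookeeper", "/api/cluster/zk/data")

def _paths(perm):
    """Return the permission's "path" value as a list (it may be a string or a list)."""
    p = perm.get("path")
    if p is None:
        return []
    return [p] if isinstance(p, str) else list(p)

def _covers(pattern, path):
    """Simplified match: exact path, or a prefix pattern ending in "/*"."""
    if pattern.endswith("/*"):
        return path.startswith(pattern[:-1]) or path == pattern[:-2]
    return pattern == path

def audit(security_json, handler_paths=ZK_HANDLER_PATHS):
    """Map each handler path to the name of the permission covering it, or None."""
    perms = json.loads(security_json).get("authorization", {}).get("permissions", [])
    # Assumption: only permissions that name a role restrict access.
    restricting = [p for p in perms if p.get("role")]
    has_all = any(p.get("name") == "all" for p in restricting)
    result = {}
    for hp in handler_paths:
        hit = next((p.get("name", "<unnamed>") for p in restricting
                    if any(_covers(pat, hp) for pat in _paths(p))), None)
        result[hp] = hit or ("all" if has_all else None)
    return result

# Constructed sample: predefined permissions only, the case the issue calls surprising.
PREDEFINED_ONLY = json.dumps({"authorization": {"permissions": [
    {"name": "security-read", "role": "admin"},
    {"name": "zk-read", "role": "admin"}]}})

# Constructed sample: a custom path rule for one handler plus a final "all" rule.
HARDENED = json.dumps({"authorization": {"permissions": [
    {"name": "security-read", "role": "admin"},
    {"name": "zk-admin-handler", "path": "/admin/zookeeper",
     "collection": None, "role": "admin"},
    {"name": "all", "role": "admin"}]}})

if __name__ == "__main__":
    for label, doc in (("predefined only", PREDEFINED_ONLY), ("hardened", HARDENED)):
        print(label, audit(doc))
```

A value of None for a handler path means nothing in the chain restricts it under the pre-fix behaviour the issue describes.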
