[
https://issues.apache.org/jira/browse/SOLR-15776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17446490#comment-17446490
]
David Eric Pugh commented on SOLR-15776:
----------------------------------------
I think I agree with what [~janhoy] is proposing, but want to ask a clarifying
question. I think what you are suggesting is that when a user loads up the
Admin UI, one of the calls from the front end to the back is to an API that
returns all the user permissions? Then, based on that set of user
permissions, it can intelligently show/hide, etc., the front-end UI. This would
be a proactive request for permissions versus a reactive "let me check as I
render this if you can do something"...
Some sort of big {{permissions}} JSON structure that communicates what you can
and can't do?
> Make Admin UI play well with Authorization
> ------------------------------------------
>
> Key: SOLR-15776
> URL: https://issues.apache.org/jira/browse/SOLR-15776
> Project: Solr
> Issue Type: Improvement
> Components: Admin UI, Authorization
> Reporter: Jan Høydahl
> Assignee: Jan Høydahl
> Priority: Major
> Attachments: Skjermbilde 2021-11-07 kl. 21.43.58.png
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Admin UI does not really know about what the current logged in user should
> have access to and not, and it just throws some error messages if you attempt
> to do stuff you are not authorized to. The upcoming SOLR-11623 will also add
> further permissions to some APIs that are commonly used from admin UI.
> I propose that we do the following:
> * Add to /admin/info/system a list of predefined permissions that the
> logged-in user has assigned (now we only list the roles)
> * Admin UI will always require permissions {{config-read}},
> {{core-read}} and {{coll-read}}. If either the /admin/info/system call
> fails or the three permissions are not present, the Admin UI shows a message
> "You do not have sufficient permissions to use the Admin UI"
> See the attached matrix ([or google
> spreadsheet|https://docs.google.com/spreadsheets/d/1s2xokDxw9IkXr7ZA5n06RPDj6EwvpbsZ7zUeKpvRC3Q/edit?usp=sharing])
> of permissions required for each section of the Admin UI. Use this matrix to
> restrict access to various Admin UI screens or buttons, depending on user's
> permissions:
> * Cloud/Tree/Graph: Disable if not {{zk-read}}
> * Schema-designer: Stop probing with ajax call, check permission list instead
> * Documents tab: Disable the whole tab or only the "Submit document" button
> if not {{update}} permission
> * Query/Stream/SQL/Schema: Disable tabs or buttons if not {{read}} permission
> * Schema: Disable buttons if not {{schema-edit}} permission
> * Core overview: Disable if not {{health}} and {{read}} permissions
> * Ping: Disable if not {{health}} permission
> * Plugin/Stats & Segments-info: Disable if not {{metrics-read}} permission
> [~thelabdude] ping
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
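The proactive model discussed in this thread (one permissions fetch up front, then a UI that gates its screens from that set rather than probing each endpoint) can be sketched in a few lines. The following is an added example written for this page, not Solr's Admin UI code. It assumes a hypothetical `security.permissions` string array in the /admin/info/system response (today only the roles are listed there), uses the three always-required permissions and the per-section matrix exactly as given in the issue description, and treats a failed or malformed response as "no access", which matches the proposed fallback message.

```javascript
// Added example, not part of Solr. Derives Admin UI visibility from a single
// proactive permissions fetch, as proposed in SOLR-15776.
// ASSUMPTION: /admin/info/system returns the logged-in user's effective
// permission names under security.permissions (array of strings). That field
// is hypothetical; the real response currently lists only roles.

// Permissions the whole Admin UI requires (from the issue description).
const REQUIRED_FOR_UI = ['config-read', 'core-read', 'coll-read'];

// Section -> permissions required, taken from the matrix in the issue.
const SECTION_REQUIREMENTS = {
  cloudTree: ['zk-read'],
  cloudGraph: ['zk-read'],
  documentsSubmit: ['update'],
  query: ['read'],
  stream: ['read'],
  sql: ['read'],
  schemaView: ['read'],
  schemaEdit: ['schema-edit'],
  coreOverview: ['health', 'read'],
  ping: ['health'],
  pluginsStats: ['metrics-read'],
  segmentsInfo: ['metrics-read'],
};

const DENIED_MESSAGE = 'You do not have sufficient permissions to use the Admin UI';

// Extract the permission set; null when the call failed or the shape is wrong.
function normalizePermissions(systemInfo) {
  const perms = systemInfo && systemInfo.security && systemInfo.security.permissions;
  if (!Array.isArray(perms)) return null;
  return new Set(perms.filter((p) => typeof p === 'string'));
}

// Returns { allowed, message, missing, sections }. `sections` maps each UI
// section to true (render) or false (disable), computed once from the set.
function evaluateAdminUiAccess(systemInfo) {
  const granted = normalizePermissions(systemInfo);
  if (granted === null) {
    // Fetch failed or response unusable: fail closed, show nothing.
    return { allowed: false, message: DENIED_MESSAGE, missing: REQUIRED_FOR_UI.slice(), sections: {} };
  }
  const missing = REQUIRED_FOR_UI.filter((p) => !granted.has(p));
  if (missing.length > 0) {
    return { allowed: false, message: DENIED_MESSAGE, missing, sections: {} };
  }
  const sections = {};
  for (const [section, required] of Object.entries(SECTION_REQUIREMENTS)) {
    sections[section] = required.every((p) => granted.has(p));
  }
  return { allowed: true, message: null, missing: [], sections };
}

// Constructed sample responses (not captured from a real Solr instance).
const SAMPLE_READONLY_USER = {
  security: {
    roles: ['viewer'],
    permissions: ['config-read', 'core-read', 'coll-read', 'read', 'health'],
  },
};
const SAMPLE_FAILED_CALL = null; // e.g. the XHR to /admin/info/system errored

// Stand-alone run: print the decision for the read-only user.
console.log(JSON.stringify(evaluateAdminUiAccess(SAMPLE_READONLY_USER), null, 2));
console.log(evaluateAdminUiAccess(SAMPLE_FAILED_CALL).message);
```

The section map is a rendering hint only: the server-side authorization plugin still decides every request, so a hidden button protects the user from confusing error pages, not the endpoint from the user. Failing closed on a missing or malformed permissions field matters because a UI that defaults to "show everything" when the fetch breaks quietly reverts to today's reactive behaviour.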