janhoy commented on a change in pull request #427:
URL: https://github.com/apache/solr/pull/427#discussion_r753723020
##########
File path:
solr/core/src/test/org/apache/solr/security/BaseTestRuleBasedAuthorizationPlugin.java
##########
@@ -213,14 +212,14 @@ public void testBasicPermissions() {
"userPrincipal", "tim",
"handler", new ReplicationHandler(),
"collectionRequests", singletonList(new CollectionRequest("mycoll")) )
- , FORBIDDEN);
+ , STATUS_OK); // Replication requires "READ" permission, which Tim has
checkRules(Map.of("resource", ReplicationHandler.PATH,
"httpMethod", "POST",
"userPrincipal", "cio",
"handler", new ReplicationHandler(),
"collectionRequests", singletonList(new CollectionRequest("mycoll")) )
- , STATUS_OK);
+ , FORBIDDEN); // User cio has role 'su' which does not have 'read'
permission
Review comment:
The user "cio" has only one role `su` with the `all` permission.
Before this PR, he was allowed access since `all` was the governing
permission for the request. After the PR, the governing permission becomes
`read` which is defined earlier in the permission list, and since cio lacks
that permission, it does not matter that he has the `all` permission, since
evaluation stops at the first governing permission.
This is a bit confusing, but it is by design and documented. However, this
change may cause people's existing `security.json` configs to behave
differently. Typically relying on some `all` permission at the end of the chain
connected to some role is no longer catching all these Request Handlers that
are now covered by a specific permission, so people may need to adjust role and
permission mappings to adjust.
Perhaps we should spell that out in the change-note.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]