[
https://issues.apache.org/jira/browse/SOLR-13900?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Timothy Potter resolved SOLR-13900.
-----------------------------------
Fix Version/s: main (9.0)
8.11.1
Resolution: Fixed
> Permissions deleting works wrong
> --------------------------------
>
> Key: SOLR-13900
> URL: https://issues.apache.org/jira/browse/SOLR-13900
> Project: Solr
> Issue Type: Bug
> Components: Authorization, security
> Reporter: Yuliia Sydoruk
> Assignee: Timothy Potter
> Priority: Major
> Fix For: main (9.0), 8.11.1
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Permissions indexes in security.json file do not correspond to indexes while
> deleting.
> The line
> {{(141) setIndex(p);}}
> in
> [https://github.com/apache/lucene-solr/blob/master/solr/core/src/java/org/apache/solr/security/AutorizationEditOperation.java]
> makes indexes renumber before deleting and it leads to wrong behavior.
> *USE CASE 1:*
> There are 2 new permissions added to security.json (with indexes 13 and 14):
> {code:java}
> ....
> {
> "role":"admin",
> "name":"schema-edit",
> "index":12},
> {
> "collection":"<collectionName>",
> "path":"/schema/*",
> "role":"test-role",
> "index":13},
> {
> "path":"/admin/collections",
> "params":{"collection":["testCollection"]},
> "role":"test-role",
> "index":14}
> ....
> {code}
> Step 1: remove the permission with index=13; result: permission is deleted
> correctly, security.json is next:
> {code:java}
> ....
> {
> "role":"admin",
> "name":"schema-edit",
> "index":12,
> {
> "path":"/admin/collections",
> "params":{"collection":["testCollection"]},
> "role":"test-role",
> "index":14}
> ....
> {code}
> Step 2: try to remove the permission with index=14; result: "No such index:
> 14" error is returned.
> *USE CASE 2:*
> There are 3 new permissions added to security.json (with indexes 13, 14 and
> 15):
> {code:json}
> ....
> {
> "role":"admin",
> "name":"schema-edit",
> "index":12},
> {
> "collection":"<collectionName>",
> "path":"/schema/*",
> "role":"test-role",
> "index":13},
> {
> "path":"/admin/collections",
> "params":{"collection":["testCollection"]},
> "role":"test-role",
> "index":14},
> {
> "path":"/admin/collections",
> "params":\{"collection":["anotherTestCollection"]},
> "role":"test-role",
> "index":15}
> ....
> {code}
> Step 1: remove the permission with index=13; result: permission is deleted
> correctly, security.json becomes next:
> {code:json}
> ....
> {
> "role":"admin",
> "name":"schema-edit",
> "index":12},
> {
> "path":"/admin/collections",
> "params":{"collection":["testCollection"]},
> "role":"test-role", "index":14},
> {
> "path":"/admin/collections",
> "params":{"collection":["anotherTestCollection"]},
> "role":"test-role",
> "index":15}
> ....
> {code}
>
> Step 2: try to remove the permission with index=14; result: permission with
> index 15 is deleted, which is *wrong*
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
