Fix initial security.json rbap rules (#299)
diff --git a/controllers/util/solr_util.go b/controllers/util/solr_util.go
index 14276cb..db76ff9 100644
--- a/controllers/util/solr_util.go
+++ b/controllers/util/solr_util.go
@@ -1341,12 +1341,13 @@
%s,
{ "name": "k8s-status", "role":"k8s", "collection": null, "path":"/admin/collections" },
{ "name": "k8s-metrics", "role":"k8s", "collection": null, "path":"/admin/metrics" },
+ { "name": "k8s-zk", "role":"k8s", "collection": null, "path":"/admin/zookeeper/status" },
{ "name": "k8s-ping", "role":"k8s", "collection": "*", "path":"/admin/ping" },
- { "name": "all", "role":["admin","users"] },
{ "name": "read", "role":["admin","users"] },
{ "name": "update", "role":["admin"] },
- { "name": "security-read", "role": "admin"},
- { "name": "security-edit", "role": "admin"}
+ { "name": "security-read", "role": ["admin"] },
+ { "name": "security-edit", "role": ["admin"] },
+ { "name": "all", "role":["admin"] }
]
}
}`, blockUnknown, credentialsJson, username, probeAuthz)
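Review bot: the position of the catch-all rule now looks load-bearing (`{ "name": "all", "role":["admin"] }` moves from above `read` to the final entry), but nothing in the template says so and nothing pins it. Please add a short comment above the permissions array stating that `all` must stay last and admin-only, and a unit test on the generated JSON asserting that `all` is the final entry and that `users` is not among its roles. Minor style point: `security-read` and `security-edit` now use array roles while the `k8s-*` rules keep a bare string; one form throughout would be easier to read.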
diff --git a/docs/solr-cloud/solr-cloud-crd.md b/docs/solr-cloud/solr-cloud-crd.md
index 512b2ba..9d6a73e 100644
--- a/docs/solr-cloud/solr-cloud-crd.md
+++ b/docs/solr-cloud/solr-cloud-crd.md
@@ -792,6 +792,12 @@
"collection": null,
"path": "/admin/metrics"
},
+ {
+ "name": "k8s-zk",
+ "role":"k8s",
+ "collection": null,
+ "path":"/admin/zookeeper/status"
+ },
{
"name": "k8s-ping",
"role": "k8s",
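Review bot: style nit on the added `k8s-zk` entry, where `"role":"k8s"` and `"path":"/admin/zookeeper/status"` have no space after the colon while the neighbouring `k8s-metrics` and `k8s-ping` entries use `"role": "k8s"` and `"path": "/admin/ping"`. Match the surrounding formatting so the documented example stays uniform.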
@@ -799,10 +805,6 @@
"path": "/admin/ping"
},
{
- "name": "all",
- "role": [ "admin", "users" ]
- },
- {
"name": "read",
"role": [ "admin", "users" ]
},
@@ -812,11 +814,15 @@
},
{
"name": "security-read",
- "role": "admin"
+ "role": [ "admin" ]
},
{
"name": "security-edit",
- "role": "admin"
+ "role": [ "admin" ]
+ },
+ {
+ "name": "all",
+ "role": [ "admin" ]
}
]
}
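Review bot: the docs example appends `all` as the last rule with `"role": [ "admin" ]`, but no accompanying text tells readers that this placement is deliberate. Anyone copying this JSON as the basis for their own security.json could reorder it or re-add `users`; a sentence under the example explaining why `all` is last and restricted to `admin` would prevent that.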
@@ -864,6 +870,10 @@
```
The `"collection":"*"` setting indicates this path applies to all collections, which maps to endpoint `/collections/<COLL>/admin/ping` at runtime.
+The initial authorization config grants the `read` permission to the `users` role, which allows `users` to send query requests but cannot add / update / delete documents.
+For instance, the `solr` user is mapped to the `users` role, so the `solr` user can send query requests only.
+In general, please verify the initial authorization rules for each role before sharing user credentials.
+
### Option 2: User-provided Basic Auth Secret
Alternatively, if users want full control over their cluster's security config, then they can provide a `kubernetes.io/basic-auth` secret containing the credentials for the user they want the operator to make API requests as:
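Review bot: the first added sentence is ungrammatical at "which allows `users` to send query requests but cannot add / update / delete documents"; suggest "which allows `users` to send query requests but not to add, update, or delete documents". The last added line would also read better as a direct instruction, for example "Verify the initial authorization rules for each role before sharing user credentials."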
diff --git a/helm/solr-operator/Chart.yaml b/helm/solr-operator/Chart.yaml
index 6d791f6..68f35ee 100644
--- a/helm/solr-operator/Chart.yaml
+++ b/helm/solr-operator/Chart.yaml
@@ -105,6 +105,20 @@
url: https://github.com/apache/solr-operator/issues/282
- name: Github PR
url: https://github.com/apache/solr-operator/pull/297
+ - kind: security
+ description: Remove users role from the all permission in the initial security.json
+ links:
+ - name: Github Issue
+ url: https://github.com/apache/solr-operator/issues/274
+ - name: Github PR
+ url: https://github.com/apache/solr-operator/pull/299
+ - kind: fixed
+ description: Grant access to the /admin/zookeeper/status path to the k8s role in the initial security.json
+ links:
+ - name: Github Issue
+ url: https://github.com/apache/solr-operator/issues/289
+ - name: Github PR
+ url: https://github.com/apache/solr-operator/pull/299
artifacthub.io/images: |
- name: solr-operator
image: apache/solr-operator:v0.4.0-prerelease
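Review bot: the `security` changelog entry ("Remove users role from the all permission in the initial security.json") does not say what this means for clusters that were already bootstrapped. Since the description is scoped to the initial security.json, please state whether existing clusters pick up the change or whether operators need to remove `users` from the `all` permission themselves.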