[ https://issues.apache.org/jira/browse/SOLR-13900?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Yuliia Sydoruk updated SOLR-13900:
----------------------------------
    Description: 
Permissions indexes in security.json file do not correspond to indexes while 
deleting.

The line 

{{(141) setIndex(p);}}

in 
[https://github.com/apache/lucene-solr/blob/master/solr/core/src/java/org/apache/solr/security/AutorizationEditOperation.java]
 makes indexes renumber before deleting and it leads to wrong behavior.

*USE CASE 1:*

There are 2 new permissions added to security.json (with indexes 13 and 14):
{code:json}
....
      { 
        "role":"admin", 
        "name":"schema-edit", 
        "index":12},
      {
        "collection":"<collectionName>",
        "path":"/schema/*",
        "role":"test-role",
        "index":13},
      {
        "path":"/admin/collections",
        "params":{"collection":["testCollection"]},
        "role":"test-role",
        "index":14}
....
{code}
Step 1: remove the permission with index=13; result: permission is deleted 
correctly, security.json is now as follows:
{code:json}
....
      { 
        "role":"admin", 
        "name":"schema-edit", 
        "index":12},
      {
        "path":"/admin/collections",
        "params":{"collection":["testCollection"]},
        "role":"test-role",
        "index":14}
....
{code}
Step 2: try to remove the permission with index=14; result: "No such index: 14" 
error is returned.

*USE CASE 2:*

There are 3 new permissions added to security.json (with indexes 13, 14 and 15):
{code:json}
....
      { 
        "role":"admin", 
        "name":"schema-edit", 
        "index":12},
      {
        "collection":"<collectionName>",
        "path":"/schema/*",
        "role":"test-role",
        "index":13},
      {
        "path":"/admin/collections",
        "params":{"collection":["testCollection"]},
        "role":"test-role",
        "index":14}, 
      { 
        "path":"/admin/collections", 
        "params":{"collection":["anotherTestCollection"]}, 
        "role":"test-role", 
        "index":15}
....
{code}
Step 1: remove the permission with index=13; result: permission is deleted 
correctly, security.json becomes:
{code:json}
....
       { 
        "role":"admin", 
        "name":"schema-edit", 
        "index":12},
       {
        "path":"/admin/collections", 
        "params":{"collection":["testCollection"]}, 
        "role":"test-role", 
        "index":14}, 
       { 
        "path":"/admin/collections", 
        "params":{"collection":["anotherTestCollection"]}, 
        "role":"test-role", 
        "index":15}
....
{code}
 
Step 2: try to remove the permission with index=14; result: permission with 
index 15 is deleted, which is *wrong*


> Permissions deleting works wrong
> --------------------------------
>
>                 Key: SOLR-13900
>                 URL: https://issues.apache.org/jira/browse/SOLR-13900
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authorization, security
>            Reporter: Yuliia Sydoruk
>            Priority: Major



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
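
The two use cases in the report can be reproduced with a small model; this is an added example, not code from Solr or from the reporter. It assumes, as the report describes, that renumbering before the delete makes the requested index act as a 1-based list position. The function names and the `placeholder-N` entries are hypothetical, and matching on the stored index is one possible alternative, not the project's fix.

```python
def sample_permissions():
    """Constructed permission list shaped like use case 2 in the report."""
    # placeholder-N entries are constructed filler for the elided "...." part
    perms = [{"name": f"placeholder-{i}", "role": "admin", "index": i}
             for i in range(1, 12)]
    perms += [
        {"role": "admin", "name": "schema-edit", "index": 12},
        {"collection": "<collectionName>", "path": "/schema/*",
         "role": "test-role", "index": 13},
        {"path": "/admin/collections",
         "params": {"collection": ["testCollection"]},
         "role": "test-role", "index": 14},
        {"path": "/admin/collections",
         "params": {"collection": ["anotherTestCollection"]},
         "role": "test-role", "index": 15},
    ]
    return perms


def delete_renumber_first(perms, index):
    """Reported behaviour: entries are renumbered 1..n before the delete,
    so the requested index is effectively a list position."""
    if not 1 <= index <= len(perms):
        raise LookupError(f"No such index: {index}")
    return perms[:index - 1] + perms[index:]


def delete_by_stored_index(perms, index):
    """Alternative (assumption): match the "index" value as written in the file."""
    if sum(p.get("index") == index for p in perms) != 1:
        raise LookupError(f"No such index: {index}")
    return [p for p in perms if p.get("index") != index]


def index_drift(perms):
    """(stored index, position) pairs that disagree. Any hit means a delete
    by the index shown in security.json would miss or hit another rule."""
    return [(p.get("index"), pos)
            for pos, p in enumerate(perms, start=1) if p.get("index") != pos]


if __name__ == "__main__":
    after_step1 = delete_renumber_first(sample_permissions(), 13)
    print("drift:", index_drift(after_step1))
    wrong = delete_renumber_first(after_step1, 14)
    print("survivor:", wrong[-1]["params"]["collection"])
```

Running `index_drift` over the `permissions` array of a live security.json before any delete-by-index shows whether the indexes an administrator reads from the file still match what the delete will act on.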
