[ https://issues.apache.org/jira/browse/SOLR-5523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14160830#comment-14160830 ]

Erick Erickson commented on SOLR-5523:
--------------------------------------

[~gchanan]:

This was a whole kerfuffle where Stefan and I were allowing arbitrary XML files 
to be written to Solr's config directory, which opens up a vulnerability. I'm 
not sure how Sentry plays here. There's lots of discussion in the referenced 
JIRAs in case you're interested in what led up to this.

The basic thing Stefan and I were working on is that it's pretty frustrating 
that we have to go outside of Solr and into a text editor in order to make 
_any_ change to your Solr config files. Now, _that_ said, how this plays with 
ZooKeeper keeping Solr's config files is kind of an open question. I mean you 
can view the XML in the Solr Admin screen, and with just a few little tweaks 
you could edit them... but those tweaks are pretty bad from a security 
perspective.

Regardless, your understanding of security & related issues is waaaay better 
than mine, so if you think Sentry can make all this work that'd be great. This 
particular JIRA is just hanging around to ensure we don't release trunk/5.0 
(now) without disabling or fixing this feature.

> Implement proper security when writing config files to Solr
> -----------------------------------------------------------
>
>                 Key: SOLR-5523
>                 URL: https://issues.apache.org/jira/browse/SOLR-5523
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: Trunk
>            Reporter: Erick Erickson
>            Priority: Blocker
>
> Follow up on SOLR-5518 and SOLR-5287. We need to add proper security for 
> writing files to Solr.
> I can't pursue this for some time. If we decide to pull this out, we need to 
> just remove EditFileRequestHandler, that should do it.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
