[ https://issues.apache.org/jira/browse/SOLR-4052?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16467136#comment-16467136 ]

Shawn Heisey commented on SOLR-4052:
------------------------------------

APIs that can upload full configurations are a potential security risk.  We had 
the ability to edit configs in the admin UI at one point.  Red Hat filed a 
security bug, and it was removed.

No matter how often we tell people that they shouldn't expose Solr to people 
they can't trust, especially the open Internet, there are still people who do 
it.

I'm not opposed to having APIs (other than ZK itself for SolrCloud) that can 
upload configurations, or even the ability to edit configs directly in the 
admin UI.  But those capabilities should not be turned on by default.  It 
should require explicit configuration to enable it.


> Upload files to ZooKeeper from Solr Admin interface
> ---------------------------------------------------
>
>                 Key: SOLR-4052
>                 URL: https://issues.apache.org/jira/browse/SOLR-4052
>             Project: Solr
>          Issue Type: Improvement
>            Reporter: Eric Pugh
>            Priority: Major
>         Attachments: ZookeeperInfoServletTest.java, zookeeper_edit.patch
>
>
> It would be nice if you could add files to ZooKeeper through the solr admin 
> tool instead of having to use the zkCli.  Steffan and I talked about this at 
> ApacheCon Euro, and he suggested that if I put the java code in place, he'll 
> put in the pretty GUI aspects!  This patch is based around using a tool like 
> http://blueimp.github.com/jQuery-File-Upload/ to upload to a java servlet.  I 
> hung this code off the ZookeeperInfoServlet doPost method mostly b/c I didn't 
> have a better sense of where it should go.   A *very* annoying thing is that 
> it seems like from the browser side you can't select a directory of files and 
> upload it, which would make loading a new solr core configuration split 
> across many directories VERY annoying.   Also, this doesn't really feel like a 
> solid solution to just pulling up a file in the ZK tree browser webpage, 
> editing it (maybe via a big text box) and then posting the contents back.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
