Pascal Proulx created SOLR-12371:
------------------------------------
Summary: SecurityConfHandler.doEdit fails to increase
security.json meta version (SecurityConfig.getVersion() always -1)
Key: SOLR-12371
URL: https://issues.apache.org/jira/browse/SOLR-12371
Project: Solr
Issue Type: Bug
Security Level: Public (Default Security Level. Issues are Public)
Components: JSON Request API, security
Affects Versions: 6.6.3
Reporter: Pascal Proulx
Hello again,
We use 6.6.3 and I was trying to update my security.json (in solr home,
non-zookeeper) using:
{code:java}
curl -u myuser:mypass -H 'Content-type:application/json' -d
'{"set-user-role":{"dummy":"dummy"}}'
http://localhost:8080/solr/admin/authorization
{code}
The first time this is called, the security.json is written AND reloaded in
memory correctly. The output json then contains at the end:
{code:java}
"":{"v":0}
{code}
However, subsequent calls using the same command, no matter the users specifed,
always output the same meta version, 0.
The result is that the the security.json file is correctly updated, but the
RuleBasedAuthorizationPlugin is never reloaded in memory, so the new settings
never take effect.
The version never increases, so this condition in
org.apache.solr.core.CoreContainer.initializeAuthorizationPlugin always returns
and reload is skipped:
{code:java}
if (old != null && old.getZnodeVersion() == readVersion(authorizationConf)) {
return;
}
{code}
The core of the issue is somewhere in
org.apache.solr.handler.admin.SecurityConfHandler.doEdit:
{code:java}
SecurityConfig securityConfig = getSecurityConfig(true);
Map<String, Object> data = securityConfig.getData();
Map<String, Object> latestConf = (Map<String, Object>) data.get(key);
if (latestConf == null) {
throw new SolrException(SERVER_ERROR, "No configuration present for " +
key);
}
List<CommandOperation> commandsCopy = CommandOperation.clone(ops);
Map<String, Object> out =
configEditablePlugin.edit(Utils.getDeepCopy(latestConf, 4) , commandsCopy);
if (out == null) {
List<Map> errs = CommandOperation.captureErrors(commandsCopy);
if (!errs.isEmpty()) {
rsp.add(CommandOperation.ERR_MSGS, errs);
return;
}
log.debug("No edits made");
return;
} else {
if(!Objects.equals(latestConf.get("class") , out.get("class"))){
throw new SolrException(SERVER_ERROR, "class cannot be modified");
}
Map meta = getMapValue(out, "");
meta.put("v", securityConfig.getVersion()+1);//encode the expected
zkversion
data.put(key, out);
if(persistConf(securityConfig)) {
securityConfEdited();
return;
}
}
{code}
In my case, getSecurityConfig(true) delegates to
org.apache.solr.handler.admin.SecurityConfHandlerLocal.getSecurityConfig(boolean)
But the instance variable SecurityConfig.version is never set to anything other
than -1 (it is not read back from security.json in other words the data map),
such that
{code:java}
meta.put("v", securityConfig.getVersion()+1);//encode the expected zkversion
{code}
always puts a value of 0 for the version, leading to the aforementioned memory
reload skip.
There does not seem to be any code calling SecurityConfig.setVersion anywhere
or any of SecurityConfig's methods updating the version variable.
The only code that does call it is in the SecurityConfHandlerZk for zookeeper,
but we are not using zookeeper.
Ultimately, I can't seem to use the set-user command because of this. I hope
this is just a duplicate. Thanks
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
