Pascal Proulx created SOLR-12371:

             Summary: SecurityConfHandler.doEdit fails to increase 
security.json meta version (SecurityConfig.getVersion() always -1)
                 Key: SOLR-12371
             Project: Solr
          Issue Type: Bug
      Security Level: Public (Default Security Level. Issues are Public)
          Components: JSON Request API, security
    Affects Versions: 6.6.3
            Reporter: Pascal Proulx

Hello again,

We use 6.6.3 and I was trying to update my security.json (in solr home, 
non-zookeeper) using:
curl -u myuser:mypass -H 'Content-type:application/json' -d 
The first time this is called, the security.json is written AND reloaded in 
memory correctly. The output json then contains at the end:
However, subsequent calls using the same command, no matter the users specifed, 
always output the same meta version, 0.

The result is that the the security.json file is correctly updated, but the 
RuleBasedAuthorizationPlugin is never reloaded in memory, so the new settings 
never take effect.

The version never increases, so this condition in 
org.apache.solr.core.CoreContainer.initializeAuthorizationPlugin always returns 
and reload is skipped:
if (old != null && old.getZnodeVersion() == readVersion(authorizationConf)) {
The core of the issue is somewhere in 
      SecurityConfig securityConfig = getSecurityConfig(true);
      Map<String, Object> data = securityConfig.getData();
      Map<String, Object> latestConf = (Map<String, Object>) data.get(key);
      if (latestConf == null) {
        throw new SolrException(SERVER_ERROR, "No configuration present for " + 
      List<CommandOperation> commandsCopy = CommandOperation.clone(ops);
      Map<String, Object> out = 
configEditablePlugin.edit(Utils.getDeepCopy(latestConf, 4) , commandsCopy);
      if (out == null) {
        List<Map> errs = CommandOperation.captureErrors(commandsCopy);
        if (!errs.isEmpty()) {
          rsp.add(CommandOperation.ERR_MSGS, errs);
        log.debug("No edits made");
      } else {
        if(!Objects.equals(latestConf.get("class") , out.get("class"))){
          throw new SolrException(SERVER_ERROR, "class cannot be modified");
        Map meta = getMapValue(out, "");
        meta.put("v", securityConfig.getVersion()+1);//encode the expected 
        data.put(key, out);
        if(persistConf(securityConfig)) {
In my case, getSecurityConfig(true) delegates to 

But the instance variable SecurityConfig.version is never set to anything other 
than -1 (it is not read back from security.json in other words the data map), 
such that
meta.put("v", securityConfig.getVersion()+1);//encode the expected zkversion
always puts a value of 0 for the version, leading to the aforementioned memory 
reload skip.

There does not seem to be any code calling SecurityConfig.setVersion anywhere 
or any of SecurityConfig's methods updating the version variable.

The only code that does call it is in the SecurityConfHandlerZk for zookeeper, 
but we are not using zookeeper.

Ultimately, I can't seem to use the set-user command because of this. I hope 
this is just a duplicate. Thanks

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

Reply via email to