Copilot commented on code in PR #965:
URL: https://github.com/apache/ranger/pull/965#discussion_r3289716371
##########
plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java:
##########
@@ -127,6 +127,12 @@ public AuthorizationResponse
authorize(AuthorizationContext context) {
boolean isDenied = false;
try {
+ if (isRangerAuditCollectionUpdate(context)) {
+ logger.debug("Allowing internal audit write to {}",
RangerSolrAuditHandler.RANGER_AUDIT_COLLECTION);
+
+ return new AuthorizationResponse(200);
+ }
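Review bot: The early `return new AuthorizationResponse(200);` inside the new `if` block leaves only a `logger.debug` line behind, and that message records the collection name but not the caller or the requested resource, so wherever debug logging is off an allowed write through this path leaves no trace. Include the principal and the resource in the message so that use of the bypass can be reviewed later, and add a comment above the `isRangerAuditCollectionUpdate(context)` check stating the exact conditions under which a request qualifies, since the helper's body is not visible in this hunk.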
Review Comment:
`authorize()` now short-circuits and returns HTTP 200 for any UPDATE request
targeting the `ranger_audits` collection. As implemented, this bypass does not
verify that the request is truly the internal SolrAuditProvider write (e.g., it
doesn't require `context.getUserPrincipal()`/user to be absent), so an
authenticated user (or any unauthenticated request if Solr auth is disabled)
could write to `ranger_audits` even when Ranger policies would deny it.
Restrict this bypass to the specific internal/audit-client scenario (for
example: require `context.getUserPrincipal() == null` and `perm ==
UPDATE_PERM`, and avoid the broad `resource.contains("/ranger_audits/")`
fallback unless it is similarly constrained).
##########
dev-support/ranger-docker/scripts/solr/solr-security.json:
##########
@@ -1,13 +1,4 @@
{
Review Comment:
This `security.json` no longer configures any Solr authentication plugin,
but the docker-compose stack still mounts it as `/var/solr/data/security.json`.
With authorization enabled but no authentication, Solr requests will typically
have no user principal, which can effectively disable Ranger enforcement (or
interact badly with the new audit-write bypass). Either restore the Kerberos
authentication stanza here, or stop bind-mounting this file and let the Solr 9
docker entrypoint generate the correct `security.json` based on
`SOLR_AUTH_TYPE=kerberos`.