[ https://issues.apache.org/jira/browse/AMBARI-22273?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Olivér Szabó updated AMBARI-22273:
----------------------------------
Description:
1.) Disable editing with the Config API by adding the
"-Ddisable.configEdit=true" flag to the SOLR_OPTS by default.
2.) Update all collections to reroute the xmlparser query parser away from the
vulnerable class, by adding this to the Ranger, Atlas, and LogSearch
collections:
{noformat}
<queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
{noformat}
Requires manual changes for non-newly created clusters with Ranger/Atlas or
LogSearch
1. Log Search changes:
- add {{<queryParser name="xmlparser"
class="solr.ExtendedDismaxQParserPlugin" />}} to
{{logsearch-audit_logs-solrconfig/content}}
- add {{<queryParser name="xmlparser"
class="solr.ExtendedDismaxQParserPlugin" />}} to
{{logsearch-service_logs-solrconfig/content}}
was:
1.) Disable editing with the Config API by adding the
"-Ddisable.configEdit=true" flag to the SOLR_OPTS by default.
2.) Update all collections to reroute the xmlparser query parser away from the
vulnerable class, by adding this to the Ranger, Atlas, and LogSearch
collections:
{noformat}
<queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
{noformat}
Requires manual changes for non-newly created clusters with Ranger/Atlas or
LogSearch
1. Log Search changes:
- add {{<queryParser name="xmlparser"
class="solr.ExtendedDismaxQParserPlugin" />}} to {{
logsearch-audit_logs-solrconfig/content }}
- add {{<queryParser name="xmlparser"
class="solr.ExtendedDismaxQParserPlugin" />}} to {{
logsearch-service_logs-solrconfig/content }}
> Disable xmlparser and configEdit API in Infra Solr by default
> -------------------------------------------------------------
>
> Key: AMBARI-22273
> URL: https://issues.apache.org/jira/browse/AMBARI-22273
> Project: Ambari
> Issue Type: Bug
> Components: ambari-infra, ambari-logsearch, ambari-server
> Affects Versions: 2.6.0
> Reporter: Olivér Szabó
> Assignee: Olivér Szabó
> Fix For: 2.6.0
>
>
> 1.) Disable editing with the Config API by adding the
> "-Ddisable.configEdit=true" flag to the SOLR_OPTS by default.
> 2.) Update all collections to reroute the xmlparser query parser away from
> the vulnerable class, by adding this to the Ranger, Atlas, and LogSearch
> collections:
> {noformat}
> <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
> {noformat}
> Requires manual changes for non-newly created clusters with Ranger/Atlas or
> LogSearch
> 1. Log Search changes:
> - add {{<queryParser name="xmlparser"
> class="solr.ExtendedDismaxQParserPlugin" />}} to
> {{logsearch-audit_logs-solrconfig/content}}
> - add {{<queryParser name="xmlparser"
> class="solr.ExtendedDismaxQParserPlugin" />}} to
> {{logsearch-service_logs-solrconfig/content}}
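An added example, not part of the original notification or of Ambari's code: a check that a solrconfig.xml body reroutes xmlparser to the class named in the issue and that a SOLR_OPTS string carries the configEdit flag. The function names, the sample XML and the sample SOLR_OPTS values are constructed for illustration.

```python
import shlex
import xml.etree.ElementTree as ET

SAFE_CLASS = "solr.ExtendedDismaxQParserPlugin"  # class named in the issue
FLAG_PREFIX = "-Ddisable.configEdit="            # property named in the issue
# Constructed sample inputs, not taken from a real cluster.
PATCHED = '<config><queryParser name="xmlparser" class="%s" /></config>' % SAFE_CLASS
UNPATCHED = '<config><requestHandler name="/select" class="solr.SearchHandler" /></config>'


def xmlparser_finding(solrconfig_xml):
    """Return None when xmlparser is rerouted to SAFE_CLASS, else a finding."""
    root = ET.fromstring(solrconfig_xml)
    classes = [e.get("class") for e in root.iter("queryParser") if e.get("name") == "xmlparser"]
    if not classes:
        return "no xmlparser override present"
    wrong = [str(c) for c in classes if c != SAFE_CLASS]
    if wrong:
        return "xmlparser mapped to unexpected class: " + ", ".join(wrong)
    return None


def config_edit_finding(solr_opts):
    """Return None when SOLR_OPTS sets disable.configEdit to true and nothing else."""
    values = [t[len(FLAG_PREFIX):] for t in shlex.split(solr_opts)
              if t.startswith(FLAG_PREFIX)]
    if not values or any(v != "true" for v in values):
        return "Config API editing not disabled (values seen: %s)" % values
    return None


def audit(solrconfigs, solr_opts):
    """solrconfigs maps a config name to solrconfig.xml text; returns findings."""
    findings = []
    for name, text in sorted(solrconfigs.items()):
        try:
            problem = xmlparser_finding(text)
        except ET.ParseError as exc:
            problem = "unparseable solrconfig: %s" % exc
        if problem:
            findings.append("%s: %s" % (name, problem))
    problem = config_edit_finding(solr_opts)
    if problem:
        findings.append("SOLR_OPTS: " + problem)
    return findings


if __name__ == "__main__":
    print(audit({"audit_logs": PATCHED, "service_logs": UNPATCHED}, "-Xms1g"))
```

On an existing cluster the XML text would come from the {{logsearch-audit_logs-solrconfig/content}} and {{logsearch-service_logs-solrconfig/content}} properties mentioned above.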