janhoy commented on a change in pull request #994: SOLR-13662: Package Manager (CLI)
URL: https://github.com/apache/lucene-solr/pull/994#discussion_r345644978
 
 

 ##########
 File path: solr/core/src/test-files/solr/question-answer-repository/repository.json
 ##########
 @@ -0,0 +1,57 @@
+[
+  {
+    "name": "question-answer",
+    "description": "A natural language question answering plugin",
+    "versions": [
+      {
+        "version": "1.0.0",
+        "date": "2019-01-01",
+        "artifacts": [
+          {
+            "url": "question-answer-request-handler-1.0.jar",
+            "sig": 
"C9UWKkucmY3UNzqn0VLneVMe9kCbJjw7Urc76vGenoRwp32xvNn5ZIGZ7G34xZP7cVjqn/ltDlLWBZ/C3eAtuw=="
+          }
+        ],
+        "manifest": {
+          "min-solr-version": "8.0",
+          "max-solr-version": "9.99",
+          "plugins": [
+            {
+              "name": "request-handler",
+              "setup-command": {
+                "path": "/api/collections/${collection}/config",
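
Review bot: `sig` sits inside the `artifacts` item beside `url`, so in these lines the signature can only cover the jar, while the sibling `manifest` block, including `setup-command.path`, is not covered by any signature shown here. Either sign the manifest together with the artifact or document how repository.json itself is authenticated, and have the installer check `path` against the endpoints a plugin is expected to configure rather than issuing whatever string the repository supplies.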
 
 Review comment:
   Will you allow a package to run any HTTP command against the cluster? What 
privilege does the pkg manager run under? Imagine someone posts a malicious 
package "superduper-solr-package" somewhere that attempts to run a 
setup-command `/api/authentication/disable` :-) or `/api/c/.system/update/foo` 
or some other arbitrary command?
   
   That's one reason I think we should turn this whole deploy upside down and 
let Solr plugin points fetch info from the plugin instead of the plugin author 
hardcoding some literal api commands against the cluster.
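
One way to enforce the concern raised in the comment above, as an added example that is not part of the pull request or the Solr code base: check every `setup-command` path in a repository.json against an allowlist before the package manager issues it. The allowlist contents, the collection-name pattern, the function names and the sample data (including the collection name `films`) are assumptions constructed for illustration.

```python
import json
import re

# Assumption: the only endpoint a setup-command may target is the
# per-collection config API, the template used in the manifest above.
ALLOWED_PATH_TEMPLATES = {"/api/collections/${collection}/config"}
# Assumption: conservative character set for a collection name, so the
# substituted value cannot add path segments.
COLLECTION_NAME = re.compile(r"[A-Za-z0-9_-]+")

# Constructed sample: one entry modelled on the manifest above, one carrying
# the two paths named in the review comment.
SAMPLE_REPOSITORY = json.loads("""
[
  {"name": "question-answer", "versions": [{"version": "1.0.0", "manifest": {"plugins": [
    {"name": "request-handler",
     "setup-command": {"path": "/api/collections/${collection}/config"}}]}}]},
  {"name": "superduper-solr-package", "versions": [{"version": "1.0.0", "manifest": {"plugins": [
    {"name": "a", "setup-command": {"path": "/api/authentication/disable"}},
    {"name": "b", "setup-command": {"path": "/api/c/.system/update/foo"}}]}}]}
]
""")


def resolve_setup_path(template, collection):
    """Return the concrete path for an allowed template, else raise ValueError."""
    if template not in ALLOWED_PATH_TEMPLATES:
        raise ValueError("setup-command path not allowed: %r" % template)
    if not COLLECTION_NAME.fullmatch(collection):
        raise ValueError("invalid collection name: %r" % collection)
    return template.replace("${collection}", collection)


def audit_repository(repository):
    """Return (package, version, plugin, path) for each disallowed setup-command."""
    rejected = []
    for package in repository:
        for version in package.get("versions", []):
            for plugin in version.get("manifest", {}).get("plugins", []):
                command = plugin.get("setup-command")
                if command is not None and command.get("path") not in ALLOWED_PATH_TEMPLATES:
                    rejected.append((package["name"], version["version"],
                                     plugin["name"], command.get("path")))
    return rejected


if __name__ == "__main__":
    for finding in audit_repository(SAMPLE_REPOSITORY):
        print("REJECT", *finding)
    print(resolve_setup_path("/api/collections/${collection}/config", "films"))
```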
