[ https://issues.apache.org/jira/browse/SOLR-16781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17718645#comment-17718645 ]

Jason Gerlowski commented on SOLR-16781:
----------------------------------------

bq. Supported alternatives exist that are safer [... e.g.] use packages to use 
custom jars per collection

Is the package manager ready to take on all of the use cases that our users 
previously leaned on {{<lib>}} for?  I haven't followed package-manager 
development too closely, but my understanding was that it still had certain 
limitations that would make it hard to replace {{<lib>}} e.g. support for 
"standalone" Solr deployments (SOLR-16152).

bq. This feature required complex handling of "trusted" vs "non-trusted" 
configsets in configset upload API to keep Solr secure (i.e. to stop RCE 
attacks for non-authentication enabled deployments)

Is the thought then that this ticket would also deprecate or remove the 
trusted/untrusted distinction in 10?  Or is that still relevant even if 
{{<lib>}} goes away?

> Remove <lib> directives from Solr
> ---------------------------------
>
>                 Key: SOLR-16781
>                 URL: https://issues.apache.org/jira/browse/SOLR-16781
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Ishan Chattopadhyaya
>            Priority: Major
>
> <lib> directives in solrconfig.xml used to be the recommended way for including 
> additional jar files to the classpath for a particular collection or 
> collections.
> For context: This feature required complex handling of "trusted" vs 
> "non-trusted" configsets in configset upload API to keep Solr secure (i.e. to 
> stop RCE attacks for non-authentication enabled deployments). This security 
> feature also broke down recently due to a bug in Schema designer (SOLR-16777).
> Supported alternatives exist that are safer:
>  * user can add the jar files to Solr's classpath
>  * use packages to use custom jars per collection
> In the light of these, there's no need to continue to support the <lib> 
> directive going forward.
> I propose to remove the <lib> directives handling and functionality through 
> this issue.
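As an added example (not code from the issue, from Solr, or from either commenter), a small audit script that inventories the <lib> directives in a solrconfig.xml and flags those whose location reaches outside the configset; this is the kind of inventory an operator would want before migrating a collection to classpath jars or packages. The solrconfig.xml sample is constructed; the dir, regex and path attributes are the ones Solr's <lib> element accepts, and solr.install.dir is Solr's own system property.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample solrconfig.xml, not taken from the issue. The dir/regex/path
# attributes are the ones Solr's <lib> directive actually accepts.
SAMPLE_SOLRCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<config>
  <luceneMatchVersion>9.0.0</luceneMatchVersion>
  <lib dir="${solr.install.dir:../../../..}/contrib/extraction/lib" regex=".*\\.jar"/>
  <lib path="lib/custom-analyzer.jar"/>
  <lib dir="/opt/shared/jars" regex=".*\\.jar"/>
  <requestHandler name="/select" class="solr.SearchHandler"/>
</config>
"""

_PROP = re.compile(r"\$\{[^}:]+:([^}]*)\}")  # ${prop:default} -> default


def _leaves_configset(location: str) -> bool:
    """True if the location is absolute or climbs out via '..' once
    ${prop:default} placeholders are replaced by their defaults."""
    resolved = _PROP.sub(r"\1", location)
    p = PurePosixPath(resolved)
    return p.is_absolute() or ".." in p.parts


def find_lib_directives(solrconfig_xml: str) -> list[dict]:
    """Inventory every <lib> element in a solrconfig.xml so the collection can
    be migrated to classpath jars or packages before the directive is removed."""
    root = ET.fromstring(solrconfig_xml)
    records = []
    for lib in root.iter("lib"):
        if "path" in lib.attrib:
            kind, location = "path", lib.attrib["path"]
        else:
            kind, location = "dir", lib.attrib.get("dir", "")
        records.append({
            "kind": kind,
            "location": location,
            "regex": lib.attrib.get("regex"),
            "leaves_configset": _leaves_configset(location),
        })
    return records


if __name__ == "__main__":
    for rec in find_lib_directives(SAMPLE_SOLRCONFIG):
        flag = "OUTSIDE CONFIGSET" if rec["leaves_configset"] else "inside configset"
        print(f"<lib {rec['kind']}={rec['location']!r} regex={rec['regex']!r}> {flag}")
```

Running it over every configset in ZooKeeper or on disk gives the list of collections that still depend on <lib> and which of them load jars from shared or absolute locations.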
