[jira] [Commented] (SOLR-16781) Remove directives from Solr

Tue, 02 May 2023 10:50:07 -0700 


    [ 
https://issues.apache.org/jira/browse/SOLR-16781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17718671#comment-17718671
 ] 

Gus Heck commented on SOLR-16781:
---------------------------------

I'm not leaping on the solr.xml suggestion because some installs run with 
solr.xml in zookeeper, and configuring locations where solr can look for stuff 
seems like something that will be be determined by sysadmin folks at larger 
organizations who wouldn't want to be mucking around with solr.xml which 
contains a lot of esoteric search related stuff they might break. I could 
probably be sold on solr.xml also being a potential source, but if we have more 
than one location to configure this, precedence and/or merging behavior needs 
to be clear.

> Remove <lib> directives from Solr
> ---------------------------------
>
>                 Key: SOLR-16781
>                 URL: https://issues.apache.org/jira/browse/SOLR-16781
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Ishan Chattopadhyaya
>            Priority: Major
>
> <lib> directives in solrconfig.xml used to be recommended way for including 
> additional jar files to the classpath for a particular collection or 
> collections.
> For context: This feature required complex handling of "trusted" vs 
> "non-trusted" configsets in configset upload API to keep Solr secure (i.e. to 
> stop RCE attacks for non-authentication enabled deployments). This security 
> feature also broke down recently due to a bug in Schema designer (SOLR-16777).
> Supported alternatives exist that are safer:
>  * user can add the jar files to Solr's classpath
>  * use packages to use custom jars per collection
> In the light of these, there's no need to continue to support the <lib> 
> directive going forward.
> I propose to remove the <lib> directives handling and functionality through 
> this issue.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to