Babiel created SOLR-16905:
-----------------------------
Summary: Java Security Manager rules don't include "solr.allowPaths" property
Key: SOLR-16905
URL: https://issues.apache.org/jira/browse/SOLR-16905
Project: Solr
Issue Type: Bug
Security Level: Public (Default Security Level. Issues are Public)
Components: security
Affects Versions: 9.2.1
Reporter: Babiel
Hi all,
we've upgraded from Solr 8.11 to Solr 9.2 which bricked our Solr Backup. Since
Solr 8.6 we configure solr.allowPaths, because our backup destination is
outside the Solr home directory. We do this using the solr.in.sh:
{code:java}
SOLR_OPTS="$SOLR_OPTS -Dsolr.allowPaths=/opt/backup"{code}
Since Solr 9 we received the following error message when trying to create a
backup:
{code:java}
curl -sk 'http://localhost:8983/solr/admin/collections?action=BACKUP&name=xyz&collection=xyz&location=/opt/backup'
{
  "responseHeader":{
    "status":500,
    "QTime":0},
  "error":{
    "msg":"access denied (\"java.io.FilePermission\" \"/opt/backup\" \"read\")",
...{code}
After some debugging we discovered that since Solr 9 the Java Security Manager
is enabled by default. However, it doesn't have a default rule to allow access
to the path which is set using the "solr.allowPaths" property:
{code:java}
grep allowPaths /opt/solr-9.2.1/server/etc/security.policy{code}
We disabled the Java Security Manager for now, but our guess is that the
security policy should be expanded by:
{code:java}
permission java.io.FilePermission "${solr.allowPaths}", "read,write,delete,readlink";
permission java.io.FilePermission "${solr.allowPaths}${/}-", "read,write,delete,readlink";{code}
Cheers
Dennis
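
Added example (not part of the original report and not Solr code): a small Python model of how Java policy-file `FilePermission` entries are expanded and matched, used to check the missing grant described above against the two entries the report proposes. The base policy fragment, the `solr.solr.home` value and the helper names are constructed for illustration, and paths are assumed to be normalized absolute POSIX paths.

```python
import re

# Constructed stand-in for a policy file; not the contents of Solr's security.policy.
BASE_POLICY = '''grant {
  permission java.io.FilePermission "${solr.solr.home}", "read,write,delete,readlink";
  permission java.io.FilePermission "${solr.solr.home}${/}-", "read,write,delete,readlink";
};'''
# The two entries proposed in the report above, copied verbatim.
PROPOSED = '''grant {
  permission java.io.FilePermission "${solr.allowPaths}", "read,write,delete,readlink";
  permission java.io.FilePermission "${solr.allowPaths}${/}-", "read,write,delete,readlink";
};'''

ENTRY = re.compile(r'permission\s+java\.io\.FilePermission\s+"([^"]+)"\s*,\s*"([^"]+)"\s*;')

def expand(pattern, props):
    """Expand ${name}; ${/} is the file separator. None if a property is undefined."""
    try:
        return re.sub(r'\$\{([^}]+)\}',
                      lambda m: "/" if m.group(1) == "/" else props[m.group(1)], pattern)
    except KeyError:
        return None  # Java ignores a permission entry whose property cannot be expanded

def covers(pattern, path):
    """FilePermission path matching for normalized absolute POSIX paths."""
    if pattern == "<<ALL FILES>>":
        return True
    if pattern.endswith("/-"):          # everything below the directory, recursively
        return path.startswith(pattern[:-1]) and path != pattern[:-1]
    if pattern.endswith("/*"):          # direct children only
        rest = path[len(pattern) - 1:]
        return path.startswith(pattern[:-1]) and rest != "" and "/" not in rest
    return path == pattern              # the directory itself needs its own entry

def allowed(policy, props, path, action):
    """True if any FilePermission entry in `policy` grants `action` on `path`."""
    for raw, actions in ENTRY.findall(policy):
        pattern = expand(raw, props)
        if pattern and action in {a.strip() for a in actions.split(",")} and covers(pattern, path):
            return True
    return False

if __name__ == "__main__":
    props = {"solr.solr.home": "/var/solr/data", "solr.allowPaths": "/opt/backup"}
    for name, policy in (("base", BASE_POLICY), ("base + proposed", BASE_POLICY + PROPOSED)):
        print(name, allowed(policy, props, "/opt/backup", "read"))
```

In this model the proposed entries are skipped when `solr.allowPaths` is unset, and a comma-separated value (which Solr's `allowPaths` setting accepts) expands to one literal path that matches none of the listed directories.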