[
https://issues.apache.org/jira/browse/SOLR-16905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17950526#comment-17950526
]
Gaël Jourdan commented on SOLR-16905:
-------------------------------------
Hello folks,
According to Solr documentation, allowPaths can be a list of paths separated by
a comma:
> Solr will normally only access folders relative to {{{}$SOLR_HOME{}}},
> {{$SOLR_DATA_HOME}} or {{{}coreRootDir{}}}. If you need to e.g., create a
> core outside of these paths, you can explicitly allow the path with
> {{{}allowPaths{}}}. It is a comma separated string of file system paths to
> allow. The special value of {{*}} will allow any path on the system.
However, when configuring it as such, the policy file doesn't work as in the
policy file it's expecting one line per path.
Did I miss something or is this expected and the usage of the system property
should be discouraged when there are multiple paths then?
> Java Security Manager rules don't inclue "solr.allowPaths" property
> -------------------------------------------------------------------
>
> Key: SOLR-16905
> URL: https://issues.apache.org/jira/browse/SOLR-16905
> Project: Solr
> Issue Type: Bug
> Components: security
> Affects Versions: 9.2.1
> Reporter: Babiel
> Assignee: Houston Putman
> Priority: Major
> Fix For: 9.4
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> Hi all,
> we've upgraded from Solr 8.11 to Solr 9.2 which bricked our Solr Backup.
> Since Solr 8.6 we configure solr.allowPaths, because our backup destination
> is outside the Solr home directory. We do this using the solr.in.sh:
> {code:java}
> SOLR_OPTS="$SOLR_OPTS -Dsolr.allowPaths=/opt/backup"{code}
> Since Solr 9 we received the following error message, when trying to create a
> backup
> {code:java}
> curl -sk
> 'http://localhost:8983/solr/admin/collections?action=BACKUP&name=xyz&collection=xyz&location=/opt/backup'
> {
> "responseHeader":{
> "status":500,
> "QTime":0},
> "error":{
> "msg":"access denied (\"java.io.FilePermission\" \"/opt/backup\"
> \"read\")",
> ...{code}
> After some debugging we discovered, that since Solr 9 the Java Security
> Manager is enabled by default. However it doesn't have a default rule to
> allow access to the path which is set using the "solr.allowPaths" property:
> {code:java}
> grep allowPaths /opt/solr-9.2.1/server/etc/security.policy{code}
> We disabled the Java Security Manager for now, but our guess is, that the
> security policy should be expanded by
> {code:java}
> permission java.io.FilePermission "${solr.allowPaths}",
> "read,write,delete,readlink";
> permission java.io.FilePermission "${solr.allowPaths}${/}-",
> "read,write,delete,readlink";{code}
>
> Cheers
> Dennis
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org
