[jira] [Comment Edited] (SOLR-12371) SecurityConfHandlerLocal fails to read back security.json meta version (SecurityConfig.getVersion() always -1), never increased
[
https://issues.apache.org/jira/browse/SOLR-12371?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16479536#comment-16479536
]
Pascal Proulx edited comment on SOLR-12371 at 5/17/18 6:48 PM:
---
For reference, here is what the zookeeper handler does:
org.apache.solr.handler.admin.SecurityConfHandlerZk.getSecurityConfig(boolean)
{code:java}
@Override
public SecurityConfig getSecurityConfig(boolean getFresh) {
ZkStateReader.ConfigData configDataFromZk =
cores.getZkController().getZkStateReader().getSecurityProps(getFresh);
return configDataFromZk == null ?
new SecurityConfig() :
new
SecurityConfig().setData(configDataFromZk.data).setVersion(configDataFromZk.version);
}
{code}
So presumably
org.apache.solr.handler.admin.SecurityConfHandlerLocal.getSecurityConfig(boolean)
is missing a call to setVersion after calling setData:
{code:java}
@Override
public SecurityConfig getSecurityConfig(boolean getFresh) {
if (Files.exists(securityJsonPath)) {
try (InputStream securityJsonIs = Files.newInputStream(securityJsonPath))
{
return new SecurityConfig().setData(securityJsonIs);
} catch (Exception e) {
throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Failed
opening existing security.json file: " + securityJsonPath, e);
}
}
return new SecurityConfig();
}
{code}
(or SecurityConfig could encapsulate the initialization of version from data,
but I have no idea if that can be generalized there)
was (Author: pplx):
For reference, here is what the zookeeper handler does:
org.apache.solr.handler.admin.SecurityConfHandlerZk.getSecurityConfig(boolean)
{code:java}
@Override
public SecurityConfig getSecurityConfig(boolean getFresh) {
ZkStateReader.ConfigData configDataFromZk =
cores.getZkController().getZkStateReader().getSecurityProps(getFresh);
return configDataFromZk == null ?
new SecurityConfig() :
new
SecurityConfig().setData(configDataFromZk.data).setVersion(configDataFromZk.version);
}
{code}
So presumably
org.apache.solr.handler.admin.SecurityConfHandlerLocal.getSecurityConfig(boolean)
is missing a call to setVersion after calling setData:
{code:java}
@Override
public SecurityConfig getSecurityConfig(boolean getFresh) {
if (Files.exists(securityJsonPath)) {
try (InputStream securityJsonIs = Files.newInputStream(securityJsonPath))
{
return new SecurityConfig().setData(securityJsonIs);
} catch (Exception e) {
throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Failed
opening existing security.json file: " + securityJsonPath, e);
}
}
return new SecurityConfig();
}
{code}
(or SecurityConfig should encapsulate the initialization of version from data)
> SecurityConfHandlerLocal fails to read back security.json meta version
> (SecurityConfig.getVersion() always -1), never increased
> ---
>
> Key: SOLR-12371
> URL: https://issues.apache.org/jira/browse/SOLR-12371
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: JSON Request API, security
>Affects Versions: 6.6.3
>Reporter: Pascal Proulx
>Priority: Major
>
> Hello again,
> We use 6.6.3 and I was trying to update my security.json (in solr home,
> non-zookeeper) using:
> {code:java}
> curl -u myuser:mypass -H 'Content-type:application/json' -d
> '{"set-user-role":{"dummy":"dummy"}}'
> http://localhost:8080/solr/admin/authorization
> {code}
> The first time this is called, the security.json is written AND reloaded in
> memory correctly. The output json then contains at the end:
> {code:java}
> "":{"v":0}
> {code}
> However, subsequent calls using the same command, no matter the users
> specifed, always output the same meta version, 0.
> The result is that the the security.json file is correctly updated, but the
> RuleBasedAuthorizationPlugin is never reloaded in memory, so the new settings
> never take effect.
> The version never increases, so this condition in
> org.apache.solr.core.CoreContainer.initializeAuthorizationPlugin always
> returns and memory plugin reload is skipped:
> {code:java}
> if (old != null && old.getZnodeVersion() == readVersion(authorizationConf)) {
> return;
> }
> {code}
> The core of the issue is somewhere in
> org.apache.solr.handler.admin.SecurityConfHandler.doEdit:
> {code:java}
> SecurityConfig securityConfig = getSecurityConfig(true);
> Map data = securityConfig.getData();
> Map latestConf = (Map) data.get(key);
> if (latestConf == null) {
> throw new SolrException(SERVER_ERROR, "No
[jira] [Comment Edited] (SOLR-12371) SecurityConfHandlerLocal fails to read back security.json meta version (SecurityConfig.getVersion() always -1), never increased
[
https://issues.apache.org/jira/browse/SOLR-12371?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16479536#comment-16479536
]
Pascal Proulx edited comment on SOLR-12371 at 5/17/18 6:46 PM:
---
For reference, here is what the zookeeper handler does:
org.apache.solr.handler.admin.SecurityConfHandlerZk.getSecurityConfig(boolean)
{code:java}
@Override
public SecurityConfig getSecurityConfig(boolean getFresh) {
ZkStateReader.ConfigData configDataFromZk =
cores.getZkController().getZkStateReader().getSecurityProps(getFresh);
return configDataFromZk == null ?
new SecurityConfig() :
new
SecurityConfig().setData(configDataFromZk.data).setVersion(configDataFromZk.version);
}
{code}
So presumably
org.apache.solr.handler.admin.SecurityConfHandlerLocal.getSecurityConfig(boolean)
is missing a call to setVersion after calling setData:
{code:java}
@Override
public SecurityConfig getSecurityConfig(boolean getFresh) {
if (Files.exists(securityJsonPath)) {
try (InputStream securityJsonIs = Files.newInputStream(securityJsonPath))
{
return new SecurityConfig().setData(securityJsonIs);
} catch (Exception e) {
throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Failed
opening existing security.json file: " + securityJsonPath, e);
}
}
return new SecurityConfig();
}
{code}
(or SecurityConfig should encapsulate the initialization of version from data)
was (Author: pplx):
For reference, here is what the zookeeper handler does:
org.apache.solr.handler.admin.SecurityConfHandlerZk.getSecurityConfig(boolean)
{code:java}
@Override
public SecurityConfig getSecurityConfig(boolean getFresh) {
ZkStateReader.ConfigData configDataFromZk =
cores.getZkController().getZkStateReader().getSecurityProps(getFresh);
return configDataFromZk == null ?
new SecurityConfig() :
new
SecurityConfig().setData(configDataFromZk.data).setVersion(configDataFromZk.version);
}
{code}
So presumably
org.apache.solr.handler.admin.SecurityConfHandlerLocal.getSecurityConfig(boolean)
is missing a call to setVersion after calling setData:
{code:java}
@Override
public SecurityConfig getSecurityConfig(boolean getFresh) {
if (Files.exists(securityJsonPath)) {
try (InputStream securityJsonIs = Files.newInputStream(securityJsonPath))
{
return new SecurityConfig().setData(securityJsonIs);
} catch (Exception e) {
throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Failed
opening existing security.json file: " + securityJsonPath, e);
}
}
return new SecurityConfig();
}
{code}
> SecurityConfHandlerLocal fails to read back security.json meta version
> (SecurityConfig.getVersion() always -1), never increased
> ---
>
> Key: SOLR-12371
> URL: https://issues.apache.org/jira/browse/SOLR-12371
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: JSON Request API, security
>Affects Versions: 6.6.3
>Reporter: Pascal Proulx
>Priority: Major
>
> Hello again,
> We use 6.6.3 and I was trying to update my security.json (in solr home,
> non-zookeeper) using:
> {code:java}
> curl -u myuser:mypass -H 'Content-type:application/json' -d
> '{"set-user-role":{"dummy":"dummy"}}'
> http://localhost:8080/solr/admin/authorization
> {code}
> The first time this is called, the security.json is written AND reloaded in
> memory correctly. The output json then contains at the end:
> {code:java}
> "":{"v":0}
> {code}
> However, subsequent calls using the same command, no matter the users
> specifed, always output the same meta version, 0.
> The result is that the the security.json file is correctly updated, but the
> RuleBasedAuthorizationPlugin is never reloaded in memory, so the new settings
> never take effect.
> The version never increases, so this condition in
> org.apache.solr.core.CoreContainer.initializeAuthorizationPlugin always
> returns and memory plugin reload is skipped:
> {code:java}
> if (old != null && old.getZnodeVersion() == readVersion(authorizationConf)) {
> return;
> }
> {code}
> The core of the issue is somewhere in
> org.apache.solr.handler.admin.SecurityConfHandler.doEdit:
> {code:java}
> SecurityConfig securityConfig = getSecurityConfig(true);
> Map data = securityConfig.getData();
> Map latestConf = (Map) data.get(key);
> if (latestConf == null) {
> throw new SolrException(SERVER_ERROR, "No configuration present for "
> + key);
> }
> List commandsCopy = CommandOperation.clone(ops);
> Map
