[ 
https://issues.apache.org/jira/browse/SOLR-13534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16861492#comment-16861492
 ] 

Gus Heck commented on SOLR-13534:
---------------------------------

If I understand the doc edits I see in the PR, it looks like this is turned on 
by {{-Denable.runtime.lib=true}}? I'm wondering if it shouldn't have its own 
flag. To me this is another level of risk beyond loading from the blob store. 
With this, they only have to trick/hack you once into running the config 
command... previously they had to trick you twice (once to upload to the 
blobstore and once to run the config command). Thinking XSRF/person 
hacking/misconfigured authorization, etc. Also the attacker leaves no footprint 
to show what it was they did.

> Dynamic loading of jars from a url
> ----------------------------------
>
>                 Key: SOLR-13534
>                 URL: https://issues.apache.org/jira/browse/SOLR-13534
>             Project: Solr
>          Issue Type: Improvement
>            Reporter: Noble Paul
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Dynamic loading is possible from {{.system}} collection. It's much easier to 
> host the jars on a remote service and load it from there. This way the user 
> should have no problem in loading jars when the {{.system}} collection is not 
> available for some reason.
> The steps should look as follows:
>  # Get the hash of your jar file: {{openssl dgst -sha512 <jar>}}
>  # Upload it to your hosting service. Say the location is 
> {{[http://host:port/my-jar/location|http://hostport/]}}
>  # Create a runtime lib entry for the collection as follows:
> {code:java}
> curl http://localhost:8983/solr/techproducts/config -H 'Content-type:application/json' -d '{
>    "add-runtimelib": { "name":"jarblobname",
>      "sha512":"e94bb3990b39aacdabaa3eef7ca6102d96fa46766048da50269f25fd41164440a4e024d7a7fb0d5ec328cd8322bb65f5ba7886e076a8f224f78cb310fd45896d",
>      "url":"http://host:port/my-jar/location" }
> }'
> {code}
> To update the jar, just repeat the steps and use {{update-runtimelib}} to 
> update the sha512 hash.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
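
The hash pin in the quoted steps, as an added example (not code from the issue, the PR or Solr): it validates an {{add-runtimelib}} request body of the shape shown above and accepts fetched jar bytes only when their SHA-512 matches the pinned value, returning a record that could be written to an audit log. The function names, the record layout, the sample jar bytes and the sample URL are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import re
from urllib.parse import urlsplit

SHA512_HEX = re.compile(r"[0-9a-f]{128}")


def parse_runtimelib(body: str) -> dict:
    """Validate the add-runtimelib entry of a config request body (shape as quoted above)."""
    entry = json.loads(body).get("add-runtimelib")
    if not isinstance(entry, dict):
        raise ValueError("no add-runtimelib object in request")
    for key in ("name", "sha512", "url"):
        if not isinstance(entry.get(key), str):
            raise ValueError(f"missing or non-string field: {key}")
    digest = entry["sha512"].strip().lower()
    if not SHA512_HEX.fullmatch(digest):
        raise ValueError("sha512 must be 128 hex characters")
    parts = urlsplit(entry["url"])
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("url must be an absolute http(s) URL")
    return {"name": entry["name"], "sha512": digest, "url": entry["url"]}


def verify_jar(entry: dict, jar_bytes: bytes) -> dict:
    """Compare the fetched bytes to the pinned digest; return a record fit for an audit log."""
    actual = hashlib.sha512(jar_bytes).hexdigest()
    return {
        "name": entry["name"],
        "url": entry["url"],
        "pinned_sha512": entry["sha512"],
        "actual_sha512": actual,
        "accepted": hmac.compare_digest(actual, entry["sha512"]),
    }


# Constructed sample input: stand-in jar bytes and a request body pinning their digest.
SAMPLE_JAR = b"PK\x03\x04 constructed stand-in for a jar file"
SAMPLE_BODY = json.dumps({"add-runtimelib": {
    "name": "jarblobname",
    "sha512": hashlib.sha512(SAMPLE_JAR).hexdigest(),
    "url": "http://jars.example.test:8080/my-jar.jar",  # constructed URL
}})

if __name__ == "__main__":
    pinned = parse_runtimelib(SAMPLE_BODY)
    print(verify_jar(pinned, SAMPLE_JAR))            # matching bytes
    print(verify_jar(pinned, SAMPLE_JAR + b"\x00"))  # one extra byte
```

The pin only proves that the bytes match what the config command named; it says nothing about who issued that command, which is the concern raised in the comment above.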
