> Without polluting this thread, I'll just say that this assertion is wrong.
> If you can demonstrate how someone with full API access, but no write
> access to disk or ZK, can execute any user code, I'll stand corrected.

Hi Noble/Ishan.

I regret using the phrasing "arbitrary plugin code upload" about the config APIs. It was not precise. I was trying to paraphrase the definition of the "config-edit" permission from memory, but obviously did a poor job :)

Let me instead quote the ref-guide for the "config-edit" permission:
https://solr.apache.org/guide/solr/9_2/deployment-guide/rule-based-authorization-plugin.html

> config-edit: ... Because configs can add libraries/custom code from various
> locations, loading any new code via a trusted SolrConfig is explicitly
> allowed for users with this permission...

I.e. currently remote streaming can (by design) be enabled by users with config-edit and systems without auth/z.

Let's move any further discussion to relevant JIRAs and/or other threads and leave this for voting.

Jan

> 30. apr. 2023 kl. 03:20 skrev Ishan Chattopadhyaya <ichattopadhy...@gmail.com>:
>
>> it is by design to allow full access, even arbitrary plugin code upload,
>> by users with config-edit permission and in unprotected Solr instances.
>
> Without polluting this thread, I'll just say that this assertion is wrong.
> If you can demonstrate how someone with full API access, but no write
> access to disk or ZK, can execute any user code, I'll stand corrected.
>
> I'll write a more detailed reply in a different thread on the measures we
> have taken to prevent that, let alone allow full access "by design".
>
> On Sun, 30 Apr, 2023, 6:32 am Noble Paul, <noble.p...@gmail.com> wrote:
>
>> On Sun, Apr 30, 2023, 10:09 AM Jan Høydahl <jan....@cominvent.com> wrote:
>>
>>> I maintain my +1 vote, as it is by design to allow full access, even
>>> arbitrary plugin code upload, by
>>
>> There is no such "design" as you say Jan. Show me a single feature that can
>> upload and run code without file system or direct zk access
>>
>>> users with config-edit permission and in unprotected Solr instances.
>>> I do support discussing new defaults to some of these setting, but that
>>> can happen in the open for a future release, no rush as this is by
>>> definition not a bug or vulnerability.
>>>
>>> Jan
>>>
>>>> 29. apr. 2023 kl. 17:54 skrev Justin Sweeney <justin.sweene...@gmail.com>:
>>>>
>>>> I'm going to proceed with this release as is, we can follow up with an
>>>> additional release as needed. Voting will close 2023-04-30 at 15:00 UTC.
>>>>
>>>> On Sat, Apr 29, 2023 at 10:37 AM Ishan Chattopadhyaya <ichattopadhy...@gmail.com> wrote:
>>>>
>>>>> https://issues.apache.org/jira/browse/SOLR-16777 is fixed. I've added it to
>>>>> the release branch.
>>>>> The other one will require me some more time, maybe another day.
>>>>> Justin, I believe a re-spin is warranted to accommodate this, but I leave
>>>>> it to your judgement.
>>>>>
>>>>> On Sat, 29 Apr 2023 at 12:07, Ishan Chattopadhyaya <ichattopadhy...@gmail.com> wrote:
>>>>>
>>>>>> In my opinion, these two are blockers.
>>>>>>
>>>>>> https://issues.apache.org/jira/browse/SOLR-16776
>>>>>> https://issues.apache.org/jira/browse/SOLR-16777
>>>>>>
>>>>>> In case we decide not to respin to accommodate these, these should be
>>>>>> carried over to a 9.2.2 release.
>>>>>>
>>>>>> On Sat, 29 Apr, 2023, 7:54 am Ishan Chattopadhyaya, <ichattopadhy...@gmail.com> wrote:
>>>>>>
>>>>>>> (FYI, -1 on a release is not a veto. Just a simple vote.)
>>>>>>>
>>>>>>> On Sat, 29 Apr, 2023, 6:53 am Ishan Chattopadhyaya, <ichattopadhy...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Sure, carry on with this release.
>>>>>>>>
>>>>>>>> I vote -1 on this release, and I'll prepare for a follow on release
>>>>>>>> after this one is done.
>>>>>>>>
>>>>>>>> On Sat, 29 Apr, 2023, 2:45 am David Smiley, <dsmi...@apache.org> wrote:
>>>>>>>>
>>>>>>>>> I'm going to challenge Ishan and say that there is no change coming that
>>>>>>>>> warrants halting a bugfix/patch release, as the proposed change that Ishan
>>>>>>>>> speaks of is an "improvement" that helps security and is not a
>>>>>>>>> bug/vulnerability being fixed. It would also bring a backwards
>>>>>>>>> compatibility change. So please do continue with this long delayed bugfix
>>>>>>>>> release!
>>>>>>>>>
>>>>>>>>> ~ David Smiley
>>>>>>>>> Apache Lucene/Solr Search Developer
>>>>>>>>> http://www.linkedin.com/in/davidwsmiley
>>>>>>>>>
>>>>>>>>> On Fri, Apr 28, 2023 at 3:28 PM Justin Sweeney <justin.sweene...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> It sounds like the general consensus from the thread regarding the issue
>>>>>>>>>> was that while some changes to make that less risky are worthwhile, they
>>>>>>>>>> are not blockers for the release. Did that change?
>>>>>>>>>>
>>>>>>>>>> I just hate to hold up the release any longer unless we have a truly
>>>>>>>>>> blocking issue since there are a number of very worthwhile fixes included
>>>>>>>>>> here.
>>>>>>>>>>
>>>>>>>>>> On Fri, Apr 28, 2023 at 12:46 PM Ishan Chattopadhyaya <ichattopadhy...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Justin,
>>>>>>>>>>> I am testing a patch for a security issue discussed privately within the
>>>>>>>>>>> PMC group. Can you please give me another 24 hours to have it fixed? If
>>>>>>>>>>> not, then I'll be pushing for a 9.2.2 release later, once that is resolved.
>>>>>>>>>>> Thank you for your understanding.
>>>>>>>>>>> Regards,
>>>>>>>>>>> Ishan
>>>>>>>>>>>
>>>>>>>>>>> On Fri, 28 Apr 2023 at 22:04, Arrieta, Alejandro <aarri...@perrinsoftware.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> +1
>>>>>>>>>>>> SUCCESS! [0:29:31.135392]
>>>>>>>>>>>>
>>>>>>>>>>>> And run Solr operator tests successfully following instructions:
>>>>>>>>>>>> Local end-to-end cluster test successfully run!
>>>>>>>>>>>>
>>>>>>>>>>>> ubuntu 23.04 amd64 temurin-openjdk11 on virtualbox 7.
>>>>>>>>>>>>
>>>>>>>>>>>> Kind Regards,
>>>>>>>>>>>> Alejandro Arrieta
>>>>>>>>>>>>
>>>>>>>>>>>> On Thu, Apr 27, 2023 at 4:23 PM Joel Bernstein <joels...@gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> +1 (binding)
>>>>>>>>>>>>>
>>>>>>>>>>>>> SUCCESS! [0:43:48.160659]
>>>>>>>>>>>>>
>>>>>>>>>>>>> I tested out the assets as well and looked fine.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Joel Bernstein
>>>>>>>>>>>>> http://joelsolr.blogspot.com/
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Thu, Apr 27, 2023 at 1:23 PM Jan Høydahl <jan....@cominvent.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> +1 (binding)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> SUCCESS! [0:38:44.920838]
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Jan
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 27. apr. 2023 kl. 16:12 skrev Justin Sweeney <justin.sweene...@gmail.com>:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi all, we are back on for the vote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Please vote for release candidate 1 for Solr 9.2.1
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The artifacts can be downloaded from:
>>>>>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/solr/solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> You can run the smoke tester directly with this command:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> python3 -u dev-tools/scripts/smokeTestRelease.py \
>>>>>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/solr/solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> You can build a release-candidate of the official docker image using the
>>>>>>>>>>>>>>> following command:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> DIST_BASE=https://dist.apache.org/repos/dist/dev/solr && \
>>>>>>>>>>>>>>> RC_FOLDER=solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2 && \
>>>>>>>>>>>>>>> docker build $DIST_BASE/$RC_FOLDER/solr/docker/Dockerfile.official \
>>>>>>>>>>>>>>> --build-arg SOLR_DOWNLOAD_URL=$DIST_BASE/$RC_FOLDER/solr/solr-9.2.1.tgz \
>>>>>>>>>>>>>>> -t solr-rc:9.2.1-1
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The vote will be open for at least 72 hours i.e. until 2023-04-30 15:00 UTC.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [ ] +1 approve
>>>>>>>>>>>>>>> [ ] +0 no opinion
>>>>>>>>>>>>>>> [ ] -1 disapprove (and reason why)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Mon, Apr 24, 2023 at 12:38 PM Justin Sweeney <justin.sweene...@gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Yup, let's wait in that case. I didn't realize it would fail since I had
>>>>>>>>>>>>>>>> temporarily added my key locally to be able to execute the additional
>>>>>>>>>>>>>>>> steps. This results in the smoketester passing for me. I'll resend a vote
>>>>>>>>>>>>>>>> once I'm able to push my key.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Mon, Apr 24, 2023 at 12:32 PM Houston Putman <hous...@apache.org> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hey Justin,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Should we wait to run this until after your GPG key is in
>>>>>>>>>>>>>>>>> https://downloads.apache.org/solr/KEYS?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> The smoketester fails for me because it can't find your key.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> - Houston
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Mon, Apr 24, 2023 at 12:20 PM Justin Sweeney <justin.sweene...@gmail.com> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Please vote for release candidate 1 for Solr 9.2.1
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> The artifacts can be downloaded from:
>>>>>>>>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/solr/solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> You can run the smoke tester directly with this command:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> python3 -u dev-tools/scripts/smokeTestRelease.py \
>>>>>>>>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/solr/solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> You can build a release-candidate of the official docker image using the
>>>>>>>>>>>>>>>>>> following command:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> DIST_BASE=https://dist.apache.org/repos/dist/dev/solr && \
>>>>>>>>>>>>>>>>>> RC_FOLDER=solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2 && \
>>>>>>>>>>>>>>>>>> docker build $DIST_BASE/$RC_FOLDER/solr/docker/Dockerfile.official \
>>>>>>>>>>>>>>>>>> --build-arg SOLR_DOWNLOAD_URL=$DIST_BASE/$RC_FOLDER/solr/solr-9.2.1.tgz \
>>>>>>>>>>>>>>>>>> -t solr-rc:9.2.1-1
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> The vote will be open for at least 72 hours i.e. until 2023-04-27 17:00 UTC.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> [ ] +1 approve
>>>>>>>>>>>>>>>>>> [ ] +0 no opinion
>>>>>>>>>>>>>>>>>> [ ] -1 disapprove (and reason why)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>>>>>>> To unsubscribe, e-mail: dev-unsubscr...@solr.apache.org
>>>>>>>>>>>>>> For additional commands, e-mail: dev-h...@solr.apache.org
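As an added illustration, not taken from the thread or from the Solr project's own files: a security.json for Solr's rule-based authorization plugin that grants the "config-edit" permission quoted above (and the other edit permissions) only to an "admin" role, so that ordinary authenticated users cannot change the SolrConfig. The user name and the credential value are placeholders (Solr expects a base64 SHA-256 hash followed by a base64 salt); permissions are matched top-down, so the catch-all "all" rule comes last.

```json
{
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "solradmin": "PLACEHOLDER_BASE64_SHA256_HASH PLACEHOLDER_BASE64_SALT"
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      { "name": "security-edit", "role": "admin" },
      { "name": "config-edit", "role": "admin" },
      { "name": "schema-edit", "role": "admin" },
      { "name": "core-admin-edit", "role": "admin" },
      { "name": "collection-admin-edit", "role": "admin" },
      { "name": "read", "role": "*" },
      { "name": "all", "role": "admin" }
    ],
    "user-role": {
      "solradmin": "admin"
    }
  }
}
```

With "blockUnknown": true, unauthenticated requests are rejected, and the "read" rule with role "*" lets any authenticated user query while every edit path stays restricted to "admin".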