Timothy Potter created SOLR-15451:
-------------------------------------

             Summary: SQL endpoint returns the wrong error when authenticated user doesn't have read access /admin/luke
                 Key: SOLR-15451
                 URL: https://issues.apache.org/jira/browse/SOLR-15451
             Project: Solr
          Issue Type: Bug
      Security Level: Public (Default Security Level. Issues are Public)
          Components: Parallel SQL
            Reporter: Timothy Potter
            Assignee: Timothy Potter


Note: This is not a security issue, it's a usability problem.

Trying out the {{/sql}} HTTP endpoint on a basic-auth enabled cluster. My user 
didn't have read access to the {{/admin/luke}} endpoint for all collections 
being queried and got an unhelpful message like:
{code}
{
  "result-set":{
    "docs":[{
        "EXCEPTION":"Failed to execute sqlQuery 'SELECT count(*) FROM sop2 
WHERE boolean1_b = 'true' LIMIT 10' against JDBC connection 
'jdbc:calcitesolr:'.\nError while executing SQL \"SELECT count(*) FROM sop2 
WHERE boolean1_b = 'true' LIMIT 10\": 
org.apache.solr.client.solrj.SolrServerException: No live SolrServers available 
to handle this request:[http://dev-solrcloud-0.dev:80/solr/sop2, 
http://dev-solrcloud-1.dev:80/solr/sop2]",
        "EOF":true,
        "RESPONSE_TIME":33}]}}
{code}

In the server logs, I see:
{code}
Caused by: java.lang.RuntimeException: 
org.apache.solr.client.solrj.SolrServerException: No live SolrServers available 
to handle this request:[http://dev-solrcloud-0.dev:80/solr/sop2, 
http://dev-solrcloud-1.dev:80/solr/sop2]
        at org.apache.solr.handler.sql.SolrSchema.getFieldInfo(SolrSchema.java:102)
        at org.apache.solr.handler.sql.SolrSchema.getRelDataType(SolrSchema.java:112)
        at org.apache.solr.handler.sql.SolrTable.getRowType(SolrTable.java:82)
{code}

Once I granted the following permission to the user, the query worked:
{code}
      {
        "name":"queryluke",
        "path":"/admin/luke",
        "collection":"*",
        "role":["users", "admin"]
      }
{code}
I'm thinking the solution is to execute the {{getFieldInfo}} request (in 
SolrSchema) from a server thread that authenticates via the PKI plugin instead 
of having to grant this permission to the user explicitly. Users may not want 
to give access to {{/admin/luke}} to end users just for executing SQL.



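A triage sketch for the symptom reported above, added here as an example (not code from Solr or from the reporter): it flags collections where a `/sql` "No live SolrServers available" error, together with a `SolrSchema.getFieldInfo` frame in the server log, coincides with a missing `/admin/luke` grant for the user's roles. The function names, the simplified permission matching (no rule ordering, no predefined permissions) and the sample inputs are assumptions constructed from the report.

```python
import json
import re

LUKE = "/admin/luke"
SCHEMA_FRAME = "org.apache.solr.handler.sql.SolrSchema.getFieldInfo"

def failed_collections(sql_response):
    """Collections named in a 'No live SolrServers' EXCEPTION of a /sql response."""
    names = set()
    for doc in json.loads(sql_response)["result-set"]["docs"]:
        msg = doc.get("EXCEPTION", "")
        if "No live SolrServers available" in msg:
            # Replica URLs in the message end in /solr/<collection>
            names.update(re.findall(r"/solr/([\w.-]+)", msg))
    return sorted(names)

def as_list(value):
    return value if isinstance(value, list) else [value]

def luke_granted(permissions, roles, collection):
    """Simplified check (assumption): any custom permission on /admin/luke that
    covers the collection and one of the roles. Rule ordering and Solr's
    predefined permissions are not modelled."""
    for p in permissions:
        if (LUKE in as_list(p.get("path", []))
                and set(as_list(p.get("collection", "*"))) & {"*", collection}
                and set(as_list(p.get("role", []))) & set(roles)):
            return True
    return False

def diagnose(sql_response, server_log, permissions, roles):
    """Collections whose /sql failure is likely a missing /admin/luke grant."""
    if SCHEMA_FRAME not in server_log:
        return []  # failure did not come from the schema lookup
    return [c for c in failed_collections(sql_response)
            if not luke_granted(permissions, roles, c)]

# Constructed inputs modelled on the report above.
SAMPLE_RESPONSE = json.dumps({"result-set": {"docs": [{
    "EXCEPTION": "org.apache.solr.client.solrj.SolrServerException: No live SolrServers "
                 "available to handle this request:[http://dev-solrcloud-0.dev:80/solr/sop2, "
                 "http://dev-solrcloud-1.dev:80/solr/sop2]",
    "EOF": True, "RESPONSE_TIME": 33}]}})
SAMPLE_LOG = "\tat org.apache.solr.handler.sql.SolrSchema.getFieldInfo(SolrSchema.java:102)"
QUERYLUKE = {"name": "queryluke", "path": "/admin/luke", "collection": "*",
             "role": ["users", "admin"]}
```

A non-empty result from `diagnose` means the "No live SolrServers" text is probably masking an authorization failure on `/admin/luke`, not an outage of the listed replicas.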