[jira] [Updated] (SOLR-15451) SQL endpoint returns the wrong error when authenticated user doesn't have read access /admin/luke

[Timothy Potter (Jira)]

     [ 
https://issues.apache.org/jira/browse/SOLR-15451?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Timothy Potter updated SOLR-15451:
----------------------------------
    Fix Version/s: 8.10

> SQL endpoint returns the wrong error when authenticated user doesn't have 
> read access /admin/luke
> -------------------------------------------------------------------------------------------------
>
>                 Key: SOLR-15451
>                 URL: https://issues.apache.org/jira/browse/SOLR-15451
>             Project: Solr
>          Issue Type: Bug
>          Components: Parallel SQL
>            Reporter: Timothy Potter
>            Assignee: Timothy Potter
>            Priority: Major
>              Labels: RobustSQL
>             Fix For: main (9.0), 8.10
>
>          Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> Note: This is not a security issue, it's a usability problem.
> Trying out the {{/sql}} HTTP endpoint on a basic-auth enabled cluster. My 
> user didn't have read access to the {{/admin/luke}} endpoint for all 
> collections being queried and got an unhelpful message like:
> {code}
> {
>   "result-set":{
>     "docs":[{
>         "EXCEPTION":"Failed to execute sqlQuery 'SELECT count(*) FROM sop2 
> WHERE boolean1_b = 'true' LIMIT 10' against JDBC connection 
> 'jdbc:calcitesolr:'.\nError while executing SQL \"SELECT count(*) FROM sop2 
> WHERE boolean1_b = 'true' LIMIT 10\": 
> org.apache.solr.client.solrj.SolrServerException: No live SolrServers 
> available to handle this request:[http://dev-solrcloud-0.dev:80/solr/sop2, 
> http://dev-solrcloud-1.dev:80/solr/sop2]";,
>         "EOF":true,
>         "RESPONSE_TIME":33}]}}
> {code}
> In the server logs, I see:
> {code}
> Caused by: java.lang.RuntimeException: 
> org.apache.solr.client.solrj.SolrServerException: No live SolrServers 
> available to handle this request:[http://dev-solrcloud-0.dev:80/solr/sop2, 
> http://dev-solrcloud-1.dev:80/solr/sop2]
>       at 
> org.apache.solr.handler.sql.SolrSchema.getFieldInfo(SolrSchema.java:102)
>       at 
> org.apache.solr.handler.sql.SolrSchema.getRelDataType(SolrSchema.java:112)
>       at org.apache.solr.handler.sql.SolrTable.getRowType(SolrTable.java:82)
> {code}
> Once I granted the following permission to the user, the query worked:
> {code}
>       {
>         "name":"queryluke",
>         "path":"/admin/luke",
>         "collection":"*",
>         "role":["users", "admin"]
>       }
> {code}
> I'm thinking the solution is to execute the {{getFieldInfo}} request (in 
> SolrSchema) from a server thread that authenticates via the PKI plugin 
> instead of having to grant this permission to the user explicitly. Users may 
> not want to give access to {{/admin/luke}} to end users just for executing 
> SQL.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org