[jira] [Commented] (SOLR-16905) Java Security Manager rules don't inclue "solr.allowPaths" property

Wed, 26 Jul 2023 06:24:04 -0700 


    [ 
https://issues.apache.org/jira/browse/SOLR-16905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17747508#comment-17747508
 ] 

Kevin Risden commented on SOLR-16905:
-------------------------------------

[~bprov] have you tried adding the suggested solr.allowPaths lines to 
security.policy when you enable the security manager? Did it fix the issue?

> Java Security Manager rules don't inclue "solr.allowPaths" property
> -------------------------------------------------------------------
>
>                 Key: SOLR-16905
>                 URL: https://issues.apache.org/jira/browse/SOLR-16905
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security
>    Affects Versions: 9.2.1
>            Reporter: Babiel
>            Priority: Major
>
> Hi all,
> we've upgraded from Solr 8.11 to Solr 9.2 which bricked our Solr Backup. 
> Since Solr 8.6 we configure solr.allowPaths, because our backup destination 
> is outside the Solr home directory. We do this using the solr.in.sh:
> {code:java}
> SOLR_OPTS="$SOLR_OPTS -Dsolr.allowPaths=/opt/backup"{code}
> Since Solr 9 we received the following error message, when trying to create a 
> backup
> {code:java}
> curl -sk 
> 'http://localhost:8983/solr/admin/collections?action=BACKUP&name=xyz&collection=xyz&location=/opt/backup'
> {
>   "responseHeader":{
>     "status":500,
>     "QTime":0},
>   "error":{
>     "msg":"access denied (\"java.io.FilePermission\" \"/opt/backup\" 
> \"read\")",
> ...{code}
> After some debugging we discovered, that since Solr 9 the Java Security 
> Manager is enabled by default. However it doesn't have a default rule to 
> allow access to the path which is set using the "solr.allowPaths" property:
> {code:java}
> grep allowPaths /opt/solr-9.2.1/server/etc/security.policy{code}
> We disabled the Java Security Manager for now, but our guess is, that the 
> security policy should be expanded by
> {code:java}
>   permission java.io.FilePermission "${solr.allowPaths}", 
> "read,write,delete,readlink";
>   permission java.io.FilePermission "${solr.allowPaths}${/}-", 
> "read,write,delete,readlink";{code}
>  
> Cheers
> Dennis



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to