[ https://issues.apache.org/jira/browse/SOLR-16905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17747817#comment-17747817 ]

Babiel edited comment on SOLR-16905 at 7/27/23 7:41 AM:
--------------------------------------------------------

[~krisden] 
{quote}have you tried adding the suggested solr.allowPaths lines to 
security.policy when you enable the security manager? Did it fix the issue?
{quote}
I just did, it works:
{code:java}
grep allowPaths /opt/solr-9.2.1/server/etc/security.policy
  permission java.io.FilePermission "${solr.allowPaths}", "read,write,delete,readlink";
  permission java.io.FilePermission "${solr.allowPaths}${/}-", "read,write,delete,readlink";


ps aux | grep solr
[...]
-Djava.security.manager 
-Djava.security.policy=/opt/solr-9.2.1/server/etc/security.policy 
-Djava.security.properties=/opt/solr-9.2.1/server/etc/security.properties
[...]


curl -sk 'http://localhost:8983/solr/admin/collections?action=BACKUP&name=xxx_20230725145421&collection=xxx&location=file:///opt/backup/solr/xxx&async=20230725145421'
{
  "responseHeader":{
    "status":0,
    "QTime":11},
  "requestid":"20230725145421"}{code}
Removing entries from /opt/solr-9.2.1/server/etc/security.policy to check that it bricks:
{code:java}
grep allowPaths /opt/solr-9.2.1/server/etc/security.policy


curl -sk 'http://localhost:8983/solr/admin/collections?action=BACKUP&name=xxx_20230725145422&collection=xxx&location=file:///opt/backup/solr/xxx&async=20230725145422'
{
  "responseHeader":{
    "status":500,
    "QTime":9},
  "error":{
    "msg":"access denied (\"java.io.FilePermission\" \"/opt/backup/solr/xxx\" \"read\")",{code}
It bricks without it.


> Java Security Manager rules don't include "solr.allowPaths" property
> --------------------------------------------------------------------
>
>                 Key: SOLR-16905
>                 URL: https://issues.apache.org/jira/browse/SOLR-16905
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security
>    Affects Versions: 9.2.1
>            Reporter: Babiel
>            Priority: Major
>
> Hi all,
> we've upgraded from Solr 8.11 to Solr 9.2 which bricked our Solr Backup. 
> Since Solr 8.6 we configure solr.allowPaths, because our backup destination 
> is outside the Solr home directory. We do this using the solr.in.sh:
> {code:java}
> SOLR_OPTS="$SOLR_OPTS -Dsolr.allowPaths=/opt/backup"{code}
> Since Solr 9 we received the following error message when trying to create a 
> backup:
> {code:java}
> curl -sk 'http://localhost:8983/solr/admin/collections?action=BACKUP&name=xyz&collection=xyz&location=/opt/backup'
> {
>   "responseHeader":{
>     "status":500,
>     "QTime":0},
>   "error":{
>     "msg":"access denied (\"java.io.FilePermission\" \"/opt/backup\" \"read\")",
> ...{code}
> After some debugging we discovered that since Solr 9 the Java Security 
> Manager is enabled by default. However, it doesn't have a default rule to 
> allow access to the path which is set using the "solr.allowPaths" property:
> {code:java}
> grep allowPaths /opt/solr-9.2.1/server/etc/security.policy{code}
> We disabled the Java Security Manager for now, but our guess is that the 
> security policy should be expanded by:
> {code:java}
>   permission java.io.FilePermission "${solr.allowPaths}", "read,write,delete,readlink";
>   permission java.io.FilePermission "${solr.allowPaths}${/}-", "read,write,delete,readlink";{code}
>  
> Cheers
> Dennis
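
Added example, not part of the original message and not Solr code: it uses `java.io.FilePermission.implies` to show what each of the two proposed policy lines covers for the paths that were denied in this issue. The class and helper names are hypothetical, `/opt/other` and the comma-joined value are constructed inputs, and Unix-style path separators are assumed.

```java
import java.io.FilePermission;

// Added illustration, not Solr code. Paths are the ones quoted in the issue;
// Unix-style separators are assumed.
public class AllowPathsPermissionDemo {
    static final String ACTIONS = "read,write,delete,readlink";

    // What the two proposed policy lines grant once ${solr.allowPaths} is expanded.
    static FilePermission[] grantsFor(String allowPaths) {
        return new FilePermission[] {
            new FilePermission(allowPaths, ACTIONS),        // "${solr.allowPaths}"
            new FilePermission(allowPaths + "/-", ACTIONS)  // "${solr.allowPaths}${/}-"
        };
    }

    // True if any granted permission implies the requested path/action.
    static boolean allowed(FilePermission[] grants, String path, String action) {
        FilePermission wanted = new FilePermission(path, action);
        for (FilePermission g : grants) {
            if (g.implies(wanted)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        FilePermission[] both = grantsFor("/opt/backup");
        FilePermission[] dirOnly = { both[0] };
        FilePermission[] recursiveOnly = { both[1] };

        String[][] checks = {
            {"/opt/backup", "read"},           // path from the original report
            {"/opt/backup/solr/xxx", "read"},  // path from the comment's 500 response
            {"/opt/other", "read"},            // constructed: outside allowPaths
        };
        for (String[] c : checks) {
            System.out.printf("%-22s dirOnly=%-5b recursiveOnly=%-5b both=%b%n", c[0],
                allowed(dirOnly, c[0], c[1]), allowed(recursiveOnly, c[0], c[1]),
                allowed(both, c[0], c[1]));
        }
        // Property expansion is textual: a comma-joined value (constructed here)
        // becomes a single literal path name and matches neither directory.
        FilePermission[] joined = grantsFor("/opt/backup,/mnt/other");
        System.out.println("joined value covers /opt/backup: "
            + allowed(joined, "/opt/backup", "read"));
    }
}
```

The first line alone covers only the directory entry itself and the `${/}-` line alone covers only what lies beneath it, which is why the proposal carries both.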
