Posted to issues@solr.apache.org by "Babiel (Jira)" <ji...@apache.org> on 2023/07/26 12:52:00 UTC

[jira] [Created] (SOLR-16905) Java Security Manager rules don't include "solr.allowPaths" property

Babiel created SOLR-16905:
-----------------------------

             Summary: Java Security Manager rules don't include "solr.allowPaths" property
                 Key: SOLR-16905
                 URL: https://issues.apache.org/jira/browse/SOLR-16905
             Project: Solr
          Issue Type: Bug
      Security Level: Public (Default Security Level. Issues are Public)
          Components: security
    Affects Versions: 9.2.1
            Reporter: Babiel


Hi all,

We've upgraded from Solr 8.11 to Solr 9.2, which bricked our Solr backup. Since Solr 8.6 we configure solr.allowPaths, because our backup destination is outside the Solr home directory. We do this using the solr.in.sh:
{code:java}
SOLR_OPTS="$SOLR_OPTS -Dsolr.allowPaths=/opt/backup"{code}
Since Solr 9 we received the following error message when trying to create a backup:
{code:java}
curl -sk 'http://localhost:8983/solr/admin/collections?action=BACKUP&name=xyz&collection=xyz&location=/opt/backup'
{
  "responseHeader":{
    "status":500,
    "QTime":0},
  "error":{
    "msg":"access denied (\"java.io.FilePermission\" \"/opt/backup\" \"read\")",
...{code}
After some debugging we discovered that since Solr 9 the Java Security Manager is enabled by default. However, it doesn't have a default rule to allow access to the path which is set using the "solr.allowPaths" property:
{code:java}
grep allowPaths /opt/solr-9.2.1/server/etc/security.policy{code}
We disabled the Java Security Manager for now, but our guess is that the security policy should be expanded by:
{code:java}
  permission java.io.FilePermission "${solr.allowPaths}", "read,write,delete,readlink";
  permission java.io.FilePermission "${solr.allowPaths}${/}-", "read,write,delete,readlink";{code}
 

Cheers

Dennis
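
Added example (not part of the original report and not Solr code): a simplified Python model of how policy-file FilePermission entries are expanded and matched, showing why /opt/backup is denied without an allowPaths rule and granted with the two proposed rules. It goes one step beyond the report by also testing a comma-separated solr.allowPaths value, which expands as one literal path; the base policy text and the solr.home value are constructed.

```python
import re

# Constructed stand-in for a policy with no allowPaths rule (not Solr's shipped file).
BASE_POLICY = '''grant {
  permission java.io.FilePermission "${solr.home}", "read,write,delete,readlink";
  permission java.io.FilePermission "${solr.home}${/}-", "read,write,delete,readlink";
};'''
# The two rules proposed in the report.
PROPOSED = '''grant {
  permission java.io.FilePermission "${solr.allowPaths}", "read,write,delete,readlink";
  permission java.io.FilePermission "${solr.allowPaths}${/}-", "read,write,delete,readlink";
};'''
PERM_RE = re.compile(r'permission\s+java\.io\.FilePermission\s+"([^"]*)"\s*,\s*"([^"]*)"\s*;')

def file_permissions(policy, props):
    """Return (path, actions) per FilePermission entry after ${...} expansion."""
    out = []
    for raw, actions in PERM_RE.findall(policy):
        try:  # ${/} is the file separator; other names are system properties
            path = re.sub(r'\$\{([^}]+)\}',
                          lambda m: "/" if m.group(1) == "/" else props[m.group(1)], raw)
        except KeyError:
            continue  # an entry whose property is undefined is ignored
        out.append((path, {a.strip() for a in actions.split(",")}))
    return out

def implies(target, path):
    """FilePermission path matching: exact, dir/* (children), dir/- (recursive)."""
    if target == "<<ALL FILES>>":
        return True
    if target.endswith("/-"):
        return path.startswith(target[:-1]) and path != target[:-1]
    if target.endswith("/*"):
        rest = path[len(target) - 1:]
        return path.startswith(target[:-1]) and rest != "" and "/" not in rest
    return path == target

def allowed(policy, props, path, action):
    """True if any expanded FilePermission grants `action` on `path`."""
    return any(action in acts and implies(t, path)
               for t, acts in file_permissions(policy, props))

if __name__ == "__main__":
    props = {"solr.home": "/var/solr/data", "solr.allowPaths": "/opt/backup"}  # constructed
    for name, pol in (("base", BASE_POLICY), ("base+proposed", BASE_POLICY + PROPOSED)):
        print(name, allowed(pol, props, "/opt/backup", "read"))
    props["solr.allowPaths"] = "/opt/backup,/mnt/nfs"  # list value expands as one literal
    print("list value", allowed(BASE_POLICY + PROPOSED, props, "/opt/backup", "read"))
```

The "dir/-" form does not cover the directory itself, which is why the proposal carries both the bare path and the recursive form.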


