Posted to commits@lucene.apache.org by is...@apache.org on 2017/03/18 12:09:50 UTC
[1/2] lucene-solr:jira/solr-6736: SOLR-6736: WIP,
adding authz and tests
Repository: lucene-solr
Updated Branches:
refs/heads/jira/solr-6736 a80da7c8e -> a2931a147
SOLR-6736: WIP, adding authz and tests
Project: http://git-wip-us.apache.org/repos/asf/lucene-solr/repo
Commit: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/7514e7ea
Tree: http://git-wip-us.apache.org/repos/asf/lucene-solr/tree/7514e7ea
Diff: http://git-wip-us.apache.org/repos/asf/lucene-solr/diff/7514e7ea
Branch: refs/heads/jira/solr-6736
Commit: 7514e7ea77755fe3dce84f8d36028de5a637be57
Parents: a80da7c
Author: Ishan Chattopadhyaya <is...@apache.org>
Authored: Sat Mar 18 16:04:23 2017 +0530
Committer: Ishan Chattopadhyaya <is...@apache.org>
Committed: Sat Mar 18 16:04:23 2017 +0530
----------------------------------------------------------------------
.../java/org/apache/solr/core/PluginInfo.java | 3 ++-
.../solr/handler/admin/ConfigSetsHandler.java | 22 +++++++++++++++++++-
.../solr/schema/ClassicIndexSchemaFactory.java | 3 ++-
.../org/apache/solr/security/Permission.java | 2 +-
.../security/RuleBasedAuthorizationPlugin.java | 14 +++++++++++++
.../org/apache/solr/servlet/HttpSolrCall.java | 4 ++--
.../FieldMutatingUpdateProcessorFactory.java | 3 ++-
.../org/apache/solr/util/SolrPluginUtils.java | 4 ++++
.../apache/solr/cloud/TestConfigSetsAPI.java | 15 ++++++++++---
9 files changed, 60 insertions(+), 10 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7514e7ea/solr/core/src/java/org/apache/solr/core/PluginInfo.java
----------------------------------------------------------------------
diff --git a/solr/core/src/java/org/apache/solr/core/PluginInfo.java b/solr/core/src/java/org/apache/solr/core/PluginInfo.java
index d678cca..f7d3960 100644
--- a/solr/core/src/java/org/apache/solr/core/PluginInfo.java
+++ b/solr/core/src/java/org/apache/solr/core/PluginInfo.java
@@ -217,8 +217,9 @@ public class PluginInfo implements MapSerializable {
}
public PluginInfo copy() {
+ Boolean trusted = initArgs == null ? null: initArgs.getBooleanArg(TRUSTED);
PluginInfo result = new PluginInfo(type, attributes,
- initArgs != null ? initArgs.clone() : null, children, initArgs.getBooleanArg(TRUSTED));
+ initArgs != null ? initArgs.clone() : null, children, trusted);
result.isFromSolrConfig = isFromSolrConfig;
return result;
}
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7514e7ea/solr/core/src/java/org/apache/solr/handler/admin/ConfigSetsHandler.java
----------------------------------------------------------------------
diff --git a/solr/core/src/java/org/apache/solr/handler/admin/ConfigSetsHandler.java b/solr/core/src/java/org/apache/solr/handler/admin/ConfigSetsHandler.java
index 00b6ed1..2b222e9 100644
--- a/solr/core/src/java/org/apache/solr/handler/admin/ConfigSetsHandler.java
+++ b/solr/core/src/java/org/apache/solr/handler/admin/ConfigSetsHandler.java
@@ -60,7 +60,10 @@ import org.apache.solr.handler.RequestHandlerBase;
import org.apache.solr.request.SolrQueryRequest;
import org.apache.solr.response.SolrQueryResponse;
import org.apache.solr.security.AuthorizationContext;
+import org.apache.solr.security.AuthorizationPlugin;
+import org.apache.solr.security.Permission;
import org.apache.solr.security.PermissionNameProvider;
+import org.apache.solr.security.RuleBasedAuthorizationPlugin;
import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.slf4j.Logger;
@@ -170,7 +173,24 @@ public class ConfigSetsHandler extends RequestHandlerBase implements PermissionN
InputStream inputStream = contentStreamsIterator.next().getStream();
// Create a node for the configuration in zookeeper nocommit: do this only if /admin is not protected by authz/authc
- zkClient.makePath(configPathInZk, "{\"trusted\": false}".getBytes(StandardCharsets.UTF_8), true);
+ boolean trusted;
+ AuthorizationPlugin authz = coreContainer.getAuthorizationPlugin();
+ if (authz == null) {
+ trusted = false;
+ } else {
+ if (authz instanceof RuleBasedAuthorizationPlugin) {
+ List<Permission> permissions = ((RuleBasedAuthorizationPlugin) authz).getPermissions("/admin/config");
+ System.out.println("Permissions for this path: "+permissions);
+ if (permissions.isEmpty()) {
+ trusted = false;
+ } else {
+ trusted = true;
+ }
+ } else {
+ trusted = true;
+ }
+ }
+ zkClient.makePath(configPathInZk, ("{\"trusted\": "+Boolean.toString(trusted)+"}").getBytes(StandardCharsets.UTF_8), true);
ZipInputStream zis = new ZipInputStream(inputStream, StandardCharsets.UTF_8);
ZipEntry zipEntry = null;
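Review bot: The `trusted` flag written to ZooKeeper is derived from the static authorization configuration, not from the request doing the upload. Any non-null plugin that is not a `RuleBasedAuthorizationPlugin` yields `trusted = true`, and for the rule-based plugin a non-empty permission list for `/admin/config` is enough, whoever the caller is. If that path can be reached without an authenticated principal (for instance authorization configured without authentication, or a rule with no role restriction), an anonymous upload would be marked trusted; the decision should depend on this request having been authenticated and authorized, and default to `false` otherwise. The `System.out.println("Permissions for this path: "+permissions)` line prints security rules to stdout and should be removed or become `log.debug("Permissions for /admin/config: {}", permissions);`, assuming the class has the usual `log` field. The enclosing method starts and ends outside the hunk.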
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7514e7ea/solr/core/src/java/org/apache/solr/schema/ClassicIndexSchemaFactory.java
----------------------------------------------------------------------
diff --git a/solr/core/src/java/org/apache/solr/schema/ClassicIndexSchemaFactory.java b/solr/core/src/java/org/apache/solr/schema/ClassicIndexSchemaFactory.java
index 5bca9c4..145fcea 100644
--- a/solr/core/src/java/org/apache/solr/schema/ClassicIndexSchemaFactory.java
+++ b/solr/core/src/java/org/apache/solr/schema/ClassicIndexSchemaFactory.java
@@ -20,6 +20,7 @@ import java.lang.invoke.MethodHandles;
import org.apache.solr.common.SolrException;
import org.apache.solr.common.SolrException.ErrorCode;
import org.apache.solr.common.util.NamedList;
+import org.apache.solr.core.PluginInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -29,7 +30,7 @@ public class ClassicIndexSchemaFactory extends IndexSchemaFactory {
@Override
public void init(NamedList args) {
// no arguments expected
- if (args.size() > 0) {
+ if (args.size() > 0 && !(args.size() == 1 && args.getName(0).equals(PluginInfo.TRUSTED))) {
String msg = "Unexpected arg(s): " + args;
log.error(msg);
throw new SolrException(ErrorCode.SERVER_ERROR, msg);
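Review bot: `args.getName(0).equals(PluginInfo.TRUSTED)` throws a NullPointerException when the first entry has a null name, which NamedList permits; `PluginInfo.TRUSTED.equals(args.getName(0))` avoids that. The same expression is added in FieldMutatingUpdateProcessorFactory. Both exemptions exist only because the trust marker travels in the same NamedList as the user-supplied init args, so every plugin that validates its args strictly needs its own special case; removing the marker before `init` is called for plugins that do not consume it would be less fragile. The `init` body continues past the end of the hunk.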
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7514e7ea/solr/core/src/java/org/apache/solr/security/Permission.java
----------------------------------------------------------------------
diff --git a/solr/core/src/java/org/apache/solr/security/Permission.java b/solr/core/src/java/org/apache/solr/security/Permission.java
index 33ae8f7..fb8d1ba 100644
--- a/solr/core/src/java/org/apache/solr/security/Permission.java
+++ b/solr/core/src/java/org/apache/solr/security/Permission.java
@@ -36,7 +36,7 @@ import static java.util.Collections.singleton;
import static java.util.Collections.singletonList;
import static org.apache.solr.common.params.CommonParams.NAME;
-class Permission {
+public class Permission {
String name;
Set<String> path, role, collections, method;
Map<String, Function<String[], Boolean>> params;
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7514e7ea/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java
----------------------------------------------------------------------
diff --git a/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java b/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java
index a8a97ed..7e3b7ab 100644
--- a/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java
+++ b/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java
@@ -20,6 +20,7 @@ import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.security.Principal;
import java.util.ArrayList;
+import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
@@ -80,6 +81,19 @@ public class RuleBasedAuthorizationPlugin implements AuthorizationPlugin, Config
return result;
}
}
+
+ public List<Permission> getPermissions(String path) {
+ Map<String, List<Permission>> pathVsPerms = mapping.get(null);
+ if (pathVsPerms == null) {
+ return Collections.emptyList();
+ }
+ List<Permission> permissions = pathVsPerms.get(path);
+ if (permissions == null) {
+ return Collections.emptyList();
+ } else {
+ return permissions;
+ }
+ }
@Override
public AuthorizationResponse authorize(AuthorizationContext context) {
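Review bot: `getPermissions` returns the plugin's internal list, so a caller can modify the live rule set; return `Collections.unmodifiableList(permissions)` instead. The lookup is `mapping.get(null)` followed by an exact `pathVsPerms.get(path)`, so it appears to see only entries stored under the null key with that literal path. Rules that apply through a wildcard, a collection-specific entry or a predefined permission name may therefore be missed, which matters when the result feeds a trust decision. A Javadoc comment stating what the `null` key stands for, and that an empty list only means "no rule registered for exactly this path", would make the contract clear.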
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7514e7ea/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java
----------------------------------------------------------------------
diff --git a/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java b/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java
index 4f6bae0..3f69c15 100644
--- a/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java
+++ b/solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java
@@ -485,7 +485,7 @@ public class HttpSolrCall {
2. The requested resource is not a known static file
*/
if (cores.getAuthorizationPlugin() != null && shouldAuthorize()) {
- AuthorizationContext context = getAuthCtx();
+ AuthorizationContext context = getAuthorizationContext();
log.debug("AuthorizationContext : {}", context);
AuthorizationResponse authResponse = cores.getAuthorizationPlugin().authorize(context);
if (authResponse.statusCode == AuthorizationResponse.PROMPT.statusCode) {
@@ -978,7 +978,7 @@ public class HttpSolrCall {
return handler;
}
- private AuthorizationContext getAuthCtx() {
+ public AuthorizationContext getAuthorizationContext() {
String resource = getPath();
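Review bot: `getAuthorizationContext()` is widened from `private` to `public`, but the only caller in the visible hunks is still inside HttpSolrCall. Keep it `private` (or package-private) until an external caller exists. If it has to be public, give it a Javadoc comment that says what request state the returned context is built from. The method body continues outside the hunk.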
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7514e7ea/solr/core/src/java/org/apache/solr/update/processor/FieldMutatingUpdateProcessorFactory.java
----------------------------------------------------------------------
diff --git a/solr/core/src/java/org/apache/solr/update/processor/FieldMutatingUpdateProcessorFactory.java b/solr/core/src/java/org/apache/solr/update/processor/FieldMutatingUpdateProcessorFactory.java
index c9034f8..eea689f 100644
--- a/solr/core/src/java/org/apache/solr/update/processor/FieldMutatingUpdateProcessorFactory.java
+++ b/solr/core/src/java/org/apache/solr/update/processor/FieldMutatingUpdateProcessorFactory.java
@@ -27,6 +27,7 @@ import java.util.regex.PatternSyntaxException;
import org.apache.solr.common.SolrException;
import org.apache.solr.common.util.NamedList;
+import org.apache.solr.core.PluginInfo;
import org.apache.solr.core.SolrCore;
import org.apache.solr.update.processor.FieldMutatingUpdateProcessor.FieldNameSelector;
import org.apache.solr.util.plugin.SolrCoreAware;
@@ -207,7 +208,7 @@ public abstract class FieldMutatingUpdateProcessorFactory
inclusions = parseSelectorParams(args);
exclusions = parseSelectorExclusionParams(args);
- if (0 < args.size()) {
+ if (0 < args.size() && !(args.size() == 1 && args.getName(0).equals(PluginInfo.TRUSTED))) {
throw new SolrException(SolrException.ErrorCode.SERVER_ERROR,
"Unexpected init param(s): '" + args.getName(0) + "'");
}
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7514e7ea/solr/core/src/java/org/apache/solr/util/SolrPluginUtils.java
----------------------------------------------------------------------
diff --git a/solr/core/src/java/org/apache/solr/util/SolrPluginUtils.java b/solr/core/src/java/org/apache/solr/util/SolrPluginUtils.java
index 9386600..33c5f24 100644
--- a/solr/core/src/java/org/apache/solr/util/SolrPluginUtils.java
+++ b/solr/core/src/java/org/apache/solr/util/SolrPluginUtils.java
@@ -53,6 +53,7 @@ import org.apache.solr.common.params.SolrParams;
import org.apache.solr.common.util.NamedList;
import org.apache.solr.common.util.SimpleOrderedMap;
import org.apache.solr.common.util.StrUtils;
+import org.apache.solr.core.PluginInfo;
import org.apache.solr.core.RequestParams;
import org.apache.solr.handler.component.HighlightComponent;
import org.apache.solr.handler.component.ResponseBuilder;
@@ -1069,6 +1070,9 @@ public class SolrPluginUtils {
final Class<?> clazz = bean.getClass();
for (Map.Entry<String,Object> entry : initArgs) {
String key = entry.getKey();
+ if (key.equals(PluginInfo.TRUSTED)) {
+ continue;
+ }
String setterName = "set" + String.valueOf(Character.toUpperCase(key.charAt(0))) + key.substring(1);
try {
final Object val = entry.getValue();
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/7514e7ea/solr/core/src/test/org/apache/solr/cloud/TestConfigSetsAPI.java
----------------------------------------------------------------------
diff --git a/solr/core/src/test/org/apache/solr/cloud/TestConfigSetsAPI.java b/solr/core/src/test/org/apache/solr/cloud/TestConfigSetsAPI.java
index af514f7..9cc2b0b 100644
--- a/solr/core/src/test/org/apache/solr/cloud/TestConfigSetsAPI.java
+++ b/solr/core/src/test/org/apache/solr/cloud/TestConfigSetsAPI.java
@@ -335,16 +335,25 @@ public class TestConfigSetsAPI extends SolrTestCaseJ4 {
@Test
public void testUploadWithScriptUpdateProcessor() throws Exception {
- /*String authcPrefix = "/admin/authentication";
+ String authcPrefix = "/admin/authentication";
String authzPrefix = "/admin/authorization";
+ String securityJson = "{\n" +
+ " 'authentication':{\n" +
+ " 'class':'solr.BasicAuthPlugin',\n" +
+ " 'credentials':{'solr':'orwp2Ghgj39lmnrZOTm7Qtre1VqHFDfwAEzr0ApbN3Y= Ju5osoAqOX8iafhWpPP01E5P+sg8tK8tHON7rCYZRRw='}},\n" +
+ " 'authorization':{\n" +
+ " 'class':'solr.RuleBasedAuthorizationPlugin',\n" +
+ " 'user-role':{'solr':'admin'},\n" +
+ " 'permissions':[{'name':'security-edit','role':'admin'}, {'name':'config-edit','role':'admin'}]}}";
+
HttpClient cl = null;
try {
cl = HttpClientUtil.createClient(null);
JettySolrRunner randomJetty = solrCluster.getRandomJetty(random());
String baseUrl = randomJetty.getBaseUrl().toString();
- zkClient().setData("/security.json", BasicAuthIntegrationTest.STD_CONF.replaceAll("'", "\"").getBytes(UTF_8), true);
+ zkClient().setData("/security.json", securityJson.replaceAll("'", "\"").getBytes(UTF_8), true);
BasicAuthIntegrationTest.verifySecurityStatus(cl, baseUrl + authcPrefix, "authentication/class", "solr.BasicAuthPlugin", 20);
BasicAuthIntegrationTest.verifySecurityStatus(cl, baseUrl + authzPrefix, "authorization/class", "solr.RuleBasedAuthorizationPlugin", 20);
@@ -352,7 +361,7 @@ public class TestConfigSetsAPI extends SolrTestCaseJ4 {
if (cl != null) {
HttpClientUtil.close(cl);
}
- }*/
+ }
uploadConfigSet("with-script-processor");
// try to create a collection with the uploaded configset
[2/2] lucene-solr:jira/solr-6736: SOLR-6736: Adding concept of
Vulnerable plugins
Posted by is...@apache.org.
SOLR-6736: Adding concept of Vulnerable plugins
Project: http://git-wip-us.apache.org/repos/asf/lucene-solr/repo
Commit: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/a2931a14
Tree: http://git-wip-us.apache.org/repos/asf/lucene-solr/tree/a2931a14
Diff: http://git-wip-us.apache.org/repos/asf/lucene-solr/diff/a2931a14
Branch: refs/heads/jira/solr-6736
Commit: a2931a14721429a12ead68c7f133ee32e6e9c691
Parents: 7514e7e
Author: Ishan Chattopadhyaya <is...@apache.org>
Authored: Sat Mar 18 17:39:32 2017 +0530
Committer: Ishan Chattopadhyaya <is...@apache.org>
Committed: Sat Mar 18 17:39:32 2017 +0530
----------------------------------------------------------------------
.../java/org/apache/solr/core/PluginInfo.java | 28 ++++----------------
.../src/java/org/apache/solr/core/SolrCore.java | 20 ++++++++++++++
.../solr/handler/admin/ConfigSetsHandler.java | 9 +++----
.../StatelessScriptUpdateProcessorFactory.java | 3 ++-
.../org/apache/solr/util/plugin/Vulnerable.java | 21 +++++++++++++++
.../apache/solr/cloud/TestConfigSetsAPI.java | 2 +-
6 files changed, 52 insertions(+), 31 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/a2931a14/solr/core/src/java/org/apache/solr/core/PluginInfo.java
----------------------------------------------------------------------
diff --git a/solr/core/src/java/org/apache/solr/core/PluginInfo.java b/solr/core/src/java/org/apache/solr/core/PluginInfo.java
index f7d3960..c6c317b 100644
--- a/solr/core/src/java/org/apache/solr/core/PluginInfo.java
+++ b/solr/core/src/java/org/apache/solr/core/PluginInfo.java
@@ -42,6 +42,7 @@ public class PluginInfo implements MapSerializable {
public final Map<String, String> attributes;
public final List<PluginInfo> children;
private boolean isFromSolrConfig;
+ public Boolean trusted;
public PluginInfo(String type, Map<String, String> attrs, NamedList initArgs, List<PluginInfo> children) {
this(type, attrs, initArgs, children, null);
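Review bot: `public Boolean trusted;` is a mutable public field that carries a security decision, while the neighbouring `attributes` and `children` are `public final`. Any code holding a PluginInfo can change it after construction; declare it `public final Boolean trusted;` if every constructor assigns it (the ones visible in this diff do), or make it private with a getter. A short comment on the three states would also help, for example `// null = trust not evaluated; TRUE/FALSE = outcome of the configset trust check`, with the meaning of null confirmed by the author.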
@@ -52,20 +53,9 @@ public class PluginInfo implements MapSerializable {
this.name = attrs.get(NAME);
this.className = attrs.get(CLASS_NAME);
this.initArgs = initArgs;
- if (trusted != null && initArgs != null) {
- initArgs.remove(TRUSTED);
- initArgs.add(TRUSTED, trusted.booleanValue());
- }
+ this.trusted = trusted;
attributes = unmodifiableMap(attrs);
this.children = children == null ? Collections.<PluginInfo>emptyList(): unmodifiableList(children);
- if (trusted != null && children != null) {
- for (PluginInfo child: this.children) {
- if (child.initArgs != null) {
- child.initArgs.remove(TRUSTED);
- child.initArgs.add(TRUSTED, trusted.booleanValue());
- }
- }
- }
isFromSolrConfig = false;
}
@@ -81,11 +71,7 @@ public class PluginInfo implements MapSerializable {
attributes = unmodifiableMap(DOMUtil.toMap(node.getAttributes()));
children = loadSubPlugins(node, trusted);
isFromSolrConfig = true;
-
- if (trusted != null) {
- initArgs.remove(TRUSTED);
- initArgs.add(TRUSTED, trusted.booleanValue());
- }
+ this.trusted = trusted;
}
public PluginInfo(String type, Map<String,Object> map) {
@@ -114,19 +100,16 @@ public class PluginInfo implements MapSerializable {
}
}
- if (trusted != null) {
- initArgs.remove(TRUSTED);
- initArgs.add(TRUSTED, trusted.booleanValue());
- }
this.type = type;
this.name = (String) m.get(NAME);
this.className = (String) m.get(CLASS_NAME);
attributes = unmodifiableMap(m);
this.children = Collections.<PluginInfo>emptyList();
isFromSolrConfig = true;
+ this.trusted = trusted;
}
- private List<PluginInfo> loadSubPlugins(Node node, boolean trusted) {
+ private List<PluginInfo> loadSubPlugins(Node node, Boolean trusted) {
List<PluginInfo> children = new ArrayList<>();
//if there is another sub tag with a non namedlist tag that has to be another plugin
NodeList nlst = node.getChildNodes();
@@ -217,7 +200,6 @@ public class PluginInfo implements MapSerializable {
}
public PluginInfo copy() {
- Boolean trusted = initArgs == null ? null: initArgs.getBooleanArg(TRUSTED);
PluginInfo result = new PluginInfo(type, attributes,
initArgs != null ? initArgs.clone() : null, children, trusted);
result.isFromSolrConfig = isFromSolrConfig;
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/a2931a14/solr/core/src/java/org/apache/solr/core/SolrCore.java
----------------------------------------------------------------------
diff --git a/solr/core/src/java/org/apache/solr/core/SolrCore.java b/solr/core/src/java/org/apache/solr/core/SolrCore.java
index 66efeed..c8e8067 100644
--- a/solr/core/src/java/org/apache/solr/core/SolrCore.java
+++ b/solr/core/src/java/org/apache/solr/core/SolrCore.java
@@ -157,6 +157,7 @@ import org.apache.solr.util.RefCounted;
import org.apache.solr.util.plugin.NamedListInitializedPlugin;
import org.apache.solr.util.plugin.PluginInfoInitialized;
import org.apache.solr.util.plugin.SolrCoreAware;
+import org.apache.solr.util.plugin.Vulnerable;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.data.Stat;
import org.slf4j.Logger;
@@ -808,8 +809,27 @@ public final class SolrCore implements SolrInfoMBean, Closeable {
if(info == null) return null;
T o = createInstance(info.className == null ? defClassName : info.className ,cast, msg,this, getResourceLoader());
if (o instanceof PluginInfoInitialized) {
+ if (o instanceof Vulnerable) {
+ System.out.println("Vulnerable plugin: "+o);
+ if (info.trusted != null) {
+ info.initArgs.remove(PluginInfo.TRUSTED);
+ info.initArgs.add(PluginInfo.TRUSTED, info.trusted);
+ }
+ } else {
+ System.out.println("Not vulnerable plugin: "+o);
+ info.initArgs.remove(PluginInfo.TRUSTED);
+ }
((PluginInfoInitialized) o).init(info);
} else if (o instanceof NamedListInitializedPlugin) {
+ if (o instanceof Vulnerable) {
+ System.out.println("Vulnerable plugin: "+o);
+ if (info.trusted != null) {
+ info.initArgs.remove(PluginInfo.TRUSTED);
+ info.initArgs.add(PluginInfo.TRUSTED, info.trusted);
+ }
+ } else {
+ System.out.println("Not vulnerable plugin: "+o);
+ }
((NamedListInitializedPlugin) o).init(info.initArgs);
}
if(o instanceof SearchComponent) {
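Review bot: `info.initArgs.remove(PluginInfo.TRUSTED)` is called without a null check although PluginInfo allows `initArgs` to be null (its `copy()` guards for it), so a plugin configured without init args would fail here with a NullPointerException. The two branches also disagree: a non-Vulnerable `NamedListInitializedPlugin` keeps whatever `trusted` entry is already in its args, and a Vulnerable plugin with `info.trusted == null` keeps an entry that may have come from the configuration itself, so the marker is not guaranteed to reflect the server's own decision. Stripping the key unconditionally and re-adding it only from `info.trusted` addresses both and removes the duplicated block. The `System.out.println` calls should be dropped or turned into `log.debug`. The enclosing method starts and ends outside the hunk.

```java
// … unchanged: createInstance call …
if (info.initArgs != null) {
  // Never let a "trusted" entry supplied by the configuration itself reach a plugin.
  info.initArgs.remove(PluginInfo.TRUSTED);
  if (o instanceof Vulnerable && info.trusted != null) {
    info.initArgs.add(PluginInfo.TRUSTED, info.trusted);
  }
}
if (o instanceof PluginInfoInitialized) {
  ((PluginInfoInitialized) o).init(info);
} else if (o instanceof NamedListInitializedPlugin) {
  ((NamedListInitializedPlugin) o).init(info.initArgs);
}
// … unchanged: SearchComponent handling …
```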
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/a2931a14/solr/core/src/java/org/apache/solr/handler/admin/ConfigSetsHandler.java
----------------------------------------------------------------------
diff --git a/solr/core/src/java/org/apache/solr/handler/admin/ConfigSetsHandler.java b/solr/core/src/java/org/apache/solr/handler/admin/ConfigSetsHandler.java
index 2b222e9..8b76912 100644
--- a/solr/core/src/java/org/apache/solr/handler/admin/ConfigSetsHandler.java
+++ b/solr/core/src/java/org/apache/solr/handler/admin/ConfigSetsHandler.java
@@ -60,10 +60,7 @@ import org.apache.solr.handler.RequestHandlerBase;
import org.apache.solr.request.SolrQueryRequest;
import org.apache.solr.response.SolrQueryResponse;
import org.apache.solr.security.AuthorizationContext;
-import org.apache.solr.security.AuthorizationPlugin;
-import org.apache.solr.security.Permission;
import org.apache.solr.security.PermissionNameProvider;
-import org.apache.solr.security.RuleBasedAuthorizationPlugin;
import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.slf4j.Logger;
@@ -173,8 +170,8 @@ public class ConfigSetsHandler extends RequestHandlerBase implements PermissionN
InputStream inputStream = contentStreamsIterator.next().getStream();
// Create a node for the configuration in zookeeper nocommit: do this only if /admin is not protected by authz/authc
- boolean trusted;
- AuthorizationPlugin authz = coreContainer.getAuthorizationPlugin();
+ boolean trusted = false;
+ /*AuthorizationPlugin authz = coreContainer.getAuthorizationPlugin();
if (authz == null) {
trusted = false;
} else {
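Review bot: The authorization-based check is switched off by wrapping it in `/* … */` (the comment closes in the next hunk at `}*/`) while its imports are deleted, so the dead block would not compile if re-enabled and `trusted` is now always `false`. Delete the block and state the intent in the existing comment instead, for example `// Uploads are always stored as untrusted until the trust check is implemented (SOLR-6736)`. The `nocommit` marker on that comment still needs resolving before merge. The enclosing method starts and ends outside the hunk.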
@@ -189,7 +186,7 @@ public class ConfigSetsHandler extends RequestHandlerBase implements PermissionN
} else {
trusted = true;
}
- }
+ }*/
zkClient.makePath(configPathInZk, ("{\"trusted\": "+Boolean.toString(trusted)+"}").getBytes(StandardCharsets.UTF_8), true);
ZipInputStream zis = new ZipInputStream(inputStream, StandardCharsets.UTF_8);
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/a2931a14/solr/core/src/java/org/apache/solr/update/processor/StatelessScriptUpdateProcessorFactory.java
----------------------------------------------------------------------
diff --git a/solr/core/src/java/org/apache/solr/update/processor/StatelessScriptUpdateProcessorFactory.java b/solr/core/src/java/org/apache/solr/update/processor/StatelessScriptUpdateProcessorFactory.java
index 8be7f40..6bb0186 100644
--- a/solr/core/src/java/org/apache/solr/update/processor/StatelessScriptUpdateProcessorFactory.java
+++ b/solr/core/src/java/org/apache/solr/update/processor/StatelessScriptUpdateProcessorFactory.java
@@ -27,6 +27,7 @@ import org.apache.solr.request.LocalSolrQueryRequest;
import org.apache.solr.response.SolrQueryResponse;
import org.apache.solr.update.*;
import org.apache.solr.util.plugin.SolrCoreAware;
+import org.apache.solr.util.plugin.Vulnerable;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.io.IOUtils;
import org.apache.commons.io.FilenameUtils;
@@ -151,7 +152,7 @@ import org.slf4j.LoggerFactory;
* </pre>
*
*/
-public class StatelessScriptUpdateProcessorFactory extends UpdateRequestProcessorFactory implements SolrCoreAware {
+public class StatelessScriptUpdateProcessorFactory extends UpdateRequestProcessorFactory implements SolrCoreAware, Vulnerable {
private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/a2931a14/solr/core/src/java/org/apache/solr/util/plugin/Vulnerable.java
----------------------------------------------------------------------
diff --git a/solr/core/src/java/org/apache/solr/util/plugin/Vulnerable.java b/solr/core/src/java/org/apache/solr/util/plugin/Vulnerable.java
new file mode 100644
index 0000000..8c5d34b
--- /dev/null
+++ b/solr/core/src/java/org/apache/solr/util/plugin/Vulnerable.java
@@ -0,0 +1,21 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.util.plugin;
+
+public interface Vulnerable {
+
+}
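Review bot: The new marker interface has no Javadoc, and the name `Vulnerable` alone does not say what implementing it means or what a plugin is expected to do with the flag. Add a class comment along the lines of `/** Marker for plugins whose behaviour must depend on whether their configset was uploaded by a trusted user; SolrCore passes the "trusted" init arg only to implementers. */`, with the wording confirmed by the author. The comment should also say what an implementer must do when the arg is absent or false.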
http://git-wip-us.apache.org/repos/asf/lucene-solr/blob/a2931a14/solr/core/src/test/org/apache/solr/cloud/TestConfigSetsAPI.java
----------------------------------------------------------------------
diff --git a/solr/core/src/test/org/apache/solr/cloud/TestConfigSetsAPI.java b/solr/core/src/test/org/apache/solr/cloud/TestConfigSetsAPI.java
index 9cc2b0b..d1cf036 100644
--- a/solr/core/src/test/org/apache/solr/cloud/TestConfigSetsAPI.java
+++ b/solr/core/src/test/org/apache/solr/cloud/TestConfigSetsAPI.java
@@ -368,7 +368,7 @@ public class TestConfigSetsAPI extends SolrTestCaseJ4 {
CollectionAdminResponse resp = createCollection("newcollection2", "with-script-processor",
1, 1, solrCluster.getSolrClient());
System.out.println("Client saw errors: "+resp.getErrorMessages());
- assertTrue(resp.getErrorMessages().size() > 0);
+ assertTrue(resp.getErrorMessages() != null && resp.getErrorMessages().size() > 0);
assertTrue(resp.getErrorMessages().getVal(0).
contains("The configset for this collection was uploaded without any authorization"));
//scriptRequest("newcollection2");