Posted to issues@solr.apache.org by "Timothy Potter (Jira)" <ji...@apache.org> on 2021/06/09 18:31:00 UTC
[jira] [Updated] (SOLR-15451) SQL endpoint returns the wrong error when authenticated user doesn't have read access /admin/luke
[ https://issues.apache.org/jira/browse/SOLR-15451?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Timothy Potter updated SOLR-15451:
----------------------------------
Status: Patch Available (was: Open)
> SQL endpoint returns the wrong error when authenticated user doesn't have read access /admin/luke
> -------------------------------------------------------------------------------------------------
>
> Key: SOLR-15451
> URL: https://issues.apache.org/jira/browse/SOLR-15451
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Parallel SQL
> Reporter: Timothy Potter
> Assignee: Timothy Potter
> Priority: Major
> Labels: RobustSQL
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Note: This is not a security issue, it's a usability problem.
> Trying out the {{/sql}} HTTP endpoint on a basic-auth enabled cluster. My user didn't have read access to the {{/admin/luke}} endpoint for all collections being queried and got an unhelpful message like:
> {code}
> {
>   "result-set":{
>     "docs":[{
>       "EXCEPTION":"Failed to execute sqlQuery 'SELECT count(*) FROM sop2 WHERE boolean1_b = 'true' LIMIT 10' against JDBC connection 'jdbc:calcitesolr:'.\nError while executing SQL \"SELECT count(*) FROM sop2 WHERE boolean1_b = 'true' LIMIT 10\": org.apache.solr.client.solrj.SolrServerException: No live SolrServers available to handle this request:[http://dev-solrcloud-0.dev:80/solr/sop2, http://dev-solrcloud-1.dev:80/solr/sop2]",
>       "EOF":true,
>       "RESPONSE_TIME":33}]}}
> {code}
> In the server logs, I see:
> {code}
> Caused by: java.lang.RuntimeException: org.apache.solr.client.solrj.SolrServerException: No live SolrServers available to handle this request:[http://dev-solrcloud-0.dev:80/solr/sop2, http://dev-solrcloud-1.dev:80/solr/sop2]
>     at org.apache.solr.handler.sql.SolrSchema.getFieldInfo(SolrSchema.java:102)
>     at org.apache.solr.handler.sql.SolrSchema.getRelDataType(SolrSchema.java:112)
>     at org.apache.solr.handler.sql.SolrTable.getRowType(SolrTable.java:82)
> {code}
> Once I granted the following permission to the user, the query worked:
> {code}
> {
>   "name":"queryluke",
>   "path":"/admin/luke",
>   "collection":"*",
>   "role":["users", "admin"]
> }
> {code}
> I'm thinking the solution is to execute the {{getFieldInfo}} request (in SolrSchema) from a server thread that authenticates via the PKI plugin instead of having to grant this permission to the user explicitly. Users may not want to give access to {{/admin/luke}} to end users just for executing SQL.