Tomcat SecurityManager config for SOLR

[Wade Leftwich <wa...@leftwich.us>]

Hi folks,

I am setting up SOLR on a Debian Sarge system running Tomcat 5.5. I
followed the JNDI recipe on the Wiki and got SOLR running apparently
correctly.

However, when I turn on Tomcat's SecurityManager, everything goes
flooey. I've tried entering a couple FilePermission statements in
catalina.policy, but I am still getting many permission errors in the
log. I have not been able to find much in the way of a howto for
SecurityManager, and am pretty much groping in the dark at this point.

Does anyone have a procedure for configuring the SecurityManager
settings for SOLR?

My Tomcat lives under /var/lib/tomcat5.5, and here is the contents of
/var/lib/tomcat5.5/conf/Catalina/localhost/solr.xml:
"""
<Context docBase="/var/lib/solr/solr-nightly/example/webapps/solr.war"
debug="0" crossContext="true" >
   <Environment name="solr/home" type="java.lang.String"
        value="/var/lib/solr/solr-nightly/example/solr" override="true" />
</Context>
"""

Any help appreciated.

Wade Leftwich
Ithaca, NY

Re: Tomcat SecurityManager config for SOLR

[Wade Leftwich <wa...@leftwich.us>]

Chris Hostetter wrote:
> : log. I have not been able to find much in the way of a howto for
> : SecurityManager, and am pretty much groping in the dark at this point.
> 
> I found this...
>   http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html
> ...but I'm afraid I don't have much concrete advice to offer you, i've
> never run any servlet container with a security manager, mainly because
> i've never run a WAR i didn't trust completely...
> 
> to start with, it looks like you're going to want to enable JndiPermission
> (since that's how you are setting the solr home) and you should enable
> read FilePermission for the entire solr home dir, and write FilePermission
> for the data dir.  if you wnat to use snapshooting/snappulling you'll also
> need to RuntimePermission.  i think that's probably it ... but according
> to that doc, the best way to figure out what permissions you need to turn
> on if something isn't working, is with the -Djava.security.debug=all
> option.
> 
> if you have any luck with this, then by all means please update the
> SOlrTomcat wiki with what you find.
> 
> 
> -Hoss
> 
> 

Hoss, thanks for the Saturday night reply. Open Source does indeed rule.

I've gotten as far as making Solr completely trusted, which I think will
be sufficient for my own purposes, since only people with root access
can touch the Solr directories. Here's the command I added to
catalina.policy:

grant codeBase "file:${catalina.home}/webapps/solr/-" {
        permission java.security.AllPermission;
};

-- Wade Leftwich
Ithaca, NY

Re: Tomcat SecurityManager config for SOLR

[Chris Hostetter <ho...@fucit.org>]

: log. I have not been able to find much in the way of a howto for
: SecurityManager, and am pretty much groping in the dark at this point.

I found this...
  http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html
...but I'm afraid I don't have much concrete advice to offer you, i've
never run any servlet container with a security manager, mainly because
i've never run a WAR i didn't trust completely...

to start with, it looks like you're going to want to enable JndiPermission
(since that's how you are setting the solr home) and you should enable
read FilePermission for the entire solr home dir, and write FilePermission
for the data dir.  if you wnat to use snapshooting/snappulling you'll also
need to RuntimePermission.  i think that's probably it ... but according
to that doc, the best way to figure out what permissions you need to turn
on if something isn't working, is with the -Djava.security.debug=all
option.

if you have any luck with this, then by all means please update the
SOlrTomcat wiki with what you find.


-Hoss