Posted to issues@lucene.apache.org by "David Smiley (Jira)" <ji...@apache.org> on 2019/12/11 20:44:00 UTC

[jira] [Commented] (SOLR-14059) Consolidate configSet properties and flags

    [ https://issues.apache.org/jira/browse/SOLR-14059?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16993888#comment-16993888 ] 

David Smiley commented on SOLR-14059:
-------------------------------------

See https://issues.apache.org/jira/browse/SOLR-6736?focusedCommentId=16992874&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16992874 

There is an inherent security concern with "trusted".  If we always write this to configsetprops.json after upload (via the configSet upload API), overwriting what might be there already, then it's probably fine?  I don't believe we have any other APIs to upload arbitrary files to a configSet; correct me if I'm wrong.

If a user uploads directly to ZK without going through Solr (e.g. via {{bin/solr zk upconfig}}) then the security matter is moot because the user effectively has full access to the cluster already.

> Consolidate configSet properties and flags
> ------------------------------------------
>
>                 Key: SOLR-14059
>                 URL: https://issues.apache.org/jira/browse/SOLR-14059
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: SolrCloud
>            Reporter: David Smiley
>            Priority: Minor
>
> Internally there are "configSet _flags_" and "configSet _properties_". In ZK the former is stored on the ZK node (ZK dirs can themselves be a file) vs "configsetprops.json" for the latter. *I think it's a complexity burden to have both.* 
> At present it appears the only use of configSet flags is a "trusted" boolean, and the only use of configSet properties is an "immutable" boolean.  Granted, users have the ability to add to configSet properties via the API or by including the file, so there could be more in use.
> TBD how they should be consolidated.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
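
Added example (not part of the original message and not Solr code): a small Python model of the "always overwrite after upload" idea raised in the comment, showing that a client-supplied "trusted" value never reaches storage. The dict-of-files upload model, the function names, the top-level "trusted" key inside configsetprops.json and the server_trusted input are assumptions made for illustration.

```python
import json

PROPS_FILE = "configsetprops.json"  # file name taken from the thread


def finalize_upload(files, server_trusted):
    """Return the file set to store, with "trusted" decided by the server.

    files: dict of path -> bytes as sent by the uploader (constructed model,
           not Solr's upload API).
    server_trusted: bool computed by the server itself (assumption: for
           example, from whether the upload request was authenticated).
    """
    stored = dict(files)  # copy, so the uploader's input is left untouched
    props = {}
    raw = files.get(PROPS_FILE)
    if raw is not None:
        try:
            parsed = json.loads(raw.decode("utf-8"))
        except ValueError:  # covers both bad UTF-8 and bad JSON
            parsed = None
        # Keep uploader-supplied properties only if the file is a JSON object;
        # anything else is replaced by a fresh properties object.
        if isinstance(parsed, dict):
            props = parsed
    # Overwrite unconditionally: whatever the uploader put under "trusted"
    # is discarded, and a missing file gets the flag written anyway.
    props["trusted"] = bool(server_trusted)
    stored[PROPS_FILE] = json.dumps(props, sort_keys=True).encode("utf-8")
    return stored


def stored_props(stored):
    """Parse the properties file that would end up in storage."""
    return json.loads(stored[PROPS_FILE].decode("utf-8"))


# Constructed sample uploads.
FORGED = {
    "solrconfig.xml": b"<config/>",
    PROPS_FILE: b'{"trusted": true, "immutable": false}',
}
NO_PROPS = {"solrconfig.xml": b"<config/>"}
MALFORMED = {PROPS_FILE: b'{"trusted": true'}

if __name__ == "__main__":
    for name, upload in (("forged", FORGED), ("no props", NO_PROPS),
                         ("malformed", MALFORMED)):
        print(name, stored_props(finalize_upload(upload, server_trusted=False)))
```

Other uploader-supplied properties such as "immutable" pass through unchanged in this model; only "trusted" is server-controlled.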
