You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@lucene.apache.org by "Jan Høydahl (JIRA)" <ji...@apache.org> on 2019/04/15 20:06:00 UTC
[jira] [Resolved] (SOLR-12371) Editing authorization config via
REST API fails in standalone mode due to version caching
[ https://issues.apache.org/jira/browse/SOLR-12371?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jan Høydahl resolved SOLR-12371.
--------------------------------
Resolution: Fixed
Fix Version/s: 7.7.2
Ok, pushed to 7_7 as well so you can download 7.7.2 once it is released
> Editing authorization config via REST API fails in standalone mode due to version caching
> -----------------------------------------------------------------------------------------
>
> Key: SOLR-12371
> URL: https://issues.apache.org/jira/browse/SOLR-12371
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: JSON Request API, security
> Affects Versions: 6.6.3
> Reporter: Pascal Proulx
> Assignee: Jan Høydahl
> Priority: Major
> Fix For: 7.7.2, 8.1
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Hello again,
> We use 6.6.3 and I was trying to update my security.json (in solr home, non-zookeeper) using:
> {code:java}
> curl -u myuser:mypass -H 'Content-type:application/json' -d '{"set-user-role":{"dummy":"dummy"}}' http://localhost:8080/solr/admin/authorization
> {code}
> The first time this is called, the security.json is written AND reloaded in memory correctly. The output json then contains at the end:
> {code:java}
> "":{"v":0}
> {code}
> However, subsequent calls using the same command, no matter the users specifed, always output the same meta version, 0.
> The result is that the the security.json file is correctly updated, but the RuleBasedAuthorizationPlugin is never reloaded in memory, so the new settings never take effect.
> The version never increases, so this condition in org.apache.solr.core.CoreContainer.initializeAuthorizationPlugin always returns and memory plugin reload is skipped:
> {code:java}
> if (old != null && old.getZnodeVersion() == readVersion(authorizationConf)) {
> return;
> }
> {code}
> The core of the issue is somewhere in org.apache.solr.handler.admin.SecurityConfHandler.doEdit:
> {code:java}
> SecurityConfig securityConfig = getSecurityConfig(true);
> Map<String, Object> data = securityConfig.getData();
> Map<String, Object> latestConf = (Map<String, Object>) data.get(key);
> if (latestConf == null) {
> throw new SolrException(SERVER_ERROR, "No configuration present for " + key);
> }
> List<CommandOperation> commandsCopy = CommandOperation.clone(ops);
> Map<String, Object> out = configEditablePlugin.edit(Utils.getDeepCopy(latestConf, 4) , commandsCopy);
> if (out == null) {
> List<Map> errs = CommandOperation.captureErrors(commandsCopy);
> if (!errs.isEmpty()) {
> rsp.add(CommandOperation.ERR_MSGS, errs);
> return;
> }
> log.debug("No edits made");
> return;
> } else {
> if(!Objects.equals(latestConf.get("class") , out.get("class"))){
> throw new SolrException(SERVER_ERROR, "class cannot be modified");
> }
> Map meta = getMapValue(out, "");
> meta.put("v", securityConfig.getVersion()+1);//encode the expected zkversion
> data.put(key, out);
>
> if(persistConf(securityConfig)) {
> securityConfEdited();
> return;
> }
> }
> {code}
> In my case, getSecurityConfig(true) delegates to org.apache.solr.handler.admin.SecurityConfHandlerLocal.getSecurityConfig(boolean)
> But the instance variable SecurityConfig.version is never set to anything other than -1; it is not read back from security.json in other words the data map, such that
> {code:java}
> meta.put("v", securityConfig.getVersion()+1);//encode the expected zkversion
> {code}
> always puts a value of 0 for the version, leading to the aforementioned memory reload skip.
> There does not seem to be any code calling SecurityConfig.setVersion anywhere or any of SecurityConfig's methods updating the version variable.
> The only code that does call it is in the SecurityConfHandlerZk for zookeeper, but we are not using zookeeper.
> Ultimately, I can't seem to use the set-user-role command because of this. I hope this is just a duplicate. Thanks
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org