Posted to issues@ambari.apache.org by "Olivér Szabó (JIRA)" <ji...@apache.org> on 2017/10/20 09:52:00 UTC

[jira] [Resolved] (AMBARI-22273) Disable xmlparser and configEdit API in Infra Solr by default

     [ https://issues.apache.org/jira/browse/AMBARI-22273?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Olivér Szabó resolved AMBARI-22273.
-----------------------------------
    Resolution: Fixed

committed to branch-2.6:
{code:java}
commit 0da1de119e74600109fde146cdc8a60c06e202e5
Author: Oliver Szabo <ol...@gmail.com>
Date:   Fri Oct 20 00:37:37 2017 +0200

    AMBARI-22273. Disable xmlparser and configEdit API in Infra Solr by default (oleewere)
{code}

> Disable xmlparser and configEdit API in Infra Solr by default
> -------------------------------------------------------------
>
>                 Key: AMBARI-22273
>                 URL: https://issues.apache.org/jira/browse/AMBARI-22273
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-infra, ambari-logsearch, ambari-server
>    Affects Versions: 2.6.0
>            Reporter: Olivér Szabó
>            Assignee: Olivér Szabó
>             Fix For: 2.6.0
>
>
> 1.) Disable editing with the Config API by adding the "-Ddisable.configEdit=true" flag to the SOLR_OPTS by default.
> 2.) Update all collections to reroute the xmlparser query parser away from the vulnerable class, by adding this to the Ranger, Atlas, and LogSearch collections:
> {noformat}
> <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
> {noformat}
> Requires manual changes for non-newly created clusters with Ranger/Atlas/LogSearch and Infra Solr:
> 1. Infra Solr changes:
>   - add SOLR_OPTS="$SOLR_OPTS -Ddisable.configEdit=true" to {{infra-solr-env/content}} (applying that change means the Solr nodes need to be restarted)
> 2. Log Search changes:
>   - add {{<queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />}} to {{logsearch-audit_logs-solrconfig/content}}
>   - add {{<queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />}} to {{logsearch-service_logs-solrconfig/content}}
> 3. Ranger changes: (0.7.0)
>   - add {{<queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />}} to {{ranger-solr-configuration/content}}
> 4. Atlas changes: (0.7.0.2.5)
>   - add {{<queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />}} to {{atlas-solrconfig/content}}
> After service restart that 
> In that case, if someone does not want to restart any of the services, the configuration download/upload can be done through the infra solr client, like this (e.g. for ranger):
> Download the config to a temp location:
> {code:java}
> ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.8.0_112 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string mycluster:2181/infra-solr --download-config --config-dir /var/lib/ambari-agent/tmp/solr_config_ranger_audits_0.837423011509 --config-set ranger_audits --retry 30 --interval 5
> {code}
> Then add the xml parser to solrconfig.xml (inside the downloaded temp config folder), then use the upload command:
> {code:java}
> ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.8.0_112 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string olicluster-1.openstacklocal:2181/infra-solr --upload-config --config-dir /var/lib/ambari-agent/tmp/solr_config_ranger_audits_0.837423011509 --config-set ranger_audits --retry 30 --interval 5
> {code}
> note: use the {{--jaas-file}} flag as well (with the proper logsearch/ranger/atlas jaas file location) if the cluster is kerberized, otherwise the zookeeper/solr-client command won't work.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
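
The two manual changes described in the issue (the queryParser override in each solrconfig.xml and the `-Ddisable.configEdit=true` flag in infra-solr-env/content) can be checked, and the override applied to a downloaded solrconfig.xml before the upload step, with a small script. This is an added example, not code from the Ambari project; the function names, the placeholder class in the test and the sample solrconfig content are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

SAFE_CLASS = "solr.ExtendedDismaxQParserPlugin"
OVERRIDE = '<queryParser name="xmlparser" class="%s" />' % SAFE_CLASS

# Constructed sample standing in for a downloaded solrconfig.xml.
SAMPLE = """<config>
  <luceneMatchVersion>6.6.0</luceneMatchVersion>
  <requestHandler name="/select" class="solr.SearchHandler" />
</config>
"""

def xmlparser_state(solrconfig_text):
    """Return 'overridden', 'missing' or 'other:<class>' for the xmlparser entry."""
    root = ET.fromstring(solrconfig_text)
    for qp in root.iter("queryParser"):
        if qp.get("name") == "xmlparser":
            cls = qp.get("class")
            return "overridden" if cls == SAFE_CLASS else "other:%s" % cls
    return "missing"

def ensure_override(solrconfig_text):
    """Add the override before the closing </config> if absent. Idempotent."""
    state = xmlparser_state(solrconfig_text)
    if state == "overridden":
        return solrconfig_text, False
    if state != "missing":
        # xmlparser is mapped to some other class: do not guess, stop.
        raise ValueError("xmlparser already mapped (%s); review by hand" % state)
    idx = solrconfig_text.rfind("</config>")
    if idx < 0:
        raise ValueError("no closing </config> element found")
    # Textual insert keeps the file's comments and layout untouched.
    patched = solrconfig_text[:idx] + "  " + OVERRIDE + "\n" + solrconfig_text[idx:]
    ET.fromstring(patched)  # fail loudly if the edit broke well-formedness
    return patched, True

def config_edit_disabled(env_content):
    """True if a non-comment line of infra-solr-env content sets the flag."""
    return any(
        re.search(r"-Ddisable\.configEdit=true\b", line)
        for line in env_content.splitlines()
        if not line.lstrip().startswith("#")
    )

if __name__ == "__main__":
    patched, changed = ensure_override(SAMPLE)
    print(changed, xmlparser_state(patched))
```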