You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@solr.apache.org by "Ishan Chattopadhyaya (Jira)" <ji...@apache.org> on 2021/08/19 10:25:00 UTC
[jira] [Updated] (SOLR-14593) Package store API to disable file
upload over HTTP
[ https://issues.apache.org/jira/browse/SOLR-14593?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ishan Chattopadhyaya updated SOLR-14593:
----------------------------------------
Fix Version/s: 8.10
> Package store API to disable file upload over HTTP
> --------------------------------------------------
>
> Key: SOLR-14593
> URL: https://issues.apache.org/jira/browse/SOLR-14593
> Project: Solr
> Issue Type: Task
> Reporter: Noble Paul
> Priority: Blocker
> Fix For: 8.10
>
>
> h2. Why?
> Users installing third party plugins from external repos trust the public keys of that repository owner. Anyone who has a private key to that repo will be able to push any executable binary into such a cluster using the HTTP upload endpoints. These executables will remain trusted.
> h3. Solution: Disable uploading jars over HTTP (they can be downloaded via CLI by the user)
> * {{/cluster/files/*}} endpoint will stop accepting files. That end-point will not exist
> * All jar files will need to be uploaded using the CLI. The CLI has access to a physical file system where it copies the jar file to {{$SOLR_HOME/filestore/*}} and issues the sync command. The sync command asks other nodes to sync the jar file from this local node. (This is how the keys are distributed today)
> h2. Is this backward compatible?
> No. For anyone using the internal APIs only to deploy, their packages will stop working. Anyone using the CLI will have the same experience and they do not need to make any changes to their workflow. All packages that are currently installed will continue to work fine
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org