Posted to commits@solr.apache.org by ho...@apache.org on 2023/07/28 18:03:18 UTC

[solr] branch branch_9x updated: SOLR-16905: Allow access to allowPaths in SecurityManager (#1811)

This is an automated email from the ASF dual-hosted git repository.

houston pushed a commit to branch branch_9x
in repository https://gitbox.apache.org/repos/asf/solr.git


The following commit(s) were added to refs/heads/branch_9x by this push:
     new 3d564dbffea SOLR-16905: Allow access to allowPaths in SecurityManager (#1811)
3d564dbffea is described below

commit 3d564dbffea59e856e00dbe04553366a80db1e9f
Author: Dennis W <32...@users.noreply.github.com>
AuthorDate: Fri Jul 28 19:59:42 2023 +0200

    SOLR-16905: Allow access to allowPaths in SecurityManager (#1811)
    
    Co-authored-by: Houston Putman <ho...@apache.org>
    (cherry picked from commit 59057dabc13978fd8b4de4cdcd1df34c184d3139)
---
 .../randomization/policies/solr-tests.policy       | 11 +++--
 solr/CHANGES.txt                                   |  2 +
 solr/packaging/test/test_security_manager.bats     | 54 ++++++++++++++++++++++
 solr/server/etc/security.policy                    | 11 +++--
 4 files changed, 70 insertions(+), 8 deletions(-)

diff --git a/gradle/testing/randomization/policies/solr-tests.policy b/gradle/testing/randomization/policies/solr-tests.policy
index 9e594e1ffd7..276532b519d 100644
--- a/gradle/testing/randomization/policies/solr-tests.policy
+++ b/gradle/testing/randomization/policies/solr-tests.policy
@@ -50,7 +50,7 @@ grant {
   permission java.net.SocketPermission "[::1]:4", "connect,resolve";
   permission java.net.SocketPermission "[::1]:6", "connect,resolve";
   permission java.net.SocketPermission "[::1]:8", "connect,resolve";
-  
+
   // Basic permissions needed for Lucene to work:
   permission java.util.PropertyPermission "*", "read,write";
 
@@ -161,15 +161,15 @@ grant {
   // Needed by zookeeper to configure SASL Auth in tests
   permission javax.security.auth.AuthPermission "createLoginContext.Server";
   permission javax.security.auth.AuthPermission "createLoginContext.Client";
-  
+
   // may only be necessary with Java 7?
   permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KeyTab * \"*\"", "read";
   permission javax.security.auth.PrivateCredentialPermission "sun.security.jgss.krb5.Krb5Util$KeysFromKeyTab * \"*\"", "read";
-  
+
   permission javax.security.auth.kerberos.ServicePermission "*", "initiate";
   permission javax.security.auth.kerberos.ServicePermission "*", "accept";
   permission javax.security.auth.kerberos.DelegationPermission "\"*\" \"krbtgt/EXAMPLE.COM@EXAMPLE.COM\"";
-  
+
   // java 8 accessibility requires this perm - should not after 8 I believe (rrd4j is the root reason we hit an accessibility code path)
   permission java.awt.AWTPermission "*";
 
@@ -211,6 +211,9 @@ grant {
   permission java.io.FilePermission "${solr.log.dir}", "read,write,delete,readlink";
   permission java.io.FilePermission "${solr.log.dir}${/}-", "read,write,delete,readlink";
 
+  permission java.io.FilePermission "${solr.allowPaths}", "read,write,delete,readlink";
+  permission java.io.FilePermission "${solr.allowPaths}${/}-", "read,write,delete,readlink";
+
   permission java.io.FilePermission "${log4j.configurationFile}", "read,write,delete,readlink";
 
   // Credentials for S3 Repository
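Review bot: The two added `${solr.allowPaths}` grants are only correct when the property holds exactly one non-empty directory, and nothing in the policy says so. Policy-file property expansion substitutes the raw string, so a comma-separated list or the `*` wildcard (both of which Solr's allowPaths setting accepts, as far as I know) becomes a single literal path rather than the intended set. An empty value would appear to turn the second entry into `/-`, i.e. read, write and delete on the whole filesystem on Unix; whether the start scripts can ever pass an empty value is not visible in this hunk. I would add a comment above the entries, e.g. `// solr.allowPaths must be a single, non-empty directory here; lists and "*" are not expanded by the policy parser`, and consider validating the value before the Security Manager is enabled. The same two lines are added to solr/server/etc/security.policy in the last hunk, and the grant block continues outside both hunks.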
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 86382a0cf64..bb87cc33125 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -29,6 +29,8 @@ Bug Fixes
 
 * SOLR-16906: Correctly capture REPLICATION metrics in Prometheus config (Daisuke Aritomo via Houston Putman)
 
+* SOLR-16905: Allow access to specified "solr.allowPaths" in Security Manager (daylicron, Houston Putman)
+
 Dependency Upgrades
 ---------------------
 (No changes)
diff --git a/solr/packaging/test/test_security_manager.bats b/solr/packaging/test/test_security_manager.bats
new file mode 100644
index 00000000000..0d7fa163a1a
--- /dev/null
+++ b/solr/packaging/test/test_security_manager.bats
@@ -0,0 +1,54 @@
+#!/usr/bin/env bats
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+load bats_helper
+
+setup() {
+  common_clean_setup
+}
+
+teardown() {
+  # save a snapshot of SOLR_HOME for failed tests
+  save_home_on_failure
+
+  delete_all_collections
+  SOLR_STOP_WAIT=1 solr stop -all >/dev/null 2>&1
+}
+
+@test "allowPaths - backup" {
+  # Make a test tmp dir, as the security policy includes TMP, so that might already contain the BATS_TEST_TMPDIR
+  test_tmp_dir="${BATS_TEST_TMPDIR}/tmp"
+  mkdir -p "${test_tmp_dir}"
+  test_tmp_dir="$(cd -P "${test_tmp_dir}" && pwd)"
+
+  backup_dir="${BATS_TEST_TMPDIR}/backup-dir"
+  mkdir -p "${backup_dir}"
+  backup_dir="$(cd -P "${backup_dir}" && pwd)"
+
+  export SOLR_SECURITY_MANAGER_ENABLED=true
+  export SOLR_OPTS="-Dsolr.allowPaths=${backup_dir} -Djava.io.tmpdir=${test_tmp_dir}"
+  run solr start -c
+  run solr create_collection -c COLL_NAME
+  run solr api -get "http://localhost:8983/solr/admin/collections?action=BACKUP&name=test&collection=COLL_NAME&location=file://${backup_dir}"
+  assert_output --partial '"status":0'
+
+  # Solr is not permissioned for this directory, so it should fail
+  backup_dir_other="${backup_dir}-other"
+  mkdir -p "${backup_dir_other}"
+  run solr api -get "http://localhost:8983/solr/admin/collections?action=BACKUP&name=test-fail&collection=COLL_NAME&location=file://${backup_dir_other}"
+  assert_output --partial 'access denied'
+}
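Review bot: The setup calls `run solr start -c` and `run solr create_collection -c COLL_NAME` never have their status checked, so a Solr that fails to start under the Security Manager only surfaces later as a confusing mismatch on `"status":0`. Following each with `assert_success` (assuming bats_helper loads bats-assert, as the use of `assert_output` suggests) would pin the failure to the right step. For the denied case, it would also be worth asserting that `${backup_dir_other}` is still empty after the call, e.g. `[ -z "$(ls -A "${backup_dir_other}")" ]`, so the test shows nothing was written rather than only matching the 'access denied' string.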
diff --git a/solr/server/etc/security.policy b/solr/server/etc/security.policy
index 640f82f4e13..77ac99704c5 100644
--- a/solr/server/etc/security.policy
+++ b/solr/server/etc/security.policy
@@ -58,7 +58,7 @@ grant {
   permission java.net.SocketPermission "[::1]:4", "connect,resolve";
   permission java.net.SocketPermission "[::1]:6", "connect,resolve";
   permission java.net.SocketPermission "[::1]:8", "connect,resolve";
-  
+
   // Basic permissions needed for Lucene to work:
   permission java.util.PropertyPermission "*", "read,write";
 
@@ -159,15 +159,15 @@ grant {
 
   // SASL/Kerberos related properties for Solr tests
   permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KerberosTicket * \"*\"", "read";
-  
+
   // may only be necessary with Java 7?
   permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KeyTab * \"*\"", "read";
   permission javax.security.auth.PrivateCredentialPermission "sun.security.jgss.krb5.Krb5Util$KeysFromKeyTab * \"*\"", "read";
-  
+
   permission javax.security.auth.kerberos.ServicePermission "*", "initiate";
   permission javax.security.auth.kerberos.ServicePermission "*", "accept";
   permission javax.security.auth.kerberos.DelegationPermission "\"*\" \"krbtgt/EXAMPLE.COM@EXAMPLE.COM\"";
-  
+
   // java 8 accessibility requires this perm - should not after 8 I believe (rrd4j is the root reason we hit an accessibility code path)
   permission java.awt.AWTPermission "*";
 
@@ -211,6 +211,9 @@ grant {
   permission java.io.FilePermission "${solr.log.dir}", "read,write,delete,readlink";
   permission java.io.FilePermission "${solr.log.dir}${/}-", "read,write,delete,readlink";
 
+  permission java.io.FilePermission "${solr.allowPaths}", "read,write,delete,readlink";
+  permission java.io.FilePermission "${solr.allowPaths}${/}-", "read,write,delete,readlink";
+
   permission java.io.FilePermission "${log4j.configurationFile}", "read,write,delete,readlink";
 
   // Credentials for S3 Repository