You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@solr.apache.org by ho...@apache.org on 2023/08/22 20:15:24 UTC
[solr] branch branch_9x updated: SOLR-16934: Give securityManager permission for client TLS (#1857)
This is an automated email from the ASF dual-hosted git repository.
houston pushed a commit to branch branch_9x
in repository https://gitbox.apache.org/repos/asf/solr.git
The following commit(s) were added to refs/heads/branch_9x by this push:
new 8a3da6a3a93 SOLR-16934: Give securityManager permission for client TLS (#1857)
8a3da6a3a93 is described below
commit 8a3da6a3a93c475063d3ebf028fe9420454ce732
Author: Houston Putman <ho...@apache.org>
AuthorDate: Tue Aug 22 15:57:01 2023 -0400
SOLR-16934: Give securityManager permission for client TLS (#1857)
(cherry picked from commit 6e508802ab8ede9809b9e76a507b064d8af7ae76)
---
solr/CHANGES.txt | 2 ++
solr/packaging/test/test_ssl.bats | 58 +++++++++++++++++++++++++++++++++++++++
solr/server/etc/security.policy | 10 ++++---
3 files changed, 66 insertions(+), 4 deletions(-)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 36d30c6e7f8..3dc30414bb6 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -74,6 +74,8 @@ Bug Fixes
* SOLR-16929: SolrStream propagates undecoded error message (Alex Deparvu)
+* SOLR-16934: Allow Solr to read client (javax.net.ssl.*) trustStores and keyStores via SecurityManager. (Houston Putman)
+
Dependency Upgrades
---------------------
diff --git a/solr/packaging/test/test_ssl.bats b/solr/packaging/test/test_ssl.bats
index 9f3fdfe806c..a40d3232a13 100644
--- a/solr/packaging/test/test_ssl.bats
+++ b/solr/packaging/test/test_ssl.bats
@@ -97,3 +97,61 @@ teardown() {
run curl --http2 --cacert "$ssl_dir/solr-ssl.pem" 'https://localhost:8983/solr/test/select?q=*:*'
assert_output --partial '401 require authentication'
}
+
+@test "start solr with client truststore and security manager" {
+ # Make a test tmp dir, as the security policy includes TMP, so that might already contain the BATS_TEST_TMPDIR
+ test_tmp_dir="${BATS_TEST_TMPDIR}/tmp"
+ mkdir -p "${test_tmp_dir}"
+ test_tmp_dir="$(cd -P "${test_tmp_dir}" && pwd)"
+
+ export SOLR_SECURITY_MANAGER_ENABLED=true
+ export SOLR_OPTS="-Djava.io.tmpdir=${test_tmp_dir}"
+ export SOLR_TOOL_OPTS="-Djava.io.tmpdir=${test_tmp_dir}"
+
+ # Create a keystore
+ export ssl_dir="${BATS_TEST_TMPDIR}/ssl"
+ export client_ssl_dir="${ssl_dir}-client"
+ mkdir -p "$ssl_dir"
+ (
+ cd "$ssl_dir"
+ rm -f solr-ssl.keystore.p12
+ keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.p12 -storetype PKCS12 -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country"
+ )
+ mkdir -p "$client_ssl_dir"
+ (
+ cd "$client_ssl_dir"
+ rm -f *
+ keytool -export -alias solr-ssl -file solr-ssl.crt -keystore "$ssl_dir/solr-ssl.keystore.p12" -keypass secret -storepass secret
+ keytool -import -v -trustcacerts -alias solr-ssl -file solr-ssl.crt -storetype PKCS12 -keystore solr-ssl.truststore.p12 -keypass secret -storepass secret -noprompt
+ )
+ cp -R "$ssl_dir" "$client_ssl_dir"
+
+ # Set ENV_VARs so that Solr uses this keystore
+ export SOLR_SSL_ENABLED=true
+ export SOLR_SSL_KEY_STORE=$ssl_dir/solr-ssl.keystore.p12
+ export SOLR_SSL_KEY_STORE_PASSWORD=secret
+ export SOLR_SSL_TRUST_STORE=$ssl_dir/solr-ssl.keystore.p12
+ export SOLR_SSL_TRUST_STORE_PASSWORD=secret
+ export SOLR_SSL_CLIENT_TRUST_STORE=$client_ssl_dir/solr-ssl.truststore.p12
+ export SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=secret
+ export SOLR_SSL_NEED_CLIENT_AUTH=false
+ export SOLR_SSL_WANT_CLIENT_AUTH=true
+ export SOLR_SSL_CHECK_PEER_NAME=true
+ export SOLR_HOST=localhost
+ export SOLR_SECURITY_MANAGER_ENABLED=true
+
+ run solr start -c
+
+ export SOLR_SSL_KEY_STORE=
+ export SOLR_SSL_KEY_STORE_PASSWORD=
+ export SOLR_SSL_TRUST_STORE=
+ export SOLR_SSL_TRUST_STORE_PASSWORD=
+
+ solr assert --started https://localhost:8983/solr --timeout 5000
+
+ run solr create -c test -s 2
+ assert_output --partial "Created collection 'test'"
+
+ run solr api -get 'https://localhost:8983/solr/admin/collections?action=CLUSTERSTATUS'
+ assert_output --partial '"urlScheme":"https"'
+}
diff --git a/solr/server/etc/security.policy b/solr/server/etc/security.policy
index 77ac99704c5..aec2e2ddcfe 100644
--- a/solr/server/etc/security.policy
+++ b/solr/server/etc/security.policy
@@ -185,11 +185,13 @@ grant {
permission java.io.FilePermission "${hadoop.security.credential.provider.path}", "read,write,delete,readlink";
permission java.io.FilePermission "${hadoop.security.credential.provider.path}${/}-", "read,write,delete,readlink";
- permission java.io.FilePermission "${solr.jetty.keystore}", "read,write,delete,readlink";
- permission java.io.FilePermission "${solr.jetty.keystore}${/}-", "read,write,delete,readlink";
+ permission java.io.FilePermission "${solr.jetty.keystore}", "read,readlink";
- permission java.io.FilePermission "${solr.jetty.truststore}", "read,write,delete,readlink";
- permission java.io.FilePermission "${solr.jetty.truststore}${/}-", "read,write,delete,readlink";
+ permission java.io.FilePermission "${solr.jetty.truststore}", "read,readlink";
+
+ permission java.io.FilePermission "${javax.net.ssl.keyStore}", "read,readlink";
+
+ permission java.io.FilePermission "${javax.net.ssl.trustStore}", "read,readlink";
permission java.io.FilePermission "${solr.install.dir}", "read,write,delete,readlink";
permission java.io.FilePermission "${solr.install.dir}${/}-", "read,write,delete,readlink";