Posted to commits@solr.apache.org by ho...@apache.org on 2023/08/22 20:15:24 UTC

[solr] branch branch_9x updated: SOLR-16934: Give securityManager permission for client TLS (#1857)

This is an automated email from the ASF dual-hosted git repository.

houston pushed a commit to branch branch_9x
in repository https://gitbox.apache.org/repos/asf/solr.git


The following commit(s) were added to refs/heads/branch_9x by this push:
     new 8a3da6a3a93 SOLR-16934: Give securityManager permission for client TLS (#1857)
8a3da6a3a93 is described below

commit 8a3da6a3a93c475063d3ebf028fe9420454ce732
Author: Houston Putman <ho...@apache.org>
AuthorDate: Tue Aug 22 15:57:01 2023 -0400

    SOLR-16934: Give securityManager permission for client TLS (#1857)
    
    (cherry picked from commit 6e508802ab8ede9809b9e76a507b064d8af7ae76)
---
 solr/CHANGES.txt                  |  2 ++
 solr/packaging/test/test_ssl.bats | 58 +++++++++++++++++++++++++++++++++++++++
 solr/server/etc/security.policy   | 10 ++++---
 3 files changed, 66 insertions(+), 4 deletions(-)

diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 36d30c6e7f8..3dc30414bb6 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -74,6 +74,8 @@ Bug Fixes
 
 * SOLR-16929: SolrStream propagates undecoded error message (Alex Deparvu)
 
+* SOLR-16934: Allow Solr to read client (javax.net.ssl.*) trustStores and keyStores via SecurityManager. (Houston Putman)
+
 Dependency Upgrades
 ---------------------
 
diff --git a/solr/packaging/test/test_ssl.bats b/solr/packaging/test/test_ssl.bats
index 9f3fdfe806c..a40d3232a13 100644
--- a/solr/packaging/test/test_ssl.bats
+++ b/solr/packaging/test/test_ssl.bats
@@ -97,3 +97,61 @@ teardown() {
   run curl --http2 --cacert "$ssl_dir/solr-ssl.pem" 'https://localhost:8983/solr/test/select?q=*:*'
   assert_output --partial '401 require authentication'
 }
+
+@test "start solr with client truststore and security manager" {
+  # Make a test tmp dir, as the security policy includes TMP, so that might already contain the BATS_TEST_TMPDIR
+  test_tmp_dir="${BATS_TEST_TMPDIR}/tmp"
+  mkdir -p "${test_tmp_dir}"
+  test_tmp_dir="$(cd -P "${test_tmp_dir}" && pwd)"
+
+  export SOLR_SECURITY_MANAGER_ENABLED=true
+  export SOLR_OPTS="-Djava.io.tmpdir=${test_tmp_dir}"
+  export SOLR_TOOL_OPTS="-Djava.io.tmpdir=${test_tmp_dir}"
+
+  # Create a keystore
+  export ssl_dir="${BATS_TEST_TMPDIR}/ssl"
+  export client_ssl_dir="${ssl_dir}-client"
+  mkdir -p "$ssl_dir"
+  (
+    cd "$ssl_dir"
+    rm -f solr-ssl.keystore.p12
+    keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.p12 -storetype PKCS12 -ext SAN=DNS:localhost,IP:127.0.0.1 -dname "CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country"
+  )
+  mkdir -p "$client_ssl_dir"
+  (
+    cd "$client_ssl_dir"
+    rm -f *
+    keytool -export -alias solr-ssl -file solr-ssl.crt -keystore "$ssl_dir/solr-ssl.keystore.p12" -keypass secret -storepass secret
+    keytool -import -v -trustcacerts -alias solr-ssl -file solr-ssl.crt -storetype PKCS12 -keystore solr-ssl.truststore.p12 -keypass secret -storepass secret  -noprompt
+  )
+  cp -R "$ssl_dir" "$client_ssl_dir"
+
+  # Set ENV_VARs so that Solr uses this keystore
+  export SOLR_SSL_ENABLED=true
+  export SOLR_SSL_KEY_STORE=$ssl_dir/solr-ssl.keystore.p12
+  export SOLR_SSL_KEY_STORE_PASSWORD=secret
+  export SOLR_SSL_TRUST_STORE=$ssl_dir/solr-ssl.keystore.p12
+  export SOLR_SSL_TRUST_STORE_PASSWORD=secret
+  export SOLR_SSL_CLIENT_TRUST_STORE=$client_ssl_dir/solr-ssl.truststore.p12
+  export SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=secret
+  export SOLR_SSL_NEED_CLIENT_AUTH=false
+  export SOLR_SSL_WANT_CLIENT_AUTH=true
+  export SOLR_SSL_CHECK_PEER_NAME=true
+  export SOLR_HOST=localhost
+  export SOLR_SECURITY_MANAGER_ENABLED=true
+
+  run solr start -c
+
+  export SOLR_SSL_KEY_STORE=
+  export SOLR_SSL_KEY_STORE_PASSWORD=
+  export SOLR_SSL_TRUST_STORE=
+  export SOLR_SSL_TRUST_STORE_PASSWORD=
+
+  solr assert --started https://localhost:8983/solr --timeout 5000
+
+  run solr create -c test -s 2
+  assert_output --partial "Created collection 'test'"
+
+  run solr api -get 'https://localhost:8983/solr/admin/collections?action=CLUSTERSTATUS'
+  assert_output --partial '"urlScheme":"https"'
+}
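Review bot: The test exports only `SOLR_SSL_CLIENT_TRUST_STORE`, so the new `${javax.net.ssl.keyStore}` grant in security.policy is never exercised with a path of its own. Presumably the client keyStore property then falls back to the server keystore, which the `${solr.jetty.keystore}` grant already covers. Exporting a separate client key store, e.g. `export SOLR_SSL_CLIENT_KEY_STORE=$client_ssl_dir/ssl/solr-ssl.keystore.p12` with `export SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=secret`, would cover it and would give the otherwise unreferenced `cp -R "$ssl_dir" "$client_ssl_dir"` copy a purpose. Separately, `run solr start -c` has no status assertion, so a policy denial at start-up only surfaces later as a `solr assert --started` timeout; `assert_success` after the start would localise it.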
diff --git a/solr/server/etc/security.policy b/solr/server/etc/security.policy
index 77ac99704c5..aec2e2ddcfe 100644
--- a/solr/server/etc/security.policy
+++ b/solr/server/etc/security.policy
@@ -185,11 +185,13 @@ grant {
   permission java.io.FilePermission "${hadoop.security.credential.provider.path}", "read,write,delete,readlink";
   permission java.io.FilePermission "${hadoop.security.credential.provider.path}${/}-", "read,write,delete,readlink";
 
-  permission java.io.FilePermission "${solr.jetty.keystore}", "read,write,delete,readlink";
-  permission java.io.FilePermission "${solr.jetty.keystore}${/}-", "read,write,delete,readlink";
+  permission java.io.FilePermission "${solr.jetty.keystore}", "read,readlink";
 
-  permission java.io.FilePermission "${solr.jetty.truststore}", "read,write,delete,readlink";
-  permission java.io.FilePermission "${solr.jetty.truststore}${/}-", "read,write,delete,readlink";
+  permission java.io.FilePermission "${solr.jetty.truststore}", "read,readlink";
+
+  permission java.io.FilePermission "${javax.net.ssl.keyStore}", "read,readlink";
+
+  permission java.io.FilePermission "${javax.net.ssl.trustStore}", "read,readlink";
 
   permission java.io.FilePermission "${solr.install.dir}", "read,write,delete,readlink";
   permission java.io.FilePermission "${solr.install.dir}${/}-", "read,write,delete,readlink";
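Review bot: The `${solr.jetty.keystore}` and `${solr.jetty.truststore}` grants lose `write,delete` and their recursive `${/}-` entries in this hunk, a tightening that neither the commit title nor the CHANGES entry mentions. Read-only access is the better default for key material, but a deployment whose store property points at a directory, or that depends on files next to the store, would start seeing access denials after upgrading, so it deserves an upgrade note. A comment above the four entries would also record the intent, e.g. `// TLS key/trust stores are read-only on purpose; an entry whose property is unset is ignored by the policy parser`. The `grant` block starts and ends outside the hunk.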