  1. Ambari
  2. AMBARI-22273

Disable xmlparser and configEdit API in Infra Solr by default


Details

    Description

      1.) Disable editing with the Config API by adding the "-Ddisable.configEdit=true" flag to SOLR_OPTS by default.
      2.) Update all collections to reroute the xmlparser query parser away from the vulnerable class, by adding this to the Ranger, Atlas, and LogSearch collections:

      <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
      

      Requires manual changes for existing (not newly created) clusters with Ranger/Atlas/LogSearch and Infra Solr:
      1. Infra Solr changes:
      • add SOLR_OPTS="$SOLR_OPTS -Ddisable.configEdit=true" to infra-solr-env/content (the Solr nodes need to be restarted for this change to take effect)
      2. Log Search changes:
      • add <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" /> to logsearch-audit_logs-solrconfig/content
      • add <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" /> to logsearch-service_logs-solrconfig/content
      3. Ranger changes: (0.7.0)
      • add <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" /> to ranger-solr-configuration/content
      4. Atlas changes: (0.7.0.2.5)
      • add <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" /> to atlas-solrconfig/content

      After service restart that
      In that case, if someone does not want to restart any of the services, the configuration download/upload can be done through the Infra Solr client, like this (e.g. for Ranger):
      Download the config to a temp location:

      ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.8.0_112 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string mycluster:2181/infra-solr --download-config --config-dir /var/lib/ambari-agent/tmp/solr_config_ranger_audits_0.837423011509 --config-set ranger_audits --retry 30 --interval 5
      

      Then add the xmlparser queryParser entry to solrconfig.xml (inside the downloaded temp config folder) and use the upload command:

      ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.8.0_112 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string mycluster:2181/infra-solr --upload-config --config-dir /var/lib/ambari-agent/tmp/solr_config_ranger_audits_0.837423011509 --config-set ranger_audits --retry 30 --interval 5
      

      Note: use the --jaas-file flag as well (with the proper logsearch/ranger/atlas JAAS file location) if the cluster is kerberized; otherwise the zookeeper/solr-client command won't work.
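
      The manual "add the xmlparser entry to solrconfig.xml" step between download and upload can be scripted so it is idempotent and verified before the config set is pushed back. The following is an added example, not part of Ambari or of the original issue; the function names (xmlparser_class, remap_xmlparser) and the script itself are hypothetical, and only the queryParser line comes from the description above.

```python
import re
import sys
import xml.etree.ElementTree as ET

SAFE_CLASS = "solr.ExtendedDismaxQParserPlugin"
REMAP = '<queryParser name="xmlparser" class="%s" />' % SAFE_CLASS
# An existing xmlparser registration, self-closed or with a body.
EXISTING = re.compile(
    r'<queryParser\b[^>]*\bname="xmlparser"[^>]*?(?:/>|>.*?</queryParser>)', re.S)


def xmlparser_class(xml_text):
    """Return the class registered for xmlparser, or None if there is no override."""
    root = ET.fromstring(xml_text.encode("utf-8"))  # also rejects malformed XML
    for qp in root.iter("queryParser"):
        if qp.get("name") == "xmlparser":
            return qp.get("class")
    return None


def remap_xmlparser(xml_text):
    """Return (new_text, changed) with xmlparser routed to SAFE_CLASS."""
    current = xmlparser_class(xml_text)
    if current == SAFE_CLASS:
        return xml_text, False  # idempotent: safe to run on every config set
    if current is not None:
        # An override exists but points at another class: rewrite it in place.
        new_text = EXISTING.sub(REMAP, xml_text, count=1)
    else:
        # Text insertion before </config> keeps comments and layout intact.
        end = xml_text.rfind("</config>")
        if end < 0:
            raise ValueError("no closing </config> tag found")
        new_text = xml_text[:end] + "  " + REMAP + "\n" + xml_text[end:]
    # Re-parse so a miss (e.g. the regex hit a commented-out copy) is caught.
    if xmlparser_class(new_text) != SAFE_CLASS:
        raise ValueError("remap not effective; edit solrconfig.xml by hand")
    return new_text, True


if __name__ == "__main__":
    path = sys.argv[1]  # solrconfig.xml inside the downloaded --config-dir
    with open(path, encoding="utf-8") as fh:
        text, changed = remap_xmlparser(fh.read())
    if changed:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    print(("updated " if changed else "already remapped ") + path)
```

      Run it against the solrconfig.xml in the downloaded temp config folder, then continue with the upload command above; a non-zero exit means the file needs a manual edit before uploading.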

            People

              oleewere Oliver Szabo