Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- 2.6.0
- None
Description
1.) Disable editing with the Config API by adding the "-Ddisable.configEdit=true" flag to the SOLR_OPTS by default.
2.) Update all collections to reroute the xmlparser query parser away from the vulnerable class, by adding this to the Ranger, Atlas, and LogSearch collections:
<queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" />
Requires manual changes for non-newly created clusters with Ranger/Atlas/LogSearch and Infra Solr:
1. Infra Solr changes:
- add SOLR_OPTS="$SOLR_OPTS -Ddisable.configEdit=true" to infra-solr-env/content (applying that change requires restarting the Solr nodes)
2. Log Search changes:
- add <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" /> to logsearch-audit_logs-solrconfig/content
- add <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" /> to logsearch-service_logs-solrconfig/content
3. Ranger changes: (0.7.0)
- add <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" /> to ranger-solr-configuration/content
4. Atlas changes: (0.7.0.2.5)
- add <queryParser name="xmlparser" class="solr.ExtendedDismaxQParserPlugin" /> to atlas-solrconfig/content
After service restart that
In that case, if someone does not want to restart any of the services, the configuration download/upload can be done through the Infra Solr client, like this (e.g. for Ranger):
Download the config to a temp location:
ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.8.0_112 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string mycluster:2181/infra-solr --download-config --config-dir /var/lib/ambari-agent/tmp/solr_config_ranger_audits_0.837423011509 --config-set ranger_audits --retry 30 --interval 5
Then add the xmlparser override to solrconfig.xml (inside the downloaded temp config folder), then use the upload command:
ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.8.0_112 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string olicluster-1.openstacklocal:2181/infra-solr --upload-config --config-dir /var/lib/ambari-agent/tmp/solr_config_ranger_audits_0.837423011509 --config-set ranger_audits --retry 30 --interval 5
Note: use the --jaas-file flag as well (with the proper logsearch/ranger/atlas jaas file location) if the cluster is kerberized, otherwise the zookeeper/solr-client command won't work.
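One way to apply and verify the solrconfig.xml edit between the download and upload steps, as an added example that is not part of this issue or of Ambari's code. The function names and the sample config are constructed for illustration; only the queryParser line and the -Ddisable.configEdit=true flag come from the description above.

```python
import xml.etree.ElementTree as ET

SAFE_CLASS = "solr.ExtendedDismaxQParserPlugin"
OVERRIDE = '<queryParser name="xmlparser" class="%s" />' % SAFE_CLASS

# Constructed sample, not a real ranger_audits solrconfig.xml.
SAMPLE_SOLRCONFIG = """<?xml version="1.0" encoding="UTF-8" ?>
<config>
  <!-- constructed sample -->
  <requestHandler name="/select" class="solr.SearchHandler" />
</config>
"""

def xmlparser_classes(solrconfig_text):
    """Class of every <queryParser name="xmlparser"> registered in the config."""
    root = ET.fromstring(solrconfig_text)
    return [qp.get("class") for qp in root.iter("queryParser")
            if qp.get("name") == "xmlparser"]

def is_mitigated(solrconfig_text):
    """True only if xmlparser is registered exactly once, with the safe class."""
    return xmlparser_classes(solrconfig_text) == [SAFE_CLASS]

def add_override(solrconfig_text):
    """Insert the override before </config>; a text edit keeps comments and layout."""
    classes = xmlparser_classes(solrconfig_text)
    if classes == [SAFE_CLASS]:
        return solrconfig_text              # already applied, nothing to do
    if classes:
        raise ValueError("xmlparser already mapped to %s; review by hand" % classes)
    head, closing, tail = solrconfig_text.rpartition("</config>")
    if not closing:
        raise ValueError("no closing </config> tag found")
    patched = head + "  " + OVERRIDE + "\n" + closing + tail
    if not is_mitigated(patched):           # re-parse before anything is uploaded
        raise ValueError("patched config does not contain the override")
    return patched

def config_edit_disabled(env_content):
    """True if an uncommented SOLR_OPTS line sets -Ddisable.configEdit=true."""
    return any("SOLR_OPTS" in line and "-Ddisable.configEdit=true" in line
               for line in env_content.splitlines()
               if not line.lstrip().startswith("#"))

if __name__ == "__main__":
    print(add_override(SAMPLE_SOLRCONFIG))
```

Running `is_mitigated` on a freshly downloaded config set after the upload confirms the override actually reached ZooKeeper.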
Issue Links
- is related to
  RANGER-1942 Disable xmlparser and configEdit API in Solr for Audit setup (Open)