SOLR-15451

SQL endpoint returns the wrong error when authenticated user doesn't have read access /admin/luke


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 9.0, 8.10
    • Component/s: Parallel SQL

    Description

      Note: This is not a security issue, it's a usability problem.

      Trying out the /sql HTTP endpoint on a basic-auth enabled cluster. My user didn't have read access to the /admin/luke endpoint for all collections being queried and got an unhelpful message like:

      {
        "result-set":{
          "docs":[{
              "EXCEPTION":"Failed to execute sqlQuery 'SELECT count(*) FROM sop2 WHERE boolean1_b = 'true' LIMIT 10' against JDBC connection 'jdbc:calcitesolr:'.\nError while executing SQL \"SELECT count(*) FROM sop2 WHERE boolean1_b = 'true' LIMIT 10\": org.apache.solr.client.solrj.SolrServerException: No live SolrServers available to handle this request:[http://dev-solrcloud-0.dev:80/solr/sop2, http://dev-solrcloud-1.dev:80/solr/sop2]",
              "EOF":true,
              "RESPONSE_TIME":33}]}}
      

      In the server logs, I see:

      Caused by: java.lang.RuntimeException: org.apache.solr.client.solrj.SolrServerException: No live SolrServers available to handle this request:[http://dev-solrcloud-0.dev:80/solr/sop2, http://dev-solrcloud-1.dev:80/solr/sop2]
      	at org.apache.solr.handler.sql.SolrSchema.getFieldInfo(SolrSchema.java:102)
      	at org.apache.solr.handler.sql.SolrSchema.getRelDataType(SolrSchema.java:112)
      	at org.apache.solr.handler.sql.SolrTable.getRowType(SolrTable.java:82)
      

      Once I granted the following permission to the user, the query worked:

            {
              "name":"queryluke",
              "path":"/admin/luke",
              "collection":"*",
              "role":["users", "admin"]
            }
      

      I'm thinking the solution is to execute the getFieldInfo request (in SolrSchema) from a server thread that authenticates via the PKI plugin instead of having to grant this permission to the user explicitly. Users may not want to give access to /admin/luke to end users just for executing SQL.
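An added example, not code from the issue or from Solr itself: a small Python model of how the RuleBasedAuthorizationPlugin picks the first matching permission in security.json, used to check where the reporter's "queryluke" permission has to sit for a non-admin user to reach /admin/luke. The user names ("solr", "alice"), the "users" role assignment and the collection name are constructed for the example, and the matcher is a deliberate simplification (only the predefined "all" permission and path-based custom permissions are modelled).

```python
"""Simplified model of Solr's RuleBasedAuthorizationPlugin permission ordering.

Added example (not Solr code). Permissions are evaluated in order and the first
one that matches a request decides which roles are required; a request that
matches no permission is allowed by default. The sample users, roles and the
collection "sop2" are constructed for this example.
"""
import copy

# Constructed sample: a cluster where only the "admin" role may do anything.
BASE_AUTHZ = {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {"solr": ["admin"], "alice": ["users"]},
    "permissions": [
        {"name": "security-edit", "role": "admin"},
        {"name": "all", "role": "admin"},  # catch-all: everything else needs admin
    ],
}

# The permission granted in the issue; "collection": "*" means any collection.
QUERYLUKE = {
    "name": "queryluke",
    "path": "/admin/luke",
    "collection": "*",
    "role": ["users", "admin"],
}


def _as_list(value):
    """Solr accepts a string or a list for role/collection; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def permission_matches(perm, path, collection):
    """Simplified matcher: the predefined "all" permission matches every request;
    a custom permission matches on path and collection, where "*" (or an omitted
    collection) means any named collection. Other predefined permissions such as
    "security-edit" are not modelled and therefore never match here."""
    if perm.get("name") == "all" and "path" not in perm:
        return True
    if perm.get("path") != path:
        return False
    allowed = _as_list(perm.get("collection", "*"))
    return "*" in allowed or collection in allowed


def required_roles(authz, path, collection):
    """Return the role list of the FIRST matching permission, or None when
    nothing matches (the plugin then allows the request by default)."""
    for perm in authz["permissions"]:
        if permission_matches(perm, path, collection):
            return _as_list(perm.get("role"))
    return None


def is_allowed(authz, user, path, collection):
    """Allowed when no rule applies, or when the user holds a required role."""
    user_roles = set(_as_list(authz["user-role"].get(user)))
    needed = required_roles(authz, path, collection)
    if needed is None:
        return True
    return bool(user_roles & set(needed))


def with_permission(authz, perm, before_name="all"):
    """Copy authz with perm inserted before the permission named before_name
    (appended when no such name exists). Appending after "all" is useless:
    "all" has already matched, so the new rule is never reached."""
    new = copy.deepcopy(authz)
    perms = new["permissions"]
    idx = next((i for i, p in enumerate(perms) if p.get("name") == before_name),
               len(perms))
    perms.insert(idx, copy.deepcopy(perm))
    return new


def demo():
    """The issue's situation: the SQL handler fetches field info through
    /admin/luke for the queried collection, so 'alice' must be allowed there."""
    appended = with_permission(BASE_AUTHZ, QUERYLUKE, before_name="does-not-exist")
    fixed = with_permission(BASE_AUTHZ, QUERYLUKE, before_name="all")
    return {
        "before": is_allowed(BASE_AUTHZ, "alice", "/admin/luke", "sop2"),
        "appended_after_all": is_allowed(appended, "alice", "/admin/luke", "sop2"),
        "inserted_before_all": is_allowed(fixed, "alice", "/admin/luke", "sop2"),
        "admin_always": is_allowed(fixed, "solr", "/admin/luke", "sop2"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'allowed' if ok else 'denied'}")
```

The practical caveat this shows: a permission appended after a catch-all "all" entry is never evaluated, so when adding "queryluke" (by editing security.json or through the Authorization API) it has to be placed ahead of "all". It also makes the trade-off concrete: the workaround grants every user in the "users" role Luke access on every collection, which is exactly the wider grant the reporter would rather avoid by having the server make that call itself.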

People

  Assignee: Timothy Potter (thelabdude)
  Reporter: Timothy Potter (thelabdude)
  Votes: 0
  Watchers: 4

Time Tracking

  Original Estimate: Not Specified
  Remaining Estimate: 0h
  Time Spent: 1h 40m