Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- None
Description
Note: This is not a security issue, it's a usability problem.
Trying out the /sql HTTP endpoint on a basic-auth enabled cluster. My user didn't have read access to the /admin/luke endpoint for all collections being queried and got an unhelpful message like:
{
  "result-set":{
    "docs":[{
      "EXCEPTION":"Failed to execute sqlQuery 'SELECT count(*) FROM sop2 WHERE boolean1_b = 'true' LIMIT 10' against JDBC connection 'jdbc:calcitesolr:'.\nError while executing SQL \"SELECT count(*) FROM sop2 WHERE boolean1_b = 'true' LIMIT 10\": org.apache.solr.client.solrj.SolrServerException: No live SolrServers available to handle this request:[http://dev-solrcloud-0.dev:80/solr/sop2, http://dev-solrcloud-1.dev:80/solr/sop2]",
      "EOF":true,
      "RESPONSE_TIME":33}]}}
In the server logs, I see:
Caused by: java.lang.RuntimeException: org.apache.solr.client.solrj.SolrServerException: No live SolrServers available to handle this request:[http://dev-solrcloud-0.dev:80/solr/sop2, http://dev-solrcloud-1.dev:80/solr/sop2]
    at org.apache.solr.handler.sql.SolrSchema.getFieldInfo(SolrSchema.java:102)
    at org.apache.solr.handler.sql.SolrSchema.getRelDataType(SolrSchema.java:112)
    at org.apache.solr.handler.sql.SolrTable.getRowType(SolrTable.java:82)
Once I granted the following permission to the user, the query worked:
{ "name":"queryluke", "path":"/admin/luke", "collection":"*", "role":["users", "admin"] }
I'm thinking the solution is to execute the getFieldInfo request (in SolrSchema) from a server thread that authenticates via the PKI plugin instead of having to grant this permission to the user explicitly. Users may not want to give access to /admin/luke to end users just for executing SQL.
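A pre-flight check for the failure described above, as an added example that is not part of the original issue or of Solr's code: it lists users who may call /sql on a collection but would be refused on /admin/luke. The sample security.json, the user names, the function names, and the simplified first-match evaluation (only the `all` rule and exact custom paths; other predefined permissions are ignored) are assumptions.

```python
import json

# Constructed "authorization" section (sample data, not taken from the issue's cluster),
# using the issue's "queryluke" permission ahead of a catch-all "all" rule.
SECURITY_JSON = """
{"authorization": {
  "permissions": [
    {"name": "queryluke", "path": "/admin/luke", "collection": "*", "role": ["users", "admin"]},
    {"name": "sql", "path": "/sql", "collection": "*", "role": ["users", "analysts", "admin"]},
    {"name": "all", "role": "admin"}
  ],
  "user-role": {"alice": ["users"], "bob": ["analysts"], "root": ["admin"]}
}}
"""
AUTHZ = json.loads(SECURITY_JSON)["authorization"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed(authz, user, collection, path):
    """Simplified model: the first matching rule in list order decides the request."""
    roles = set(_as_list(authz["user-role"].get(user, [])))
    for perm in authz["permissions"]:
        if perm.get("name") != "all":  # "all" matches every request
            if "path" not in perm or path not in _as_list(perm["path"]):
                continue  # exact path match only (assumption: no wildcard paths)
            cols = _as_list(perm.get("collection", "*"))
            if "*" not in cols and collection not in cols:
                continue
        if perm.get("role") is None:
            return True  # rule without a role restriction
        wanted = _as_list(perm["role"])
        return "*" in wanted or bool(roles & set(wanted))
    return True  # no rule matched, so the request is not restricted

def sql_blocked_by_luke(authz, collection):
    """Users who can reach /sql on `collection` but not /admin/luke."""
    return sorted(u for u in authz["user-role"]
                  if allowed(authz, u, collection, "/sql")
                  and not allowed(authz, u, collection, "/admin/luke"))

if __name__ == "__main__":
    for user in sql_blocked_by_luke(AUTHZ, "sop2"):
        print(f"{user}: /sql allowed, /admin/luke denied; SQL queries on sop2 will fail")
```
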
Issue Links
- causes: SOLR-16929 SolrStream propagates undecoded error message (Closed)