Details
- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Done
Description
A lot of security questions arise from various options to add custom libraries via a solrconfig.xml. When using the recommended Solr auth plugin, a user requires the config-edit permission to edit this file. And custom libraries will only be used when the solrconfig is trusted by Solr.
Right now the config-edit permission documentation does not explicitly spell out that the permission gives users the ability to install any custom library to Solr. We should fix this to reduce confusion around RCEs.
With our Antora docs, I suggest we backport this documentation change to 9.0 and 9.1, and also update 8.11 for the next patch release.
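An added example, not part of the issue or of Solr's code: a small audit that reads a `security.json` for the rule-based authorization plugin and lists which roles and users hold `config-edit`, and therefore the ability to load custom libraries. The sample file and its user and role names are constructed. As assumptions, it considers only the predefined `config-edit` and `all` permissions, lets the first such rule in file order decide, and treats a missing rule or a null role as unrestricted.

```python
import json

# Constructed sample security.json; users and roles are made up for illustration.
SAMPLE = """
{
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "read", "role": "*"},
      {"name": "config-edit", "role": ["admin", "devops"]},
      {"name": "all", "role": "admin"}
    ],
    "user-role": {"alice": "admin", "bob": ["devops", "search"], "carol": "search"}
  }
}
"""

def config_edit_holders(security_json):
    """Return (roles, users) able to edit solrconfig.xml, i.e. to add custom libraries.

    Assumption: custom permissions that match config paths are not evaluated;
    only the predefined "config-edit" and "all" names are checked.
    """
    authz = json.loads(security_json).get("authorization", {})
    # First rule in file order that covers config edits.
    rule = next((p for p in authz.get("permissions", [])
                 if p.get("name") in ("config-edit", "all")), None)
    # Normalise user-role values: a role may be a string or a list.
    user_roles = {u: ([r] if isinstance(r, str) else list(r or []))
                  for u, r in authz.get("user-role", {}).items()}
    if rule is None or rule.get("role") is None:
        # Assumption: no covering rule, or a null role, leaves config edits open.
        return {"<unrestricted>"}, set(user_roles)
    roles = rule["role"]
    roles = {roles} if isinstance(roles, str) else set(roles)
    if "*" in roles:
        # "*" is taken to mean any authenticated user, whatever roles they hold.
        return roles, set(user_roles)
    users = {u for u, rs in user_roles.items() if roles & set(rs)}
    return roles, users

if __name__ == "__main__":
    roles, users = config_edit_holders(SAMPLE)
    print("roles with config-edit:", sorted(roles))
    print("users who can install custom libraries:", sorted(users))
```

Every user the audit reports should be reviewed as someone trusted to run code on the Solr nodes, not only to tune configuration.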