Disabling jvm properties from ui

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

Disabling jvm properties from ui

Naveen M-2
Hi,

Is there a way to disable jvm properties from the solr UI.

It has some information which we don’t want to expose. Any pointers would
be helpful.


Thanks
Reply | Threaded
Open this post in threaded view
|

Re: Disabling jvm properties from ui

Gus Heck
This sounds like an X Y problem <http://xyproblem.info/>. Why do you want
to do that? Can you give more detail. What sort of information is exposed
that you don't want someone to see, and who is that someone? Particularly,
how is it they can use the admin UI which has the ability to delete all
your indexes, yet there's a system property you don't want to expose?

On Wed, Nov 7, 2018 at 2:51 PM Naveen M <[hidden email]> wrote:

> Hi,
>
> Is there a way to disable jvm properties from the solr UI.
>
> It has some information which we don’t want to expose. Any pointers would
> be helpful.
>
>
> Thanks
>


--
http://www.the111shift.com
Reply | Threaded
Open this post in threaded view
|

Solr custom UpdateRequestProcessor error

Vidhya Kailash
In reply to this post by Naveen M-2
Any idea why I am getting this error inspite of the following:

I have the customupdateprocessor jar in contrib/customupdate/lib directory
I have the solrconfig.xml with the lib directives to this jar as well as
solr-core.jar

and I see those jars being loaded on startup in the logs:

2018-11-08 01:04:17.929 INFO  (coreLoadExecutor-9-thread-3) [   x:reviews]
o.a.s.c.SolrResourceLoader [reviews] Added 58 libs to classloader, from
paths: [/.../solr-7.5.0/contrib/clustering/lib,
.../solr-7.5.0/contrib/extraction/lib,
.../solr-7.5.0/contrib/hotelreviews/lib, .../solr-7.5.0/contrib/langid/lib,
.../solr-7.5.0/contrib/velocity/lib, .../solr-7.5.0/dist]


inspite of these I get the following exception:


Caused by: java.lang.NoClassDefFoundError:
org/apache/solr/update/processor/UpdateRequestProcessorFactory$RunAlways

        at java.lang.ClassLoader.defineClass1(Native Method) ~[?:1.8.0_161]

        at java.lang.ClassLoader.defineClass(ClassLoader.java:763)
~[?:1.8.0_161]

        at
java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
~[?:1.8.0_161]

        at java.net.URLClassLoader.defineClass(URLClassLoader.java:467)
~[?:1.8.0_161]

        at java.net.URLClassLoader.access$100(URLClassLoader.java:73)
~[?:1.8.0_161]

        at java.net.URLClassLoader$1.run(URLClassLoader.java:368)
~[?:1.8.0_161]

        at java.net.URLClassLoader$1.run(URLClassLoader.java:362)
~[?:1.8.0_161]

        at java.security.AccessController.doPrivileged(Native Method)
~[?:1.8.0_161]

        at java.net.URLClassLoader.findClass(URLClassLoader.java:361)
~[?:1.8.0_161]

        at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
~[?:1.8.0_161]

        at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
~[?:1.8.0_161]

        at
org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:565)
~[jetty-webapp-9.4.11.v20180605.jar:9.4.11.v20180605]

        at java.lang.ClassLoader.loadClass(ClassLoader.java:411)
~[?:1.8.0_161]

        at
java.net.FactoryURLClassLoader.loadClass(URLClassLoader.java:814)
~[?:1.8.0_161]

        at java.lang.ClassLoader.loadClass(ClassLoader.java:411)
~[?:1.8.0_161]

        at
java.net.FactoryURLClassLoader.loadClass(URLClassLoader.java:814)
~[?:1.8.0_161]

        at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
~[?:1.8.0_161]

        at java.lang.Class.forName0(Native Method) ~[?:1.8.0_161]

        at java.lang.Class.forName(Class.java:348) ~[?:1.8.0_161]

        at
org.apache.solr.core.SolrResourceLoader.findClass(SolrResourceLoader.java:541)
~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
jimczi - 2018-09-18 13:07:55]

        at
org.apache.solr.core.SolrResourceLoader.findClass(SolrResourceLoader.java:488)
~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
jimczi - 2018-09-18 13:07:55]

        at org.apache.solr.core.SolrCore.createInstance(SolrCore.java:792)
~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
jimczi - 2018-09-18 13:07:55]

        at
org.apache.solr.core.SolrCore.createInitInstance(SolrCore.java:848)
~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
jimczi - 2018-09-18 13:07:55]

        at org.apache.solr.core.SolrCore.initPlugins(SolrCore.java:2810)
~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
jimczi - 2018-09-18 13:07:55]

        at
org.apache.solr.update.processor.UpdateRequestProcessorChain.init(UpdateRequestProcessorChain.java:130)
~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
jimczi - 2018-09-18 13:07:55]

        at
org.apache.solr.core.SolrCore.createInitInstance(SolrCore.java:850)
~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
jimczi - 2018-09-18 13:07:55]

        at org.apache.solr.core.SolrCore.initPlugins(SolrCore.java:2785)
~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
jimczi - 2018-09-18 13:07:55]

        at org.apache.solr.core.SolrCore.initPlugins(SolrCore.java:2779)
~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
jimczi - 2018-09-18 13:07:55]

        at
org.apache.solr.core.SolrCore.loadUpdateProcessorChains(SolrCore.java:1430)
~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
jimczi - 2018-09-18 13:07:55]

        at org.apache.solr.core.SolrCore.<init>(SolrCore.java:970)
~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
jimczi - 2018-09-18 13:07:55]

        at org.apache.solr.core.SolrCore.<init>(SolrCore.java:869)
~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
jimczi - 2018-09-18 13:07:55]

        at
org.apache.solr.core.CoreContainer.createFromDescriptor(CoreContainer.java:1138)
~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
jimczi - 2018-09-18 13:07:55]

        ... 7 more

Caused by: java.lang.ClassNotFoundException:
org.apache.solr.update.processor.UpdateRequestProcessorFactory$RunAlways

        at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
~[?:1.8.0_161]
Reply | Threaded
Open this post in threaded view
|

Re: Disabling jvm properties from ui

Jan Høydahl / Cominvent
In reply to this post by Naveen M-2
It's not documented in the Ref Guide, but you can set this system property to fix it:

SOLR_OPTS="-Dsolr.redaction.system.pattern=(.*password.*|.*your-own-regex.*)"

Then the property will show as --REDACTED— in the UI.

Note that the property still will leak through /solr/admin/metrics and you need to add the same exclusion in solr.xml, see https://lucene.apache.org/solr/guide/7_5/metrics-reporting.html#the-metrics-hiddensysprops-element 

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

> 7. nov. 2018 kl. 20:51 skrev Naveen M <[hidden email]>:
>
> Hi,
>
> Is there a way to disable jvm properties from the solr UI.
>
> It has some information which we don’t want to expose. Any pointers would
> be helpful.
>
>
> Thanks

Reply | Threaded
Open this post in threaded view
|

Re: Disabling jvm properties from ui

Gus Heck
That's an interesting feature, and it addresses X, but there are lots of
ways to discover system properties. In a managed schema, enter a field name
${java.version} and you'll get a field named 1.8.0_144 (or whatever). I
still think it's important to address Y they are trying to hide the system
properties from someone they have placed their trust in already.

On Thu, Nov 8, 2018 at 1:16 PM Jan Høydahl <[hidden email]> wrote:

> It's not documented in the Ref Guide, but you can set this system property
> to fix it:
>
>
> SOLR_OPTS="-Dsolr.redaction.system.pattern=(.*password.*|.*your-own-regex.*)"
>
> Then the property will show as --REDACTED— in the UI.
>
> Note that the property still will leak through /solr/admin/metrics and you
> need to add the same exclusion in solr.xml, see
> https://lucene.apache.org/solr/guide/7_5/metrics-reporting.html#the-metrics-hiddensysprops-element
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.cominvent.com
>
> > 7. nov. 2018 kl. 20:51 skrev Naveen M <[hidden email]>:
> >
> > Hi,
> >
> > Is there a way to disable jvm properties from the solr UI.
> >
> > It has some information which we don’t want to expose. Any pointers would
> > be helpful.
> >
> >
> > Thanks
>
>

--
http://www.the111shift.com
Reply | Threaded
Open this post in threaded view
|

Re: Solr custom UpdateRequestProcessor error

Erick Erickson
In reply to this post by Vidhya Kailash
contrib/customupdate/lib

is not mentioned in the snippet you showed, is it mentioned elsewhere?

You say:
I have the solrconfig.xml with the lib directives to this jar as well as
solr-core.jar

If you have an independent path to solr-core.jar, I'd take it out as
it's automatically loaded.

And what's with solr.net? That's not what I expect at all. Is your
custom code in solr.net? If it's
a custom jar  that you're trying to load into Solr, solr.net shouldn't
be referenced at all
since all the Solr code is in Java so I'm really confused about what
you're trying to do and
how things are set up.

Best,
Erick
On Thu, Nov 8, 2018 at 10:15 AM Vidhya Kailash <[hidden email]> wrote:

>
> Any idea why I am getting this error inspite of the following:
>
> I have the customupdateprocessor jar in contrib/customupdate/lib directory
> I have the solrconfig.xml with the lib directives to this jar as well as
> solr-core.jar
>
> and I see those jars being loaded on startup in the logs:
>
> 2018-11-08 01:04:17.929 INFO  (coreLoadExecutor-9-thread-3) [   x:reviews]
> o.a.s.c.SolrResourceLoader [reviews] Added 58 libs to classloader, from
> paths: [/.../solr-7.5.0/contrib/clustering/lib,
> .../solr-7.5.0/contrib/extraction/lib,
> .../solr-7.5.0/contrib/hotelreviews/lib, .../solr-7.5.0/contrib/langid/lib,
> .../solr-7.5.0/contrib/velocity/lib, .../solr-7.5.0/dist]
>
>
> inspite of these I get the following exception:
>
>
> Caused by: java.lang.NoClassDefFoundError:
> org/apache/solr/update/processor/UpdateRequestProcessorFactory$RunAlways
>
>         at java.lang.ClassLoader.defineClass1(Native Method) ~[?:1.8.0_161]
>
>         at java.lang.ClassLoader.defineClass(ClassLoader.java:763)
> ~[?:1.8.0_161]
>
>         at
> java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
> ~[?:1.8.0_161]
>
>         at java.net.URLClassLoader.defineClass(URLClassLoader.java:467)
> ~[?:1.8.0_161]
>
>         at java.net.URLClassLoader.access$100(URLClassLoader.java:73)
> ~[?:1.8.0_161]
>
>         at java.net.URLClassLoader$1.run(URLClassLoader.java:368)
> ~[?:1.8.0_161]
>
>         at java.net.URLClassLoader$1.run(URLClassLoader.java:362)
> ~[?:1.8.0_161]
>
>         at java.security.AccessController.doPrivileged(Native Method)
> ~[?:1.8.0_161]
>
>         at java.net.URLClassLoader.findClass(URLClassLoader.java:361)
> ~[?:1.8.0_161]
>
>         at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
> ~[?:1.8.0_161]
>
>         at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
> ~[?:1.8.0_161]
>
>         at
> org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:565)
> ~[jetty-webapp-9.4.11.v20180605.jar:9.4.11.v20180605]
>
>         at java.lang.ClassLoader.loadClass(ClassLoader.java:411)
> ~[?:1.8.0_161]
>
>         at
> java.net.FactoryURLClassLoader.loadClass(URLClassLoader.java:814)
> ~[?:1.8.0_161]
>
>         at java.lang.ClassLoader.loadClass(ClassLoader.java:411)
> ~[?:1.8.0_161]
>
>         at
> java.net.FactoryURLClassLoader.loadClass(URLClassLoader.java:814)
> ~[?:1.8.0_161]
>
>         at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
> ~[?:1.8.0_161]
>
>         at java.lang.Class.forName0(Native Method) ~[?:1.8.0_161]
>
>         at java.lang.Class.forName(Class.java:348) ~[?:1.8.0_161]
>
>         at
> org.apache.solr.core.SolrResourceLoader.findClass(SolrResourceLoader.java:541)
> ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
> jimczi - 2018-09-18 13:07:55]
>
>         at
> org.apache.solr.core.SolrResourceLoader.findClass(SolrResourceLoader.java:488)
> ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
> jimczi - 2018-09-18 13:07:55]
>
>         at org.apache.solr.core.SolrCore.createInstance(SolrCore.java:792)
> ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
> jimczi - 2018-09-18 13:07:55]
>
>         at
> org.apache.solr.core.SolrCore.createInitInstance(SolrCore.java:848)
> ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
> jimczi - 2018-09-18 13:07:55]
>
>         at org.apache.solr.core.SolrCore.initPlugins(SolrCore.java:2810)
> ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
> jimczi - 2018-09-18 13:07:55]
>
>         at
> org.apache.solr.update.processor.UpdateRequestProcessorChain.init(UpdateRequestProcessorChain.java:130)
> ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
> jimczi - 2018-09-18 13:07:55]
>
>         at
> org.apache.solr.core.SolrCore.createInitInstance(SolrCore.java:850)
> ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
> jimczi - 2018-09-18 13:07:55]
>
>         at org.apache.solr.core.SolrCore.initPlugins(SolrCore.java:2785)
> ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
> jimczi - 2018-09-18 13:07:55]
>
>         at org.apache.solr.core.SolrCore.initPlugins(SolrCore.java:2779)
> ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
> jimczi - 2018-09-18 13:07:55]
>
>         at
> org.apache.solr.core.SolrCore.loadUpdateProcessorChains(SolrCore.java:1430)
> ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
> jimczi - 2018-09-18 13:07:55]
>
>         at org.apache.solr.core.SolrCore.<init>(SolrCore.java:970)
> ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
> jimczi - 2018-09-18 13:07:55]
>
>         at org.apache.solr.core.SolrCore.<init>(SolrCore.java:869)
> ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
> jimczi - 2018-09-18 13:07:55]
>
>         at
> org.apache.solr.core.CoreContainer.createFromDescriptor(CoreContainer.java:1138)
> ~[solr-core-7.5.0.jar:7.5.0 b5bf70b7e32d7ddd9742cc821d471c5fabd4e3df -
> jimczi - 2018-09-18 13:07:55]
>
>         ... 7 more
>
> Caused by: java.lang.ClassNotFoundException:
> org.apache.solr.update.processor.UpdateRequestProcessorFactory$RunAlways
>
>         at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
> ~[?:1.8.0_161]
Reply | Threaded
Open this post in threaded view
|

Re: Disabling jvm properties from ui

Jan Høydahl / Cominvent
In reply to this post by Gus Heck
Yes, it is important to understand that only trusted clients and persons should be given access to Solr's port.

But it may stil be surprising to users that e.g. passwords to a DB or SSL keystore is available over HTTP when there is no need for them at the client side. I'm not saying itis a bug, but may be surprising. So I think we should continue step by step to address these and have Solr behave after the principle of least surprise, thus the discussion in https://issues.apache.org/jira/browse/SOLR-12976

After locking down secrets as good as possible, the next logical step would be to couple Solr's Authentication/Authorization feature to this, so that if a client has a role with the read/edit securityconfig permission, then she could be allowed to see those properties. So far the authorization is true/false based on handler/HTTPMethod meaning we'd have to add a new /solr/admin/info/system/secrets/ handler which could return those hidden props. But there may not be a need to retrieve these on API level at all.

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

> 8. nov. 2018 kl. 19:54 skrev Gus Heck <[hidden email]>:
>
> That's an interesting feature, and it addresses X, but there are lots of
> ways to discover system properties. In a managed schema, enter a field name
> ${java.version} and you'll get a field named 1.8.0_144 (or whatever). I
> still think it's important to address Y they are trying to hide the system
> properties from someone they have placed their trust in already.
>
> On Thu, Nov 8, 2018 at 1:16 PM Jan Høydahl <[hidden email]> wrote:
>
>> It's not documented in the Ref Guide, but you can set this system property
>> to fix it:
>>
>>
>> SOLR_OPTS="-Dsolr.redaction.system.pattern=(.*password.*|.*your-own-regex.*)"
>>
>> Then the property will show as --REDACTED— in the UI.
>>
>> Note that the property still will leak through /solr/admin/metrics and you
>> need to add the same exclusion in solr.xml, see
>> https://lucene.apache.org/solr/guide/7_5/metrics-reporting.html#the-metrics-hiddensysprops-element
>>
>> --
>> Jan Høydahl, search solution architect
>> Cominvent AS - www.cominvent.com
>>
>>> 7. nov. 2018 kl. 20:51 skrev Naveen M <[hidden email]>:
>>>
>>> Hi,
>>>
>>> Is there a way to disable jvm properties from the solr UI.
>>>
>>> It has some information which we don’t want to expose. Any pointers would
>>> be helpful.
>>>
>>>
>>> Thanks
>>
>>
>
> --
> http://www.the111shift.com