SOLR-13984: add (experimental, disabled by default) security manager support (#1082)
* SOLR-13984: add (experimental, disabled by default) security manager support. Users can set SOLR_SECURITY_MANAGER_ENABLED=true to enable the security manager at runtime. The policy file currently used by tests is moved to solr/server. Additional permissions are granted for the filesystem locations set by bin/solr, and networking is enabled everywhere. This takes advantage of the fact that permission entries are ignored if the referenced properties are not defined: https://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html#PropertyExp
parent
27840562a6
commit
126d6b7767
|
@ -715,7 +715,7 @@ function jetty_port() {
|
|||
function run_tool() {
|
||||
|
||||
"$JAVA" $SOLR_SSL_OPTS $AUTHC_OPTS $SOLR_ZK_CREDS_AND_ACLS -Dsolr.install.dir="$SOLR_TIP" \
|
||||
-Dlog4j.configurationFile="file:$DEFAULT_SERVER_DIR/resources/log4j2-console.xml" \
|
||||
-Dlog4j.configurationFile="$DEFAULT_SERVER_DIR/resources/log4j2-console.xml" \
|
||||
-classpath "$DEFAULT_SERVER_DIR/solr-webapp/webapp/WEB-INF/lib/*:$DEFAULT_SERVER_DIR/lib/ext/*:$DEFAULT_SERVER_DIR/lib/*" \
|
||||
org.apache.solr.util.SolrCLI "$@"
|
||||
|
||||
|
@ -1951,7 +1951,7 @@ fi
|
|||
|
||||
LOG4J_CONFIG=()
|
||||
if [ -n "$LOG4J_PROPS" ]; then
|
||||
LOG4J_CONFIG+=("-Dlog4j.configurationFile=file:$LOG4J_PROPS")
|
||||
LOG4J_CONFIG+=("-Dlog4j.configurationFile=$LOG4J_PROPS")
|
||||
fi
|
||||
|
||||
if [ "$SCRIPT_CMD" == "stop" ]; then
|
||||
|
@ -2080,6 +2080,16 @@ else
|
|||
REMOTE_JMX_OPTS=()
|
||||
fi
|
||||
|
||||
# Enable java security manager (limiting filesystem access and other things)
|
||||
if [ "$SOLR_SECURITY_MANAGER_ENABLED" == "true" ]; then
|
||||
SECURITY_MANAGER_OPTS=('-Djava.security.manager' \
|
||||
"-Djava.security.policy=${SOLR_SERVER_DIR}/etc/security.policy" \
|
||||
"-Djava.security.properties=${SOLR_SERVER_DIR}/etc/security.properties" \
|
||||
'-Dsolr.internal.network.permission=*')
|
||||
else
|
||||
SECURITY_MANAGER_OPTS=()
|
||||
fi
|
||||
|
||||
JAVA_MEM_OPTS=()
|
||||
if [ -z "$SOLR_HEAP" ] && [ -n "$SOLR_JAVA_MEM" ]; then
|
||||
JAVA_MEM_OPTS=($SOLR_JAVA_MEM)
|
||||
|
@ -2189,7 +2199,7 @@ function start_solr() {
|
|||
"-Djetty.port=$SOLR_PORT" "-DSTOP.PORT=$stop_port" "-DSTOP.KEY=$STOP_KEY" \
|
||||
"${SOLR_HOST_ARG[@]}" "-Duser.timezone=$SOLR_TIMEZONE" \
|
||||
"-Djetty.home=$SOLR_SERVER_DIR" "-Dsolr.solr.home=$SOLR_HOME" "-Dsolr.data.home=$SOLR_DATA_HOME" "-Dsolr.install.dir=$SOLR_TIP" \
|
||||
"-Dsolr.default.confdir=$DEFAULT_CONFDIR" "${LOG4J_CONFIG[@]}" "${SOLR_OPTS[@]}")
|
||||
"-Dsolr.default.confdir=$DEFAULT_CONFDIR" "${LOG4J_CONFIG[@]}" "${SOLR_OPTS[@]}" "${SECURITY_MANAGER_OPTS[@]}")
|
||||
|
||||
if [ "$SOLR_MODE" == "solrcloud" ]; then
|
||||
IN_CLOUD_MODE=" in SolrCloud mode"
|
||||
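Review bot: `-Djava.security.policy=${SOLR_SERVER_DIR}/etc/security.policy` in the 2080 hunk uses a single `=`, which makes security.policy an addition to the JDK's default java.policy and the user's ~/.java.policy rather than a replacement, so grants from those files still apply to the Solr process; that matches the solr.in.sh comment but is not visible from the script, so the comment above the `if` should say so, e.g. `# single '=' augments the JDK default policy files; '==' would make security.policy the only policy`. The same distinction holds for `-Djava.security.properties=`, which overlays only the keys listed in security.properties. `-Dsolr.internal.network.permission=*` is hardcoded, so an operator who wants to narrow the SocketPermission in the policy must edit this script; reading it from an environment variable that defaults to `*` would keep the shipped behaviour while leaving that knob available. The `file:` prefix removed from the log4j properties in the 715 and 1951 hunks is presumably what lets `${log4j.configurationFile}` resolve to a plain path in the policy; a one-line comment at the `LOG4J_CONFIG` assignment would stop someone from restoring the prefix later.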
|
|
|
@ -1001,7 +1001,7 @@ set "EXAMPLE_DIR=%SOLR_TIP%\example"
|
|||
set TMP_SOLR_HOME=!SOLR_HOME:%EXAMPLE_DIR%=!
|
||||
IF NOT "%TMP_SOLR_HOME%"=="%SOLR_HOME%" (
|
||||
set "SOLR_LOGS_DIR=%SOLR_HOME%\..\logs"
|
||||
set "LOG4J_CONFIG=file:///%SOLR_SERVER_DIR%\resources\log4j2.xml"
|
||||
set "LOG4J_CONFIG=%SOLR_SERVER_DIR%\resources\log4j2.xml"
|
||||
)
|
||||
|
||||
set IS_RESTART=0
|
||||
|
@ -1175,6 +1175,14 @@ IF "%ENABLE_REMOTE_JMX_OPTS%"=="true" (
|
|||
set REMOTE_JMX_OPTS=
|
||||
)
|
||||
|
||||
REM Enable java security manager (limiting filesystem access and other things)
|
||||
IF "%SOLR_SECURITY_MANAGER_ENABLED%"=="true" (
|
||||
set SECURITY_MANAGER_OPTS=-Djava.security.manager ^
|
||||
-Djava.security.policy="%SOLR_SERVER_DIR%\etc\security.policy" ^
|
||||
-Djava.security.properties="%SOLR_SERVER_DIR%\etc\security.properties" ^
|
||||
-Dsolr.internal.network.permission=*
|
||||
)
|
||||
|
||||
IF NOT "%SOLR_HEAP%"=="" set SOLR_JAVA_MEM=-Xms%SOLR_HEAP% -Xmx%SOLR_HEAP%
|
||||
IF "%SOLR_JAVA_MEM%"=="" set SOLR_JAVA_MEM=-Xms512m -Xmx512m
|
||||
IF "%SOLR_JAVA_STACK_SIZE%"=="" set SOLR_JAVA_STACK_SIZE=-Xss256k
|
||||
|
@ -1267,6 +1275,7 @@ IF NOT "%REMOTE_JMX_OPTS%"=="" set "START_OPTS=%START_OPTS% %REMOTE_JMX_OPTS%"
|
|||
IF NOT "%SOLR_ADDL_ARGS%"=="" set "START_OPTS=%START_OPTS% %SOLR_ADDL_ARGS%"
|
||||
IF NOT "%SOLR_HOST_ARG%"=="" set "START_OPTS=%START_OPTS% %SOLR_HOST_ARG%"
|
||||
IF NOT "%SOLR_OPTS%"=="" set "START_OPTS=%START_OPTS% %SOLR_OPTS%"
|
||||
IF NOT "!SECURITY_MANAGER_OPTS!"=="" set "START_OPTS=%START_OPTS% !SECURITY_MANAGER_OPTS!"
|
||||
IF "%SOLR_SSL_ENABLED%"=="true" (
|
||||
set "SSL_PORT_PROP=-Dsolr.jetty.https.port=%SOLR_PORT%"
|
||||
set "START_OPTS=%START_OPTS% %SOLR_SSL_OPTS% !SSL_PORT_PROP!"
|
||||
|
@ -1278,7 +1287,7 @@ set SOLR_DATA_HOME_QUOTED="%SOLR_DATA_HOME%"
|
|||
|
||||
set "START_OPTS=%START_OPTS% -Dsolr.log.dir=%SOLR_LOGS_DIR_QUOTED%"
|
||||
IF NOT "%SOLR_DATA_HOME%"=="" set "START_OPTS=%START_OPTS% -Dsolr.data.home=%SOLR_DATA_HOME_QUOTED%"
|
||||
IF NOT DEFINED LOG4J_CONFIG set "LOG4J_CONFIG=file:///%SOLR_SERVER_DIR%\resources\log4j2.xml"
|
||||
IF NOT DEFINED LOG4J_CONFIG set "LOG4J_CONFIG=%SOLR_SERVER_DIR%\resources\log4j2.xml"
|
||||
|
||||
cd /d "%SOLR_SERVER_DIR%"
|
||||
|
||||
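Review bot: The `IF "%SOLR_SECURITY_MANAGER_ENABLED%"=="true" (` block in the 1175 hunk has no `ELSE` branch, unlike the bash version which resets `SECURITY_MANAGER_OPTS=()`, so a `SECURITY_MANAGER_OPTS` value inherited from the caller's environment is still appended to START_OPTS by the 1267 hunk when the feature is off. Closing the block with `) ELSE (` / `set SECURITY_MANAGER_OPTS=` / `)` makes the two launchers behave the same. The use of `!SECURITY_MANAGER_OPTS!` in the 1267 hunk differs from the `%...%` expansion used for the neighbouring variables; if delayed expansion is not required there, `%SECURITY_MANAGER_OPTS%` would be consistent with the surrounding lines.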
|
|
|
@ -188,3 +188,9 @@ REM For a visual indication in the Admin UI of what type of environment this clu
|
|||
REM a -Dsolr.environment property below. Valid values are prod, stage, test, dev, with an optional
|
||||
REM label or color, e.g. -Dsolr.environment=test,label=Functional+test,color=brown
|
||||
REM SOLR_OPTS="$SOLR_OPTS -Dsolr.environment=prod"
|
||||
|
||||
REM Runs solr in a java security manager sandbox. This can protect against some attacks.
|
||||
REM Runtime properties are passed to the security policy file (server\etc\security.policy)
|
||||
REM You can also tweak via standard JDK files such as ~\.java.policy, see https://s.apache.org/java8policy
|
||||
REM This is experimental! It may not work at all with Hadoop/HDFS features.
|
||||
REM set SOLR_SECURITY_MANAGER_ENABLED=false
|
||||
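Review bot: The example line `REM set SOLR_SECURITY_MANAGER_ENABLED=false` shows the default value, so uncommenting it changes nothing, whereas the other examples in this file show the value an operator would set to opt in; `REM set SOLR_SECURITY_MANAGER_ENABLED=true` would follow that convention. The same applies to `#SOLR_SECURITY_MANAGER_ENABLED=false` in solr.in.sh. The comment could also say that the property values passed to the policy are the ones assembled by bin\solr.cmd, so the sandbox only applies when Solr is started through that script, as far as this commit shows.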
|
|
|
@ -216,3 +216,9 @@
|
|||
# a -Dsolr.environment property below. Valid values are prod, stage, test, dev, with an optional
|
||||
# label or color, e.g. -Dsolr.environment=test,label=Functional+test,color=brown
|
||||
#SOLR_OPTS="$SOLR_OPTS -Dsolr.environment=prod"
|
||||
|
||||
# Runs solr in java security manager sandbox. This can protect against some attacks.
|
||||
# Runtime properties are passed to the security policy file (server/etc/security.policy)
|
||||
# You can also tweak via standard JDK files such as ~/.java.policy, see https://s.apache.org/java8policy
|
||||
# This is experimental! It may not work at all with Hadoop/HDFS features.
|
||||
#SOLR_SECURITY_MANAGER_ENABLED=false
|
||||
|
|
|
@ -38,7 +38,7 @@
|
|||
<property name="maven.dist.dir" location="${package.dir}/maven"/>
|
||||
<property name="lucene-libs" location="${dest}/lucene-libs" />
|
||||
<property name="tests.userdir" location="src/test-files"/>
|
||||
<property name="tests.policy" location="${common-solr.dir}/../lucene/tools/junit4/solr-tests.policy"/>
|
||||
<property name="tests.policy" location="${common-solr.dir}/server/etc/security.policy"/>
|
||||
<property name="server.dir" location="${common-solr.dir}/server" />
|
||||
<property name="example" location="${common-solr.dir}/example" />
|
||||
<property name="javadoc.dir" location="${dest}/docs"/>
|
||||
|
|
|
@ -15,8 +15,10 @@
|
|||
* limitations under the License.
|
||||
*/
|
||||
|
||||
// Policy file for solr tests. Please keep minimal and avoid wildcards.
|
||||
// Policy file for solr. Please keep minimal and avoid wildcards.
|
||||
|
||||
// permissions needed for tests to pass, based on properties set by the build system
|
||||
// NOTE: if the property is not set, the permission entry is ignored.
|
||||
grant {
|
||||
// contain read access to only what we need:
|
||||
// 3rd party jar resources (where symlinks are not supported), test-files/ resources
|
||||
|
@ -163,3 +165,39 @@ grant {
|
|||
// used by solr to create sandboxes (e.g. script execution)
|
||||
permission java.security.SecurityPermission "createAccessControlContext";
|
||||
};
|
||||
|
||||
// additional permissions based on system properties set by /bin/solr
|
||||
// NOTE: if the property is not set, the permission entry is ignored.
|
||||
grant {
|
||||
permission java.io.FilePermission "${hadoop.security.credential.provider.path}", "read,write,delete,readlink";
|
||||
permission java.io.FilePermission "${hadoop.security.credential.provider.path}${/}-", "read,write,delete,readlink";
|
||||
|
||||
permission java.io.FilePermission "${solr.jetty.keystore}", "read,write,delete,readlink";
|
||||
permission java.io.FilePermission "${solr.jetty.keystore}${/}-", "read,write,delete,readlink";
|
||||
|
||||
permission java.io.FilePermission "${solr.jetty.truststore}", "read,write,delete,readlink";
|
||||
permission java.io.FilePermission "${solr.jetty.truststore}${/}-", "read,write,delete,readlink";
|
||||
|
||||
permission java.io.FilePermission "${solr.install.dir}", "read,write,delete,readlink";
|
||||
permission java.io.FilePermission "${solr.install.dir}${/}-", "read,write,delete,readlink";
|
||||
|
||||
permission java.io.FilePermission "${jetty.home}", "read,write,delete,readlink";
|
||||
permission java.io.FilePermission "${jetty.home}${/}-", "read,write,delete,readlink";
|
||||
|
||||
permission java.io.FilePermission "${solr.solr.home}", "read,write,delete,readlink";
|
||||
permission java.io.FilePermission "${solr.solr.home}${/}-", "read,write,delete,readlink";
|
||||
|
||||
permission java.io.FilePermission "${solr.data.home}", "read,write,delete,readlink";
|
||||
permission java.io.FilePermission "${solr.data.home}${/}-", "read,write,delete,readlink";
|
||||
|
||||
permission java.io.FilePermission "${solr.default.confdir}", "read,write,delete,readlink";
|
||||
permission java.io.FilePermission "${solr.default.confdir}${/}-", "read,write,delete,readlink";
|
||||
|
||||
permission java.io.FilePermission "${solr.log.dir}", "read,write,delete,readlink";
|
||||
permission java.io.FilePermission "${solr.log.dir}${/}-", "read,write,delete,readlink";
|
||||
|
||||
permission java.io.FilePermission "${log4j.configurationFile}", "read,write,delete,readlink";
|
||||
|
||||
// expanded to a wildcard if set, allows all networking everywhere
|
||||
permission java.net.SocketPermission "${solr.internal.network.permission}", "accept,listen,connect,resolve";
|
||||
};
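Review bot: Every FilePermission in the new `grant` block carries `"read,write,delete,readlink"`, including `${solr.jetty.keystore}`, `${solr.jetty.truststore}`, `${solr.default.confdir}` and `${log4j.configurationFile}`, although the file's own header asks to keep the policy minimal; the TLS stores and the logging configuration are only read at runtime, so `"read,readlink"` for those entries would stop a compromised process from rewriting its own keystore or logging configuration while leaving startup unaffected. The `${/}-` recursive entries for the keystore, truststore and credential-provider path only make sense when the property names a directory; for a single file they are harmless, but they silently widen the grant if the property is ever pointed at a directory, which deserves a comment. I cannot tell from the hunk whether `${solr.install.dir}` and `${jetty.home}` need write access (for example for webapp extraction), so those are best left as they are with a comment stating why.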
|
|
@ -0,0 +1,24 @@
|
|||
#
|
||||
# Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
# contributor license agreements. See the NOTICE file distributed with
|
||||
# this work for additional information regarding copyright ownership.
|
||||
# The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
# (the "License"); you may not use this file except in compliance with
|
||||
# the License. You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
# command-line security properties file
|
||||
#
|
||||
# By default, when enabling security manager, DNS lookups are cached indefinitely,
|
||||
# as protection against DNS spoofing. We set this back to the default (non-security-manager)
|
||||
# value of 30 seconds, to prevent surprising behavior (e.g. nodes in cloud environments without
|
||||
# static IP addresses). Users concerned about DNS spoofing should instead follow best practices:
|
||||
# populating solr.shardsWhitelist, enabling TLS, etc.
|
||||
networkaddress.cache.ttl=30
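Review bot: The override this file relies on only takes effect when the JDK's own java.security has `security.overridePropertiesFile=true` (the JDK default); on a JDK where that flag has been set to false, `-Djava.security.properties=` is ignored without any message and DNS results are cached for the JVM lifetime, so the header should carry `# NOTE: only honoured when security.overridePropertiesFile=true in the JDK's java.security`. The comment also describes positive lookups only; `networkaddress.cache.negative.ttl` keeps its JDK default regardless of the security manager, and saying so prevents someone from adding it here later.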
|