mirror of https://github.com/apache/lucene.git
SOLR-14014 Allow disabling AdminUI at launch (#1471)
parent
1783c4ad47
commit
6f775bfa69
|
@ -67,6 +67,10 @@ Other Changes
|
||||||
* SOLR-14412: Automatically set urlScheme to https when running secure solr with embedded zookeeper. (Mike Drob)
|
* SOLR-14412: Automatically set urlScheme to https when running secure solr with embedded zookeeper. (Mike Drob)
|
||||||
Do not erroneously set solr.jetty.https.port system property when running in http mode (Upendra Penegalapati)
|
Do not erroneously set solr.jetty.https.port system property when running in http mode (Upendra Penegalapati)
|
||||||
|
|
||||||
|
* SOLR-14014: Introducing a system property that allows users to disable the Admin UI, which is enabled by default.
|
||||||
|
If you have security concerns or other reasons to disable the Admin UI, you can modify `SOLR_ADMIN_UI_DISABLED`
|
||||||
|
`solr.in.sh`/`solr.in.cmd` at start. (marcussorealheis)
|
||||||
|
|
||||||
================== 8.6.0 ==================
|
================== 8.6.0 ==================
|
||||||
|
|
||||||
Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
|
Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
|
||||||
|
|
|
@ -2097,6 +2097,14 @@ else
|
||||||
SECURITY_MANAGER_OPTS=()
|
SECURITY_MANAGER_OPTS=()
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Enable ADMIN UI by default, and give the option for users to disable it
|
||||||
|
if [ "$SOLR_ADMIN_UI_DISABLED" == "true" ]; then
|
||||||
|
SOLR_ADMIN_UI="-DdisableAdminUI=true"
|
||||||
|
echo -e "ADMIN UI Disabled"
|
||||||
|
else
|
||||||
|
SOLR_ADMIN_UI="-DdisableAdminUI=false"
|
||||||
|
fi
|
||||||
|
|
||||||
JAVA_MEM_OPTS=()
|
JAVA_MEM_OPTS=()
|
||||||
if [ -z "$SOLR_HEAP" ] && [ -n "$SOLR_JAVA_MEM" ]; then
|
if [ -z "$SOLR_HEAP" ] && [ -n "$SOLR_JAVA_MEM" ]; then
|
||||||
JAVA_MEM_OPTS=($SOLR_JAVA_MEM)
|
JAVA_MEM_OPTS=($SOLR_JAVA_MEM)
|
||||||
|
@ -2208,7 +2216,7 @@ function start_solr() {
|
||||||
# users who don't care about useful error msgs can override in SOLR_OPTS with +OmitStackTraceInFastThrow
|
# users who don't care about useful error msgs can override in SOLR_OPTS with +OmitStackTraceInFastThrow
|
||||||
"${SOLR_HOST_ARG[@]}" "-Duser.timezone=$SOLR_TIMEZONE" "-XX:-OmitStackTraceInFastThrow" \
|
"${SOLR_HOST_ARG[@]}" "-Duser.timezone=$SOLR_TIMEZONE" "-XX:-OmitStackTraceInFastThrow" \
|
||||||
"-Djetty.home=$SOLR_SERVER_DIR" "-Dsolr.solr.home=$SOLR_HOME" "-Dsolr.data.home=$SOLR_DATA_HOME" "-Dsolr.install.dir=$SOLR_TIP" \
|
"-Djetty.home=$SOLR_SERVER_DIR" "-Dsolr.solr.home=$SOLR_HOME" "-Dsolr.data.home=$SOLR_DATA_HOME" "-Dsolr.install.dir=$SOLR_TIP" \
|
||||||
"-Dsolr.default.confdir=$DEFAULT_CONFDIR" "${LOG4J_CONFIG[@]}" "${SOLR_OPTS[@]}" "${SECURITY_MANAGER_OPTS[@]}")
|
"-Dsolr.default.confdir=$DEFAULT_CONFDIR" "${LOG4J_CONFIG[@]}" "${SOLR_OPTS[@]}" "${SECURITY_MANAGER_OPTS[@]}" "${SOLR_ADMIN_UI}")
|
||||||
|
|
||||||
if [ "$SOLR_MODE" == "solrcloud" ]; then
|
if [ "$SOLR_MODE" == "solrcloud" ]; then
|
||||||
IN_CLOUD_MODE=" in SolrCloud mode"
|
IN_CLOUD_MODE=" in SolrCloud mode"
|
||||||
|
|
|
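Review bot: The test `[ "$SOLR_ADMIN_UI_DISABLED" == "true" ]` matches only the exact lowercase string, so a value such as `True` or `TRUE` in solr.in.sh falls into the else branch and the Admin UI stays enabled with no message. `LoadAdminUiServlet` reads the property with `Boolean.parseBoolean`, which ignores case, so the script could pass the operator's value through, e.g. `SOLR_ADMIN_UI="-DdisableAdminUI=${SOLR_ADMIN_UI_DISABLED:-false}"`, or warn on any value other than true/false. The same exact-match comparison is in the solr.cmd hunk (`IF "%SOLR_ADMIN_UI_DISABLED%"=="true"`). The `echo -e "ADMIN UI Disabled"` line also appears to sit outside `start_solr`, so it may be printed for other subcommands too; the surrounding code is outside the hunk.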
@ -1199,6 +1199,13 @@ IF "%SOLR_SECURITY_MANAGER_ENABLED%"=="true" (
|
||||||
-Dsolr.internal.network.permission=*
|
-Dsolr.internal.network.permission=*
|
||||||
)
|
)
|
||||||
|
|
||||||
|
REM Enable ADMIN UI by default, and give the option for users to disable it
|
||||||
|
IF "%SOLR_ADMIN_UI_DISABLED%"=="true" (
|
||||||
|
set DISABLE_ADMIN_UI="true"
|
||||||
|
) else (
|
||||||
|
set DISABLE_ADMIN_UI="false"
|
||||||
|
)
|
||||||
|
|
||||||
IF NOT "%SOLR_HEAP%"=="" set SOLR_JAVA_MEM=-Xms%SOLR_HEAP% -Xmx%SOLR_HEAP%
|
IF NOT "%SOLR_HEAP%"=="" set SOLR_JAVA_MEM=-Xms%SOLR_HEAP% -Xmx%SOLR_HEAP%
|
||||||
IF "%SOLR_JAVA_MEM%"=="" set SOLR_JAVA_MEM=-Xms512m -Xmx512m
|
IF "%SOLR_JAVA_MEM%"=="" set SOLR_JAVA_MEM=-Xms512m -Xmx512m
|
||||||
IF "%SOLR_JAVA_STACK_SIZE%"=="" set SOLR_JAVA_STACK_SIZE=-Xss256k
|
IF "%SOLR_JAVA_STACK_SIZE%"=="" set SOLR_JAVA_STACK_SIZE=-Xss256k
|
||||||
|
@ -1288,6 +1295,7 @@ REM '-OmitStackTraceInFastThrow' ensures stack traces in errors,
|
||||||
REM users who don't care about useful error msgs can override in SOLR_OPTS with +OmitStackTraceInFastThrow
|
REM users who don't care about useful error msgs can override in SOLR_OPTS with +OmitStackTraceInFastThrow
|
||||||
set "START_OPTS=%START_OPTS% -XX:-OmitStackTraceInFastThrow"
|
set "START_OPTS=%START_OPTS% -XX:-OmitStackTraceInFastThrow"
|
||||||
set START_OPTS=%START_OPTS% !GC_TUNE! %GC_LOG_OPTS%
|
set START_OPTS=%START_OPTS% !GC_TUNE! %GC_LOG_OPTS%
|
||||||
|
set START_OPTS=%START_OPTS% -DdisableAdminUI=%DISABLE_ADMIN_UI%
|
||||||
IF NOT "!CLOUD_MODE_OPTS!"=="" set "START_OPTS=%START_OPTS% !CLOUD_MODE_OPTS!"
|
IF NOT "!CLOUD_MODE_OPTS!"=="" set "START_OPTS=%START_OPTS% !CLOUD_MODE_OPTS!"
|
||||||
IF NOT "!IP_ACL_OPTS!"=="" set "START_OPTS=%START_OPTS% !IP_ACL_OPTS!"
|
IF NOT "!IP_ACL_OPTS!"=="" set "START_OPTS=%START_OPTS% !IP_ACL_OPTS!"
|
||||||
IF NOT "%REMOTE_JMX_OPTS%"=="" set "START_OPTS=%START_OPTS% %REMOTE_JMX_OPTS%"
|
IF NOT "%REMOTE_JMX_OPTS%"=="" set "START_OPTS=%START_OPTS% %REMOTE_JMX_OPTS%"
|
||||||
|
|
|
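Review bot: `set DISABLE_ADMIN_UI="true"` stores the double quotes as part of the value, so the option appended later expands to `-DdisableAdminUI="true"`. The neighbouring lines use the `set "VAR=value"` form, and `set "DISABLE_ADMIN_UI=true"` / `set "DISABLE_ADMIN_UI=false"` would keep the quotes out of START_OPTS. Whether the quotes are stripped before the property reaches `Boolean.parseBoolean` is not visible here, so the unquoted value is the safer choice. Using `IF /I` for the comparison would also accept `True` and `TRUE`.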
@ -203,3 +203,8 @@ REM Runtime properties are passed to the security policy file (server\etc\securi
|
||||||
REM You can also tweak via standard JDK files such as ~\.java.policy, see https://s.apache.org/java8policy
|
REM You can also tweak via standard JDK files such as ~\.java.policy, see https://s.apache.org/java8policy
|
||||||
REM This is experimental! It may not work at all with Hadoop/HDFS features.
|
REM This is experimental! It may not work at all with Hadoop/HDFS features.
|
||||||
REM set SOLR_SECURITY_MANAGER_ENABLED=true
|
REM set SOLR_SECURITY_MANAGER_ENABLED=true
|
||||||
|
REM This variable provides you with the option to disable the Admin UI. if you uncomment the variable below and
|
||||||
|
REM change the value to true. The option is configured as a system property as defined in SOLR_START_OPTS in the start
|
||||||
|
REM scripts.
|
||||||
|
REM set SOLR_ADMIN_UI_DISABLED=false
|
||||||
|
|
||||||
|
|
|
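Review bot: The added comment is a sentence fragment and points to `SOLR_START_OPTS`, a name that does not appear in the script hunks of this commit (bin/solr adds `SOLR_ADMIN_UI` to the option list in `start_solr`, and solr.cmd appends to `START_OPTS`). Suggested wording: `REM Set SOLR_ADMIN_UI_DISABLED=true to disable the Admin UI; the start script passes it to Solr as -DdisableAdminUI.` Judging by the `LoadAdminUiServlet` change, the flag only stops that servlet from serving the page, so the comment should presumably also say that it does not replace authentication or network restrictions. The same text is added to solr.in.sh and needs the same correction.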
@ -234,4 +234,7 @@
|
||||||
# You can also tweak via standard JDK files such as ~/.java.policy, see https://s.apache.org/java8policy
|
# You can also tweak via standard JDK files such as ~/.java.policy, see https://s.apache.org/java8policy
|
||||||
# This is experimental! It may not work at all with Hadoop/HDFS features.
|
# This is experimental! It may not work at all with Hadoop/HDFS features.
|
||||||
#SOLR_SECURITY_MANAGER_ENABLED=true
|
#SOLR_SECURITY_MANAGER_ENABLED=true
|
||||||
|
# This variable provides you with the option to disable the Admin UI. if you uncomment the variable below and
|
||||||
|
# change the value to true. The option is configured as a system property as defined in SOLR_START_OPTS in the start
|
||||||
|
# scripts.
|
||||||
|
# SOLR_ADMIN_UI_DISABLED=false
|
||||||
|
|
|
@ -15,6 +15,13 @@
|
||||||
* limitations under the License.
|
* limitations under the License.
|
||||||
*/
|
*/
|
||||||
package org.apache.solr.servlet;
|
package org.apache.solr.servlet;
|
||||||
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
import javax.servlet.http.HttpServletResponse;
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.io.InputStream;
|
||||||
|
import java.io.OutputStreamWriter;
|
||||||
|
import java.io.Writer;
|
||||||
|
import java.nio.charset.StandardCharsets;
|
||||||
|
|
||||||
import org.apache.commons.io.IOUtils;
|
import org.apache.commons.io.IOUtils;
|
||||||
import org.apache.commons.io.output.CloseShieldOutputStream;
|
import org.apache.commons.io.output.CloseShieldOutputStream;
|
||||||
|
@ -24,15 +31,6 @@ import org.apache.solr.common.params.CommonParams;
|
||||||
import org.apache.solr.core.CoreContainer;
|
import org.apache.solr.core.CoreContainer;
|
||||||
import org.apache.solr.core.SolrCore;
|
import org.apache.solr.core.SolrCore;
|
||||||
|
|
||||||
import javax.servlet.http.HttpServletRequest;
|
|
||||||
import javax.servlet.http.HttpServletResponse;
|
|
||||||
|
|
||||||
import java.io.IOException;
|
|
||||||
import java.io.InputStream;
|
|
||||||
import java.io.OutputStreamWriter;
|
|
||||||
import java.io.Writer;
|
|
||||||
import java.nio.charset.StandardCharsets;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A simple servlet to load the Solr Admin UI
|
* A simple servlet to load the Solr Admin UI
|
||||||
*
|
*
|
||||||
|
@ -40,13 +38,20 @@ import java.nio.charset.StandardCharsets;
|
||||||
*/
|
*/
|
||||||
public final class LoadAdminUiServlet extends BaseSolrServlet {
|
public final class LoadAdminUiServlet extends BaseSolrServlet {
|
||||||
|
|
||||||
|
// check system properties for whether or not admin UI is disabled, default is false
|
||||||
|
private static final boolean disabled = Boolean.parseBoolean(System.getProperty("disableAdminUI", "false"));
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void doGet(HttpServletRequest _request,
|
public void doGet(HttpServletRequest _request, HttpServletResponse _response) throws IOException {
|
||||||
HttpServletResponse _response)
|
if(disabled){
|
||||||
throws IOException {
|
_response.sendError(404, "Solr Admin UI is disabled. To enable it, change the default value of SOLR_ADMIN_UI_" +
|
||||||
|
"ENABLED in bin/solr.in.sh or solr.in.cmd.");
|
||||||
|
return;
|
||||||
|
}
|
||||||
HttpServletRequest request = SolrDispatchFilter.closeShield(_request, false);
|
HttpServletRequest request = SolrDispatchFilter.closeShield(_request, false);
|
||||||
HttpServletResponse response = SolrDispatchFilter.closeShield(_response, false);
|
HttpServletResponse response = SolrDispatchFilter.closeShield(_response, false);
|
||||||
|
|
||||||
|
|
||||||
response.addHeader("X-Frame-Options", "DENY"); // security: SOLR-7966 - avoid clickjacking for admin interface
|
response.addHeader("X-Frame-Options", "DENY"); // security: SOLR-7966 - avoid clickjacking for admin interface
|
||||||
|
|
||||||
// This attribute is set by the SolrDispatchFilter
|
// This attribute is set by the SolrDispatchFilter
|
||||||
|
|
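Review bot: The 404 message in `doGet` tells the operator to change `SOLR_ADMIN_UI_ENABLED`, but the variable this commit introduces in solr.in.sh and solr.in.cmd is `SOLR_ADMIN_UI_DISABLED`. The message should read `"Solr Admin UI is disabled. To enable it, set SOLR_ADMIN_UI_DISABLED=false in bin/solr.in.sh or solr.in.cmd."`. The comment above `disabled` could also note that the property is read once at class load, so changing it requires a restart, and that only this servlet checks it. The body of `doGet` continues outside the hunk.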