mirror of https://github.com/apache/lucene.git
SOLR-14014 Allow disabling AdminUI at launch (#1471)
parent
1783c4ad47
commit
6f775bfa69
|
@ -67,6 +67,10 @@ Other Changes
|
|||
* SOLR-14412: Automatically set urlScheme to https when running secure solr with embedded zookeeper. (Mike Drob)
|
||||
Do not erroneously set solr.jetty.https.port system property when running in http mode (Upendra Penegalapati)
|
||||
|
||||
* SOLR-14014: Introducing a system property that allows users to disable the Admin UI, which is enabled by default.
|
||||
If you have security concerns or other reasons to disable the Admin UI, you can modify `SOLR_ADMIN_UI_DISABLED`
|
||||
`solr.in.sh`/`solr.in.cmd` at start. (marcussorealheis)
|
||||
|
||||
================== 8.6.0 ==================
|
||||
|
||||
Consult the LUCENE_CHANGES.txt file for additional, low level, changes in this release.
|
||||
|
|
|
@ -2097,6 +2097,14 @@ else
|
|||
SECURITY_MANAGER_OPTS=()
|
||||
fi
|
||||
|
||||
# Enable ADMIN UI by default, and give the option for users to disable it
|
||||
if [ "$SOLR_ADMIN_UI_DISABLED" == "true" ]; then
|
||||
SOLR_ADMIN_UI="-DdisableAdminUI=true"
|
||||
echo -e "ADMIN UI Disabled"
|
||||
else
|
||||
SOLR_ADMIN_UI="-DdisableAdminUI=false"
|
||||
fi
|
||||
|
||||
JAVA_MEM_OPTS=()
|
||||
if [ -z "$SOLR_HEAP" ] && [ -n "$SOLR_JAVA_MEM" ]; then
|
||||
JAVA_MEM_OPTS=($SOLR_JAVA_MEM)
|
||||
|
@ -2208,7 +2216,7 @@ function start_solr() {
|
|||
# users who don't care about useful error msgs can override in SOLR_OPTS with +OmitStackTraceInFastThrow
|
||||
"${SOLR_HOST_ARG[@]}" "-Duser.timezone=$SOLR_TIMEZONE" "-XX:-OmitStackTraceInFastThrow" \
|
||||
"-Djetty.home=$SOLR_SERVER_DIR" "-Dsolr.solr.home=$SOLR_HOME" "-Dsolr.data.home=$SOLR_DATA_HOME" "-Dsolr.install.dir=$SOLR_TIP" \
|
||||
"-Dsolr.default.confdir=$DEFAULT_CONFDIR" "${LOG4J_CONFIG[@]}" "${SOLR_OPTS[@]}" "${SECURITY_MANAGER_OPTS[@]}")
|
||||
"-Dsolr.default.confdir=$DEFAULT_CONFDIR" "${LOG4J_CONFIG[@]}" "${SOLR_OPTS[@]}" "${SECURITY_MANAGER_OPTS[@]}" "${SOLR_ADMIN_UI}")
|
||||
|
||||
if [ "$SOLR_MODE" == "solrcloud" ]; then
|
||||
IN_CLOUD_MODE=" in SolrCloud mode"
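Review bot: The test `[ "$SOLR_ADMIN_UI_DISABLED" == "true" ]` is an exact, case-sensitive match, so a value such as `TRUE` or `1` in solr.in.sh silently takes the else branch and starts Solr with `-DdisableAdminUI=false`. The Java side reads the property with `Boolean.parseBoolean`, which ignores case, so the script is stricter than the code it configures. For a switch that operators set as a hardening measure, an unrecognised value should not quietly leave the UI on. Either normalise it, e.g. `if [ "$(echo "$SOLR_ADMIN_UI_DISABLED" | tr '[:upper:]' '[:lower:]')" == "true" ]; then`, or print a warning when the variable is set to anything other than `true` or `false`.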
|
||||
|
|
|
@ -1199,6 +1199,13 @@ IF "%SOLR_SECURITY_MANAGER_ENABLED%"=="true" (
|
|||
-Dsolr.internal.network.permission=*
|
||||
)
|
||||
|
||||
REM Enable ADMIN UI by default, and give the option for users to disable it
|
||||
IF "%SOLR_ADMIN_UI_DISABLED%"=="true" (
|
||||
set DISABLE_ADMIN_UI="true"
|
||||
) else (
|
||||
set DISABLE_ADMIN_UI="false"
|
||||
)
|
||||
|
||||
IF NOT "%SOLR_HEAP%"=="" set SOLR_JAVA_MEM=-Xms%SOLR_HEAP% -Xmx%SOLR_HEAP%
|
||||
IF "%SOLR_JAVA_MEM%"=="" set SOLR_JAVA_MEM=-Xms512m -Xmx512m
|
||||
IF "%SOLR_JAVA_STACK_SIZE%"=="" set SOLR_JAVA_STACK_SIZE=-Xss256k
|
||||
|
@ -1288,6 +1295,7 @@ REM '-OmitStackTraceInFastThrow' ensures stack traces in errors,
|
|||
REM users who don't care about useful error msgs can override in SOLR_OPTS with +OmitStackTraceInFastThrow
|
||||
set "START_OPTS=%START_OPTS% -XX:-OmitStackTraceInFastThrow"
|
||||
set START_OPTS=%START_OPTS% !GC_TUNE! %GC_LOG_OPTS%
|
||||
set START_OPTS=%START_OPTS% -DdisableAdminUI=%DISABLE_ADMIN_UI%
|
||||
IF NOT "!CLOUD_MODE_OPTS!"=="" set "START_OPTS=%START_OPTS% !CLOUD_MODE_OPTS!"
|
||||
IF NOT "!IP_ACL_OPTS!"=="" set "START_OPTS=%START_OPTS% !IP_ACL_OPTS!"
|
||||
IF NOT "%REMOTE_JMX_OPTS%"=="" set "START_OPTS=%START_OPTS% %REMOTE_JMX_OPTS%"
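Review bot: `set DISABLE_ADMIN_UI="true"` stores the double quotes as part of the value, so the later line expands to `-DdisableAdminUI="true"` and presumably only works because the quotes are stripped when the command line is parsed. The neighbouring lines use the `set "START_OPTS=..."` form; I would write `set "DISABLE_ADMIN_UI=true"` and `set "DISABLE_ADMIN_UI=false"` to match. The comparison `IF "%SOLR_ADMIN_UI_DISABLED%"=="true"` is also case-sensitive, so `TRUE` leaves the UI enabled with no message. `IF /I` would accept it, in line with the case-insensitive `Boolean.parseBoolean` on the Java side.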
|
||||
|
|
|
@ -203,3 +203,8 @@ REM Runtime properties are passed to the security policy file (server\etc\securi
|
|||
REM You can also tweak via standard JDK files such as ~\.java.policy, see https://s.apache.org/java8policy
|
||||
REM This is experimental! It may not work at all with Hadoop/HDFS features.
|
||||
REM set SOLR_SECURITY_MANAGER_ENABLED=true
|
||||
REM This variable provides you with the option to disable the Admin UI. if you uncomment the variable below and
|
||||
REM change the value to true. The option is configured as a system property as defined in SOLR_START_OPTS in the start
|
||||
REM scripts.
|
||||
REM set SOLR_ADMIN_UI_DISABLED=false
|
||||
|
||||
|
|
|
@ -234,4 +234,7 @@
|
|||
# You can also tweak via standard JDK files such as ~/.java.policy, see https://s.apache.org/java8policy
|
||||
# This is experimental! It may not work at all with Hadoop/HDFS features.
|
||||
#SOLR_SECURITY_MANAGER_ENABLED=true
|
||||
|
||||
# This variable provides you with the option to disable the Admin UI. if you uncomment the variable below and
|
||||
# change the value to true. The option is configured as a system property as defined in SOLR_START_OPTS in the start
|
||||
# scripts.
|
||||
# SOLR_ADMIN_UI_DISABLED=false
|
||||
|
|
|
@ -15,6 +15,13 @@
|
|||
* limitations under the License.
|
||||
*/
|
||||
package org.apache.solr.servlet;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.io.OutputStreamWriter;
|
||||
import java.io.Writer;
|
||||
import java.nio.charset.StandardCharsets;
|
||||
|
||||
import org.apache.commons.io.IOUtils;
|
||||
import org.apache.commons.io.output.CloseShieldOutputStream;
|
||||
|
@ -24,15 +31,6 @@ import org.apache.solr.common.params.CommonParams;
|
|||
import org.apache.solr.core.CoreContainer;
|
||||
import org.apache.solr.core.SolrCore;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.io.OutputStreamWriter;
|
||||
import java.io.Writer;
|
||||
import java.nio.charset.StandardCharsets;
|
||||
|
||||
/**
|
||||
* A simple servlet to load the Solr Admin UI
|
||||
*
|
||||
|
@ -40,13 +38,20 @@ import java.nio.charset.StandardCharsets;
|
|||
*/
|
||||
public final class LoadAdminUiServlet extends BaseSolrServlet {
|
||||
|
||||
// check system properties for whether or not admin UI is disabled, default is false
|
||||
private static final boolean disabled = Boolean.parseBoolean(System.getProperty("disableAdminUI", "false"));
|
||||
|
||||
@Override
|
||||
public void doGet(HttpServletRequest _request,
|
||||
HttpServletResponse _response)
|
||||
throws IOException {
|
||||
public void doGet(HttpServletRequest _request, HttpServletResponse _response) throws IOException {
|
||||
if(disabled){
|
||||
_response.sendError(404, "Solr Admin UI is disabled. To enable it, change the default value of SOLR_ADMIN_UI_" +
|
||||
"ENABLED in bin/solr.in.sh or solr.in.cmd.");
|
||||
return;
|
||||
}
|
||||
HttpServletRequest request = SolrDispatchFilter.closeShield(_request, false);
|
||||
HttpServletResponse response = SolrDispatchFilter.closeShield(_response, false);
|
||||
|
||||
|
||||
response.addHeader("X-Frame-Options", "DENY"); // security: SOLR-7966 - avoid clickjacking for admin interface
|
||||
|
||||
// This attribute is set by the SolrDispatchFilter
|
||||
|
|