SOLR-14147 change the Security manager to default to true. (#1141)

* change the Security manager to default.
* update the ref-guide.
* uncomment init scripts update changes.
* changed the ref guide and re-commented file.
* remove added comment.
* modified shell script.
* removed comment in windows file.

Signed-off-by: marcussorealheis <marcuseagan@gmail.com>

* bashism and fix windows
* remove space

Signed-off-by: marcussorealheis <marcuseagan@gmail.com>
This commit is contained in:
Marcus 2020-02-05 16:17:55 -08:00 committed by GitHub
parent 93b83f635d
commit bc5f837344
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 16 additions and 13 deletions

View File

@ -81,7 +81,9 @@ Upgrade Notes
* SOLR-13985: Solr's Jetty now binds to localhost network interface by default for better out of the box security.
Administrators that need Solr exposed more broadly can change the SOLR_JETTY_HOST property in their Solr include
(solr.in.sh/solr.in.cmd) file. (Jason Gerlowski, David Smiley, Robert Muir)
* SOLR-14147: Solr now runs with the java security manager enabled by default. Administrators that need to run Solr with Hadoop will need to disable this feature by setting SOLR_SECURITY_MANAGER=false in the environment or in one of the Solr init scripts. Other features in Solr could also break. (Robert Muir, marcussorealheis)
Improvements
----------------------

View File

@ -2086,12 +2086,12 @@ else
REMOTE_JMX_OPTS=()
fi
# Enable java security manager (limiting filesystem access and other things)
if [ "$SOLR_SECURITY_MANAGER_ENABLED" == "true" ]; then
# Enable java security manager (allowing filesystem access and other things)
if [ "${SOLR_SECURITY_MANAGER_ENABLED:-true}" == "true" ]; then
SECURITY_MANAGER_OPTS=('-Djava.security.manager' \
"-Djava.security.policy=${SOLR_SERVER_DIR}/etc/security.policy" \
"-Djava.security.properties=${SOLR_SERVER_DIR}/etc/security.properties" \
'-Dsolr.internal.network.permission=*')
"-Djava.security.policy=${SOLR_SERVER_DIR}/etc/security.policy" \
"-Djava.security.properties=${SOLR_SERVER_DIR}/etc/security.properties" \
'-Dsolr.internal.network.permission=*')
else
SECURITY_MANAGER_OPTS=()
fi

View File

@ -1187,7 +1187,11 @@ IF "%ENABLE_REMOTE_JMX_OPTS%"=="true" (
set REMOTE_JMX_OPTS=
)
REM Enable java security manager (limiting filesystem access and other things)
REM Enable java security manager by default (limiting filesystem access and other things)
IF NOT DEFINED SOLR_SECURITY_MANAGER_ENABLED (
set SOLR_SECURITY_MANAGER_ENABLED=true
)
IF "%SOLR_SECURITY_MANAGER_ENABLED%"=="true" (
set SECURITY_MANAGER_OPTS=-Djava.security.manager ^
-Djava.security.policy="%SOLR_SERVER_DIR%\etc\security.policy" ^

View File

@ -17,6 +17,7 @@
@echo off
REM Settings here will override settings in existing env vars or in bin/solr. The default shipped state
REM of this file is completely commented.
REM By default the script will use JAVA_HOME to determine which java
@ -197,4 +198,4 @@ REM Runs solr in a java security manager sandbox. This can protect against some
REM Runtime properties are passed to the security policy file (server\etc\security.policy)
REM You can also tweak via standard JDK files such as ~\.java.policy, see https://s.apache.org/java8policy
REM This is experimental! It may not work at all with Hadoop/HDFS features.
REM set SOLR_SECURITY_MANAGER_ENABLED=false
REM set SOLR_SECURITY_MANAGER_ENABLED=true

View File

@ -229,4 +229,4 @@
# Runtime properties are passed to the security policy file (server/etc/security.policy)
# You can also tweak via standard JDK files such as ~/.java.policy, see https://s.apache.org/java8policy
# This is experimental! It may not work at all with Hadoop/HDFS features.
#SOLR_SECURITY_MANAGER_ENABLED=false
#SOLR_SECURITY_MANAGER_ENABLED=true

View File

@ -79,7 +79,6 @@ SOLR_IP_BLACKLIST="192.168.0.3, 192.168.0.4"
ZooKeeper is a central and important part of a SolrCloud cluster and understanding how to secure
its content is covered in the <<zookeeper-access-control.adoc#zookeeper-access-control,ZooKeeper Access Control>> page.
== Network Configuration
// tag::security-network-binding-1[]
@ -95,6 +94,3 @@ It is also strongly recommended that Solr listen to only those network interface
----
// end::security-network-binding-1[]
== Enable Security Manager
Solr can run in a Java Security Manager sandbox by setting `SOLR_SECURITY_MANAGER_ENABLED=true` via environment variable or in `solr.in.sh`/`solr.in.cmd`. This feature is incompatible with Hadoop.