mirror of https://github.com/apache/lucene.git
SOLR-14147 change the Security manager to default to true. (#1141)
* change the Security manager to default.
* update the ref-guide.
* uncomment init scripts update changes.
* changed the ref guide and re-commented file.
* remove added comment.
* modified shell script.
* removed comment in windows file.

Signed-off-by: marcussorealheis <marcuseagan@gmail.com>

* bashism and fix windows
* remove space

Signed-off-by: marcussorealheis <marcuseagan@gmail.com>
parent 93b83f635d
commit bc5f837344
|
@ -81,7 +81,9 @@ Upgrade Notes
|
|||
* SOLR-13985: Solr's Jetty now binds to localhost network interface by default for better out of the box security.
|
||||
Administrators that need Solr exposed more broadly can change the SOLR_JETTY_HOST property in their Solr include
|
||||
(solr.in.sh/solr.in.cmd) file. (Jason Gerlowski, David Smiley, Robert Muir)
|
||||
|
||||
|
||||
* SOLR-14147: Solr now runs with the java security manager enabled by default. Administrators that need to run Solr with Hadoop will need to disable this feature by setting SOLR_SECURITY_MANAGER=false in the environment or in one of the Solr init scripts. Other features in Solr could also break. (Robert Muir, marcussorealheis)
|
||||
|
||||
Improvements
|
||||
----------------------
|
||||
|
||||
|
|
|
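Review bot: The SOLR-14147 upgrade note tells administrators to set `SOLR_SECURITY_MANAGER=false`, but the start scripts changed in this same commit test `SOLR_SECURITY_MANAGER_ENABLED`, so following the note as written would leave the security manager on. Use the full variable name in the note, and name the include files (solr.in.sh/solr.in.cmd) the way the SOLR-13985 entry above does instead of "one of the Solr init scripts". "Other features in Solr could also break" gives an operator nothing to check; either list the known cases or point to where failures will show up.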
@ -2086,12 +2086,12 @@ else
|
|||
REMOTE_JMX_OPTS=()
|
||||
fi
|
||||
|
||||
# Enable java security manager (limiting filesystem access and other things)
|
||||
if [ "$SOLR_SECURITY_MANAGER_ENABLED" == "true" ]; then
|
||||
# Enable java security manager (allowing filesystem access and other things)
|
||||
if [ "${SOLR_SECURITY_MANAGER_ENABLED:-true}" == "true" ]; then
|
||||
SECURITY_MANAGER_OPTS=('-Djava.security.manager' \
|
||||
"-Djava.security.policy=${SOLR_SERVER_DIR}/etc/security.policy" \
|
||||
"-Djava.security.properties=${SOLR_SERVER_DIR}/etc/security.properties" \
|
||||
'-Dsolr.internal.network.permission=*')
|
||||
"-Djava.security.policy=${SOLR_SERVER_DIR}/etc/security.policy" \
|
||||
"-Djava.security.properties=${SOLR_SERVER_DIR}/etc/security.properties" \
|
||||
'-Dsolr.internal.network.permission=*')
|
||||
else
|
||||
SECURITY_MANAGER_OPTS=()
|
||||
fi
|
||||
|
|
|
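Review bot: The rewritten comment above the `if` now reads "allowing filesystem access and other things", which inverts the meaning of the original "limiting"; the block still passes `-Djava.security.manager` with a policy file, so it restricts access. Keep "limiting" and, since the behaviour changed, say that it is on by default, for example "Enable java security manager by default (limiting filesystem access and other things)", which is the wording the Windows script uses. The re-indented `-Djava.security.policy` and `-Djava.security.properties` lines are whitespace-only changes and could be dropped from the patch to keep the diff to the one-line condition change.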
@ -1187,7 +1187,11 @@ IF "%ENABLE_REMOTE_JMX_OPTS%"=="true" (
|
|||
set REMOTE_JMX_OPTS=
|
||||
)
|
||||
|
||||
REM Enable java security manager (limiting filesystem access and other things)
|
||||
REM Enable java security manager by default (limiting filesystem access and other things)
|
||||
IF NOT DEFINED SOLR_SECURITY_MANAGER_ENABLED (
|
||||
set SOLR_SECURITY_MANAGER_ENABLED=true
|
||||
)
|
||||
|
||||
IF "%SOLR_SECURITY_MANAGER_ENABLED%"=="true" (
|
||||
set SECURITY_MANAGER_OPTS=-Djava.security.manager ^
|
||||
-Djava.security.policy="%SOLR_SERVER_DIR%\etc\security.policy" ^
|
||||
|
|
|
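Review bot: The test `IF "%SOLR_SECURITY_MANAGER_ENABLED%"=="true"` is a case-sensitive exact match, so now that the sandbox is the default, a value such as `TRUE` or `True` turns it off without any message. Consider `IF /I` for the comparison, or invert the logic so that only an explicit `false` disables the security manager and anything else leaves it enabled. The same exact-match behaviour applies to the `"${SOLR_SECURITY_MANAGER_ENABLED:-true}" == "true"` test in the shell script.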
@ -17,6 +17,7 @@
|
|||
@echo off
|
||||
|
||||
REM Settings here will override settings in existing env vars or in bin/solr. The default shipped state
|
||||
|
||||
REM of this file is completely commented.
|
||||
|
||||
REM By default the script will use JAVA_HOME to determine which java
|
||||
|
@ -197,4 +198,4 @@ REM Runs solr in a java security manager sandbox. This can protect against some
|
|||
REM Runtime properties are passed to the security policy file (server\etc\security.policy)
|
||||
REM You can also tweak via standard JDK files such as ~\.java.policy, see https://s.apache.org/java8policy
|
||||
REM This is experimental! It may not work at all with Hadoop/HDFS features.
|
||||
REM set SOLR_SECURITY_MANAGER_ENABLED=false
|
||||
REM set SOLR_SECURITY_MANAGER_ENABLED=true
|
|
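Review bot: The commented-out setting and the comment above it no longer match the new default. With the security manager enabled unless told otherwise, the useful example for an administrator is the opt-out, `REM set SOLR_SECURITY_MANAGER_ENABLED=false`; a commented `=true` line does nothing when uncommented. The unchanged context line "This is experimental! It may not work at all with Hadoop/HDFS features." also needs rewording now that this is the shipped default: state that it is enabled by default and that Hadoop/HDFS users must set it to `false`. The same applies to the `#SOLR_SECURITY_MANAGER_ENABLED` hunk that follows.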
@ -229,4 +229,4 @@
|
|||
# Runtime properties are passed to the security policy file (server/etc/security.policy)
|
||||
# You can also tweak via standard JDK files such as ~/.java.policy, see https://s.apache.org/java8policy
|
||||
# This is experimental! It may not work at all with Hadoop/HDFS features.
|
||||
#SOLR_SECURITY_MANAGER_ENABLED=false
|
||||
#SOLR_SECURITY_MANAGER_ENABLED=true
|
||||
|
|
|
@ -79,7 +79,6 @@ SOLR_IP_BLACKLIST="192.168.0.3, 192.168.0.4"
|
|||
ZooKeeper is a central and important part of a SolrCloud cluster and understanding how to secure
|
||||
its content is covered in the <<zookeeper-access-control.adoc#zookeeper-access-control,ZooKeeper Access Control>> page.
|
||||
|
||||
|
||||
== Network Configuration
|
||||
|
||||
// tag::security-network-binding-1[]
|
||||
|
@ -95,6 +94,3 @@ It is also strongly recommended that Solr listen to only those network interface
|
|||
----
|
||||
// end::security-network-binding-1[]
|
||||
|
||||
== Enable Security Manager
|
||||
|
||||
Solr can run in a Java Security Manager sandbox by setting `SOLR_SECURITY_MANAGER_ENABLED=true` via environment variable or in `solr.in.sh`/`solr.in.cmd`. This feature is incompatible with Hadoop.
|
||||
|
|
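Review bot: The hunk header (`-95,6 +94,3`) shows the "== Enable Security Manager" section being deleted outright, which removes the only reference-guide text on this page that names `SOLR_SECURITY_MANAGER_ENABLED` and the Hadoop incompatibility, in the same commit that turns the feature on for everyone. Rather than dropping the section, rewrite it to say the security manager is enabled by default, that it can be disabled with `SOLR_SECURITY_MANAGER_ENABLED=false` via environment variable or `solr.in.sh`/`solr.in.cmd`, and keep the sentence that the feature is incompatible with Hadoop.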