* introduce jattach check if jstack is missing. jattach ships in the Solr docker image instead of jstack.
* get the full path to the jattach command
Co-authored-by: Christine Poerschke <cpoerschke@apache.org>
* Remove DIH example directory
* Remove contrib code directories
* Remove contrib package related configurations for build tools
* Remove mention of DIH example
* remove dih as build dependencies and no-longer needed version pins
* Remove README references to DIH
* Remove dih mention from the script that probably does need to exist at all
* More build artifact references
* More removed dependencies leftovers (licenses/versions)
* No need to smoke exclude DIH anymore
* Remove Admin UI's DIH integration
* Remove DIH from shortname package list
* Remove unused DIH (related? not?) dataset
Unclear what is happening here, but there is no reference to that directory anywhere else
The other parallel directories ARE referenced in a TestConfigSetsAPI.java
* Hidden Idea files references
* No DIH to ignore anymore
* Remove last Derby DB references
* Remove DIH from documentation
Add the information in Major Changes document with the link to the external repo
* Added/updated a mention to CHANGES
* Fix leftover library mentions
* Fix Spellings
Prior to this commit, Solr's Jetty listened for connections on all
network interfaces. This commit changes it to only listen on localhost,
to prevent incautious administrators from accidentally exposing their
Solr deployment to the world.
Administrators who wish to override this behavior can set the
SOLR_JETTY_HOST property in their Solr include file
(solr.in.sh/solr.in.cmd) to "0.0.0.0" or some other value.
A version of this commit was previously reverted due to inconsistency
between SOLR_HOST and SOLR_JETTY_HOST. This commit fixes this issue.
Prior to this commit, Solr's Jetty listened for connections on all
network interfaces. This commit changes it to only listen on localhost,
to prevent incautious administrators from accidentally exposing their
Solr deployment to the world.
Administrators who wish to override this behavior can set the
SOLR_JETTY_HOST property in their Solr include file
(solr.in.sh/solr.in.cmd) to "0.0.0.0" or some other value.
Currently the documentation pretends to create a JKS keystore. It is
only actually a JKS keystore on java 8: on java9+ it is a PKCS12
keystore with a .jks extension (because PKCS12 is the new java default).
It works even though solr explicitly tells the JDK
(SOLR_SSL_KEY_STORE_TYPE=JKS) that its JKS when it is in fact not, due
to how keystore backwards compatibility was implemented.
Fix docs to explicitly create a PKCS12 keystore with .p12 extension and
so on instead of a PKCS12 keystore masquerading as a JKS one. This
simplifies the SSL steps since the "conversion" step (which was doing
nothing) from .JKS -> .P12 can be removed.
* SOLR-13984: add (experimental, disabled by default) security manager support.
User can set SOLR_SECURITY_MANAGER_ENABLED=true to enable security manager at runtime.
The current policy file used by tests is moved to solr/server
Additional permissions are granted for the filesystem locations set by bin/solr, and networking everywhere is enabled.
This takes advantage of the fact that permission entries are ignored if properties are not defined:
https://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html#PropertyExp
SOLR-14136: ip whitelist/blacklist via env vars
This makes it easy to restrict access to Solr by IP. For example SOLR_IP_WHITELIST="127.0.0.1, 192.168.0.0/24, [::1], [2000:123:4:5::]/64" would restrict access to v4/v6 localhost, the 192.168.0 ipv4 network, and 2000:123:4:5 ipv6 network. Any other IP will receive a 403 response.
Blacklisting functionality can deny access to problematic addresses or networks that would otherwise be allowed. For example SOLR_IP_BLACKLIST="192.168.0.3, 192.168.0.4" would explicitly prevent those two specific addresses from accessing solr.
User can now set SOLR_REQUESTLOG_ENABLED=true to enable the jetty request log, instead of editing XML. The location of the request logs will respect SOLR_LOGS_DIR if that is set. The deprecated NCSARequestLog is no longer used, instead it uses CustomRequestLog with NCSA_FORMAT.
whoami displays a warning if the effective-uid is not in /etc/password.
This can happen in certain situations when running in a docker
container. This replaces the 'whoami' usage with a safer check.
Eric Pugh
Houston Putman
Mike Drob
Munendra S N
Christine Poerschke
Ilan Ginzburg
Erick Erickson
Alexandre Rafalovitch
Ishan Chattopadhyaya
Aren Cambre
Jan Høydahl
Guna Sekhar Dora Kovvuru
Mikhail Khludnev
Marcus
Jan Høydahl
Chris Hostetter
Maxim Antonov
Jason Gerlowski
Kevin Risden
Jason Gerlowski
Martijn Koster
Joel Bernstein
Robert Muir
Andy Vuong
Cao Manh Dat
Noble Paul
Andrzej Bialecki