[ https://issues.apache.org/jira/browse/SOLR-15451?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17359410#comment-17359410 ]
Mike Drob commented on SOLR-15451:
----------------------------------

{quote}I'm thinking the solution is to execute the {{getFieldInfo}} request (in SolrSchema) from a server thread that authenticates via the PKI plugin instead of having to grant this permission to the user explicitly. Users may not want to give access to {{/admin/luke}} to end users just for executing SQL.
{quote}
I like this approach

> SQL endpoint returns the wrong error when authenticated user doesn't have read access /admin/luke
> -------------------------------------------------------------------------------------------------
>
>                 Key: SOLR-15451
>                 URL: https://issues.apache.org/jira/browse/SOLR-15451
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public)
>          Components: Parallel SQL
>            Reporter: Timothy Potter
>            Assignee: Timothy Potter
>            Priority: Major
>              Labels: RobustSQL
>
> Note: This is not a security issue, it's a usability problem.
> Trying out the {{/sql}} HTTP endpoint on a basic-auth enabled cluster. My user didn't have read access to the {{/admin/luke}} endpoint for all collections being queried and got an unhelpful message like:
> {code}
> {
>   "result-set":{
>     "docs":[{
>         "EXCEPTION":"Failed to execute sqlQuery 'SELECT count(*) FROM sop2 WHERE boolean1_b = 'true' LIMIT 10' against JDBC connection 'jdbc:calcitesolr:'.\nError while executing SQL \"SELECT count(*) FROM sop2 WHERE boolean1_b = 'true' LIMIT 10\": org.apache.solr.client.solrj.SolrServerException: No live SolrServers available to handle this request:[http://dev-solrcloud-0.dev:80/solr/sop2, http://dev-solrcloud-1.dev:80/solr/sop2]",
>         "EOF":true,
>         "RESPONSE_TIME":33}]}}
> {code}
> In the server logs, I see:
> {code}
> Caused by: java.lang.RuntimeException: org.apache.solr.client.solrj.SolrServerException: No live SolrServers available to handle this request:[http://dev-solrcloud-0.dev:80/solr/sop2, http://dev-solrcloud-1.dev:80/solr/sop2]
>         at org.apache.solr.handler.sql.SolrSchema.getFieldInfo(SolrSchema.java:102)
>         at org.apache.solr.handler.sql.SolrSchema.getRelDataType(SolrSchema.java:112)
>         at org.apache.solr.handler.sql.SolrTable.getRowType(SolrTable.java:82)
> {code}
> Once I granted the following permission to the user, the query worked:
> {code}
> {
>   "name":"queryluke",
>   "path":"/admin/luke",
>   "collection":"*",
>   "role":["users", "admin"]
> }
> {code}
> I'm thinking the solution is to execute the {{getFieldInfo}} request (in SolrSchema) from a server thread that authenticates via the PKI plugin instead of having to grant this permission to the user explicitly. Users may not want to give access to {{/admin/luke}} to end users just for executing SQL.

--
This message was sent by Atlassian Jira (v8.3.4#803005)