gerlowskija commented on code in PR #3272: URL: https://github.com/apache/solr/pull/3272#discussion_r2007989269
########## solr/modules/scripting/src/java/org/apache/solr/scripting/update/ScriptUpdateProcessorFactory.java: ########## 
@@ -216,13 +215,6 @@ void setScriptEngineCustomizer(ScriptEngineCustomizer scriptEngineCustomizer) { @Override public void inform(SolrCore core) { - if (!core.getCoreDescriptor().isConfigSetTrusted()) {

Review Comment:
Ultimately I don't feel strongly about this, so feel free to add or not. But fwiw:

1. We [ship both ScriptUpdateProcessorFactory](https://github.com/apache/solr/blob/main/solr/modules/scripting/src/java/org/apache/solr/scripting/update/ScriptUpdateProcessorFactory.java) and XSLTUpdateProcessorFactory.
2. Yes, they're disabled by default, but they **are** enabled in our "techproducts" example which a lot of folks use as a starting point. Very plausible to me that someone would get introduced to these via "techproducts" and never think through the security implications later on.
3. We actually **do** log warnings about security best-practice violations to help nudge users who might've missed things. Including some plugin-specific warnings when authc/authz aren't configured. See [here](https://github.com/apache/solr/blob/main/solr/solrj-zookeeper/src/java/org/apache/solr/common/cloud/SolrZkClient.java#L310-L312), [here](https://github.com/apache/solr/blob/main/solr/solrj-zookeeper/src/java/org/apache/solr/common/cloud/SolrZkClient.java#L279-L280), [here](https://github.com/apache/solr/blob/main/solr/core/src/java/org/apache/solr/core/CoreContainer.java#L1233-L1248), and [here](https://github.com/apache/solr/blob/main/solr/core/src/java/org/apache/solr/cloud/ZkController.java#L960-L962).

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
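
Review bot: Removing the `if (!core.getCoreDescriptor().isConfigSetTrusted()) {` guard at the top of `inform(SolrCore core)` leaves nothing in the visible lines that gates or flags loading this factory from an untrusted configset. If the trust check is going away by design, consider replacing it with a startup log warning in `inform` when the processor is loaded without authentication and authorization configured, and calling out the behaviour change in the upgrade notes, so that deployments relying on the old check are not widened silently. The rest of the removed block is cut off in this excerpt, so what it did when the condition was true cannot be confirmed from here.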