Doubt about number of shards

2022-11-15 Thread DAVID MARTIN NIETO
hello solr users

We have a production cluster of six machines using solr 8.2 and I had a 
question about whether or not changing the number of shards could improve the 
performance of collection queries. Specifically, we have several collections, 
some of which are several gigabytes (20 GB, 10, 2 GB) and other very small 
collections that have 40% of the incoming queries. All the solr nodes have all 
the shards replicated now.

Any recommendations on how to improve performance?

Additionally several questions:
- Is there any way for Solr to discard requests that take more than X seconds 
to respond?
- Is there any way to limit Solr's response rate, with the idea of not 
responding if more than 100 requests arrive per second, for example, and 
discarding the rest so as not to affect performance?
- Is there any way for Solr to avoid distributed request between the six nodes 
of the cluster?

Thank you very much for the help.
All the best.



David Martín Nieto
E-mail: dmart...@viewnext.com | Web: www.viewnext.com







warning at solr startup on Ubuntu

2022-11-15 Thread Szűcs Roland
Dear SOLR users,

I use Solr 9.0, with open jdk 11. After installation, I managed to access
the admin page of the solr, but I always get two warnings at the startup of
the server.

One is complaining about low entropy and the other is the max number of
open files.

Is there a blog post or any guidance how to get rid of this warning message
on Ubuntu 22.04?

Thanks,
Roland


Re: warning at solr startup on Ubuntu

2022-11-15 Thread Nicolae Vartolomei

Hello Roland,

For the maximum number of files you have to modify the limits.conf. 
The settings should look like:

@ hard nofile 65535
@ soft nofile 65535

Thank you,


On 2022-11-15 2:08 PM, Szűcs Roland wrote:

Dear SOLR users,

I use Solr 9.0, with open jdk 11. After installation, I managed to access
the admin page of the solr, but I always get two warnings at the startup of
the server.

One is complaining about low entropy and the other is the max number of
open files.

Is there a blog post or any guidance how to get rid of this warning message
on Ubuntu 22.04?

Thanks,
Roland


--
Nicolae Vartolomei
---
Elasticsearch/OpenSearch & Solr Consulting, Production Support & Training 
Sematext Cloud - Full Stack Observability
https://sematext.com/



Timeout from hosts with Solr Cloud 8.4.1

2022-11-15 Thread Mark Hieber
I have created a cluster (on 18 hosts) using
/solr/solr-8.4.0/bin/solr start
I have three zookeeper instances, they are listed in solr.in.sh
ZK_HOST="host1:2181,host2:2181,host3:2181/MyRoot"
I have set JAVA_HOME
I have set SOLR_PORT

I have uploaded my configs to zookeeper

I have 6 collections I want for my cluster, all the configs are in zookeeper

I create my collections as follows:

for c in collection1 collection2 collection3 collection4 collection5 collection6; do
  curl "http://localhost:1080/solr/admin/collections?action=CREATE&name=$c&numShards=2&replicationFactor=3&collection.configName=$c&autoAddReplicas=true"
done


All create commands show success in the response.


However, when I try to query a collection (there is no data in the
collection, but I shouldn't get an error) I get


curl -k 'http://localhost:1080/solr/collection1/query?q=*:*'

{
  "responseHeader":{
    "zkConnected":true,
    "status":500,
    "QTime":3,
    "params":{
      "q":"*:*",
      "_forwardedCount":"1"}},
  "error":{
    "metadata":[
      "error-class","org.apache.solr.common.SolrException",
      "root-error-class","java.util.concurrent.TimeoutException"],
    "msg":"org.apache.solr.client.solrj.SolrServerException: Timeout occured while waiting response from server at: http://host1:1080/solr/collection1_shard2_replica_n10/query",

"trace":"org.apache.solr.common.SolrException:
org.apache.solr.client.solrj.SolrServerException: Timeout occured while
waiting response from server at:
http://host1:1080/solr/collection1_shard2_replica_n10/query\n\tat
org.apache.solr.handler.component.SearchHandler.handleRequestBody(SearchHandler.java:443)\n\tat
org.apache.solr.handler.RequestHandlerBase.handleRequest(RequestHandlerBase.java:211)\n\tat
org.apache.solr.core.SolrCore.execute(SolrCore.java:2596)\n\tat
org.apache.solr.servlet.HttpSolrCall.execute(HttpSolrCall.java:799)\n\tat
org.apache.solr.servlet.HttpSolrCall.call(HttpSolrCall.java:578)\n\tat
org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:419)\n\tat
org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:351)\n\tat
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1602)\n\tat
org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)\n\tat
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)\n\tat
org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)\n\tat
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)\n\tat
org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)\n\tat
org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1711)\n\tat
org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)\n\tat
org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1347)\n\tat
org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)\n\tat
org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)\n\tat
org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1678)\n\tat
org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)\n\tat
org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1249)\n\tat
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)\n\tat
org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:220)\n\tat
org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:152)\n\tat
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)\n\tat
org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:335)\n\tat
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)\n\tat
org.eclipse.jetty.server.Server.handle(Server.java:505)\n\tat
org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370)\n\tat
org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267)\n\tat
org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)\n\tat
org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)\n\tat
org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)\n\tat
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)\n\tat
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)\n\tat
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)\n\tat
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)\n\tat
org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)\n\tat
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:781)\n\tat
org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(Que

Re: warning at solr startup on Ubuntu

2022-11-15 Thread Shawn Heisey

On 11/15/22 05:08, Szűcs Roland wrote:

Dear SOLR users,

I use Solr 9.0, with open jdk 11. After installation, I managed to access
the admin page of the solr, but I always get two warnings at the startup of
the server.

One is complaining about low entropy and the other is the max number of
open files.

Is there a blog post or any guidance how to get rid of this warning message
on Ubuntu 22.04?


The low entropy one might be solved by installing the "haveged" package 
with apt.  Some servers have hardware random number generators that 
Linux can use.  That is common on Dell servers, not sure about other 
OEMs.  The fact that you have a low entropy warning probably means that 
your hardware does not have a random number generator.


If you don't want to actually increase the limits as Nicolae mentioned, 
the warning can be eliminated by adding SOLR_ULIMIT_CHECKS=false to the 
include script.  That will usually be /etc/default/solr.in.sh or 
bin/solr.in.sh.  It doesn't take a very big install for a Solr to blow 
through typical OS default limits, so if it were me, I would prefer to 
adjust the limits rather than turn off the warning.


Thanks,
Shawn
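
One way to check both startup warnings on the host, as an added example that does not come from the posters or from Solr's own scripts. It reads the limits of the running Solr process from /proc/<pid>/limits, since limits.conf is applied by PAM at login and a process started another way may not have picked it up; the 65535 threshold is the value from the thread, the 300 entropy floor is an assumption, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the open-files limit and the kernel entropy pool.
# MIN_NOFILE is the limits.conf value suggested in the thread;
# MIN_ENTROPY is an assumed floor, adjust it to the value your Solr checks.
MIN_NOFILE=${MIN_NOFILE:-65535}
MIN_ENTROPY=${MIN_ENTROPY:-300}

# Print the soft or hard value of one row of a /proc/<pid>/limits file.
# usage: proc_limit FILE "Max open files" soft|hard
proc_limit() {
    awk -v name="$2" -v which="$3" '
        index($0, name) == 1 {
            split(substr($0, length(name) + 1), f, " ")
            print (which == "hard" ? f[2] : f[1])
            exit
        }' "$1"
}

# Succeed when VALUE is "unlimited" or a number >= MIN.
limit_ok() {
    [ "$1" = "unlimited" ] && return 0
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ]
}

# Print one line per check; return 1 if any check fails.
# usage: audit LIMITS_FILE ENTROPY_FILE
audit() {
    rc=0
    for kind in soft hard; do
        v=$(proc_limit "$1" "Max open files" "$kind")
        if limit_ok "$v" "$MIN_NOFILE"; then
            echo "OK   nofile $kind=$v"
        else
            echo "WARN nofile $kind=${v:-missing} is below $MIN_NOFILE"
            rc=1
        fi
    done
    e=$(cat "$2" 2>/dev/null) || e=''
    if limit_ok "$e" "$MIN_ENTROPY"; then
        echo "OK   entropy_avail=$e"
    else
        echo "WARN entropy_avail=${e:-unreadable} is below $MIN_ENTROPY"
        rc=1
    fi
    return $rc
}

# Constructed sample of /proc/<pid>/limits for a process that still has a
# soft limit of 1024 open files.
sample_limits() {
    cat <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            1024                 1048576              files
Max processes             63204                63204                processes
EOF
}

# Real use: pass the PID of the Solr JVM as the first argument.
if [ -n "${1:-}" ]; then
    audit "/proc/$1/limits" /proc/sys/kernel/random/entropy_avail
fi
```

Run it after restarting Solr: a soft value that is still low means the new limit never reached the process, whatever limits.conf says.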



Re: Doubt about number of shards

2022-11-15 Thread Walter Underwood
To limit request rate, I would put an instance of nginx on each host, send 
external requests to that, then have that forward to Solr. Nginx has good tools 
for controlling request rate.

This would also give you a place to monitor the external requests separate 
from the intra-cluster traffic.

wunder
Walter Underwood
wun...@wunderwood.org 
http://observer.wunderwood.org/  (my blog)

> On Nov 15, 2022, at 3:49 AM, DAVID MARTIN NIETO wrote:
> 
> hello solr users
> 
> We have a production cluster of six machines using solr 8.2 and I had a 
> question about whether or not changing the number of shards could improve the 
> performance of collection queries. Specifically, we have several collections, 
> some of which are several gigabytes (20 GB, 10, 2 GB) and other very small 
> collections that have 40% of the incoming queries. All the solr nodes have 
> all the shards replicated now.
> 
> Any recommendations on how to improve performance?
> 
> Additionally several questions:
> - Is there any way for Solr to discard requests that take more than X seconds 
> to respond?
> - Is there any way to limit Solr's response rate, with the idea of not 
> responding if more than 100 requests arrive per second, for example, and 
> discarding the rest so as not to affect performance?
> - Is there any way for Solr to avoid distributed request between the six 
> nodes of the cluster?
> 
> Thank you very much for the help.
> All the best.
> 
> 
> 
> David Martín Nieto
> E-mail: dmart...@viewnext.com  | Web: 
> www.viewnext.com 
> 
> 
> 
> 
> 

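The nginx front end described above, written out as an added example rather than Walter's or the Solr project's configuration. The 100 requests per second is the figure from the question; the ports, host name, log path, burst size and timeouts are assumed values.

```nginx
# Added example. Place inside the http { } block of nginx.conf.
# Assumptions: Solr listens on 127.0.0.1:8983, external clients use port 8080.

# One shared bucket for all clients: $server_name is identical for every
# request to this server, so the zone holds a single counter refilled at
# 100 requests per second. Use $binary_remote_addr as the key instead to
# limit each client address separately.
limit_req_zone $server_name zone=solr_total:1m rate=100r/s;

upstream solr_local {
    server 127.0.0.1:8983;
    keepalive 32;                      # reuse connections to Solr
}

server {
    listen 8080;
    server_name solr-front.example.internal;   # assumed name

    # External requests get their own log; intra-cluster traffic goes
    # straight to the Solr port and never appears here.
    access_log /var/log/nginx/solr_external.log combined;

    location /solr/ {
        # Up to 50 requests above the rate are passed on immediately,
        # anything beyond that is rejected instead of queued.
        limit_req zone=solr_total burst=50 nodelay;
        limit_req_status 429;

        proxy_pass http://solr_local;
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Give up on the upstream after 2 s without a connection or
        # 5 s without response data; the client receives a 504.
        proxy_connect_timeout 2s;
        proxy_read_timeout 5s;
    }
}
```

The read timeout only stops nginx from waiting; the query keeps running inside Solr, and Solr's `timeAllowed` request parameter (in milliseconds) is the setting that bounds the search itself.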


Re: How to write custom Solr plugin that can be called core container level instead of core level

2022-11-15 Thread Ishan Chattopadhyaya
Here's a core container level plugin, for example:
https://github.com/yasa-org/yasa/tree/master/yasa-solr-plugin

On Mon, Nov 14, 2022 at 10:07 PM Gus Heck  wrote:

> In 9.x it should be possible to write a separate servlet that can answer
> custom non-search queries. Then all you need to edit is web.xml. You can
> now get hold of a core container
> via org.apache.solr.servlet.CoreContainerProvider#getCoreContainer.
>
> Looking at the code, it seems you still need to live in the apache package
> because that method is not public, but if you've got a demonstrable use
> case for it I don't see why that couldn't be made public in future
> versions. If that's tweaked to be public you could avoid changing implicit
> plugins, would not need to live under admin, and it should be possible to
> load from a separate jar if the jar is inserted
> into /server/solr-webapp/webapp/WEB-INF/lib
>
> A question to consider when choosing is whether you want the end point to
> be protected by authentication. If so then you're going to want to do it
> Shawn's way. If you want something publicly visible (say to infrastructure
> systems without login) then a servlet might be more useful since it will
> live outside of all our security stuff.
>
> On Mon, Nov 14, 2022 at 2:16 AM gnandre  wrote:
>
> > Thanks, Shawn. I think what you propose there will be very helpful. There
> > are definitely usecases where we want to work at the solr node level and
> > not core level. Fieldcache is one other example.
> >
> > In my case, I am trying to write a simple health check request handler
> that
> > makes sure that all cores on a particular node are loaded and are
> > queriable. The ping request handler works on a core level. The
> > /solr/admin/cores api works for me but it returns with the ok status even
> > if some other cores are still loading after solr restart.
> >
> > Ps. I am using legacy setup (non-cloud)
> >
> > On Mon, Nov 14, 2022, 2:04 AM Shawn Heisey  wrote:
> >
> > > On 11/13/22 23:55, Shawn Heisey wrote:
> > > > If you want to create your own global handler, then you can add a
> > > > definition to ImplicitPlugins.json, which is embedded in the
> solr-core
> > > > jar.  Unless you want to do jar surgery, it's best to make that
> change
> > > > in the source code and recompile Solr.
> > >
> > > See https://issues.apache.org/jira/browse/SOLR-15859 for an example
> > > where I am creating a new global handler.
> > >
> > > I am wondering if ImplicitPlugins.json could be put in a location like
> > > server/lib/ext so recompiling Solr or jar surgery isn't required.  I
> > > think server/lib/ext is searched on the classpath before WEB-INF.  Even
> > > better would be to have another json where user-specified implicit
> > > handlers can be defined.
> > >
> > > Thanks,
> > > Shawn
> > >
> > >
> >
>
>
> --
> http://www.needhamsoftware.com (work)
> http://www.the111shift.com (play)
>


Re: How to write custom Solr plugin that can be called core container level instead of core level

2022-11-15 Thread Ishan Chattopadhyaya
https://issues.apache.org/jira/browse/SOLR-14404

On Wed, Nov 16, 2022 at 12:46 AM Ishan Chattopadhyaya <
ichattopadhy...@gmail.com> wrote:

> Here's a core container level plugin, for example:
> https://github.com/yasa-org/yasa/tree/master/yasa-solr-plugin
>
> On Mon, Nov 14, 2022 at 10:07 PM Gus Heck  wrote:
>
>> In 9.x it should be possible to write a separate servlet that can answer
>> custom non-search queries. Then all you need to edit is web.xml. You can
>> now get hold of a core container
>> via org.apache.solr.servlet.CoreContainerProvider#getCoreContainer.
>>
>> Looking at the code, it seems you still need to live in the apache package
>> because that method is not public, but if you've got a demonstrable use
>> case for it I don't see why that couldn't be made public in future
>> versions. If that's tweaked to be public you could avoid changing implicit
>> plugins, would not need to live under admin, and it should be possible to
>> load from a separate jar if the jar is inserted
>> into /server/solr-webapp/webapp/WEB-INF/lib
>>
>> A question to consider when choosing is whether you want the end point to
>> be protected by authentication. If so then you're going to want to do it
>> Shawn's way. If you want something publicly visible (say to infrastructure
>> systems without login) then a servlet might be more useful since it will
>> live outside of all our security stuff.
>>
>> On Mon, Nov 14, 2022 at 2:16 AM gnandre  wrote:
>>
>> > Thanks, Shawn. I think what you propose there will be very helpful.
>> There
>> > are definitely usecases where we want to work at the solr node level and
>> > not core level. Fieldcache is one other example.
>> >
>> > In my case, I am trying to write a simple health check request handler
>> that
>> > makes sure that all cores on a particular node are loaded and are
>> > queriable. The ping request handler works on a core level. The
>> > /solr/admin/cores api works for me but it returns with the ok status
>> even
>> > if some other cores are still loading after solr restart.
>> >
>> > Ps. I am using legacy setup (non-cloud)
>> >
>> > On Mon, Nov 14, 2022, 2:04 AM Shawn Heisey  wrote:
>> >
>> > > On 11/13/22 23:55, Shawn Heisey wrote:
>> > > > If you want to create your own global handler, then you can add a
>> > > > definition to ImplicitPlugins.json, which is embedded in the
>> solr-core
>> > > > jar.  Unless you want to do jar surgery, it's best to make that
>> change
>> > > > in the source code and recompile Solr.
>> > >
>> > > See https://issues.apache.org/jira/browse/SOLR-15859 for an example
>> > > where I am creating a new global handler.
>> > >
>> > > I am wondering if ImplicitPlugins.json could be put in a location like
>> > > server/lib/ext so recompiling Solr or jar surgery isn't required.  I
>> > > think server/lib/ext is searched on the classpath before WEB-INF.
>> Even
>> > > better would be to have another json where user-specified implicit
>> > > handlers can be defined.
>> > >
>> > > Thanks,
>> > > Shawn
>> > >
>> > >
>> >
>>
>>
>> --
>> http://www.needhamsoftware.com (work)
>> http://www.the111shift.com (play)
>>
>


Solr 9 - Admin UI throwing error "The JSON must be an object of the form"

2022-11-15 Thread Susheel Kumar
Hello,

I am seeing Solr 9.0.0 admin UI throwing error "The JSON must be an object
of the form..." when adding any Permission under security tab.  Can someone
confirm and accordingly will create JIRA and also if there is any work
around?

Thnx


Re: How to write custom Solr plugin that can be called core container level instead of core level

2022-11-15 Thread gnandre
Thanks, Ishan. Is this available only in Solr 8.6+? I am using 8.5.0 :(

On Tue, Nov 15, 2022 at 2:19 PM Ishan Chattopadhyaya <
ichattopadhy...@gmail.com> wrote:

> https://issues.apache.org/jira/browse/SOLR-14404
>
> On Wed, Nov 16, 2022 at 12:46 AM Ishan Chattopadhyaya <
> ichattopadhy...@gmail.com> wrote:
>
> > Here's a core container level plugin, for example:
> > https://github.com/yasa-org/yasa/tree/master/yasa-solr-plugin
> >
> > On Mon, Nov 14, 2022 at 10:07 PM Gus Heck  wrote:
> >
> >> In 9.x it should be possible to write a separate servlet that can answer
> >> custom non-search queries. Then all you need to edit is web.xml. You can
> >> now get hold of a core container
> >> via org.apache.solr.servlet.CoreContainerProvider#getCoreContainer.
> >>
> >> Looking at the code, it seems you still need to live in the apache
> package
> >> because that method is not public, but if you've got a demonstrable use
> >> case for it I don't see why that couldn't be made public in future
> >> versions. If that's tweaked to be public you could avoid changing
> implicit
> >> plugins, would not need to live under admin, and it should be possible
> to
> >> load from a separate jar if the jar is inserted
> >> into /server/solr-webapp/webapp/WEB-INF/lib
> >>
> >> A question to consider when choosing is whether you want the end point
> to
> >> be protected by authentication. If so then you're going to want to do it
> >> Shawn's way. If you want something publicly visible (say to
> infrastructure
> >> systems without login) then a servlet might be more useful since it will
> >> live outside of all our security stuff.
> >>
> >> On Mon, Nov 14, 2022 at 2:16 AM gnandre 
> wrote:
> >>
> >> > Thanks, Shawn. I think what you propose there will be very helpful.
> >> There
> >> > are definitely usecases where we want to work at the solr node level
> and
> >> > not core level. Fieldcache is one other example.
> >> >
> >> > In my case, I am trying to write a simple health check request handler
> >> that
> >> > makes sure that all cores on a particular node are loaded and are
> >> > queriable. The ping request handler works on a core level. The
> >> > /solr/admin/cores api works for me but it returns with the ok status
> >> even
> >> > if some other cores are still loading after solr restart.
> >> >
> >> > Ps. I am using legacy setup (non-cloud)
> >> >
> >> > On Mon, Nov 14, 2022, 2:04 AM Shawn Heisey 
> wrote:
> >> >
> >> > > On 11/13/22 23:55, Shawn Heisey wrote:
> >> > > > If you want to create your own global handler, then you can add a
> >> > > > definition to ImplicitPlugins.json, which is embedded in the
> >> solr-core
> >> > > > jar.  Unless you want to do jar surgery, it's best to make that
> >> change
> >> > > > in the source code and recompile Solr.
> >> > >
> >> > > See https://issues.apache.org/jira/browse/SOLR-15859 for an example
> >> > > where I am creating a new global handler.
> >> > >
> >> > > I am wondering if ImplicitPlugins.json could be put in a location
> like
> >> > > server/lib/ext so recompiling Solr or jar surgery isn't required.  I
> >> > > think server/lib/ext is searched on the classpath before WEB-INF.
> >> Even
> >> > > better would be to have another json where user-specified implicit
> >> > > handlers can be defined.
> >> > >
> >> > > Thanks,
> >> > > Shawn
> >> > >
> >> > >
> >> >
> >>
> >>
> >> --
> >> http://www.needhamsoftware.com (work)
> >> http://www.the111shift.com (play)
> >>
> >
>


Re: How to write custom Solr plugin that can be called core container level instead of core level

2022-11-15 Thread gnandre
Also, is this supported only in SolrCloud mode?

On Tue, Nov 15, 2022 at 6:42 PM gnandre  wrote:

> Thanks, Ishan. Is this available only in Solr 8.6+? I am using 8.5.0 :(
>
> On Tue, Nov 15, 2022 at 2:19 PM Ishan Chattopadhyaya <
> ichattopadhy...@gmail.com> wrote:
>
>> https://issues.apache.org/jira/browse/SOLR-14404
>>
>> On Wed, Nov 16, 2022 at 12:46 AM Ishan Chattopadhyaya <
>> ichattopadhy...@gmail.com> wrote:
>>
>> > Here's a core container level plugin, for example:
>> > https://github.com/yasa-org/yasa/tree/master/yasa-solr-plugin
>> >
>> > On Mon, Nov 14, 2022 at 10:07 PM Gus Heck  wrote:
>> >
>> >> In 9.x it should be possible to write a separate servlet that can
>> answer
>> >> custom non-search queries. Then all you need to edit is web.xml. You
>> can
>> >> now get hold of a core container
>> >> via org.apache.solr.servlet.CoreContainerProvider#getCoreContainer.
>> >>
>> >> Looking at the code, it seems you still need to live in the apache
>> package
>> >> because that method is not public, but if you've got a demonstrable use
>> >> case for it I don't see why that couldn't be made public in future
>> >> versions. If that's tweaked to be public you could avoid changing
>> implicit
>> >> plugins, would not need to live under admin, and it should be possible
>> to
>> >> load from a separate jar if the jar is inserted
>> >> into /server/solr-webapp/webapp/WEB-INF/lib
>> >>
>> >> A question to consider when choosing is whether you want the end point
>> to
>> >> be protected by authentication. If so then you're going to want to do
>> it
>> >> Shawn's way. If you want something publicly visible (say to
>> infrastructure
>> >> systems without login) then a servlet might be more useful since it
>> will
>> >> live outside of all our security stuff.
>> >>
>> >> On Mon, Nov 14, 2022 at 2:16 AM gnandre 
>> wrote:
>> >>
>> >> > Thanks, Shawn. I think what you propose there will be very helpful.
>> >> There
>> >> > are definitely usecases where we want to work at the solr node level
>> and
>> >> > not core level. Fieldcache is one other example.
>> >> >
>> >> > In my case, I am trying to write a simple health check request
>> handler
>> >> that
>> >> > makes sure that all cores on a particular node are loaded and are
>> >> > queriable. The ping request handler works on a core level. The
>> >> > /solr/admin/cores api works for me but it returns with the ok status
>> >> even
>> >> > if some other cores are still loading after solr restart.
>> >> >
>> >> > Ps. I am using legacy setup (non-cloud)
>> >> >
>> >> > On Mon, Nov 14, 2022, 2:04 AM Shawn Heisey 
>> wrote:
>> >> >
>> >> > > On 11/13/22 23:55, Shawn Heisey wrote:
>> >> > > > If you want to create your own global handler, then you can add a
>> >> > > > definition to ImplicitPlugins.json, which is embedded in the
>> >> solr-core
>> >> > > > jar.  Unless you want to do jar surgery, it's best to make that
>> >> change
>> >> > > > in the source code and recompile Solr.
>> >> > >
>> >> > > See https://issues.apache.org/jira/browse/SOLR-15859 for an
>> example
>> >> > > where I am creating a new global handler.
>> >> > >
>> >> > > I am wondering if ImplicitPlugins.json could be put in a location
>> like
>> >> > > server/lib/ext so recompiling Solr or jar surgery isn't required.
>> I
>> >> > > think server/lib/ext is searched on the classpath before WEB-INF.
>> >> Even
>> >> > > better would be to have another json where user-specified implicit
>> >> > > handlers can be defined.
>> >> > >
>> >> > > Thanks,
>> >> > > Shawn
>> >> > >
>> >> > >
>> >> >
>> >>
>> >>
>> >> --
>> >> http://www.needhamsoftware.com (work)
>> >> http://www.the111shift.com (play)
>> >>
>> >
>>
>


SOLR 8.11 and Text4Shell ( commons-text 1.6)

2022-11-15 Thread Arwa Daqqaq
Hello team,

I was reading about the commons-text vulnerability, but I could not assure the 
recommended action by SOLR regarding this issue, I have read that version 1.10 
does not have this security issue, but is there a patch for SOLR or is SOLR not 
affected by it, please advise.
Currently I have SOLR 8.11 is it better to upgrade to version 9 or there is 
remedy or no issue for version 8.11 ?

This is what I found on Aptech page:

On 2022-10-13, the Apache Commons Text team disclosed CVE-2022-42889. Key takeaways:

  *   If you rely on software that uses a version of commons-text prior to 
1.10.0, you are likely still not vulnerable: you are only affected when this 
software uses the StringSubstitutor API without properly sanitizing any 
untrusted input.
  *   If your own software uses commons-text, double-check whether it uses the 
StringSubstitutor API without properly sanitizing any untrusted input. If so, 
an update to 1.10.0 could be a quick workaround, but the recommended solution 
is to also properly validate and sanitize any untrusted input.

Apache Commons Text is a low-level library for performing various text 
operations, such as escaping, calculating string differences, and substituting 
placeholders in the text with values looked up through interpolators. When 
using the string substitution feature, some of the available interpolators can 
trigger network access or code execution. This is intended, but it also means 
an application that includes user input in the string passed to the 
substitution without properly sanitizing it would allow an attacker to trigger 
those interpolators.

For that reason the Apache Commons Text team have decided to update the 
configuration to be more "secure by default", so that the impact of a failure 
to validate inputs is mitigated and will not give an attacker access to these 
interpolators. However, it is still recommended that users treat untrusted 
input with care.
From URL: Time-Consuming Remediation: Assessing the Impact of Text4Shell | eSecurityPlanet

Thanks!!

Arwa Daqqaq, CEDA | Business Intelligence Specialist
Center for Enterprise Data & Analytics (CEDA)
Enterprise Business Intelligence
Supporting the Department of Finance & Administration - Strategic Technology 
Solutions (STS)
901 Rep. John Lewis Way North, Nashville, TN 37243
Office: 615-741-2404 | Mobile: 615-424-8221
arwa.daq...@tn.gov
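
A way to find which commons-text jars an installation ships, as an added example that is not from the poster, the quoted advisory or the Solr project. Jars older than 1.10.0 are reported as REVIEW rather than vulnerable because, as the quoted advisory says, exposure depends on StringSubstitutor being used on untrusted input; the function names and the sample directory layout are constructed for the example.

```shell
#!/bin/sh
# Added example: list commons-text jars under a directory and flag those
# older than 1.10.0, the fixed release named in the quoted advisory.
# It matches jar file names only, so copies shaded into other jars are missed.
FIXED=1.10.0

# Succeed when dotted numeric version $1 is lower than $2 (1.6 < 1.10.0).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = x[i] + 0; q = y[i] + 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# Extract the version from a file name such as commons-text-1.6.jar.
jar_version() {
    basename "$1" .jar | sed -n 's/^commons-text-\([0-9][0-9.]*\).*$/\1/p'
}

# Print one verdict per jar found below DIR.
# Returns 1 when at least one jar predates $FIXED.
scan_commons_text() {
    found=0
    while IFS= read -r jar; do
        [ -n "$jar" ] || continue
        v=$(jar_version "$jar")
        if [ -z "$v" ]; then
            echo "UNKNOWN  $jar"
        elif version_lt "$v" "$FIXED"; then
            echo "REVIEW   $jar ($v < $FIXED)"
            found=1
        else
            echo "FIXED    $jar ($v)"
        fi
    done <<EOF
$(find "$1" -type f -name 'commons-text-*.jar' 2>/dev/null | sort)
EOF
    return $found
}

# Constructed sample tree: empty files named like the jars in question.
# The second directory is hypothetical.
make_sample_tree() {
    mkdir -p "$1/server/solr-webapp/webapp/WEB-INF/lib" "$1/contrib/example/lib"
    : > "$1/server/solr-webapp/webapp/WEB-INF/lib/commons-text-1.6.jar"
    : > "$1/contrib/example/lib/commons-text-1.10.0.jar"
}

# Real use: pass the Solr installation directory as the first argument.
if [ -n "${1:-}" ]; then
    scan_commons_text "$1"
fi
```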