SOLR-17584: Remove code and docs for "trusted" configsets (#3272)

All Configsets are now inherently "trusted".

Co-authored-by: aumarjikar <[email protected]>

Author: abumarjikar

solr/CHANGES.txt

@@ -164,6 +164,10 @@ Other Changes
 * SOLR-17706: SolrJ DocumentObjectBinder is now a global singleton via an INSTANCE field and that
   which is pluggable via Java SPI/ServiceLoader.  SolrClient.getBinder is gone.  (David Smiley)
 
+* SOLR-17584: There is no longer a distinction between trusted and untrusted configSets; all are now trusted.
+  To ensure security, Solr should enforce authentication and authorization,
+  allowing only authorized admins to publish them. (Abhishek Umarjikar)
+
 ==================  9.9.0 ==================
 New Features
 ---------------------

solr/core/src/java/org/apache/solr/cli/CreateTool.java

@@ -283,7 +283,7 @@ protected void createCollection(CloudSolrClient cloudSolrClient, CommandLine cli
               + " to ZooKeeper at "
               + cloudSolrClient.getClusterStateProvider().getQuorumHosts());
       // We will trust the config since we have the Zookeeper Address
-      configSetService.uploadConfig(confName, confPath, true);
+      configSetService.uploadConfig(confName, confPath);
     }
 
     // since creating a collection is a heavy-weight operation, check for existence first

solr/core/src/java/org/apache/solr/cloud/ZkConfigSetService.java

@@ -167,7 +167,7 @@ public void copyConfig(String fromConfig, String toConfig) throws IOException {
   }
 
   @Override
-  protected void uploadConfig(String configName, Path dir) throws IOException {
+  public void uploadConfig(String configName, Path dir) throws IOException {
     zkClient.uploadToZK(
         dir, CONFIGS_ZKNODE + "/" + configName, ConfigSetService.UPLOAD_FILENAME_EXCLUDE_PATTERN);
   }

solr/core/src/java/org/apache/solr/cloud/api/collections/RestoreCmd.java

@@ -150,7 +150,6 @@ private static class RestoreContext implements Closeable {
     final URI location;
     final URI backupPath;
     final List<String> nodeList;
-    final boolean requestIsTrusted;
 
     final CoreContainer container;
     final BackupRepository repository;
@@ -166,7 +165,6 @@ private RestoreContext(ZkNodeProps message, CollectionCommandContext ccc) throws
       this.asyncId = message.getStr(ASYNC);
       this.repo = message.getStr(CoreAdminParams.BACKUP_REPOSITORY);
       this.backupId = message.getInt(CoreAdminParams.BACKUP_ID, -1);
-      this.requestIsTrusted = message.getBool(CoreAdminParams.TRUSTED, false);
 
       this.container = ccc.getCoreContainer();
       this.repository = this.container.newBackupRepository(repo);
@@ -230,8 +228,7 @@ public void process(NamedList<Object> results, RestoreContext rc) throws Excepti
           rc.backupProperties.getConfigName(),
           rc.restoreConfigName,
           rc.backupManager,
-          rc.container.getConfigSetService(),
-          rc.requestIsTrusted);
+          rc.container.getConfigSetService());
 
       log.info(
           "Starting restore into collection={} with backup_name={} at location={}",
@@ -296,8 +293,7 @@ private void uploadConfig(
         String configName,
         String restoreConfigName,
         BackupManager backupMgr,
-        ConfigSetService configSetService,
-        boolean requestIsTrusted)
+        ConfigSetService configSetService)
         throws IOException {
       if (configSetService.checkConfigExists(restoreConfigName)) {
         log.info(
@@ -309,8 +305,7 @@ private void uploadConfig(
             "Config with name {} does not already exist in ZooKeeper. Will restore from Backup.",
             restoreConfigName);
 
-        backupMgr.uploadConfigDir(
-            configName, restoreConfigName, configSetService, requestIsTrusted);
+        backupMgr.uploadConfigDir(configName, restoreConfigName, configSetService);
       }
     }
 

solr/core/src/java/org/apache/solr/core/ConfigSet.java

@@ -35,20 +35,16 @@ public class ConfigSet {
 
   private final NamedList<?> properties;
 
-  private final boolean trusted;
-
   public ConfigSet(
       String name,
       SolrConfig solrConfig,
       SchemaSupplier indexSchemaSupplier,
-      NamedList<?> properties,
-      boolean trusted) {
+      NamedList<?> properties) {
     this.name = name;
     this.solrConfig = solrConfig;
     this.schemaSupplier = indexSchemaSupplier;
     schema = schemaSupplier.get(true);
     this.properties = properties;
-    this.trusted = trusted;
   }
 
   public String getName() {
@@ -75,10 +71,6 @@ public NamedList<?> getProperties() {
     return properties;
   }
 
-  public boolean isTrusted() {
-    return trusted;
-  }
-
   /**
    * Provide a Schema object on demand We want IndexSchema Objects to be lazily instantiated because
    * when a configset is created the {@link SolrResourceLoader} associated with it is not associated

solr/core/src/java/org/apache/solr/core/ConfigSetService.java

@@ -23,7 +23,6 @@
 import java.lang.reflect.Constructor;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
@@ -117,7 +116,7 @@ private void bootstrapDefaultConf() throws IOException {
             "intended to be the default. Current 'solr.default.confdir' value:",
             System.getProperty(SolrDispatchFilter.SOLR_DEFAULT_CONFDIR_ATTRIBUTE));
       } else {
-        this.uploadConfig(ConfigSetsHandler.DEFAULT_CONFIGSET_NAME, configDirPath, true);
+        this.uploadConfig(ConfigSetsHandler.DEFAULT_CONFIGSET_NAME, configDirPath);
       }
     }
   }
@@ -132,7 +131,7 @@ private void bootstrapConfDir(String confDir) throws IOException {
     String confName =
         System.getProperty(
             ZkController.COLLECTION_PARAM_PREFIX + ZkController.CONFIGNAME_PROP, "configuration1");
-    this.uploadConfig(confName, configPath, true);
+    this.uploadConfig(confName, configPath);
   }
 
   /**
@@ -216,47 +215,10 @@ public static void bootstrapConf(CoreContainer cc) throws IOException {
       if (StrUtils.isNullOrEmpty(confName)) confName = coreName;
       Path udir = cd.getInstanceDir().resolve("conf");
       log.info("Uploading directory {} with name {} for solrCore {}", udir, confName, coreName);
-      cc.getConfigSetService().uploadConfig(confName, udir, true);
+      cc.getConfigSetService().uploadConfig(confName, udir);
     }
   }
 
-  /**
-   * Return whether the given configSet is trusted.
-   *
-   * @param name name of the configSet
-   */
-  public boolean isConfigSetTrusted(String name) throws IOException {
-    Map<String, Object> contentMap = getConfigMetadata(name);
-    return (boolean) contentMap.getOrDefault("trusted", true);
-  }
-
-  /**
-   * Return whether the configSet used for the given resourceLoader is trusted.
-   *
-   * @param coreLoader resourceLoader for a core
-   */
-  public boolean isConfigSetTrusted(SolrResourceLoader coreLoader) throws IOException {
-    // ConfigSet flags are loaded from the metadata of the ZK node of the configset. (For the
-    // ZKConfigSetService)
-    NamedList<?> flags = loadConfigSetFlags(coreLoader);
-
-    // Trust if there is no trusted flag (i.e. the ConfigSetApi was not used for this configSet)
-    // or if the trusted flag is set to "true".
-    return (flags == null || flags.get("trusted") == null || flags.getBooleanArg("trusted"));
-  }
-
-  /**
-   * Change the trust of the given configSet.
-   *
-   * @param name name of the configSet
-   * @param isTrusted whether the given configSet should be trusted or not
-   */
-  public void setConfigSetTrust(String name, boolean isTrusted) throws IOException {
-    Map<String, Object> contentMap = new HashMap<>(getConfigMetadata(name));
-    contentMap.put("trusted", isTrusted);
-    setConfigMetadata(name, contentMap);
-  }
-
   /**
    * Load the ConfigSet for a core
    *
@@ -270,7 +232,6 @@ public final ConfigSet loadConfigSet(CoreDescriptor dcore) {
     try {
       // ConfigSet properties are loaded from ConfigSetProperties.DEFAULT_FILENAME file.
       NamedList<?> properties = loadConfigSetProperties(dcore, coreLoader);
-      boolean trusted = isConfigSetTrusted(coreLoader);
 
       SolrConfig solrConfig = createSolrConfig(dcore, coreLoader);
       return new ConfigSet(
@@ -283,8 +244,7 @@ public final ConfigSet loadConfigSet(CoreDescriptor dcore) {
               throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, e.getMessage(), e);
             }
           },
-          properties,
-          trusted);
+          properties);
     } catch (Exception e) {
       throw new SolrException(
           SolrException.ErrorCode.SERVER_ERROR,
@@ -418,20 +378,7 @@ protected NamedList<Object> loadConfigSetFlags(SolrResourceLoader loader) throws
    * @param dir {@link Path} to the files
    * @throws IOException if an I/O error occurs or the path does not exist
    */
-  protected abstract void uploadConfig(String configName, Path dir) throws IOException;
-
-  /**
-   * Upload files from a given path to config, which will explicitly be trusted or not.
-   *
-   * @param configName the config name
-   * @param dir {@link Path} to the files
-   * @param isTrusted whether the config being uploaded is trusted
-   * @throws IOException if an I/O error occurs or the path does not exist
-   */
-  public void uploadConfig(String configName, Path dir, boolean isTrusted) throws IOException {
-    setConfigSetTrust(configName, isTrusted);
-    uploadConfig(configName, dir);
-  }
+  public abstract void uploadConfig(String configName, Path dir) throws IOException;
 
   /**
    * Upload a file to config If file does not exist, it will be uploaded If overwriteOnExists is set
@@ -507,22 +454,6 @@ public abstract void deleteFilesFromConfig(String configName, List<String> files
   protected abstract void setConfigMetadata(String configName, Map<String, Object> data)
       throws IOException;
 
-  /**
-   * Set the config metadata If config does not exist, it will be created and set metadata on it
-   * Else metadata will be replaced with the provided metadata. This will preserve the trust that
-   * the configSet already has if trust is not included in the metadata.
-   *
-   * @param configName the config name
-   * @param data the metadata to be set on config
-   */
-  public void setConfigMetadataWithTrust(String configName, Map<String, Object> data)
-      throws IOException {
-    if (!data.containsKey("trusted")) {
-      data.put("trusted", isConfigSetTrusted(configName));
-    }
-    setConfigMetadata(configName, data);
-  }
-
   /**
    * Get the config metadata (mutable, non-null)
    *

solr/core/src/java/org/apache/solr/core/CoreContainer.java

@@ -1741,13 +1741,11 @@ private SolrCore createFromDescriptor(
       }
 
       ConfigSet coreConfig = coreConfigService.loadConfigSet(dcore);
-      dcore.setConfigSetTrusted(coreConfig.isTrusted());
       if (log.isInfoEnabled()) {
         log.info(
-            "Creating SolrCore '{}' using configuration from {}, trusted={}",
+            "Creating SolrCore '{}' using configuration from {}",
             dcore.getName(),
-            coreConfig.getName(),
-            dcore.isConfigSetTrusted());
+            coreConfig.getName());
       }
       try {
         core = new SolrCore(this, dcore, coreConfig);

solr/core/src/java/org/apache/solr/core/CoreDescriptor.java

@@ -66,13 +66,6 @@ public class CoreDescriptor {
   public static final String DEFAULT_EXTERNAL_PROPERTIES_FILE =
       "conf" + FileSystems.getDefault().getSeparator() + "solrcore.properties";
 
-  /**
-   * Whether this core was configured using a configSet that was trusted. This helps in avoiding the
-   * loading of plugins that have potential vulnerabilities, when the configSet was not uploaded
-   * from a trusted user.
-   */
-  private boolean trustedConfigSet = true;
-
   /**
    * Get the standard properties in persistable form
    *
@@ -174,7 +167,6 @@ public CoreDescriptor(String coreName, CoreDescriptor other) {
     this.coreProperties.setProperty(CORE_NAME, coreName);
     this.originalCoreProperties.setProperty(CORE_NAME, coreName);
     this.substitutableProperties.setProperty(SOLR_CORE_PROP_PREFIX + CORE_NAME, coreName);
-    this.trustedConfigSet = other.trustedConfigSet;
   }
 
   /**
@@ -396,13 +388,4 @@ public void setConfigSet(String configSetName) {
   public String getConfigSetPropertiesName() {
     return coreProperties.getProperty(CORE_CONFIGSET_PROPERTIES);
   }
-
-  public boolean isConfigSetTrusted() {
-    return trustedConfigSet;
-  }
-
-  /** TODO remove mutability */
-  public void setConfigSetTrusted(boolean trusted) {
-    this.trustedConfigSet = trusted;
-  }
 }

solr/core/src/java/org/apache/solr/core/FileSystemConfigSetService.java

@@ -140,7 +140,7 @@ public FileVisitResult postVisitDirectory(Path dir, IOException ioException)
   }
 
   @Override
-  protected void uploadConfig(String configName, Path source) throws IOException {
+  public void uploadConfig(String configName, Path source) throws IOException {
     Path dest = getConfigDir(configName);
     copyRecursively(source, dest);
   }

solr/core/src/java/org/apache/solr/core/SyntheticSolrCore.java

@@ -64,7 +64,6 @@ public static SyntheticSolrCore createAndRegisterCore(
     syntheticCoreDescriptor.setConfigSet(configSetName);
     ConfigSet coreConfig =
         coreContainer.getConfigSetService().loadConfigSet(syntheticCoreDescriptor);
-    syntheticCoreDescriptor.setConfigSetTrusted(coreConfig.isTrusted());
     SyntheticSolrCore syntheticCore =
         new SyntheticSolrCore(coreContainer, syntheticCoreDescriptor, coreConfig);
     coreContainer.registerCore(syntheticCoreDescriptor, syntheticCore, false, false);

solr/core/src/java/org/apache/solr/core/backup/BackupManager.java

@@ -255,16 +255,12 @@ public void writeCollectionState(String collectionName, DocCollection collection
    * @throws IOException in case of I/O errors.
    */
   public void uploadConfigDir(
-      String sourceConfigName,
-      String targetConfigName,
-      ConfigSetService configSetService,
-      boolean requestIsTrusted)
+      String sourceConfigName, String targetConfigName, ConfigSetService configSetService)
       throws IOException {
     URI source = repository.resolveDirectory(getZkStateDir(), CONFIG_STATE_DIR, sourceConfigName);
     if (!repository.exists(source)) {
       throw new IllegalArgumentException("Configset expected at " + source + " does not exist");
     }
-    configSetService.setConfigSetTrust(targetConfigName, requestIsTrusted);
     uploadConfigToSolrCloud(configSetService, source, targetConfigName, "");
   }
 

solr/core/src/java/org/apache/solr/handler/admin/api/RestoreCollection.java

@@ -29,7 +29,6 @@
 import static org.apache.solr.common.params.CoreAdminParams.BACKUP_ID;
 import static org.apache.solr.common.params.CoreAdminParams.BACKUP_LOCATION;
 import static org.apache.solr.common.params.CoreAdminParams.BACKUP_REPOSITORY;
-import static org.apache.solr.common.params.CoreAdminParams.TRUSTED;
 import static org.apache.solr.handler.admin.CollectionsHandler.DEFAULT_COLLECTION_OP_TIMEOUT;
 import static org.apache.solr.security.PermissionNameProvider.Name.COLL_EDIT_PERM;
 
@@ -52,7 +51,6 @@
 import org.apache.solr.common.util.Utils;
 import org.apache.solr.core.CoreContainer;
 import org.apache.solr.handler.admin.CollectionsHandler;
-import org.apache.solr.handler.configsets.ConfigSetAPIBase;
 import org.apache.solr.jersey.PermissionName;
 import org.apache.solr.request.SolrQueryRequest;
 import org.apache.solr.response.SolrQueryResponse;
@@ -168,10 +166,6 @@ public ZkNodeProps createRemoteMessage(
     // Copy restore-specific parameters
     remoteMessage.put(QUEUE_OPERATION, CollectionParams.CollectionAction.RESTORE.toLower());
     remoteMessage.put(NAME, backupName);
-    remoteMessage.put(
-        TRUSTED,
-        ConfigSetAPIBase.isTrusted(
-            solrQueryRequest.getUserPrincipal(), coreContainer.getAuthenticationPlugin()));
     return new ZkNodeProps(remoteMessage);
   }
 

solr/core/src/java/org/apache/solr/handler/configsets/CloneConfigSet.java

@@ -18,7 +18,6 @@
 package org.apache.solr.handler.configsets;
 
 import static org.apache.solr.common.params.CommonParams.NAME;
-import static org.apache.solr.handler.admin.ConfigSetsHandler.DISABLE_CREATE_AUTH_CHECKS;
 import static org.apache.solr.security.PermissionNameProvider.Name.CONFIG_EDIT_PERM;
 
 import jakarta.inject.Inject;
@@ -63,15 +62,6 @@ public SolrJerseyResponse cloneExistingConfigSet(CloneConfigsetRequestBody reque
           "Base ConfigSet does not exist: " + requestBody.baseConfigSet);
     }
 
-    if (!DISABLE_CREATE_AUTH_CHECKS
-        && !isTrusted(solrQueryRequest.getUserPrincipal(), coreContainer.getAuthenticationPlugin())
-        && configSetService.isConfigSetTrusted(requestBody.baseConfigSet)) {
-      throw new SolrException(
-          SolrException.ErrorCode.UNAUTHORIZED,
-          "Can't create a configset with an unauthenticated request from a trusted "
-              + ConfigSetCmds.BASE_CONFIGSET);
-    }
-
     final Map<String, Object> configsetCommandMsg = new HashMap<>();
     configsetCommandMsg.put(NAME, requestBody.name);
     configsetCommandMsg.put(ConfigSetCmds.BASE_CONFIGSET, requestBody.baseConfigSet);