lucene-dev mailing list archives

From "Noble Paul (JIRA)" <>
Subject [jira] [Commented] (SOLR-7576) Implement RequestHandler in Javascript
Date Thu, 06 Aug 2015 17:21:05 GMT


Noble Paul commented on SOLR-7576:

bq. We've had JS, we've had XSLT, etc, in our config directory for a long time. What is different about this new approach that it demands a more secure approach in all situations

We don't give an HTTP API to upload any executable (XSLT/JS). You need direct access to ZK.
Solr is moving deeper and deeper into the enterprise and security cannot be an afterthought.
So, if there are security holes in our system, we should close them instead of opening new

bq. I know that a lot of normal users will find the .system and the HTTP post part hard to

I miss that point. Users do not need to know anything about {{.system}} collection or anything.
They should just blindly run a curl command to upload a new version of their JS. That is just
one step. The problem starts when you start explaining the innards of the system. You should
just say "If you want to upload a new version of your JS, this is the command". {{curl -X POST -H 'Content-Type: application/octet-stream' --data-binary @test.js http://localhost:8983/solr/.system/blob/test}}
It does not matter to the user whether the JS is going to live in the cloud, ZK, filesystem
or whatever, it just works. Solr is managing it for them.

BTW I'm not saying this is the best design possible. Please suggest a simpler way to submit
code to SolrCloud and we can adopt that

> Implement RequestHandler in Javascript
> --------------------------------------
>                 Key: SOLR-7576
>                 URL:
>             Project: Solr
>          Issue Type: New Feature
>            Reporter: Noble Paul
>         Attachments: SOLR-7576.patch, SOLR-7576.patch
> Solr now supports dynamic loading (SOLR-7073) of components and it is secured in SOLR-7126
> We can extend the same functionality with JS as well
> the handler {{/js}} is implicitly registered
> To make this work
> * Solr should be started with {{-Denable.js.loading=true}}
> * The javascript must be loaded to the {{.system}} collection using the blob store API
> * Sign the javascript and pass the signature in a param called {{_sig}}
> The {{JSRequestHandler}} is implicitly defined and it can be accessed by hitting {{/js/<jsname>/<version>}}

> Steps for developing scripts
> # start the cluster with the {{enable.js.loading}}. If you are starting using our script it would be {{bin/solr start -e cloud -a "-Denable.js.loading=true"}}. You would not need security during development, so don't add the private keys to Solr
> # create {{.system}} collection {{bin/solr create -c .system}}
> # Write your javascript code. (say {{test.js}})
> # post it to {{.system}} collection. {{curl -X POST -H 'Content-Type: application/octet-stream' --data-binary @test.js http://localhost:8983/solr/.system/blob/test}}
> # run your script {{http://host:8983/solr/gettingstarted/js/test/1}}
> # Edit your script and repeat from step #4. Keep in mind that the version would be bumped up every time you post a new script. So, the second time the url would be {{http://host:8983/solr/gettingstarted/js/test/2}}. So on and so forth
> sample programs
> 1) writes a val to output
> {code:javascript}
> //empty line
> $.response().add('testkey','Test Val');
> {code}
> 2)  manipulate the output to add an extra field to each doc 
> {code}
> //empty line
> var l = [];
> $.query({
>               q: '*:*',
>               qt: '/select',
>               start:0,
>           }).forEach('response', function(doc) {
>                                          doc.put('script', 'Added this value');
>                                          l.push(doc);
>           });
>  $.response().add('alldocs', l);
> {code}
> 3)  stream through all the docs
> {code:Javascript}
> //empty line
> $.query({
>               q: '*:*',
>               qt: '/select',
>               start:0,
>               distrib:'false'
>           }).pipe('response', 'docs', function(doc) { // the pipe function is executed right before the response writer and right after the transformers
>                                          if('IT'== doc.get('genre_s')) return null;
>                                          doc.put('script', 'Added this value');
>                                          return doc;
>           });
> {code}
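
The `_sig` requirement in the issue description is what separates uploading a script over HTTP from running it. The sketch below is an added example, not code from this message or from Solr: it shows a sign-then-verify gate applied to a stored script before execution. The algorithm (RSA with SHA-256), the base64 encoding, the function names, and the rule that an empty trusted-key list means development mode are all assumptions made for illustration.

```javascript
// Added illustration, not Solr code. Assumed: RSA keys, SHA-256 digest,
// base64 signature; signScript and verifyBeforeLoad are hypothetical names.
const crypto = require('crypto');

// Constructed key pair. In a real deployment the private key stays with the
// script owner and only the public key is installed on the server.
const { publicKey, privateKey } =
  crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Deployer side: sign the exact bytes that are posted to the blob store.
function signScript(scriptBytes, privKey) {
  return crypto.sign('sha256', scriptBytes, privKey).toString('base64');
}

// Server side: decide whether a stored blob may be executed for this request.
function verifyBeforeLoad(scriptBytes, sigParam, trustedPubKeys) {
  // Assumption: no trusted keys installed means development mode, no check.
  if (trustedPubKeys.length === 0) {
    return { load: true, reason: 'unsigned mode' };
  }
  // Once keys are installed, a request without a signature is refused.
  if (typeof sigParam !== 'string' || sigParam.length === 0) {
    return { load: false, reason: 'missing _sig' };
  }
  const sig = Buffer.from(sigParam, 'base64');
  // Accept if any installed key verifies the signature over the stored bytes.
  const ok = trustedPubKeys.some(
    (key) => crypto.verify('sha256', scriptBytes, key, sig));
  return ok
    ? { load: true, reason: 'signature valid' }
    : { load: false, reason: 'signature mismatch' };
}

// Constructed sample: the first sample program from the issue, then a copy
// that was modified after it was signed.
const script = Buffer.from("$.response().add('testkey','Test Val');\n");
const sig = signScript(script, privateKey);
const tampered = Buffer.concat([script, Buffer.from('// changed later\n')]);

console.log(verifyBeforeLoad(script, sig, [publicKey]).reason);
console.log(verifyBeforeLoad(tampered, sig, [publicKey]).reason);
console.log(verifyBeforeLoad(script, undefined, [publicKey]).reason);
```

Because the signature covers the stored bytes, anyone who can reach the upload endpoint can still post a blob, but only blobs signed by a holder of the private key are executed once keys are installed.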
