Error when using <lib> directives in Solr configsets created via Fusion UI

Issue

Collections created in Fusion 5.9.13 fail to initialize when the Solr configset includes <lib> directives. The following error appears in logs or the Fusion UI:

Error:

The configset for this collection was uploaded without any authentication in place, and use of <lib> is not available for collections with untrusted configsets. To use this component, re-upload the configset after enabling authentication and authorization.

Diagnosis

This issue occurs when the Solr configset is uploaded using the Solr ConfigSets API without authentication enabled. Solr treats these configsets as "untrusted," and untrusted configsets are not permitted to use <lib> directives in solrconfig.xml.

This restriction is enforced as a security measure in Solr 8.4 and above, including the version bundled with Fusion 5.9.13 (Solr 9.6.1).

Environment

• Fusion 5.9.13

• Solr 9.6.1 (bundled)

• Self-managed Fusion deployments

• Kubernetes (EKS, AKS, or GKE)

• Collections created via Fusion UI → Collections Manager

Cause

Solr disables <lib> directive support for configsets uploaded through unauthenticated ConfigSet API requests. Configsets uploaded in this manner are flagged as untrusted and cannot initialize components requiring dynamic JAR loading.

Resolution

To resolve this issue, use one of the following approaches:

Option 1: Upload the configset using the Solr zkcli.sh or bin/solr CLI

Configsets uploaded using the CLI are considered trusted and will allow <lib> directives.

Example using zkcli.sh inside a Solr container:

/opt/solr/server/scripts/cloud-scripts/zkcli.sh \
  -zkhost <ZK-HOST> \
  -cmd upconfig \
  -confname <CONFIGSET_NAME> \
  -confdir /path/to/configset

Make sure the confdir includes your custom solrconfig.xml with the <lib> directives included.

This approach requires access to the Solr container or pod, and a local copy of the configset directory.

Option 2: Add libraries directly to the Solr classpath

If possible, place required JARs in a Solr classpath directory, such as:

/opt/solr/server/lib/

Once added, restart the Solr pods to ensure the new libraries are loaded. When libraries are on the classpath, you do not need to use the <lib> directive.

This is suitable for libraries used across multiple collections, such as Basistech or language packs.

Option 3: Enable Solr authentication and authorization

If you must use the ConfigSets API to manage configsets (e.g., through Fusion UI or scripts), then Solr authentication must be enabled to mark configsets as trusted.

Follow Solr’s documentation to enable BasicAuth and Rule-Based Authorization:

• https://solr.apache.org/guide/solr/latest/security-guide.html

Once authentication is enabled, configsets uploaded via the ConfigSets API will be considered trusted, and <lib> directives will be allowed.

Note: Enabling authentication requires downtime and coordination across services and clients that interact with Solr.

Additional information

The underlying Solr restriction is described in SOLR-14071:

Untrusted configsets (ones uploaded via unsecured configset API) cannot use <lib> directive. Consider enabling authentication/authorization or using zkcli.sh to upload the config.

For more background, see:

• Solr configset trust model: https://solr.apache.org/guide/solr/latest/configuration-guide/configsets-api.html

• Alternatives to <lib> usage: https://solr.apache.org/guide/solr/latest/configuration-guide/libs.html#lib-directories