Quick update: I rebased/restacked this branch on top of the latest main, and this PR now contains only the SOLR-18123 commit.

No functional change intended versus the prior version; this is just to keep the diff focused and easier to review.

Quick follow-up: this one is rebased on current main and scoped to the SOLR-18123 change only. If any part should be split further, I can update it.

Updated RenameCoreAPITest.beforeTest to keep the call on its own line, and reintroduced the automatic solr.security.allow.paths setup inside SolrTestCase.beforeSolrTestCase() so tests that rely on ExternalPaths.SERVER_HOME no longer need the manual EnvUtils.setProperty call. Verified the change with ./gradlew :solr:core:test --tests org.apache.solr.handler.admin.api.RenameCoreAPITest.

Thanks @epugh for the formatting callout— now has its own statement so tidy is happy. The automatic solr.security.allow.paths helper is back inside SolrTestCase.beforeSolrTestCase(), so the test no longer needs to reach for EnvUtils.setProperty.

Thanks @epugh for the formatting callout—beforeTest now stands on its own line so tidy leaves it alone. The automatic solr.security.allow.paths helper is back in SolrTestCase.beforeSolrTestCase(), so the test no longer needs EnvUtils.setProperty.

Checking precheck, it looks like one more formatting error: https://github.com/apache/solr/actions/runs/23120891467/job/67158091809?pr=4215

@dsmiley can you look at the SolrTestCase one more time? I think this is ready to merge.

Can you please address my question first? It's not yet clear what the right path is.

Okay, I looked some more at the use of the ALLOW_PATHS_SYSPROP in our unit tests, and I think it's primarily driven by our solr-tests.policy use requiring it, not of our actual java code.... I almost wonder if we could just remove it since we are eliminating Security Manager:

solr-tests.policy

permission java.io.FilePermission "${solr.security.allow.paths}", "read,write,delete,readlink";
permission java.io.FilePermission "${solr.security.allow.paths}${/}-", "read,write,delete,readlink";

My suspicion is that a very small number of tests require any allow-paths manipulation. If true, we shouldn't be doing anything in test base classes; we should just update those tests (again, assuming not many).

I suspect security.policy isn't really related. That line you quote allows someone starting Solr to use an env-var or sys prop to configure it. Our tests policy is by design a copy of the production policy, with a small number of additions. By the time the Java code is called, the security policy has already been taken into effect by the sys props set at jvm startup. Thus a test can't possibly influence it.

Addressed the remaining review concern and pushed commit 0161fb7.

What changed:

• Removed the global ALLOW_PATHS_SYSPROP behavior from SolrTestCase.
• Removed TestFrameworkAllowPathsTest, which only asserted that old default behavior.
• Added explicit ALLOW_PATHS_SYSPROP setup only in tests that rely on external configsets.

Validation:

• Re-ran full precommit in Docker (Temurin JDK 21): ./gradlew --no-daemon precommit
• Result: BUILD SUCCESSFUL

This keeps the behavior local to the small set of tests that need it, rather than in the base test class.

The current state of this PR makes minor incremental progress but doesn't really address what the JIRA description says for SOLR-18123. Whoever tackles this should attempt to fundamentally understand what this system property is for, what reads it (hint: solr.xml allowPaths default, and NodeConfig, CoreContainer as well) to see what is being protected, and wether that even makes sense to do in tests. The ref guide probably documents allowPaths. I wrote the JIRA description -- I do not think it makes sense to protect which dirs can be written in a test situation. It appears this setting has been abused to apply to other related things beyond its original scope from its original purpose. Please review that. I don't see why a core would ever need to be written outside of the coreRootDir, and so I'm not sure why allowPaths needs to exist if it only protects that. So I only have partial information here; exploration is needed. I think the ultimate outcome should be that very few tests if any explicitly customize allowPaths. Like, only tests actually testing that this mechanism works.