From 7a92bbfcb18153157c346c623b326fe8da7079e0 Mon Sep 17 00:00:00 2001
From: James Dyer <jdyer@apache.org>
Date: Mon, 11 Dec 2023 08:02:59 -0600
Subject: [PATCH 01/21] SOLR-15484 JWTAuthPluginIntegrationTest - dynamically
 generate the self-signed certificate using the localhost loopback address
 (#2099)

SOLR-15484: dynamically generate the self-signed certificate using the localhost loopback address
---
 .../randomization/policies/solr-tests.policy  |   4 +
 solr/modules/jwt-auth/build.gradle            |   2 +
 .../solr/security/jwt/JWTIssuerConfig.java    |  17 ++-
 .../jwt/JWTAuthPluginIntegrationTest.java     |  17 ++-
 .../solr/security/jwt/KeystoreGenerator.java  | 116 ++++++++++++++++++
 5 files changed, 144 insertions(+), 12 deletions(-)
 create mode 100644 solr/modules/jwt-auth/src/test/org/apache/solr/security/jwt/KeystoreGenerator.java

diff --git a/gradle/testing/randomization/policies/solr-tests.policy b/gradle/testing/randomization/policies/solr-tests.policy
index 276532b519d..86871e72613 100644
--- a/gradle/testing/randomization/policies/solr-tests.policy
+++ b/gradle/testing/randomization/policies/solr-tests.policy
@@ -162,6 +162,10 @@ grant {
   permission javax.security.auth.AuthPermission "createLoginContext.Server";
   permission javax.security.auth.AuthPermission "createLoginContext.Client";
 
+  // Needed by BouncyCastle in jwt-auth tests
+  permission java.security.SecurityPermission "putProviderProperty.BC";
+  permission java.security.SecurityPermission "getProperty.org.bouncycastle.x509.allow_non-der_tbscert";
+
   // may only be necessary with Java 7?
   permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KeyTab * \"*\"", "read";
   permission javax.security.auth.PrivateCredentialPermission "sun.security.jgss.krb5.Krb5Util$KeysFromKeyTab * \"*\"", "read";
diff --git a/solr/modules/jwt-auth/build.gradle b/solr/modules/jwt-auth/build.gradle
index 1b420899e33..17886099e18 100644
--- a/solr/modules/jwt-auth/build.gradle
+++ b/solr/modules/jwt-auth/build.gradle
@@ -61,6 +61,8 @@ dependencies {
   testImplementation 'com.fasterxml.jackson.core:jackson-databind'
   permitTestUnusedDeclared 'com.fasterxml.jackson.core:jackson-databind'
 
+  testImplementation 'org.bouncycastle:bcpkix-jdk15on'
+  testImplementation 'org.bouncycastle:bcprov-jdk15on'
   testImplementation 'com.nimbusds:nimbus-jose-jwt'
   testImplementation 'com.squareup.okhttp3:mockwebserver'
   testImplementation 'com.squareup.okhttp3:okhttp'
diff --git a/solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTIssuerConfig.java b/solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTIssuerConfig.java
index 947d040da8b..b7e650c1401 100644
--- a/solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTIssuerConfig.java
+++ b/solr/modules/jwt-auth/src/java/org/apache/solr/security/jwt/JWTIssuerConfig.java
@@ -22,6 +22,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.lang.invoke.MethodHandles;
+import java.net.InetAddress;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.nio.charset.Charset;
@@ -423,6 +424,14 @@ public boolean isValid() {
     return jwkConfigured > 0;
   }
 
+  private static void disableHostVerificationIfLocalhost(URL url, Get httpGet) {
+    InetAddress loopbackAddress = InetAddress.getLoopbackAddress();
+    if (loopbackAddress.getCanonicalHostName().equals(url.getHost())
+        || loopbackAddress.getHostName().equals(url.getHost())) {
+      httpGet.setHostnameVerifier((hostname, session) -> true);
+    }
+  }
+
   public void setTrustedCerts(Collection<X509Certificate> trustedCerts) {
     this.trustedCerts = trustedCerts;
   }
@@ -472,9 +481,7 @@ private HttpsJwks create(String url) {
       if (trustedCerts != null) {
         Get getWithCustomTrust = new Get();
         getWithCustomTrust.setTrustedCertificates(trustedCerts);
-        if ("localhost".equals(jwksUrl.getHost())) {
-          getWithCustomTrust.setHostnameVerifier((hostname, session) -> true);
-        }
+        disableHostVerificationIfLocalhost(jwksUrl, getWithCustomTrust);
         httpsJkws.setSimpleHttpGet(getWithCustomTrust);
       }
       return httpsJkws;
@@ -525,9 +532,7 @@ public static WellKnownDiscoveryConfig parse(
           Get httpGet = new Get();
           if (trustedCerts != null) {
             httpGet.setTrustedCertificates(trustedCerts);
-            if ("localhost".equals(url.getHost())) {
-              httpGet.setHostnameVerifier((hostname, session) -> true);
-            }
+            disableHostVerificationIfLocalhost(url, httpGet);
           }
           SimpleResponse resp = httpGet.get(url.toString());
           return parse(new ByteArrayInputStream(resp.getBody().getBytes(StandardCharsets.UTF_8)));
diff --git a/solr/modules/jwt-auth/src/test/org/apache/solr/security/jwt/JWTAuthPluginIntegrationTest.java b/solr/modules/jwt-auth/src/test/org/apache/solr/security/jwt/JWTAuthPluginIntegrationTest.java
index c2613d8550c..ef7fe35d4f5 100644
--- a/solr/modules/jwt-auth/src/test/org/apache/solr/security/jwt/JWTAuthPluginIntegrationTest.java
+++ b/solr/modules/jwt-auth/src/test/org/apache/solr/security/jwt/JWTAuthPluginIntegrationTest.java
@@ -25,6 +25,7 @@
 import java.io.InputStreamReader;
 import java.io.OutputStream;
 import java.net.HttpURLConnection;
+import java.net.InetAddress;
 import java.net.URL;
 import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
@@ -102,6 +103,14 @@ public static void beforeClass() throws Exception {
     pemFilePath = JWT_TEST_PATH().resolve("security").resolve("jwt_plugin_idp_cert.pem");
     wrongPemFilePath = JWT_TEST_PATH().resolve("security").resolve("jwt_plugin_idp_wrongcert.pem");
 
+    Path tempDir = Files.createTempDirectory(JWTAuthPluginIntegrationTest.class.getSimpleName());
+    tempDir.toFile().deleteOnExit();
+    Path modifiedP12Cert = tempDir.resolve(p12Cert.getFileName());
+    new KeystoreGenerator()
+        .generateKeystore(
+            p12Cert, modifiedP12Cert, InetAddress.getLoopbackAddress().getCanonicalHostName());
+    p12Cert = modifiedP12Cert;
+
     mockOAuth2Server = createMockOAuthServer(p12Cert, "secret");
     mockOAuth2Server.start();
     mockOAuthToken =
@@ -112,7 +121,7 @@ public static void beforeClass() throws Exception {
   }
 
   @AfterClass
-  public static void afterClass() throws Exception {
+  public static void afterClass() {
     if (mockOAuth2Server != null) {
       mockOAuth2Server.shutdown();
     }
@@ -485,11 +494,7 @@ private void executeCommand(String url, HttpClient cl, String payload, JsonWebSi
    * and trusting its SSL
    */
   private static String createMockOAuthSecurityJson(Path pemFilePath) throws IOException {
-    String wellKnown =
-        mockOAuth2Server
-            .wellKnownUrl("default")
-            .toString()
-            .replace(".localdomain", ""); // Use only 'localhost' to match our SSL cert
+    String wellKnown = mockOAuth2Server.wellKnownUrl("default").toString();
     String pemCert =
         CryptoKeys.extractCertificateFromPem(Files.readString(pemFilePath))
             .replace("\\n", "\\\\n"); // Use literal \n to play well with JSON
diff --git a/solr/modules/jwt-auth/src/test/org/apache/solr/security/jwt/KeystoreGenerator.java b/solr/modules/jwt-auth/src/test/org/apache/solr/security/jwt/KeystoreGenerator.java
new file mode 100644
index 00000000000..6d2d6c9c23a
--- /dev/null
+++ b/solr/modules/jwt-auth/src/test/org/apache/solr/security/jwt/KeystoreGenerator.java
@@ -0,0 +1,116 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.security.jwt;
+
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.math.BigInteger;
+import java.nio.file.Path;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.Provider;
+import java.security.Security;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.time.Instant;
+import java.time.LocalDate;
+import java.time.ZoneOffset;
+import java.time.ZonedDateTime;
+import java.util.Date;
+import org.bouncycastle.asn1.DERUTF8String;
+import org.bouncycastle.asn1.x500.AttributeTypeAndValue;
+import org.bouncycastle.asn1.x500.RDN;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.asn1.x509.BasicConstraints;
+import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.cert.CertIOException;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+
+public class KeystoreGenerator {
+
+  private static final String PASS_PHRASE = "secret";
+
+  public void generateKeystore(Path existingKeystore, Path newKeystore, String cn) {
+    KeyStore ks = null;
+    try (FileInputStream fis = new FileInputStream(existingKeystore.toFile())) {
+      ks = KeyStore.getInstance(KeyStore.getDefaultType());
+      ks.load(fis, PASS_PHRASE.toCharArray());
+      ks.setCertificateEntry(cn, selfSignCertificate(cn));
+
+    } catch (KeyStoreException | CertificateException | NoSuchAlgorithmException | IOException e) {
+      throw new RuntimeException(e);
+    }
+    try (OutputStream fos = new FileOutputStream(newKeystore.toFile())) {
+      ks.store(fos, PASS_PHRASE.toCharArray());
+    } catch (CertificateException | KeyStoreException | IOException | NoSuchAlgorithmException e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  private X509Certificate selfSignCertificate(String commonName) {
+    try {
+      KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
+      kpg.initialize(1024);
+      KeyPair kp = kpg.generateKeyPair();
+      Provider bcp = new BouncyCastleProvider();
+      Security.addProvider(bcp);
+
+      X500Name cn =
+          new X500Name(
+              new RDN[] {
+                new RDN(new AttributeTypeAndValue(BCStyle.CN, new DERUTF8String(commonName)))
+              });
+      X500Name issuer =
+          new X500Name(
+              new RDN[] {
+                new RDN(new AttributeTypeAndValue(BCStyle.CN, new DERUTF8String("Solr Root CA")))
+              });
+
+      Instant yesterday =
+          LocalDate.now(ZoneOffset.UTC).minusDays(1).atStartOfDay().toInstant(ZoneOffset.UTC);
+      Instant oneYear = ZonedDateTime.ofInstant(yesterday, ZoneOffset.UTC).plusYears(1).toInstant();
+      BigInteger serial = new BigInteger(String.valueOf(yesterday.toEpochMilli()));
+
+      JcaX509v3CertificateBuilder certBuilder =
+          new JcaX509v3CertificateBuilder(
+              issuer, serial, Date.from(yesterday), Date.from(oneYear), cn, kp.getPublic());
+      BasicConstraints basicConstraints = new BasicConstraints(true);
+      certBuilder.addExtension(Extension.basicConstraints, true, basicConstraints);
+
+      ContentSigner cs = new JcaContentSignerBuilder("SHA256WithRSA").build(kp.getPrivate());
+      return new JcaX509CertificateConverter()
+          .setProvider(bcp)
+          .getCertificate(certBuilder.build(cs));
+    } catch (CertificateException
+        | CertIOException
+        | NoSuchAlgorithmException
+        | OperatorCreationException e) {
+      throw new RuntimeException(e);
+    }
+  }
+}

From 0bf936fe805fafe251333f521e53975f42ef11ca Mon Sep 17 00:00:00 2001
From: Solr Bot <125606113+solrbot@users.noreply.github.com>
Date: Tue, 12 Dec 2023 12:19:24 +0100
Subject: [PATCH 02/21] Update dependency org.bitbucket.b_c:jose4j to v0.9.4
 (#2143)

---
 solr/licenses/jose4j-0.9.3.jar.sha1 | 1 -
 solr/licenses/jose4j-0.9.4.jar.sha1 | 1 +
 versions.lock                       | 4 ++--
 versions.props                      | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
 delete mode 100644 solr/licenses/jose4j-0.9.3.jar.sha1
 create mode 100644 solr/licenses/jose4j-0.9.4.jar.sha1

diff --git a/solr/licenses/jose4j-0.9.3.jar.sha1 b/solr/licenses/jose4j-0.9.3.jar.sha1
deleted file mode 100644
index bae58301d21..00000000000
--- a/solr/licenses/jose4j-0.9.3.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-9670e11587194cb6b1b2edcaa688a3fab85b4148
diff --git a/solr/licenses/jose4j-0.9.4.jar.sha1 b/solr/licenses/jose4j-0.9.4.jar.sha1
new file mode 100644
index 00000000000..837b7df47df
--- /dev/null
+++ b/solr/licenses/jose4j-0.9.4.jar.sha1
@@ -0,0 +1 @@
+7efe6ccf593e52a2b77f98de52238f15b4a67188
diff --git a/versions.lock b/versions.lock
index aa992040b51..e95bc0f871e 100644
--- a/versions.lock
+++ b/versions.lock
@@ -258,7 +258,7 @@ org.apache.xmlbeans:xmlbeans:5.0.3 (2 constraints: 72173075)
 org.apache.zookeeper:zookeeper:3.9.1 (2 constraints: 9d13795f)
 org.apache.zookeeper:zookeeper-jute:3.9.1 (2 constraints: 9b128823)
 org.apiguardian:apiguardian-api:1.1.2 (2 constraints: 601bd5a8)
-org.bitbucket.b_c:jose4j:0.9.3 (1 constraints: 0e050936)
+org.bitbucket.b_c:jose4j:0.9.4 (1 constraints: 0f050a36)
 org.bouncycastle:bcmail-jdk15on:1.70 (1 constraints: 310c8af5)
 org.bouncycastle:bcpkix-jdk15on:1.70 (2 constraints: ce1b11b3)
 org.bouncycastle:bcprov-jdk15on:1.70 (4 constraints: 1f34ee12)
@@ -345,7 +345,7 @@ org.reactivestreams:reactive-streams:1.0.4 (3 constraints: 3f2b77fd)
 org.semver4j:semver4j:5.2.2 (1 constraints: 0b050c36)
 org.slf4j:jcl-over-slf4j:2.0.9 (3 constraints: cf17cfa6)
 org.slf4j:jul-to-slf4j:2.0.9 (3 constraints: 29286349)
-org.slf4j:slf4j-api:2.0.9 (59 constraints: dd104075)
+org.slf4j:slf4j-api:2.0.9 (59 constraints: e310a790)
 org.tallison:isoparser:1.9.41.7 (1 constraints: fb0c5528)
 org.tallison:jmatio:1.5 (1 constraints: ff0b57e9)
 org.tallison:metadata-extractor:2.17.1.0 (1 constraints: f00c3b28)
diff --git a/versions.props b/versions.props
index f38263dd33b..1a2527610ab 100644
--- a/versions.props
+++ b/versions.props
@@ -51,7 +51,7 @@ org.apache.lucene:*=9.8.0
 org.apache.tika:*=1.28.5
 org.apache.tomcat:annotations-api=6.0.53
 org.apache.zookeeper:*=3.9.1
-org.bitbucket.b_c:jose4j=0.9.3
+org.bitbucket.b_c:jose4j=0.9.4
 org.carrot2:carrot2-core=4.5.1
 org.codehaus.woodstox:stax2-api=4.2.2
 org.eclipse.jetty*:*=10.0.18

From 686700b96edab4ee35199015297cd27c5ddca4a2 Mon Sep 17 00:00:00 2001
From: James Dyer <jdyer@apache.org>
Date: Tue, 12 Dec 2023 08:23:59 -0600
Subject: [PATCH 03/21] SOLR-15484: use latest version of bouncycastle
 libraries (#2145)

---
 gradle/testing/randomization/policies/solr-tests.policy       | 1 +
 solr/licenses/bcpkix-jdk18on-1.77.jar.sha1                    | 1 +
 solr/licenses/bcprov-jdk18on-1.77.jar.sha1                    | 1 +
 ...il-jdk15on-LICENSE-BSD_LIKE.txt => bcutil-LICENSE-MIT.txt} | 0
 solr/licenses/bcutil-jdk18on-1.77.jar.sha1                    | 1 +
 .../{bcutil-jdk15on-NOTICE.txt => bcutil-jdk18on-NOTICE.txt}  | 0
 solr/modules/jwt-auth/build.gradle                            | 4 ++--
 versions.lock                                                 | 3 +++
 versions.props                                                | 1 +
 9 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 solr/licenses/bcpkix-jdk18on-1.77.jar.sha1
 create mode 100644 solr/licenses/bcprov-jdk18on-1.77.jar.sha1
 rename solr/licenses/{bcutil-jdk15on-LICENSE-BSD_LIKE.txt => bcutil-LICENSE-MIT.txt} (100%)
 create mode 100644 solr/licenses/bcutil-jdk18on-1.77.jar.sha1
 rename solr/licenses/{bcutil-jdk15on-NOTICE.txt => bcutil-jdk18on-NOTICE.txt} (100%)

diff --git a/gradle/testing/randomization/policies/solr-tests.policy b/gradle/testing/randomization/policies/solr-tests.policy
index 86871e72613..c4b07f8ac1a 100644
--- a/gradle/testing/randomization/policies/solr-tests.policy
+++ b/gradle/testing/randomization/policies/solr-tests.policy
@@ -164,6 +164,7 @@ grant {
 
   // Needed by BouncyCastle in jwt-auth tests
   permission java.security.SecurityPermission "putProviderProperty.BC";
+  permission java.security.SecurityPermission "removeProviderProperty.BC";
   permission java.security.SecurityPermission "getProperty.org.bouncycastle.x509.allow_non-der_tbscert";
 
   // may only be necessary with Java 7?
diff --git a/solr/licenses/bcpkix-jdk18on-1.77.jar.sha1 b/solr/licenses/bcpkix-jdk18on-1.77.jar.sha1
new file mode 100644
index 00000000000..78f704d21a8
--- /dev/null
+++ b/solr/licenses/bcpkix-jdk18on-1.77.jar.sha1
@@ -0,0 +1 @@
+ed953791ba0229747dd0fd9911e3d76a462acfd3
diff --git a/solr/licenses/bcprov-jdk18on-1.77.jar.sha1 b/solr/licenses/bcprov-jdk18on-1.77.jar.sha1
new file mode 100644
index 00000000000..72d478f021a
--- /dev/null
+++ b/solr/licenses/bcprov-jdk18on-1.77.jar.sha1
@@ -0,0 +1 @@
+2cc971b6c20949c1ff98d1a4bc741ee848a09523
diff --git a/solr/licenses/bcutil-jdk15on-LICENSE-BSD_LIKE.txt b/solr/licenses/bcutil-LICENSE-MIT.txt
similarity index 100%
rename from solr/licenses/bcutil-jdk15on-LICENSE-BSD_LIKE.txt
rename to solr/licenses/bcutil-LICENSE-MIT.txt
diff --git a/solr/licenses/bcutil-jdk18on-1.77.jar.sha1 b/solr/licenses/bcutil-jdk18on-1.77.jar.sha1
new file mode 100644
index 00000000000..003ab86c340
--- /dev/null
+++ b/solr/licenses/bcutil-jdk18on-1.77.jar.sha1
@@ -0,0 +1 @@
+de3eaef351545fe8562cf29ddff4a403a45b49b7
diff --git a/solr/licenses/bcutil-jdk15on-NOTICE.txt b/solr/licenses/bcutil-jdk18on-NOTICE.txt
similarity index 100%
rename from solr/licenses/bcutil-jdk15on-NOTICE.txt
rename to solr/licenses/bcutil-jdk18on-NOTICE.txt
diff --git a/solr/modules/jwt-auth/build.gradle b/solr/modules/jwt-auth/build.gradle
index 17886099e18..c2a4990b5b3 100644
--- a/solr/modules/jwt-auth/build.gradle
+++ b/solr/modules/jwt-auth/build.gradle
@@ -61,8 +61,8 @@ dependencies {
   testImplementation 'com.fasterxml.jackson.core:jackson-databind'
   permitTestUnusedDeclared 'com.fasterxml.jackson.core:jackson-databind'
 
-  testImplementation 'org.bouncycastle:bcpkix-jdk15on'
-  testImplementation 'org.bouncycastle:bcprov-jdk15on'
+  testImplementation 'org.bouncycastle:bcpkix-jdk18on'
+  testImplementation 'org.bouncycastle:bcprov-jdk18on'
   testImplementation 'com.nimbusds:nimbus-jose-jwt'
   testImplementation 'com.squareup.okhttp3:mockwebserver'
   testImplementation 'com.squareup.okhttp3:okhttp'
diff --git a/versions.lock b/versions.lock
index e95bc0f871e..9c0f9ef53d4 100644
--- a/versions.lock
+++ b/versions.lock
@@ -418,6 +418,9 @@ org.apache.kerby:kerb-identity:1.0.1 (1 constraints: 5f0cb602)
 org.apache.kerby:kerb-server:1.0.1 (1 constraints: d10b65f2)
 org.apache.kerby:kerb-simplekdc:1.0.1 (1 constraints: dc0d7e3e)
 org.apache.tomcat.embed:tomcat-embed-el:9.0.76 (1 constraints: d41558cf)
+org.bouncycastle:bcpkix-jdk18on:1.77 (1 constraints: e3040431)
+org.bouncycastle:bcprov-jdk18on:1.77 (2 constraints: c51a825c)
+org.bouncycastle:bcutil-jdk18on:1.77 (1 constraints: 620d2d29)
 org.freemarker:freemarker:2.3.32 (1 constraints: f00e9371)
 org.glassfish.grizzly:grizzly-framework:2.4.4 (1 constraints: 670fe271)
 org.glassfish.grizzly:grizzly-http:2.4.4 (1 constraints: 2b127cf5)
diff --git a/versions.props b/versions.props
index 1a2527610ab..10b583c43e2 100644
--- a/versions.props
+++ b/versions.props
@@ -52,6 +52,7 @@ org.apache.tika:*=1.28.5
 org.apache.tomcat:annotations-api=6.0.53
 org.apache.zookeeper:*=3.9.1
 org.bitbucket.b_c:jose4j=0.9.4
+org.bouncycastle:bcpkix-jdk18on=1.77
 org.carrot2:carrot2-core=4.5.1
 org.codehaus.woodstox:stax2-api=4.2.2
 org.eclipse.jetty*:*=10.0.18

From 755d619d9aff90444cd817c0dcfee9f19429dce7 Mon Sep 17 00:00:00 2001
From: Andrey Bozhko <andybozhko@gmail.com>
Date: Tue, 12 Dec 2023 09:50:07 -0600
Subject: [PATCH 04/21] remove duplicate section from solrconfig.xml (#2146)

Co-authored-by: Andrey Bozhko <abozhko@apple.com>
---
 .../configsets/_default/conf/solrconfig.xml     | 17 -----------------
 1 file changed, 17 deletions(-)

diff --git a/solr/server/solr/configsets/_default/conf/solrconfig.xml b/solr/server/solr/configsets/_default/conf/solrconfig.xml
index d68a091f163..a74f283ed68 100644
--- a/solr/server/solr/configsets/_default/conf/solrconfig.xml
+++ b/solr/server/solr/configsets/_default/conf/solrconfig.xml
@@ -494,23 +494,6 @@
       -->
     <queryResultMaxDocsCached>200</queryResultMaxDocsCached>
 
-  <!-- Use Filter For Sorted Query
-
-   A possible optimization that attempts to use a filter to
-   satisfy a search.  If the requested sort does not include
-   score, then the filterCache will be checked for a filter
-   matching the query. If found, the filter will be used as the
-   source of document ids, and then the sort will be applied to
-   that.
-
-   For most situations, this will not be useful unless you
-   frequently get the same search repeatedly with different sort
-   options, and none of them ever use "score"
--->
-    <!--
-       <useFilterForSortedQuery>true</useFilterForSortedQuery>
-      -->
-
     <!-- Query Related Event Listeners
 
          Various IndexSearcher related events can trigger Listeners to

From eb498c8eb67f0c859a54ee69a00cdd78b877944b Mon Sep 17 00:00:00 2001
From: Houston Putman <houston@apache.org>
Date: Tue, 12 Dec 2023 11:57:56 -0500
Subject: [PATCH 05/21] Add one more error reason for mtls integration test

---
 solr/packaging/test/test_ssl.bats | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/solr/packaging/test/test_ssl.bats b/solr/packaging/test/test_ssl.bats
index 7d02ebebe03..4569acee517 100644
--- a/solr/packaging/test/test_ssl.bats
+++ b/solr/packaging/test/test_ssl.bats
@@ -350,7 +350,7 @@ teardown() {
       export SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=
 
       run ! solr api -verbose -get "https://localhost:${SOLR_PORT}/solr/test/select?q=*:*&rows=0"
-      assert_output --regexp '(bad_certificate|Server refused connection)'
+      assert_output --regexp '(bad_certificate|java.nio.channels.ClosedChannelException|Server refused connection)'
     )
   )
 

From 3331e6dc2dc410064cb4c7d134f8f27bea28fb6d Mon Sep 17 00:00:00 2001
From: Andrey Bozhko <andybozhko@gmail.com>
Date: Tue, 12 Dec 2023 13:51:40 -0600
Subject: [PATCH 06/21] clarify the behavior of package manager (#2147)

Co-authored-by: Andrey Bozhko <abozhko@apple.com>
---
 .../pages/package-manager-internals.adoc      | 35 ++++++++++++++-----
 1 file changed, 27 insertions(+), 8 deletions(-)

diff --git a/solr/solr-ref-guide/modules/configuration-guide/pages/package-manager-internals.adoc b/solr/solr-ref-guide/modules/configuration-guide/pages/package-manager-internals.adoc
index 223ae1c09f7..964b67aa771 100644
--- a/solr/solr-ref-guide/modules/configuration-guide/pages/package-manager-internals.adoc
+++ b/solr/solr-ref-guide/modules/configuration-guide/pages/package-manager-internals.adoc
@@ -32,9 +32,11 @@ This document contains an overview of those APIs.
 == Classloaders
 
 At the heart of the system, we have classloader isolation.
-To achieve this, the system is simplified into two layered classloaders: the root classloader which has all the jars from Solr classpath.
-This requires Solr node restart to change anything.
-A set of named classloaders that inherit from the root classloader.
+To achieve this, the system is simplified into two layered classloaders:
+
+* The root classloader which has all the jars from Solr classpath. This requires Solr node restart to change anything.
+
+* A set of named classloaders that inherit from the root classloader.
 The life cycles of the named classloaders are tied to the package configuration in ZooKeeper.
 As soon as the configuration is modified, the corresponding classloaders are reloaded and components are asked to reload.
 
@@ -95,7 +97,7 @@ The end points are:
 
 Use the following steps to upload a jar signed with your public key:
 
-. If you don't have a jar file with plugins, download a sample from github:
+. If you don't have a jar file with plugins, download a sample from GitHub:
 +
 [source, bash,subs="attributes"]
 ----
@@ -144,12 +146,18 @@ A Package has the following attributes:
 For every package/version in the packages definition, there is a unique `SolrResourceLoader` instance.
 This is a child of the `CoreContainer` resource loader.
 
+NOTE: Solr does not require that the version string follows any particular format -
+it can be an arbitrary string or even an empty string.
+
 === packages.json
 
 The package configurations live in a file called `packages.json` in ZooKeeper.
 At any given moment we can have multiple versions of a given package in the package configuration.
 The system will always use the latest version.
-Versions are sorted by their numeric value and the highest is the latest.
+Versions are sorted by their values in lexicographic order, and the largest string is considered to be the latest.
+
+CAUTION: Lexicographic order for version strings means that for a package with versions *1.2.0*, *1.9.0*, *1.11.0*,
+Solr would pick *1.9.0* as the latest version.
 
 For example:
 
@@ -187,7 +195,7 @@ Use the `delete` command to delete the highest version and choose the next highe
 === Using Multiple Versions in Parallel
 
 We use `params.json` in the collection config to store a version of a package it uses.
-By default it is the `$LATEST`.
+By default, it is the `$LATEST`.
 
 [source, json]
 ----
@@ -203,6 +211,15 @@ By default it is the `$LATEST`.
 This is optional.
 The default is `$LATEST`.
 
+[NOTE]
+====
+The package version in `params.json` actually instructs Solr to pick the package with the
+largest version that is not greater than the provided value.
+
+So in the example above, if the only available versions for `mypkg` are *0.01* and *0.2*,
+the version *0.01* will be used.
+====
+
 === Workflow
 
 * A new version of a package is added.
@@ -263,7 +280,7 @@ curl http://localhost:8983/solr/gettingstarted/config -H 'Content-type:applicati
           "class": "mypkg:org.apache.solr.core.RuntimeLibReqHandler" }}'
 ----
 
-. Verify that the component is created and it is using the correct version of the package to load classes from:
+. Verify that the component is created, and it is using the correct version of the package to load classes from:
 +
 [source,bash]
 ----
@@ -394,7 +411,9 @@ Note that the `Version` value is `"2"`, which means the plugin is updated.
 === How to Avoid Automatic Upgrade
 
 The default version used in any collection is always the latest.
-However, setting a per-collection property in `params.json` ensures that the versions are always fixed irrespective of the new versions added.
+However, setting a per-collection property in `params.json` ensures that the collection uses the same
+package version (i.e., version *2.0*), irrespective of any versions larger than *2.0* that may be added to Solr
+at a later point.
 
 [source,bash]
 ----

From f14e0d0f4ffe9eab4dd3822cdbe826e98fea078f Mon Sep 17 00:00:00 2001
From: Andrey Bozhko <andybozhko@gmail.com>
Date: Tue, 12 Dec 2023 15:19:02 -0600
Subject: [PATCH 07/21] Fix typos and improve grammar in Query Guide (#2024)

---------

Co-authored-by: Andrey Bozhko <abozhko@apple.com>
---
 .../pages/block-join-query-parser.adoc        |  6 ++---
 .../pages/collapse-and-expand-results.adoc    |  4 ++--
 .../pages/common-query-parameters.adoc        | 12 +++++-----
 .../pages/computational-geometry.adoc         |  8 +++----
 .../pages/dense-vector-search.adoc            |  4 ++--
 .../pages/dismax-query-parser.adoc            |  6 ++---
 .../pages/document-transformers.adoc          | 10 ++++----
 .../modules/query-guide/pages/dsp.adoc        |  8 +++----
 .../pages/exporting-result-sets.adoc          |  2 +-
 .../modules/query-guide/pages/faceting.adoc   |  6 ++---
 .../query-guide/pages/graph-traversal.adoc    |  8 +++----
 .../modules/query-guide/pages/graph.adoc      |  4 ++--
 .../query-guide/pages/highlighting.adoc       |  6 ++---
 .../query-guide/pages/jdbc-zeppelin.adoc      |  2 +-
 .../query-guide/pages/join-query-parser.adoc  |  6 ++---
 .../query-guide/pages/json-facet-api.adoc     | 12 +++++-----
 .../query-guide/pages/json-query-dsl.adoc     |  2 +-
 .../query-guide/pages/json-request-api.adoc   |  2 +-
 .../modules/query-guide/pages/loading.adoc    |  4 ++--
 .../modules/query-guide/pages/logs.adoc       | 14 +++++------
 .../query-guide/pages/machine-learning.adoc   | 24 +++++++++----------
 .../modules/query-guide/pages/math-start.adoc |  2 +-
 .../query-guide/pages/numerical-analysis.adoc |  4 ++--
 .../query-guide/pages/other-parsers.adoc      | 24 +++++++++----------
 .../pages/pagination-of-results.adoc          | 14 +++++------
 .../pages/probability-distributions.adoc      |  4 ++--
 .../query-guide/pages/query-re-ranking.adoc   |  6 ++---
 .../modules/query-guide/pages/regression.adoc |  2 +-
 .../query-guide/pages/response-writers.adoc   |  6 ++---
 .../query-guide/pages/search-sample.adoc      | 10 ++++----
 .../pages/searching-nested-documents.adoc     |  4 ++--
 .../query-guide/pages/simulations.adoc        |  4 ++--
 .../query-guide/pages/spatial-search.adoc     |  6 ++---
 .../query-guide/pages/spell-checking.adoc     |  2 +-
 .../modules/query-guide/pages/sql-query.adoc  | 16 ++++++-------
 .../pages/standard-query-parser.adoc          |  2 +-
 .../modules/query-guide/pages/statistics.adoc | 10 ++++----
 .../query-guide/pages/stats-component.adoc    |  2 +-
 .../pages/stream-decorator-reference.adoc     | 22 ++++++++---------
 .../pages/stream-evaluator-reference.adoc     | 16 ++++++-------
 .../pages/stream-source-reference.adoc        | 14 +++++------
 .../pages/streaming-expressions.adoc          |  4 ++--
 .../modules/query-guide/pages/suggester.adoc  |  2 +-
 .../query-guide/pages/tagger-handler.adoc     |  4 ++--
 .../pages/term-vector-component.adoc          |  2 +-
 .../modules/query-guide/pages/transform.adoc  |  4 ++--
 .../modules/query-guide/pages/variables.adoc  |  2 +-
 47 files changed, 169 insertions(+), 169 deletions(-)

diff --git a/solr/solr-ref-guide/modules/query-guide/pages/block-join-query-parser.adoc b/solr/solr-ref-guide/modules/query-guide/pages/block-join-query-parser.adoc
index 95ad96d0a53..2eed9721639 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/block-join-query-parser.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/block-join-query-parser.adoc
@@ -178,13 +178,13 @@ When subordinate clause (`<someChildren>`) is omitted, it's parsed as a _segment
 [#block-mask]
 == Block Masks: The `of` and `which` local params
 
-The purpose of the "Block Mask" query specified as either an `of` or `which` param (depending on the parser used) is to identy the set of all documents in the index which should be treated as "parents" _(or their ancestors)_ and which documents should be treated as "children".
+The purpose of the "Block Mask" query specified as either an `of` or `which` param (depending on the parser used) is to identify the set of all documents in the index which should be treated as "parents" _(or their ancestors)_ and which documents should be treated as "children".
 This is important because in the "on disk" index, the relationships are flattened into "blocks" of documents, so the `of` / `which` params are needed to serve as a "mask" against the flat document blocks to identify the boundaries of every hierarchical relationship.
 
 In the example queries above, we were able to use a very simple Block Mask of `doc_type:parent` because our data is very simple: every document is either a `parent` or a `child`.
 So this query string easily distinguishes _all_ of our documents.
 
-A common mistake is to try and use a `which` parameter that is more restrictive then the set of all parent documents, in order to filter the parents that are matched, as in this bad example:
+A common mistake is to try and use a `which` parameter that is more restrictive than the set of all parent documents, in order to filter the parents that are matched, as in this bad example:
 
 ----
 // BAD! DO NOT USE!
@@ -210,4 +210,4 @@ A similar problematic situation can arise when mixing parent/child documents wit
 ...then our simple `doc_type:parent` Block Mask would no longer be adequate.
  We would instead need to use `\*:* -doc_type:child` or `doc_type:(simple parent)` to prevent our "simple" document from mistakenly being treated as a "child" of an adjacent "parent" document.
 
-The xref:query-guide:searching-nested-documents.adoc[] section contains more detailed examples of specifying Block Mask queries with non trivial hierarchies of documents.
+The xref:query-guide:searching-nested-documents.adoc[] section contains more detailed examples of specifying Block Mask queries with nontrivial hierarchies of documents.
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/collapse-and-expand-results.adoc b/solr/solr-ref-guide/modules/query-guide/pages/collapse-and-expand-results.adoc
index 2d23b9d2144..cfce616a453 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/collapse-and-expand-results.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/collapse-and-expand-results.adoc
@@ -199,7 +199,7 @@ For example: searching for "grand child" documents and collapsing on a field tha
 
 [CAUTION]
 ====
-Specifing `hint=block` when collapsing on a field that is not unique per contiguous block of documents is not supported and may fail in unexpected ways; including the possibility of silently returning incorrect results.
+Specifying `hint=block` when collapsing on a field that is not unique per contiguous block of documents is not supported and may fail in unexpected ways; including the possibility of silently returning incorrect results.
 
 The implementation does not offer any safeguards against misuse on an unsupported field, since doing so would require the same group level tracking as the non-Block collapsing implementation -- defeating the purpose of this optimization.
 ====
@@ -228,7 +228,7 @@ q=foo&fq={!collapse field=ISBN}&expand=true
 
 [IMPORTANT]
 ====
-When used with CollapsingQParserPlugin and there are multiple collapse groups, the field is chosen from the group with least cost.
+When used with CollapsingQParserPlugin and there are multiple collapse groups, the field is chosen from the group with the least cost.
 If there are multiple collapse groups with same cost then the first specified one is chosen.
 ====
 
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/common-query-parameters.adoc b/solr/solr-ref-guide/modules/query-guide/pages/common-query-parameters.adoc
index 29fdf0f17e0..82419ba9754 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/common-query-parameters.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/common-query-parameters.adoc
@@ -18,7 +18,7 @@
 
 Several query parsers share supported query parameters.
 
-The following sections describe Solr's common query parameters, which are supported by the xref:configuration-guide:requesthandlers-searchcomponents#search-handlers[search request handlers].
+The following sections describe Solr's common query parameters, which are supported by the xref:configuration-guide:requesthandlers-searchcomponents.adoc#search-handlers[search request handlers].
 
 == defType Parameter
 
@@ -40,7 +40,7 @@ Solr can sort query responses according to:
 
 * Document scores
 * xref:function-queries.adoc#sort-by-function[Function results]
-* The value of any primitive field (numerics, string, boolean, dates, etc.) which has `docValues="true"` (or `multiValued="false"` and `indexed="true"`, in which case the indexed terms will used to build DocValue like structures on the fly at runtime)
+* The value of any primitive field (numerics, string, boolean, dates, etc.) which has `docValues="true"` (or `multiValued="false"` and `indexed="true"`, in which case the indexed terms will be used to build DocValue like structures on the fly at runtime)
 * A SortableTextField which implicitly uses `docValues="true"` by default to allow sorting on the original input string regardless of the analyzers used for Searching.
 * A single-valued TextField that uses an analyzer (such as the KeywordTokenizer) that produces only a single term per document.
 TextField does not support `docValues="true"`, but a DocValue-like structure will be built on the fly at runtime.
@@ -73,7 +73,7 @@ If there is a third entry, it will only be used if the first AND second entries
 And so on.
 ** If documents tie in all of the explicit sort criteria, Solr uses each document's Lucene document ID as the final tie-breaker.
 This internal property is subject to change during segment merges and document updates, which can lead to unexpected result ordering changes.
-Users looking to avoid this behavior can add an additional sort criteria on a unique or rarely-shared field such as `id` to prevent ties from occurring (e.g., `price desc,id asc`).
+Users looking to avoid this behavior can define an additional sort criteria on a unique or rarely-shared field such as `id` to prevent ties from occurring (e.g., `price desc,id asc`).
 
 == start Parameter
 
@@ -122,7 +122,7 @@ When using the `fq` parameter, keep in mind the following:
 
 * The `fq` parameter can be specified multiple times in a query.
 Documents will only be included in the result if they are in the intersection of the document sets resulting from each instance of the parameter.
-In the example below, only documents which have a popularity greater then 10 and have a section of 0 will match.
+In the example below, only documents which have a popularity greater than 10 and have a section of 0 will match.
 +
 [source,text]
 ----
@@ -142,7 +142,7 @@ Thus, concerning the previous examples: use a single `fq` containing two mandato
 (To learn about tuning cache sizes and making sure a filter cache actually exists, see xref:configuration-guide:caches-warming.adoc#caches[Caches].)
 * It is also possible to use xref:standard-query-parser.adoc#differences-between-lucenes-classic-query-parser-and-solrs-standard-query-parser[filter(condition) syntax] inside the `fq` to cache clauses individually and - among other things - to achieve union of cached filter queries.
 
-* As with all parameters: special characters in an URL need to be properly escaped and encoded as hex values.
+* As with all parameters: special characters in a URL need to be properly escaped and encoded as hex values.
 Online tools are available to help you with URL-encoding.
 For example: http://meyerweb.com/eric/tools/dencoder/.
 
@@ -277,7 +277,7 @@ For example:
 
 [source,text]
 ----
-q=supervillians&debugQuery=on&explainOther=id:juggernaut
+q=supervillains&debugQuery=on&explainOther=id:juggernaut
 ----
 
 The query above allows you to examine the scoring explain info of the top matching documents, compare it to the explain info for documents matching `id:juggernaut`, and determine why the rankings are not as you expect.
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/computational-geometry.adoc b/solr/solr-ref-guide/modules/query-guide/pages/computational-geometry.adoc
index 02006bcc6b6..c40052b2b54 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/computational-geometry.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/computational-geometry.adoc
@@ -37,7 +37,7 @@ An investigation of the border around the rat sightings can be done to better un
 
 ==== Scatter Plot
 
-Before visualizing the convex hull its often useful to visualize the 2D points as a scatter plot.
+Before visualizing the convex hull it's often useful to visualize the 2D points as a scatter plot.
 
 In this example the `random` function draws a sample of records from the NYC311 (complaints database) collection where the complaint description matches "rat sighting" and the zip code is 11238.
 The latitude and longitude fields are then vectorized and plotted as a scatter plot with longitude on x-axis and latitude on the y-axis.
@@ -59,7 +59,7 @@ The convex hull is set a variable called `hull`.
 Once the convex hull has been created the `getVertices` function can be used to
 retrieve the matrix of points in the scatter plot that comprise the convex border around the scatter plot.
 The `colAt` function can then be used to retrieve the latitude and longitude vectors from the matrix
-so they can visualized by the `zplot` function.
+so they can be visualized by the `zplot` function.
 In the example below the convex hull points are visualized as a scatter plot.
 
 image::math-expressions/hullplot.png[]
@@ -68,8 +68,8 @@ Notice that the 15 points in the scatter plot describe that latitude and longitu
 
 ==== Projecting and Clustering
 
-The once a convex hull as been calculated the `projectToBorder` can then be used to project points to the nearest point on the border.
-In the example below the `projectToBorder` function is used to project the original scatter scatter plot points to the nearest border.
+Once a convex hull has been calculated the `projectToBorder` can then be used to project points to the nearest point on the border.
+In the example below the `projectToBorder` function is used to project the original scatter plot points to the nearest border.
 
 The `projectToBorder` function returns a matrix of lat/lon points for the border projections.
 In the example the matrix of border points is then clustered into 7 clusters using kmeans clustering.
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/dense-vector-search.adoc b/solr/solr-ref-guide/modules/query-guide/pages/dense-vector-search.adoc
index 076b42fe410..24d7859bb39 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/dense-vector-search.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/dense-vector-search.adoc
@@ -100,9 +100,9 @@ this similarity is intended as an optimized way to perform cosine similarity. In
 the preferred way to perform cosine similarity is to normalize all vectors to unit length, and instead use DOT_PRODUCT. You should only use this function if you need to preserve the original vectors and cannot normalize them in advance.
 
 To use the following advanced parameters that customise the codec format
-and the hyper-parameter of the HNSW algorithm, make sure the xref:configuration-guide:codec-factory.adoc[Schema Codec Factory], is in use.
+and the hyperparameter of the HNSW algorithm, make sure the xref:configuration-guide:codec-factory.adoc[Schema Codec Factory], is in use.
 
-Here's how `DenseVectorField` can be configured with the advanced hyper-parameters:
+Here's how `DenseVectorField` can be configured with the advanced hyperparameters:
 
 [source,xml]
 <fieldType name="knn_vector" class="solr.DenseVectorField" vectorDimension="4" similarityFunction="cosine" knnAlgorithm="hnsw" hnswMaxConnections="10" hnswBeamWidth="40"/>
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/dismax-query-parser.adoc b/solr/solr-ref-guide/modules/query-guide/pages/dismax-query-parser.adoc
index c9d0db263f7..5720c4c4212 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/dismax-query-parser.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/dismax-query-parser.adoc
@@ -92,7 +92,7 @@ The table below explains the various ways that mm values can be specified.
 |Percentage |75% |Sets the minimum number of matching clauses to this percentage of the total number of optional clauses. The number computed from the percentage is rounded down and used as the minimum.
 |Negative percentage |-25% |Indicates that this percent of the total number of optional clauses can be missing. The number computed from the percentage is rounded down, before being subtracted from the total to determine the minimum number.
 |An expression beginning with a positive integer followed by a > or < sign and another value |3<90% |Defines a conditional expression indicating that if the number of optional clauses is equal to (or less than) the integer, they are all required, but if it's greater than the integer, the specification applies. In this example: if there are 1 to 3 clauses they are all required, but for 4 or more clauses only 90% are required.
-|Multiple conditional expressions involving > or < signs |2\<-25% 9\<-3 |Defines multiple conditions, each one being valid only for numbers greater than the one before it. In the example at left, if there are 1 or 2 clauses, then both are required. If there are 3-9 clauses all but 25% are required. If there are more then 9 clauses, all but three are required.
+|Multiple conditional expressions involving > or < signs |2\<-25% 9\<-3 |Defines multiple conditions, each one being valid only for numbers greater than the one before it. In the example at left, if there are 1 or 2 clauses, then both are required. If there are 3-9 clauses all but 25% are required. If there are more than 9 clauses, all but three are required.
 |===
 
 When specifying `mm` values, keep in mind the following:
@@ -163,7 +163,7 @@ bq=category:food^10
 bq=category:deli^5
 ----
 
-Using the `bq` parameter in this way is functionally equivilent to combining your `q` and `bq` parameters into a single larger boolean query, where the (original) `q` parameter is "mandatory" and the other clauses are optional:
+Using the `bq` parameter in this way is functionally equivalent to combining your `q` and `bq` parameters into a single larger boolean query, where the (original) `q` parameter is "mandatory" and the other clauses are optional:
 
 [source,text]
 ----
@@ -249,7 +249,7 @@ Another request handler is registered at "/instock" and has slightly different c
 `\http://localhost:8983/solr/techproducts/instock?defType=dismax&q=video&fl=name,score,inStock`
 
 One of the other really cool features in this parser is robust support for specifying the "BooleanQuery.minimumNumberShouldMatch" you want to be used based on how many terms are in your user's query.
-These allows flexibility for typos and partial matches.
+This allows flexibility for typos and partial matches.
 For the dismax parser, one and two word queries require that all of the optional clauses match, but for three to five word queries one missing word is allowed.
 
 `\http://localhost:8983/solr/techproducts/select?defType=dismax&q=belkin+ipod`
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/document-transformers.adoc b/solr/solr-ref-guide/modules/query-guide/pages/document-transformers.adoc
index addbefedb9d..e454ebafd97 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/document-transformers.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/document-transformers.adoc
@@ -137,7 +137,7 @@ Note that this transformer can be used even when the query used to match the res
 q=book_title:Solr&fl=id,[child childFilter=doc_type:chapter limit=100]
 ----
 
-If the documents involved include a `\_nest_path_` field, then it is used to re-create the hierarchical structure of the descendent documents using the original pseudo-field names the documents were indexed with, otherwise the descendent documents are returned as a flat list of xref:indexing-guide:indexing-nested-documents#indexing-anonymous-children[anonymous children].
+If the documents involved include a `\_nest_path_` field, then it is used to re-create the hierarchical structure of the descendent documents using the original pseudo-field names the documents were indexed with, otherwise the descendent documents are returned as a flat list of xref:indexing-guide:indexing-nested-documents.adoc#indexing-anonymous-children[anonymous children].
 
 `childFilter`::
 +
@@ -281,7 +281,7 @@ fl=id,source_s:[json]&wt=json
 This transformer executes a separate query per transforming document passing document fields as an input for subquery parameters.
 It's usually used with `{!join}` and `{!parent}` query parsers, and is intended to be an improvement for `[child]`.
 
-* It must be given an unique name: `fl=*,children:[subquery]`
+* It must be given a unique name: `fl=*,children:[subquery]`
 * There might be a few of them, e.g., `fl=*,sons:[subquery],daughters:[subquery]`.
 * Every `[subquery]` occurrence adds a field into a result document with the given name, the value of this field is a document list, which is a result of executing subquery using document fields as an input.
 * Subquery will use the `/select` search handler by default, and will return an error if `/select` is not configured.
@@ -391,7 +391,7 @@ If subquery collection has a different unique key field name (such as `foo_id` i
 [source,plain]
 foo.fl=id:foo_id&foo.distrib.singlePass=true
 
-Otherwise you'll get `NullPointerException` from `QueryComponent.mergeIds`.
+Otherwise, you'll get `NullPointerException` from `QueryComponent.mergeIds`.
 ====
 
 
@@ -414,7 +414,7 @@ In a sense this double-storage between docValues and stored-value storage isn't
 === [features] - LTRFeatureLoggerTransformerFactory
 
 The "LTR" prefix stands for xref:learning-to-rank.adoc[].
-This transformer returns the values of features and it can be used for feature extraction and feature logging.
+This transformer returns the values of features, and it can be used for feature extraction and feature logging.
 
 [source,plain]
 ----
@@ -428,4 +428,4 @@ This will return the values of the features in the `yourFeatureStore` store.
 fl=id,[features]&rq={!ltr model=yourModel}
 ----
 
-If you use `[features]` together with an Learning-To-Rank reranking query then the values of the features in the reranking model (`yourModel`) will be returned.
+If you use `[features]` together with a Learning-To-Rank reranking query then the values of the features in the reranking model (`yourModel`) will be returned.
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/dsp.adoc b/solr/solr-ref-guide/modules/query-guide/pages/dsp.adoc
index e0662bc5416..846e118bed0 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/dsp.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/dsp.adoc
@@ -162,8 +162,8 @@ image::math-expressions/noise.png[]
 In the next example the random noise is added to the sine wave using the `ebeAdd` function.
 The result of this is plotted in the image below.
 Notice that the sine wave has been hidden somewhat within the noise.
-Its difficult to say for sure if there is structure.
-As plots becomes more dense it can become harder to see a pattern hidden within noise.
+It's difficult to say for sure if there is structure.
+As plots become more dense it can become harder to see a pattern hidden within noise.
 
 image::math-expressions/hidden-signal.png[]
 
@@ -249,7 +249,7 @@ In the second example the `fft` function is called on a vector of random data si
 The plot of the real values of the `fft` response is shown below.
 
 Notice that in is this response there is no clear peak.
-Instead all frequencies have accumulated a random level of power.
+Instead, all frequencies have accumulated a random level of power.
 This `fft` shows no clear sign of signal and appears to be noise.
 
 image::math-expressions/noise-fft.png[]
@@ -259,6 +259,6 @@ The plot of the real values of the `fft` response is shown below.
 
 Notice that there are two clear mirrored peaks, at the same locations as the `fft` of the pure signal.
 But there is also now considerable noise on the frequencies.
-The `fft` has found the signal and but also shows that there is considerable noise along with the signal.
+The `fft` has found the signal and also shows that there is considerable noise along with the signal.
 
 image::math-expressions/hidden-signal-fft.png[]
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/exporting-result-sets.adoc b/solr/solr-ref-guide/modules/query-guide/pages/exporting-result-sets.adoc
index 6719d378013..28c395daa46 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/exporting-result-sets.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/exporting-result-sets.adoc
@@ -16,7 +16,7 @@
 // specific language governing permissions and limitations
 // under the License.
 
-The `/export` request handler allows a fully sorted result set to be streamed out of Solr using a special xref:query-re-ranking.adoc[rank query parser] and xef:response-writers.adoc[response writer].
+The `/export` request handler allows a fully sorted result set to be streamed out of Solr using a special xref:query-re-ranking.adoc[rank query parser] and xref:response-writers.adoc[response writer].
 These have been specifically designed to work together to handle scenarios that involve sorting and exporting millions of records.
 
 This feature uses a stream sorting technique that begins to send records within milliseconds and continues to stream results until the entire result set has been sorted and exported.
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/faceting.adoc b/solr/solr-ref-guide/modules/query-guide/pages/faceting.adoc
index 8c1cacf9040..e5669dbc936 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/faceting.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/faceting.adoc
@@ -67,7 +67,7 @@ When using these parameters, it is important to remember that "term" is a very s
 For text fields that include stemming, lowercasing, or word splitting, the resulting terms may not be what you expect.
 
 If you want Solr to perform both analysis (for searching) and faceting on the full literal strings, use the `copyField` directive in your Schema to create two versions of the field: one Text and one String.
-The Text field should have `indexed="true" docValues=“false"` if used for searching but not faceting and the String field should have `indexed="false" docValues="true"` if used for faceting but not searching.
+The Text field should have `indexed="true" docValues="false"` if used for searching but not faceting and the String field should have `indexed="false" docValues="true"` if used for faceting but not searching.
 (For more information about the `copyField` directive, see xref:indexing-guide:copy-fields.adoc[].)
 
 Unless otherwise specified, all of the parameters below can be specified on a per-field basis with the syntax of `f.<fieldname>.facet.<parameter>`
@@ -398,8 +398,8 @@ To ensure you avoid double-counting, do not choose both `lower` and `upper`, do
 +
 The `facet.range.other` parameter specifies that in addition to the counts for each range constraint between `facet.range.start` and `facet.range.end`, counts should also be computed for these options:
 
-* `before`: All records with field values lower then lower bound of the first range.
-* `after`: All records with field values greater then the upper bound of the last range.
+* `before`: All records with field values lower than lower bound of the first range.
+* `after`: All records with field values greater than the upper bound of the last range.
 * `between`: All records with field values between the start and end bounds of all ranges.
 * `none`: Do not compute any counts.
 * `all`: Compute counts for before, between, and after.
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/graph-traversal.adoc b/solr/solr-ref-guide/modules/query-guide/pages/graph-traversal.adoc
index 1b79156a130..1d034f5bfce 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/graph-traversal.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/graph-traversal.adoc
@@ -117,7 +117,7 @@ The `node` field contains the node IDs gathered by the function.
 The `collection`, `field`, and `level` of the traversal are also included in the output.
 
 Notice that the level is "1" for each tuple in the example.
-The root nodes are level 0 (in the example above, the root nodes are "johndoe@apache.org, janesmith@apache.org") By default the `nodes` function emits only the _*leaf nodes*_ of the traversal, which is the outer-most node set.
+The root nodes are level 0 (in the example above, the root nodes are "johndoe@apache.org, janesmith@apache.org") By default the `nodes` function emits only the _*leaf nodes*_ of the traversal, which is the outermost node set.
 To emit the root nodes you can specify the `scatter` parameter:
 
 [source,plain]
@@ -129,7 +129,7 @@ nodes(emails,
 ----
 
 The `scatter` parameter controls whether to emit the _branches_ with the _leaves_.
-The root nodes are considered "branches" because they are not the outer-most level of the traversal.
+The root nodes are considered "branches" because they are not the outermost level of the traversal.
 
 When scattering both branches and leaves the output would like this:
 
@@ -321,7 +321,7 @@ The sample code below shows steps 1 and 2 of the recommendation:
 In the example above, the inner search expression searches the `logs` collection and returning all the articles viewed by "user1".
 The outer `nodes` expression takes all the articles emitted from the inner search expression and finds all the records in the logs collection for those articles.
 It then gathers and aggregates the users that have read the articles.
-The `maxDocFreq` parameter limits the articles returned to those that appear in no more then 10,000 log records (per shard).
+The `maxDocFreq` parameter limits the articles returned to those that appear in no more than 10,000 log records (per shard).
 This guards against returning articles that have been viewed by millions of users.
 
 == Tracking the Traversal
@@ -351,7 +351,7 @@ nodes(emails,
 == Cross-Collection Traversals
 
 Nested `nodes` functions can operate on different SolrCloud collections.
-This allow traversals to "walk" from one collection to another to gather nodes.
+This allows traversals to "walk" from one collection to another to gather nodes.
 Cycle detection does not cross collection boundaries, so nodes collected in one collection will be traversed in a different collection.
 This was done deliberately to support cross-collection traversals.
 Note that the output from a cross-collection traversal will likely contain duplicate nodes with different collection attributes.
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/graph.adoc b/solr/solr-ref-guide/modules/query-guide/pages/graph.adoc
index 5977e279673..edaab44f18f 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/graph.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/graph.adoc
@@ -635,7 +635,7 @@ In a lagged correlation an event occurs and following a *delay* another event oc
 The window parameter doesn't capture the delay as we only know that an event occurred somewhere within a prior window.
 
 The `lag` parameter can be used to start calculating the window parameter a number of ten second windows in the past.
-For example we could walk the graph in 20 second windows starting from 30 seconds prior to a set of root events.
+For example, we could walk the graph in 20 second windows starting from 30 seconds prior to a set of root events.
 By adjusting the lag and re-running the query we can determine which lagged window has the highest degree.
 From this we can determine the delay.
 
@@ -733,7 +733,7 @@ This score give us a good indication of where to begin our *root cause analysis*
 To switch to *day* or *weekday* time windows we must first index day truncated ISO 8601 timestamps in a string field with the log records.
 In the example below the field `time_day_s` contains the day truncated time stamps.
 
-Then its simply a matter of specifying -3DAYS in the window parameter. This will switch from the default ten second
+Then it's simply a matter of specifying -3DAYS in the window parameter. This will switch from the default ten second
 time windows to daily windows.
 
 [source,text]
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/highlighting.adoc b/solr/solr-ref-guide/modules/query-guide/pages/highlighting.adoc
index 6077827b224..e857c1ff476 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/highlighting.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/highlighting.adoc
@@ -330,7 +330,7 @@ If you don't go out of your way to configure the other options below, the highli
 +
 The benefit of this approach is that your index won't grow larger with any extra data that isn't strictly necessary for highlighting.
 +
-The down side is that highlighting speed is roughly linear with the amount of text to process, with a large factor being the complexity of your analysis chain.
+The downside is that highlighting speed is roughly linear with the amount of text to process, with a large factor being the complexity of your analysis chain.
 +
 For "short" text, this is a good choice.
 Or maybe it's not short but you're prioritizing a smaller index and indexing speed over highlighting performance.
@@ -366,7 +366,7 @@ The Unified Highlighter supports these following additional parameters to the on
 |===
 +
 By default, the Unified Highlighter will usually pick the right offset source (see above).
-However it may be ambiguous such as during a migration from one offset source to another that hasn't completed.
+However, it may be ambiguous such as during a migration from one offset source to another that hasn't completed.
 +
 The offset source can be explicitly configured to one of: `ANALYSIS`, `POSTINGS`, `POSTINGS_WITH_TERM_VECTORS`, or `TERM_VECTORS`.
 
@@ -587,7 +587,7 @@ If set to `false`, or if there is no match in the alternate field either, the al
 |===
 +
 Selects a formatter for the highlighted output.
-Currently the only legal value is `simple`, which surrounds a highlighted term with a customizable pre- and post-text snippet.
+Currently, the only legal value is `simple`, which surrounds a highlighted term with a customizable pre- and post-text snippet.
 
 `hl.simple.pre`, `hl.simple.post`::
 +
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/jdbc-zeppelin.adoc b/solr/solr-ref-guide/modules/query-guide/pages/jdbc-zeppelin.adoc
index a025637a15f..3fd357c0d09 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/jdbc-zeppelin.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/jdbc-zeppelin.adoc
@@ -81,7 +81,7 @@ Instructions on how to bind the JDBC interpreter to a notebook are available htt
 .Results of Solr query
 image::jdbc-zeppelin/zeppelin_solrjdbc_6.png[image,width=481,height=400]
 
-The below code block assumes that the Apache Solr driver is setup as the default JDBC interpreter driver.
+The below code block assumes that the Apache Solr driver is set up as the default JDBC interpreter driver.
 If that is not the case, instructions for using a different prefix is available https://zeppelin.apache.org/docs/latest/interpreter/jdbc.html#how-to-use[here].
 
 [source,text]
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/join-query-parser.adoc b/solr/solr-ref-guide/modules/query-guide/pages/join-query-parser.adoc
index 8c6e876c30d..1b116c8c5a8 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/join-query-parser.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/join-query-parser.adoc
@@ -43,7 +43,7 @@ WHERE id IN (
 
 The join operation is done on a term basis, so the `from` and `to` fields must use compatible field types.
 For example: joining between a `StrField` and a `IntPointField` will not work.
-Likewise joining between a `StrField` and a `TextField` that uses `LowerCaseFilterFactory` will only work for values that are already lower cased in the string field.
+Likewise, joining between a `StrField` and a `TextField` that uses `LowerCaseFilterFactory` will only work for values that are already lower cased in the string field.
 
 == Parameters
 
@@ -183,7 +183,7 @@ node 4: movie_directors_shard1_replica4
 At query time, the `JoinQParser` will access the local replica of the *movie_directors* collection to perform the join.
 If a local replica is not available or active, then the query will fail.
 At this point, it should be clear that since you're limited to a single shard and the data must be replicated across all nodes where it is needed, this approach works better with smaller data sets where there is a one-to-many relationship between the from collection and the to collection.
-Moreover, if you add a replica to the to collection, then you also need to add a replica for the from collection.
+Moreover, if you add a replica to the "to" collection, then you also need to add a replica for the "from" collection.
 
 For more information, Erick Erickson has written a blog post about join performance titled https://lucidworks.com/post/solr-and-joins/[Solr and Joins].
 
@@ -315,7 +315,7 @@ If neither `zkHost` nor `solrUrl` are specified, the local ZooKeeper cluster wil
 |===
 +
 The URL of the external Solr node to be queried.
-Must be a character-for-character exact match of a allow-listed URL that is listed in the `allowSolrUrls` parameter in `solrconfig.xml`.
+Must be a character-for-character exact match of an allow-listed URL that is listed in the `allowSolrUrls` parameter in `solrconfig.xml`.
 If the URL does not match, this parameter will be effectively disabled.
 
 `from`::
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/json-facet-api.adoc b/solr/solr-ref-guide/modules/query-guide/pages/json-facet-api.adoc
index 16faa60c1fd..988e6a42f82 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/json-facet-api.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/json-facet-api.adoc
@@ -212,7 +212,7 @@ The default of `-1` causes a heuristic to be applied based on other options spec
 |`mincount` |Only return buckets with a count of at least this number. Defaults to `1`.
 |`missing` |A boolean that specifies if a special “missing” bucket should be returned that is defined by documents without a value in the field. Defaults to `false`.
 |`numBuckets` |A boolean. If `true`, adds “numBuckets” to the response, an integer representing the number of buckets for the facet (as opposed to the number of buckets returned). Defaults to `false`.
-|`allBuckets` |A boolean. If `true`, adds an “allBuckets” bucket to the response, representing the union of all of the buckets. For multi-valued fields, this is different than a bucket for all of the documents in the domain since a single document can belong to multiple buckets. Defaults to `false`.
+|`allBuckets` |A boolean. If `true`, adds an “allBuckets” bucket to the response, representing the union of all of the buckets. For multi-valued fields, this is different from a bucket for all of the documents in the domain since a single document can belong to multiple buckets. Defaults to `false`.
 |`prefix` |Only produce buckets for terms starting with the specified prefix.
 |`facet` |Aggregations, metrics or nested facets that will be calculated for every returned bucket
 |`method` a|
@@ -388,8 +388,8 @@ For example "start" here corresponds to "facet.range.start" in a facet.range com
 |other a|
 This parameter indicates that in addition to the counts for each range constraint between `start` and `end`, counts should also be computed for…
 
-* "before" all records with field values lower then lower bound of the first range
-* "after" all records with field values greater then the upper bound of the last range
+* "before" all records with field values lower than lower bound of the first range
+* "after" all records with field values greater than the upper bound of the last range
 * "between" all records with field values between the start and end bounds of all ranges
 * "none" compute none of this information
 * "all" shortcut for before, between, and after
@@ -626,7 +626,7 @@ include::example$JsonRequestApiTest.java[tag=solrj-json-metrics-facet-simple]
 --
 
 An expanded form allows for xref:local-params.adoc[] to be specified.
-These may be used explicitly by some specialized aggregations such as <<relatedness-options,`relatedness()`>>, but can also be used as parameter references to make aggregation expressions more readable, with out needing to use (global) request parameters:
+These may be used explicitly by some specialized aggregations such as <<relatedness-options,`relatedness()`>>, but can also be used as parameter references to make aggregation expressions more readable, without needing to use (global) request parameters:
 
 [.dynamic-tabs]
 --
@@ -930,7 +930,7 @@ ____
 
 The `relatedness(...)` function is used to "score" these relationships, relative to "Foreground" and "Background" sets of documents, specified in the function params as queries.
 
-Unlike most aggregation functions, the `relatedness(...)` function is aware of whether and how it's used in <<nested-facets,Nested Facets>>.  It evaluates the query defining the current bucket _independently_ from its parent/ancestor buckets, and intersects those documents with a "Foreground Set" defined by the foreground query _combined with the ancestor buckets_.  The result is then compared to a similar intersection done against the "Background Set" (defined exclusively by background query) to see if there is a positive, or negative, correlation between the current bucket and the Foreground Set, relative to the Background Set.
+Unlike most aggregation functions, the `relatedness(...)` function is aware of whether and how it's used in <<nested-facets,Nested Facets>>.  It evaluates the query defining the current bucket _independently_ of its parent/ancestor buckets, and intersects those documents with a "Foreground Set" defined by the foreground query _combined with the ancestor buckets_.  The result is then compared to a similar intersection done against the "Background Set" (defined exclusively by background query) to see if there is a positive, or negative, correlation between the current bucket and the Foreground Set, relative to the Background Set.
 
 NOTE: The semantics of `relatedness(...)` in an `allBuckets` context is currently undefined.
 Accordingly, although the `relatedness(...)` stat may be specified for a facet request that also specifies `allBuckets:true`, the `allBuckets` bucket itself will not include a relatedness calculation.
@@ -1067,7 +1067,7 @@ curl -sS -X POST http://localhost:8983/solr/gettingstarted/query -d 'rows=0&q=*:
 <1> Even though `hobbies:golf` has a lower total facet `count` then `hobbies:painting`, it has a higher `relatedness` score, indicating that relative to the Background Set (the entire collection) Golf has a stronger correlation to our Foreground Set (people age 35+) then Painting.
 <2> The number of documents matching `age:[35 TO *]` _and_ `hobbies:golf` is 31.25% of the total number of documents in the Background Set
 <3> 37.5% of the documents in the Background Set match `hobbies:golf`
-<4> The state of Arizona (AZ) has a _positive_ relatedness correlation with the _nested_ Foreground Set (people ages 35+ who play Golf) compared to the Background Set -- i.e., "People in Arizona are statistically more likely to be '35+ year old Golfers' then the country as a whole."
+<4> The state of Arizona (AZ) has a _positive_ relatedness correlation with the _nested_ Foreground Set (people ages 35+ who play Golf) compared to the Background Set -- i.e., "People in Arizona are statistically more likely to be '35+ year old Golfers' than the country as a whole."
 <5> The state of Colorado (CO) has a _negative_ correlation with the nested Foreground Set -- i.e., "People in Colorado are statistically less likely to be '35+ year old Golfers' then the country as a whole."
 <6> The number documents matching `age:[35 TO *]` _and_ `hobbies:golf` _and_ `state:AZ` is 18.75% of the total number of documents in the Background Set
 <7> 50% of the documents in the Background Set match `state:AZ`
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/json-query-dsl.adoc b/solr/solr-ref-guide/modules/query-guide/pages/json-query-dsl.adoc
index 85544cbd5c7..3f6b9f2572b 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/json-query-dsl.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/json-query-dsl.adoc
@@ -455,7 +455,7 @@ need to do this is if you are displaying filters for products (parents) with SKU
 options (children). Let's go on item by item:
 
 * _Filter exclusion_ is usually necessary when multiple filter values can be applied to each field.
-This is also also known as drill-sideways facets.
+This is also known as drill-sideways facets.
 See also xref:faceting.adoc#tagging-and-excluding-filters[tagging and filter exclusion].
 * _Nested documents_, or child documents, are described in xref:indexing-guide:indexing-nested-documents.adoc[].
 In the example below, they are referred as SKUs since this is a frequent use case for this feature.
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/json-request-api.adoc b/solr/solr-ref-guide/modules/query-guide/pages/json-request-api.adoc
index fe9227d3025..dbf45513351 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/json-request-api.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/json-request-api.adoc
@@ -53,7 +53,7 @@ curl http://localhost:8983/solr/techproducts/query -d 'json={"query":"memory"}'
 === JSON Parameter Merging
 If multiple `json` parameters are provided in a single request, Solr attempts to merge the parameter values together before processing the request.
 
-The JSON Request API has several properties (`filter`, `fields`, etc) which accept multiple values.  During the merging process, all values for these "multivalued" properties are retained.  Many properties though (`query`, `limit`, etc.) can have only a single value.  When multiple parameter values conflict with one another a single value is chosen based on the following precedence rules:
+The JSON Request API has several properties (`filter`, `fields`, etc.) which accept multiple values.  During the merging process, all values for these "multivalued" properties are retained.  Many properties though (`query`, `limit`, etc.) can have only a single value.  When multiple parameter values conflict with one another a single value is chosen based on the following precedence rules:
 
 * Traditional query parameters (`q`, `rows`, etc.) take first precedence and are used over any other specified values.
 * `json`-prefixed query parameters are considered next.
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/loading.adoc b/solr/solr-ref-guide/modules/query-guide/pages/loading.adoc
index f2d03b10516..e2d04080847 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/loading.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/loading.adoc
@@ -174,7 +174,7 @@ data to a SolrCloud collection for indexing.
 The `update` function adds documents to Solr in batches and returns a tuple for each batch with summary information about the batch and load.
 
 In the example below the `update` expression is run using Zeppelin-Solr because the data set is small.
-For larger loads it's best to run the load from a curl command where the output of the `update` function can be spooled to disk.
+For larger loads, it's best to run the load from a curl command where the output of the `update` function can be spooled to disk.
 
 image::math-expressions/update.png[]
 
@@ -378,7 +378,7 @@ image::math-expressions/havingId.png[]
 ==== Skipping
 
 The `gt` (greater than) function can be used on the `recNum` field to filter the result set to
-records with a recNum greater then a specific value:
+records with a recNum greater than a specific value:
 
 image::math-expressions/skipping.png[]
 
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/logs.adoc b/solr/solr-ref-guide/modules/query-guide/pages/logs.adoc
index 6246008ac7a..33adbdc3cf3 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/logs.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/logs.adoc
@@ -18,7 +18,7 @@
 
 This section of the user guide provides an introduction to Solr log analytics.
 
-NOTE: This is an appendix of the xref::math-expressions.adoc[Visual Guide to Streaming Expressions and Math Expressions].
+NOTE: This is an appendix of the xref:math-expressions.adoc[Visual Guide to Streaming Expressions and Math Expressions].
 All the functions described below are covered in detail in the guide.
 See the xref:math-start.adoc[] chapter to learn how to get started with visualizations and Apache Zeppelin.
 
@@ -94,7 +94,7 @@ By looking at this sample we can quickly learn about the *fields* available in t
 === Time Period
 
 Each log record contains a time stamp in the `date_dt` field.
-Its often useful to understand what time period the logs cover and how many log records have been indexed.
+It's often useful to understand what time period the logs cover and how many log records have been indexed.
 
 The `stats` function can be run to display this information.
 
@@ -144,7 +144,7 @@ The example below breaks this down further by adding a query on the `type_s` fie
 
 image::math-expressions/logs-time-series2.png[]
 
-Notice the query activity accounts for more then half of the burst of log records between 21:27 and 21:52.
+Notice the query activity accounts for more than half of the burst of log records between 21:27 and 21:52.
 But the query activity does not account for the large spike in log activity that follows.
 
 We can account for that spike by changing the search to include only *update*, *commit*, and *deleteByQuery* records in the logs.
@@ -205,7 +205,7 @@ Scatter plots can be used to visualize random samples of the `qtime_i`
 field.
 The example below demonstrates a scatter plot of 500 random samples from the `ptest1` collection of log records.
 
-In this example, `qtime_i` is plotted on the y-axis and the x-axis is simply a sequence to spread the query times out across the plot.
+In this example, `qtime_i` is plotted on the y-axis, and the x-axis is simply a sequence to spread the query times out across the plot.
 
 NOTE: The `x` field is included in the field list.
 The `random` function automatically generates a sequence for the x-axis when `x` is included in the field list.
@@ -296,18 +296,18 @@ image::math-expressions/qtime-series.png[]
 
 == Performance Troubleshooting
 
-If query analysis determines that queries are not performing as expected then log analysis can also be used to troubleshoot the cause of the slowness.
+If query analysis determines that queries are not performing as expected, then log analysis can also be used to troubleshoot the cause of the slowness.
 The section below demonstrates several approaches for locating the source of query slowness.
 
 === Slow Nodes
 
 In a distributed search the final search performance is only as fast as the slowest responding shard in the cluster.
-Therefore one slow node can be responsible for slow overall search time.
+Therefore, one slow node can be responsible for slow overall search time.
 
 The fields `core_s`, `replica_s` and `shard_s` are available in the log records.
 These fields allow average query time to be calculated by *core*, *replica* or *shard*.
 
-The `core_s` field is particularly useful as its the most granular element and the naming convention often includes the collection, shard and replica information.
+The `core_s` field is particularly useful as it's the most granular element and the naming convention often includes the collection, shard and replica information.
 
 The example below uses the `facet` function to calculate `avg(qtime_i)` by core.
 
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/machine-learning.adoc b/solr/solr-ref-guide/modules/query-guide/pages/machine-learning.adoc
index 55aaba56948..aaa763ea231 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/machine-learning.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/machine-learning.adoc
@@ -110,7 +110,7 @@ The `count(*)` field populates the values in the cells of the matrix.
 The `distance` function is then used to compute the distance matrix for the columns of the matrix using `cosine` distance.
 This produces a distance matrix that shows distance between complaint types based on the zip codes they appear in.
 
-Finally the `zplot` function is used to plot the distance matrix as a heat map.
+Finally, the `zplot` function is used to plot the distance matrix as a heat map.
 Notice that the heat map has been configured so that the intensity of color increases as the distance between vectors decreases.
 
 
@@ -182,7 +182,7 @@ These are the zip codes that are most similar to the 10280 zip code based on the
 
 K-nearest neighbor regression is a non-linear, bivariate and multivariate regression method.
 KNN regression is a lazy learning technique which means it does not fit a model to the training set in advance.
-Instead the entire training set of observations and outcomes are held in memory and predictions are made by averaging the outcomes of the k-nearest neighbors.
+Instead, the entire training set of observations and outcomes are held in memory and predictions are made by averaging the outcomes of the k-nearest neighbors.
 
 The `knnRegress` function is used to perform nearest neighbor regression.
 
@@ -229,7 +229,7 @@ These predictions will be used to determine how well the KNN regression performe
 The error, or *residuals*, for the regression are then calculated by subtracting the *predicted* quality from the *observed* quality.
 The `ebeSubtract` function is used to perform the element-by-element subtraction between the two vectors.
 
-Finally the `zplot` function formats the predictions and errors for the visualization of the *residual plot*.
+Finally, the `zplot` function formats the predictions and errors for the visualization of the *residual plot*.
 
 image::math-expressions/redwine1.png[]
 
@@ -262,7 +262,7 @@ From this plot we can see the probability of getting prediction errors between -
 The `knnRegression` function has three additional parameters that make it suitable for many different regression scenarios.
 
 . Any of the distance measures can be used for the regression simply by adding the function to the call.
-This allows for regression analysis over sparse vectors (`cosine`), dense vectors and geo-spatial lat/lon vectors (`haversineMeters`).
+This allows for regression analysis over sparse vectors (`cosine`), dense vectors and geospatial lat/lon vectors (`haversineMeters`).
 +
 Sample syntax:
 +
@@ -330,9 +330,9 @@ The matrix is transposed so each row contains a single latitude, longitude point
 The `dbscan` function is then used to cluster the latitude and longitude points.
 Notice that the `dbscan` function in the example has four parameters.
 
-* `obs` : The observation matrix of lat/lon points
+* `obs`: The observation matrix of lat/lon points
 
-* `eps` : The distance between points to be considered a cluster.
+* `eps`: The distance between points to be considered a cluster.
 100 meters in the example.
 
 * `min points`: The minimum points in a cluster for the cluster to be returned by the function.
@@ -386,7 +386,7 @@ The plot is dense enough so the outlines of the different boroughs are visible i
 
 Each cluster is shown in a different color.
 This plot provides interesting insight into the densities of rat sightings throughout the five boroughs of New York City.
-For example it highlights a cluster of dense sightings in Brooklyn at cluster1
+For example, it highlights a cluster of dense sightings in Brooklyn at cluster1
 surrounded by less dense but still high activity clusters.
 
 === Plotting the Centroids
@@ -412,7 +412,7 @@ K-means clustering produces centroids or *prototype* vectors which can be used t
 In this example the key features of the centroids are extracted to represent the key phrases for clusters of TF-IDF term vectors.
 
 NOTE: The example below works with TF-IDF _term vectors_.
-The section xref:term-vectors.adoc[] offers a full explanation of this features.
+The section xref:term-vectors.adoc[] offers a full explanation of these features.
 
 In the example the `search` function returns documents where the `review_t` field matches the phrase "star wars".
 The `select` function is run over the result set and applies the `analyze` function which uses the analyzer attached to the schema field `text_bigrams` to re-analyze the `review_t` field.
@@ -420,7 +420,7 @@ This analyzer returns bigrams which are then annotated to documents in a field c
 
 The `termVectors` function then creates TD-IDF term vectors from the bigrams stored in the `terms` field.
 The `kmeans` function is then used to cluster the bigram term vectors into 5 clusters.
-Finally the top 5 features are extracted from the centroids and returned.
+Finally, the top 5 features are extracted from the centroids and returned.
 Notice that the features are all bigram phrases with semantic significance.
 
 [source,text]
@@ -565,7 +565,7 @@ This expression returns the following response:
 
 == Fuzzy K-Means Clustering
 
-The `fuzzyKmeans` function is a soft clustering algorithm which allows vectors to be assigned to more then one cluster.
+The `fuzzyKmeans` function is a soft clustering algorithm which allows vectors to be assigned to more than one cluster.
 The `fuzziness` parameter is a value between `1` and `2` that determines how fuzzy to make the cluster assignment.
 
 After the clustering has been performed the `getMembershipMatrix` function can be called on the clustering result to return a matrix describing the probabilities of cluster membership for each vector.
@@ -597,7 +597,7 @@ When operating on a matrix the rows of the matrix are scaled.
 === Min/Max Scaling
 
 The `minMaxScale` function scales a vector or matrix between a minimum and maximum value.
-By default it will scale between `0` and `1` if min/max values are not provided.
+By default, it will scale between `0` and `1` if min/max values are not provided.
 
 Below is a plot of a sine wave, with an amplitude of 1, before and after it has been scaled between -5 and 5.
 
@@ -654,7 +654,7 @@ Below is a plot of a sine wave, with an amplitude of 1, before and after it has
 
 image::math-expressions/standardize.png[]
 
-Below is a simple example of of a standardized matrix.
+Below is a simple example of a standardized matrix.
 Notice that once brought into the same scale the vectors are the same.
 
 [source,text]
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/math-start.adoc b/solr/solr-ref-guide/modules/query-guide/pages/math-start.adoc
index 8a3b6551825..eaf050b740a 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/math-start.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/math-start.adoc
@@ -96,7 +96,7 @@ The visualizations in this guide were performed with Apache Zeppelin using the Z
 === Zeppelin-Solr Interpreter
 
 An Apache Zeppelin interpreter for Solr allows streaming expressions and math expressions to be executed and results visualized in Zeppelin.
-The instructions for installing and configuring Zeppelin-Solr can be found on the Github repository for the project:
+The instructions for installing and configuring Zeppelin-Solr can be found on the GitHub repository for the project:
 https://github.com/lucidworks/zeppelin-solr
 
 Once installed the Solr Interpreter can be configured to connect to your Solr instance.
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/numerical-analysis.adoc b/solr/solr-ref-guide/modules/query-guide/pages/numerical-analysis.adoc
index bf8b412099b..4800e055e52 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/numerical-analysis.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/numerical-analysis.adoc
@@ -55,7 +55,7 @@ These are the new zoomed in x-axis points, between 0 and 3.
 Notice that we are sampling a specific area of the curve.
 
 Then the `predict` function is used to predict y-axis points for the sampled x-axis, for all three interpolation functions.
-Finally all three prediction vectors are plotted with the sampled x-axis points.
+Finally, all three prediction vectors are plotted with the sampled x-axis points.
 
 The red line is the `lerp` interpolation, the blue line is the `akima` and the purple line is the `spline` interpolation.
 You can see they each produce different curves in between the control points.
@@ -64,7 +64,7 @@ You can see they each produce different curves in between the control points.
 === Smoothing Interpolation
 
 The `loess` function is a smoothing interpolator which means it doesn't derive a function that passes through the original control points.
-Instead the `loess` function returns a function that smooths the original control points.
+Instead, the `loess` function returns a function that smooths the original control points.
 
 A technique known as local regression is used to compute the smoothed curve.
 The size of the neighborhood of the local regression can be adjusted to control how close the new curve conforms to the original control points.
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/other-parsers.adoc b/solr/solr-ref-guide/modules/query-guide/pages/other-parsers.adoc
index 56023635026..0fc92b17268 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/other-parsers.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/other-parsers.adoc
@@ -73,7 +73,7 @@ For a BooleanQuery with no `must` queries, one or more `should` queries must mat
 A list of queries that *must* appear in matching documents.
 However, unlike `must`, the score of filter queries is ignored.
 Also, these queries are cached in filter cache.
-To avoid caching add either `cache=false` as local parameter, or `"cache":"false"` property to underneath Query DLS Object.
+To avoid caching add either `cache=false` as local parameter, or `"cache":"false"` property to the underlying Query DSL Object.
 
 `mm`::
 +
@@ -140,7 +140,7 @@ q={!bool must=foo}
 
 `BoostQParser` extends the `QParserPlugin` and creates a boosted query from the input value.
 The main value is any query to be "wrapped" and "boosted" -- only documents which match that query will match the final query produced by this parser.
-Parameter `b` is a xref:function-queries.adoc#available-functions[function] to be evaluated against each document that matches the original query, and the result of the function will be multiplied into into the final score for that document.
+Parameter `b` is a xref:function-queries.adoc#available-functions[function] to be evaluated against each document that matches the original query, and the result of the function will be multiplied into the final score for that document.
 
 === Boost Query Parser Examples
 
@@ -151,7 +151,7 @@ Creates a query `name:foo` which is boosted (scores are multiplied) by the funct
 q={!boost b=log(popularity)}name:foo
 ----
 
-Creates a query `name:foo` which has it's scores multiplied by the _inverse_ of the numeric `price` field -- effectively "demoting" documents which have a high `price` by lowering their final score:
+Creates a query `name:foo` which has its scores multiplied by the _inverse_ of the numeric `price` field -- effectively "demoting" documents which have a high `price` by lowering their final score:
 
 [source,text]
 ----
@@ -516,7 +516,7 @@ http://localhost:8983/solr/my_graph/query?fl=id&q={!graph+from=in_edge+to=out_ed
 ----
 
 The examples shown so far have all used a query for a single document (`"id:A"`) as the root node for the graph traversal, but any query can be used to identify multiple documents to use as root nodes.
-The next example demonstrates using the `maxDepth` parameter to find all nodes that are at most one edge away from an root node with a value in the `foo` field less then or equal to 10:
+The next example demonstrates using the `maxDepth` parameter to find all nodes that are at most one edge away from a root node with a value in the `foo` field less than or equal to 10:
 
 [source,text]
 ----
@@ -686,7 +686,7 @@ The queries measure Jaccard similarity between the query string and MinHash fiel
 The parser supports two modes of operation.
 The first, when tokens are generated from text by normal analysis; and the second, when explicit tokens are provided.
 
-Currently the score returned by the query reflects the number of top level elements that match and is *not* normalised between 0 and 1.
+Currently, the score returned by the query reflects the number of top level elements that match and is *not* normalised between 0 and 1.
 
 `sim`::
 +
@@ -866,7 +866,7 @@ In this case, generating a score of 1 if one hash matches and a score of 512 if
 A banded query mixes conjunctions and disjunctions.
 We could have 256 bands each of two queries ANDed together, 128 with 4 hashes ANDed together etc.
 With fewer bands query performance increases but we may miss some matches.
-There is a trade off between speed and accuracy.
+There is a trade-off between speed and accuracy.
 With 64 bands the score will range from 0 to 64 (the number of bands ORed together)
 
 Given the required similarity and an acceptable true positive rate, the query parser computes the appropriate band size^[1]^.
@@ -886,7 +886,7 @@ Even a single match may indicate some kind of similarity either in meaning, styl
 
 For a general introduction see "Mining of Massive Datasets"^[1]^.
 
-For documents of ~1500 words expect an index size overhead of ~10%; your milage will vary.
+For documents of ~1500 words expect an index size overhead of ~10%; your mileage will vary.
 512 hashes would be expected to represent ~2500 words well.
 
 Using a set of MinHash values was proposed in the initial paper^[2]^ but provides a biased estimate of Jaccard similarity.
@@ -1070,7 +1070,7 @@ Find all documents with the phrase "foo bar" where term "foo" has a payload grea
 == Prefix Query Parser
 
 `PrefixQParser` extends the `QParserPlugin` by creating a prefix query from the input value.
-Currently no analysis or value transformation is done to create this prefix query.
+Currently, no analysis or value transformation is done to create this prefix query.
 
 The parameter is `f`, the field.
 The string after the prefix declaration is treated as a wildcard query.
@@ -1231,7 +1231,7 @@ The non-unary operators (everything but `NOT`) support both infix `(a AND b AND
 
 `SwitchQParser` is a `QParserPlugin` that acts like a "switch" or "case" statement.
 
-The primary input string is trimmed and then prefixed with `case.` for use as a key to lookup a "switch case" in the parser's local params.
+The primary input string is trimmed and then prefixed with `case.` for use as a key to look up a "switch case" in the parser's local params.
 If a matching local param is found the resulting parameter value will then be parsed as a subquery, and returned as the parse result.
 
 The `case` local param can be optionally be specified as a switch case to match missing (or blank) input strings.
@@ -1251,7 +1251,7 @@ In the examples below, the result of each query is "XXX":
 {!switch case.foo=qqq case.bar=XXX case.yak=zzz} bar
 ----
 
-.The result will fallback to the default.
+.The result will fall back to the default.
 [source,text]
 ----
 {!switch case.foo=qqq case.bar=zzz default=XXX}asdf
@@ -1289,7 +1289,7 @@ Using the example configuration below, clients can optionally specify the custom
 == Term Query Parser
 
 `TermQParser` extends the `QParserPlugin` by creating a single term query from the input value equivalent to `readableToIndexed()`.
-This is useful for generating filter queries from the external human readable terms returned by the faceting or terms components.
+This is useful for generating filter queries from the external human-readable terms returned by the faceting or terms components.
 The only parameter is `f`, for the field.
 
 Example:
@@ -1308,7 +1308,7 @@ If no analysis or transformation is desired for any type of field, see the <<Raw
 
 `TermsQParser` functions similarly to the <<Term Query Parser,Term Query Parser>> but takes in multiple values separated by commas and returns documents matching any of the specified values.
 
-This can be useful for generating filter queries from the external human readable terms returned by the faceting or terms components, and may be more efficient in some cases than using the xref:standard-query-parser.adoc[] to generate a boolean query since the default implementation `method` avoids scoring.
+This can be useful for generating filter queries from the external human-readable terms returned by the faceting or terms components, and may be more efficient in some cases than using the xref:standard-query-parser.adoc[] to generate a boolean query since the default implementation `method` avoids scoring.
 
 This query parser takes the following parameters:
 
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/pagination-of-results.adoc b/solr/solr-ref-guide/modules/query-guide/pages/pagination-of-results.adoc
index da9f34af047..d575bd6d412 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/pagination-of-results.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/pagination-of-results.adoc
@@ -26,7 +26,7 @@ In Solr, this basic paginated searching is supported using the `start` and `rows
 
 === Basic Pagination Examples
 
-The easiest way to think about simple pagination, is to simply multiply the page number you want (treating the "first" page number as "0") by the number of rows per page; such as in the following pseudo-code:
+The easiest way to think about simple pagination, is to simply multiply the page number you want (treating the "first" page number as "0") by the number of rows per page; such as in the following pseudocode:
 
 [source,plain]
 ----
@@ -87,7 +87,7 @@ For a ten shard index, ten million entries must be retrieved and sorted to figur
 As an alternative to increasing the "start" parameter to request subsequent pages of sorted results, Solr supports using a "Cursor" to scan through results.
 
 Cursors in Solr are a logical concept that doesn't involve caching any state information on the server.
-Instead the sort values of the last document returned to the client are used to compute a "mark" representing a logical point in the ordered space of sort values.
+Instead, the sort values of the last document returned to the client are used to compute a "mark" representing a logical point in the ordered space of sort values.
 That "mark" can be specified in the parameters of subsequent requests to tell Solr where to continue.
 
 === Using Cursors
@@ -127,7 +127,7 @@ Requiring that the uniqueKey field be used as a clause in the sort criteria guar
 
 ==== Fetch All Docs
 
-The pseudo-code shown here shows the basic logic involved in fetching all documents matching a query using a cursor:
+The pseudocode shown here shows the basic logic involved in fetching all documents matching a query using a cursor:
 
 [source,plain]
 ----
@@ -145,7 +145,7 @@ while (not $done) {
 }
 ----
 
-Using SolrJ, this pseudo-code would be:
+Using SolrJ, this pseudocode would be:
 
 [source,java]
 ----
@@ -254,9 +254,9 @@ In a nutshell: When fetching all results matching a query using `cursorMark`, th
 
 [TIP]
 ====
-One way to ensure that a document will never be returned more then once, is to use the uniqueKey field as the primary (and therefore: only significant) sort criterion.
+One way to ensure that a document will never be returned more than once, is to use the uniqueKey field as the primary (and therefore: only significant) sort criterion.
 
-In this situation, you will be guaranteed that each document is only returned once, no matter how it may be be modified during the use of the cursor.
+In this situation, you will be guaranteed that each document is only returned once, no matter how it may be modified during the use of the cursor.
 ====
 
 === "Tailing" a Cursor
@@ -270,7 +270,7 @@ Client applications can continuously poll a cursor using a `sort=timestamp asc,
 
 Another common example is when you have uniqueKey values that always increase as new documents are created, and you can continuously poll a cursor using `sort=id asc` to be notified about new documents.
 
-The pseudo-code for tailing a cursor is only a slight modification from our early example for processing all docs matching a query:
+The pseudocode for tailing a cursor is only a slight modification from our early example for processing all docs matching a query:
 
 [source,plain]
 ----
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/probability-distributions.adoc b/solr/solr-ref-guide/modules/query-guide/pages/probability-distributions.adoc
index b47e37ead03..9ed35fc5329 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/probability-distributions.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/probability-distributions.adoc
@@ -114,7 +114,7 @@ image::math-expressions/poisson.png[]
 
 ==== binomialDistribution
 
-The visualization below shows a binomial distribution with a 100 trials and .15 probability of success.
+The visualization below shows a binomial distribution with 100 trials and .15 probability of success.
 
 image::math-expressions/binomial.png[]
 
@@ -326,7 +326,7 @@ The covariance matrix describes the covariance between `filesize_d` and `respons
 The `multivariateNormalDistribution` function is then called with the array of means for the two fields and the covariance matrix.
 The model for the multivariate normal distribution is assigned to variable `g`.
 
-Finally five samples are drawn from the multivariate normal distribution.
+Finally, five samples are drawn from the multivariate normal distribution.
 
 [source,text]
 ----
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/query-re-ranking.adoc b/solr/solr-ref-guide/modules/query-guide/pages/query-re-ranking.adoc
index d1eb28e302e..0cf15be3ff6 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/query-re-ranking.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/query-re-ranking.adoc
@@ -19,7 +19,7 @@
 Query Re-Ranking allows you to run a simple query (A) for matching documents and then re-rank the top N documents using the scores from a more complex query (B).
 
 Since the more costly ranking from query B is only applied to the top _N_ documents, it will have less impact on performance then just using the complex query B by itself.
-The trade off is that documents which score very low using the simple query A may not be considered during the re-ranking phase, even if they would score very highly using query B.
+The trade-off is that documents which score very low using the simple query A may not be considered during the re-ranking phase, even if they would score very highly using query B.
 
 == Specifying a Ranking Query
 
@@ -39,7 +39,7 @@ You can also configure a custom {solr-javadocs}/core/org/apache/solr/search/QPar
 
 === ReRank Query Parser
 
-The `rerank` parser wraps a query specified by an local parameter, along with additional parameters indicating how many documents should be re-ranked, and how the final scores should be computed:
+The `rerank` parser wraps a query specified by a local parameter, along with additional parameters indicating how many documents should be re-ranked, and how the final scores should be computed:
 
 `reRankQuery`::
 +
@@ -96,7 +96,7 @@ min and max are positive integers. Example `reRankMainScale=0-1` rescales the ma
 |Optional |Default: `add`
 |===
 +
-By default the score from the reRankQuery multiplied by the `reRankWeight` is added to the original score.
+By default, the score from the reRankQuery multiplied by the `reRankWeight` is added to the original score.
 
 In the example below using the default `add` behaviour, the top 1000 documents matching the query "greetings" will be re-ranked using the query "(hi hello hey hiya)".
 The resulting scores for each of those 1000 documents will be 3 times their score from the "(hi hello hey hiya)", plus the score from the original "greetings" query:
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/regression.adoc b/solr/solr-ref-guide/modules/query-guide/pages/regression.adoc
index 36cd11f2658..ad98774bc7e 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/regression.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/regression.adoc
@@ -165,7 +165,7 @@ image::math-expressions/linear.png[]
 === Residuals
 
 The difference between the observed value and the predicted value is known as the residual.
-There isn't a specific function to calculate the residuals but vector math can used to perform the calculation.
+There isn't a specific function to calculate the residuals but vector math can be used to perform the calculation.
 
 In the example below the predictions are stored in variable `p`.
 The `ebeSubtract` function is then used to subtract the predictions from the actual `response_d` values stored in variable `y`.
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/response-writers.adoc b/solr/solr-ref-guide/modules/query-guide/pages/response-writers.adoc
index 6fc40c65ef7..229a3a85014 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/response-writers.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/response-writers.adoc
@@ -39,7 +39,7 @@ The list below describe shows the most common settings for the `wt` parameter, w
 
 == JSON Response Writer
 
-The default Solr Response Writer is the `JsonResponseWriter`, which formats output in JavaScript Object Notation (JSON), a lightweight data interchange format specified in specified in RFC 4627.
+The default Solr Response Writer is the `JsonResponseWriter`, which formats output in JavaScript Object Notation (JSON), a lightweight data interchange format specified in RFC 4627.
 The default response writer is used when:
 
 * the `wt` parameter is not specified in the request, or
@@ -88,7 +88,7 @@ The default mime type for the JSON writer is `application/json`, however this ca
 </queryResponseWriter>
 ----
 
-WARNING: If you using the JSON formatted response with JSONP to query across boundaries, having Solr respond with `text/plain` mime type when the
+WARNING: If you are using the JSON formatted response with JSONP to query across boundaries, having Solr respond with `text/plain` mime type when the
 browser expects `application/json` will trigger the browser to block the request.
 
 === JSON-Specific Parameters
@@ -245,7 +245,7 @@ For production you probably want a much higher value.
     <language>en-us</language>
     <docs>http://localhost:8983/solr</docs>
     <item>
-      <title>iPod & iPod Mini USB 2.0 Cable</title>
+      <title>iPod &amp; iPod Mini USB 2.0 Cable</title>
       <link>
         http://localhost:8983/solr/select?q=id:IW-02
       </link>
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/search-sample.adoc b/solr/solr-ref-guide/modules/query-guide/pages/search-sample.adoc
index 9dbdade8fda..dddf2e729c0 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/search-sample.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/search-sample.adoc
@@ -161,9 +161,9 @@ The `facet` function supports any combination of the following aggregate functio
 
 === facet2D
 
-The `facet2D` function performs two dimensional aggregations that can be visualized as heat maps or pivoted into matrices and operated on by machine learning functions.
+The `facet2D` function performs two-dimensional aggregations that can be visualized as heat maps or pivoted into matrices and operated on by machine learning functions.
 
-`facet2D` has different syntax and behavior then a two dimensional `facet` function which does not control the number of unique facets of each dimension.
+`facet2D` has different syntax and behavior then a two-dimensional `facet` function which does not control the number of unique facets of each dimension.
 The `facet2D` function has the `dimensions` parameter which controls the number of unique facets for the *x* and *y* dimensions.
 
 The example below visualizes the output of the `facet2D` function.
@@ -201,7 +201,7 @@ The `significantTerms` function can often provide insights that cannot be gleane
 The example below illustrates the difference between the `facet` function and the `significantTerms` function.
 
 In the first example the `facet` function aggregates the top 5 complaint types in Brooklyn.
-This returns the five most common complaint types in Brooklyn, but it's not clear that these terms appear more frequently in Brooklyn then then the other boroughs.
+This returns the five most common complaint types in Brooklyn, but it's not clear that these terms appear more frequently in Brooklyn than the other boroughs.
 
 image::math-expressions/significantTermsCompare.png[]
 
@@ -242,11 +242,11 @@ The `gather` parameter tells the nodes expression to gather the `ticker_s` symbo
 The `count(*)` parameter counts the occurrences of the tickers.
 This will count the number of times each ticker appears in the breadth first search.
 
-Finally the `top` function selects the top 5 tickers by count and returns them.
+Finally, the `top` function selects the top 5 tickers by count and returns them.
 
 The result below shows the ticker symbols in the `nodes` field and the counts for each node.
 Notice *jpm* is first, which shows how many days *jpm* had a change greater then .25 in this time period.
-The next set of ticker symbols (*mtb*, *slvb*, *gs* and *pnc*) are the symbols with highest number of days with a change greater then .25 on the same days that *jpm* had a change greater then .25.
+The next set of ticker symbols (*mtb*, *slvb*, *gs* and *pnc*) are the symbols with the highest number of days with a change greater then .25 on the same days that *jpm* had a change greater then .25.
 
 image::math-expressions/nodestab.png[]
 
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/searching-nested-documents.adoc b/solr/solr-ref-guide/modules/query-guide/pages/searching-nested-documents.adoc
index 2a92df2d37e..4ccf81f9dd5 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/searching-nested-documents.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/searching-nested-documents.adoc
@@ -37,7 +37,7 @@ include::indexing-guide:page$indexing-nested-documents.adoc[tag=sample-indexing-
 By default, documents that match a query do not include any of their nested children in the response.
 The `[child]` Doc Transformer Can be used enrich query results with the documents' descendants.
 
-For a detailed explanation of this transformer, and specifics on it's syntax & limitations, please refer to the section xref:document-transformers.adoc#child-childdoctransformerfactory[[child] - ChildDocTransformerFactory].
+For a detailed explanation of this transformer, and specifics on its syntax & limitations, please refer to the section xref:document-transformers.adoc#child-childdoctransformerfactory[[child] - ChildDocTransformerFactory].
 
 A simple query matching all documents with a description that includes "staplers":
 
@@ -174,7 +174,7 @@ Note that in the above example, the `/` characters in the `\_nest_path_` were "d
 * One level of `\` escaping is necessary to prevent the `/` from being interpreted as a {lucene-javadocs}/queryparser/org/apache/lucene/queryparser/classic/package-summary.html#Regexp_Searches[Regex Query]
 * An additional level of "escaping the escape character" is necessary because the `of` local parameter is a quoted string; so we need a second `\` to ensure the first `\` is preserved and passed as is to the query parser.
 
-(You can see that only a single level of of `\` escaping is needed in the body of the query string -- to prevent the Regex syntax --  because it's not a quoted string local param).
+(You can see that only a single level of `\` escaping is needed in the body of the query string -- to prevent the Regex syntax --  because it's not a quoted string local param).
 
 You may find it more convenient to use xref:local-params.adoc#parameter-dereferencing[parameter references] in conjunction with xref:other-parsers.adoc[other parsers] that do not treat `/` as a special character to express the same query in a more verbose form:
 
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/simulations.adoc b/solr/solr-ref-guide/modules/query-guide/pages/simulations.adoc
index ca5915f0af7..297b70bb99a 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/simulations.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/simulations.adoc
@@ -118,7 +118,7 @@ The distribution visualizes the probability of the different total returns from
 
 image::math-expressions/randomwalk5.png[]
 
-The `probability` and `cumulativeProbability` functions can then used to learn more about the `empiricalDistribution`.
+The `probability` and `cumulativeProbability` functions can then be used to learn more about the `empiricalDistribution`.
 For example the `probability` function can be used to calculate the probability of a non-negative return from 100 days of stock returns.
 
 The example below uses the `probability` function to return the probability of a return between the range of 0 and 40 from the `empiricalDistribution` of the simulation.
@@ -166,7 +166,7 @@ image::math-expressions/corrsim2.png[]
 
 === Covariance Matrix
 
-A covariance matrix is actually whats needed by the `multiVariateNormalDistribution` as it contains both the variance of the two stock return vectors and the covariance between the two vectors.
+A covariance matrix is actually what's needed by the `multiVariateNormalDistribution` as it contains both the variance of the two stock return vectors and the covariance between the two vectors.
 The `cov` function will compute the covariance matrix for the columns of a matrix.
 
 The example below demonstrates how to compute the covariance matrix by adding the `all` and `cvx` vectors as rows to a matrix.
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/spatial-search.adoc b/solr/solr-ref-guide/modules/query-guide/pages/spatial-search.adoc
index 37aa5802bd2..dadaeef4cb1 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/spatial-search.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/spatial-search.adoc
@@ -63,7 +63,7 @@ Use `x y` (a space) if RPT.
 For PointType however, use `x,y` (a comma).
 
 If you'd rather use a standard industry format, Solr supports https://en.wikipedia.org/wiki/Well-known_text[WKT] and http://geojson.org/[GeoJSON].
-However it's much bulkier than the raw coordinates for such simple data.
+However, it's much bulkier than the raw coordinates for such simple data.
 (Not supported by PointType)
 
 === Indexing GeoJSON and WKT
@@ -709,9 +709,9 @@ Some of the attributes are in common with the RPT field like geo, units, worldBo
 To index a box, add a field value to a bbox field that's a string in the WKT/CQL ENVELOPE syntax.
 Example: `ENVELOPE(-10, 20, 15, 10)` which is minX, maxX, maxY, minY order.
 The parameter ordering is unintuitive but that's what the spec calls for.
-Alternatively, you could provide a rectangular polygon in WKT (or GeoJSON if you set set `format="GeoJSON"`).
+Alternatively, you could provide a rectangular polygon in WKT (or GeoJSON if you set `format="GeoJSON"`).
 
-To search, you can use the `{!bbox}` query parser, or the range syntax e.g., `[10,-10 TO 15,20]`, or the ENVELOPE syntax wrapped in parenthesis with a leading search predicate.
+To search, you can use the `{!bbox}` query parser, or the range syntax e.g., `[10,-10 TO 15,20]`, or the ENVELOPE syntax wrapped in parentheses with a leading search predicate.
 The latter is the only way to choose a predicate other than Intersects.
 For example:
 
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/spell-checking.adoc b/solr/solr-ref-guide/modules/query-guide/pages/spell-checking.adoc
index 0adfd4c10fc..2c30bd4fb6b 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/spell-checking.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/spell-checking.adoc
@@ -401,7 +401,7 @@ This is ignored if `spellcheck.collate` is false.
 +
 This parameter specifies the maximum number of documents that should be collected when testing potential collations against the index.
 A value of `0` indicates that all documents should be collected, resulting in exact hit-counts.
-Otherwise an estimation is provided as a performance optimization in cases where exact hit-counts are unnecessary – the higher the value specified, the more precise the estimation.
+Otherwise, an estimation is provided as a performance optimization in cases where exact hit-counts are unnecessary – the higher the value specified, the more precise the estimation.
 +
 When `spellcheck.collateExtendedResults` is `false`, the optimization is always used as if `1` had been specified.
 
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/sql-query.adoc b/solr/solr-ref-guide/modules/query-guide/pages/sql-query.adoc
index c956c589abb..f6f768fc465 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/sql-query.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/sql-query.adoc
@@ -39,10 +39,10 @@ More information about how to Solr supports SQL queries for Solr is described in
 === Solr Collections and DB Tables
 
 In a standard `SELECT` statement such as `SELECT <expressions> FROM <table>`, the table names correspond to Solr collection names.
-Table names are case insensitive.
+Table names are case-insensitive.
 
 Column names in the SQL query map directly to fields in the Solr index for the collection being queried.
-These identifiers are case sensitive.
+These identifiers are case-sensitive.
 Aliases are supported, and can be referenced in the `ORDER BY` clause.
 
 The `SELECT *` syntax to indicate all fields is only supported for queries with a `LIMIT` clause.
@@ -65,7 +65,7 @@ Solr supports a broad range of SQL syntax.
 .SQL Parser is Case Insensitive
 [IMPORTANT]
 ====
-The SQL parser being used by Solr to translate the SQL statements is case insensitive.
+The SQL parser being used by Solr to translate the SQL statements is case-insensitive.
 However, for ease of reading, all examples on this page use capitalized keywords.
 ====
 
@@ -199,7 +199,7 @@ If the `ORDER BY` clause contains the exact fields in the `GROUP BY` clause, the
 If the `ORDER BY` clause contains different fields than the `GROUP BY` clause, a limit of 100 is automatically applied.
 To increase this limit you must specify a value in the `LIMIT` clause.
 
-Order by fields are case sensitive.
+Order by fields are case-sensitive.
 
 ==== OFFSET with FETCH
 
@@ -295,7 +295,7 @@ The Column Identifiers can contain both fields in the Solr index and aggregate f
 The supported aggregate functions are:
 
 * `COUNT(*)`: Counts the number of records over a set of buckets.
-* `SUM(field)`: Sums a numeric field over over a set of buckets.
+* `SUM(field)`: Sums a numeric field over a set of buckets.
 * `AVG(field)`: Averages a numeric field over a set of buckets.
 * `MIN(field)`: Returns the min value of a numeric field over a set of buckets.
 * `MAX(field)`: Returns the max value of a numerics over a set of buckets.
@@ -352,7 +352,7 @@ The request handlers used for the SQL interface are configured to load implicitl
 The `/sql` handler is the front end of the Parallel SQL interface.
 All SQL queries are sent to the `/sql` handler to be processed.
 The handler also coordinates the distributed MapReduce jobs when running `GROUP BY` and `SELECT DISTINCT` queries in `map_reduce` mode.
-By default the `/sql` handler will choose worker nodes from its own collection to handle the distributed operations.
+By default, the `/sql` handler will choose worker nodes from its own collection to handle the distributed operations.
 In this default scenario the collection where the `/sql` handler resides acts as the default worker collection for MapReduce queries.
 
 By default, the `/sql` request handler is configured as an implicit handler, meaning that it is always enabled in every Solr installation and no further configuration is required.
@@ -388,7 +388,7 @@ Like the `/sql` request handler, the `/stream` and `/export` request handlers ar
 
 In some cases, fields used in SQL queries must be configured as DocValue fields.
 If queries are unlimited, all fields must be DocValue fields.
-If queries are limited (with the `limit` clause) then fields do not have to be have DocValues enabled.
+If queries are limited (with the `limit` clause) then fields do not have to have DocValues enabled.
 
 .Multi-valued Fields
 [IMPORTANT]
@@ -483,7 +483,7 @@ One of the parameters of the request is the `aggregationMode`, which defines if
 === Parallelized Queries
 
 The Parallel SQL architecture consists of three logical tiers: a *SQL* tier, a *Worker* tier, and a *Data Table* tier.
-By default the SQL and Worker tiers are collapsed into the same physical SolrCloud collection.
+By default, the SQL and Worker tiers are collapsed into the same physical SolrCloud collection.
 
 ==== SQL Tier
 
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/standard-query-parser.adoc b/solr/solr-ref-guide/modules/query-guide/pages/standard-query-parser.adoc
index 06dd8112a11..46bb8a6c407 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/standard-query-parser.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/standard-query-parser.adoc
@@ -211,7 +211,7 @@ This is a <<differences-between-lucenes-classic-query-parser-and-solrs-standard-
 .Matching `NaN` values with wildcards
 ====
 For most fields, unbounded range queries, `field:[* TO *]`, are equivalent to existence queries, `field: *` .
-However for float/double types that support `NaN` values, these two queries perform differently.
+However, for float/double types that support `NaN` values, these two queries perform differently.
 
 * `field:*` matches all existing values, including `NaN`
 * `field:[* TO *]` matches all real values, excluding `NaN`
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/statistics.adoc b/solr/solr-ref-guide/modules/query-guide/pages/statistics.adoc
index 2427c90e292..c2cbb9f11b0 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/statistics.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/statistics.adoc
@@ -166,7 +166,7 @@ The list of tuples with the counts is then stored in variable *a*.
 
 Then an `array` of labels is created and set to variable *l*.
 
-Finally the `zplot` function is used to plot the labels vector and the `count(*)` column.
+Finally, the `zplot` function is used to plot the labels vector and the `count(*)` column.
 Notice the `col` function is used inside of the `zplot` function to extract the counts from the `stats` results.
 
 image::math-expressions/custom-hist.png[]
@@ -176,7 +176,7 @@ image::math-expressions/custom-hist.png[]
 
 The `freqTable` function returns a frequency distribution for a discrete data set.
 The `freqTable` function doesn't create bins like the histogram.
-Instead it counts the occurrence of each discrete data value and returns a list of tuples with the frequency statistics for each value.
+Instead, it counts the occurrence of each discrete data value and returns a list of tuples with the frequency statistics for each value.
 
 Below is an example of a frequency table built from a result set of rounded *differences* in daily opening stock prices for the stock ticker *amzn*.
 
@@ -193,7 +193,7 @@ This will provide an array of price differences for each day which will show dai
 Then the `round` function is used to round the price differences to the nearest integer to create a vector of discrete values.
 The `round` function in this example is effectively *binning* continuous data at integer boundaries.
 
-Finally the `freqTable` function is run on the discrete values to calculate the frequency table.
+Finally, the `freqTable` function is run on the discrete values to calculate the frequency table.
 
 [source,text]
 ----
@@ -388,7 +388,7 @@ The `corr` function is then used correlate the *columns* of the matrix.
 This produces a correlation matrix that shows how complaint types are correlated based on the zip codes they appear in.
 Another way to look at this is it shows how the different complaint types tend to co-occur across zip codes.
 
-Finally the `zplot` function is used to plot the correlation matrix as a heat map.
+Finally, the `zplot` function is used to plot the correlation matrix as a heat map.
 
 image::math-expressions/corrmatrix.png[]
 
@@ -524,7 +524,7 @@ When this expression is sent to the `/stream` handler it responds with:
 
 == Transformations
 
-In statistical analysis its often useful to transform data sets before performing statistical calculations.
+In statistical analysis it's often useful to transform data sets before performing statistical calculations.
 The statistical function library includes the following commonly used transformations:
 
 * `rank`: Returns a numeric array with the rank-transformed value of each element of the original array.
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/stats-component.adoc b/solr/solr-ref-guide/modules/query-guide/pages/stats-component.adoc
index 32614751ca0..d388cf5b834 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/stats-component.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/stats-component.adoc
@@ -156,7 +156,7 @@ This statistic is computed for all field types but is not computed by default.
 
 `cardinality`::
 A statistical approximation (currently using the https://en.wikipedia.org/wiki/HyperLogLog[HyperLogLog] algorithm) of the number of distinct values in the field/function in all of the documents in the set.
-This calculation is much more efficient then using the `countDistinct` option, but may not be 100% accurate.
+This calculation is much more efficient than using the `countDistinct` option, but may not be 100% accurate.
 +
 Input for this option can be floating point number between `0.0` and `1.0` indicating how aggressively the algorithm should try to be accurate: `0.0` means use as little memory as possible; `1.0` means use as much memory as needed to be as accurate as possible.
 `true` is supported as an alias for `0.3`.
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/stream-decorator-reference.adoc b/solr/solr-ref-guide/modules/query-guide/pages/stream-decorator-reference.adoc
index 447bb1b8d56..1c2d8afccdf 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/stream-decorator-reference.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/stream-decorator-reference.adoc
@@ -392,7 +392,7 @@ It was designed specifically to work with models trained using the xref:stream-s
 The `classify` function uses the xref:stream-source-reference.adoc#model[`model` function] to retrieve a stored model and then scores a stream of tuples using the model.
 The tuples read by the classifier must contain a text field that can be used for classification.
 The classify function uses a Lucene analyzer to extract the features from the text so the model can be applied.
-By default the `classify` function looks for the analyzer using the name of text field in the tuple.
+By default, the `classify` function looks for the analyzer using the name of text field in the tuple.
 If the Solr schema on the worker node does not contain this field, the analyzer can be looked up in another field by specifying the `analyzerField` parameter.
 
 Each tuple that is classified is assigned two scores:
@@ -400,7 +400,7 @@ Each tuple that is classified is assigned two scores:
 * probability_d*: A float between 0 and 1 which describes the probability that the tuple belongs to the class.
 This is useful in the classification use case.
 
-* score_d*: The score of the document that has not be squashed between 0 and 1.
+* score_d*: The score of the document that has not been squashed between 0 and 1.
 The score may be positive or negative.
 The higher the score the better the document fits the class.
 This un-squashed score will be useful in query re-ranking and recommendation use cases.
@@ -410,7 +410,7 @@ This score is particularly useful when multiple high ranking documents have a pr
 
 * `model expression`: (Mandatory) Retrieves the stored logistic regression model.
 * `field`: (Mandatory) The field in the tuples to apply the classifier to.
-By default the analyzer for this field in the schema will be used extract the features.
+By default, the analyzer for this field in the schema will be used extract the features.
 * `analyzerField`: (Optional) Specifies a different field to find the analyzer from in the schema.
 
 === classify Syntax
@@ -526,7 +526,7 @@ daemon(id="uniqueId",
 ----
 
 The sample code above shows a `daemon` function wrapping an `update` function, which is wrapping a `topic` function.
-When this expression is sent to the `/stream` handler, the `/stream` hander sees the `daemon` function and keeps it in memory where it will run at intervals.
+When this expression is sent to the `/stream` handler, the `/stream` handler sees the `daemon` function and keeps it in memory where it will run at intervals.
 In this particular example, the `daemon` function will run the `update` function every second.
 The `update` function is wrapping a xref:stream-source-reference.adoc#topic[`topic` function], which will stream tuples that match the `topic` function query in batches.
 Each subsequent call to the topic will return the next batch of tuples for the topic.
@@ -596,7 +596,7 @@ DaemonStream daemonStream = new DaemonStream(topicStream,             // The und
                                              "daemonId",              // The id of the daemon
                                              1000,                    // The interval at which to run the internal stream
                                              500);                    // The internal queue size for the daemon stream. Tuples will be placed in the queue
-                                                                      // as they are read by the internal internal thread.
+                                                                      // as they are read by the internal thread.
                                                                       // Calling read() on the daemon stream reads records from the internal queue.
 
 daemonStream.setStreamContext(context);
@@ -636,7 +636,7 @@ This is similar to the `<<update,update()>>` function described below.
 
 === delete Parameters
 
-* `destinationCollection`: (Mandatory) The collection where the tuples will deleted.
+* `destinationCollection`: (Mandatory) The collection where the tuples will be deleted.
 * `batchSize`: (Optional, defaults to `250`) The delete batch size.
 * `pruneVersionField`: (Optional, defaults to `false`) Whether to prune `\_version_` values from tuples
 * `StreamExpression`: (Mandatory)
@@ -727,7 +727,7 @@ The `executor` function has an internal thread pool that runs tasks that compile
 This function can also be parallelized across worker nodes by wrapping it in the <<parallel,`parallel`>> function to provide parallel execution of expressions across a cluster.
 
 The `executor` function does not do anything specific with the output of the expressions that it runs.
-Therefore the expressions that are executed must contain the logic for pushing tuples to their destination.
+Therefore, the expressions that are executed must contain the logic for pushing tuples to their destination.
 The <<update,update function>> can be included in the expression being executed to send the tuples to a SolrCloud collection for storage.
 
 This model allows for asynchronous execution of jobs where the output is stored in a SolrCloud collection where it can be accessed as the job progresses.
@@ -815,7 +815,7 @@ having(rollup(over=a_s,
 
 ----
 
-In this example, the `having` expression iterates the aggregated tuples from the `rollup` expression and emits all tuples where the field `sum(a_i)` is greater then 100 and less then 110.
+In this example, the `having` expression iterates the aggregated tuples from the `rollup` expression and emits all tuples where the field `sum(a_i)` is greater than 100 and less than 110.
 
 == leftOuterJoin
 
@@ -1167,7 +1167,7 @@ The `parallel` function maintains the sort order of the tuples returned by the w
 For example if you sort on year, month and day you could partition on year only as long as there are enough different years to spread the tuples around the worker nodes.
 
 Solr allows sorting on more than 4 fields, but you cannot specify more than 4 partitionKeys for speed considerations.
-Also it's overkill to specify many `partitionKeys` when we one or two keys could be enough to spread the tuples.
+Also, it's overkill to specify many `partitionKeys` when we one or two keys could be enough to spread the tuples.
 
 Parallel stream was designed when the underlying search stream will emit a lot of tuples from the collection.
 If the search stream only emits a small subset of the data from the collection using `parallel` could potentially be slower.
@@ -1299,7 +1299,7 @@ The group operation also serves as an example reduce operation that can be refer
 [IMPORTANT]
 ====
 The reduce function relies on the sort order of the underlying stream.
-Accordingly the sort order of the underlying stream must be aligned with the group by field.
+Accordingly, the sort order of the underlying stream must be aligned with the group by field.
 ====
 
 === reduce Parameters
@@ -1490,7 +1490,7 @@ The `update` function wraps another functions and sends the tuples to a SolrClou
 
 === update Parameters
 
-* `destinationCollection`: (Mandatory) The collection where the tuples will indexed.
+* `destinationCollection`: (Mandatory) The collection where the tuples will be indexed.
 * `batchSize`: (Optional, defaults to `250`) The indexing batch size.
 * `pruneVersionField`: (Optional, defaults to `true`) Whether to prune `\_version_` values from tuples
 * `StreamExpression`: (Mandatory)
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/stream-evaluator-reference.adoc b/solr/solr-ref-guide/modules/query-guide/pages/stream-evaluator-reference.adoc
index ff4ef07db7b..61c17c96b31 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/stream-evaluator-reference.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/stream-evaluator-reference.adoc
@@ -18,9 +18,9 @@
 // under the License.
 
 
-Stream evaluators are different then stream sources or stream decorators.
+Stream evaluators are different from stream sources or stream decorators.
 Both stream sources and stream decorators return streams of tuples.
-Stream evaluators are more like a traditional function that evaluates its parameters and returns an result.
+Stream evaluators are more like a traditional function that evaluates its parameters and returns a result.
 That result can be a single value, array, map or other structure.
 
 Stream evaluators can be nested so that the output of an evaluator becomes the input for another evaluator.
@@ -513,7 +513,7 @@ number | matrix: Either the covariance or covariance matrix.
 == cumulativeProbability
 
 The `cumulativeProbability` function returns the cumulative probability of a random variable within a probability distribution.
-The cumulative probability is the total probability of all random variables less then or equal to a random variable.
+The cumulative probability is the total probability of all random variables less than or equal to a random variable.
 
 === cumulativeProbability Parameters
 
@@ -814,7 +814,7 @@ eor(eq(fieldA,fieldB),eq(fieldC,fieldD)) // true iff either fieldA == fieldB or
 The `eq` function will return whether all the parameters are equal, as per Java's standard `equals(...)` function.
 The function accepts parameters of any type, but will fail to execute if all the parameters are not of the same type.
 That is, all are Boolean, all are String, or all are Numeric.
-If any any parameters are null and there is at least one parameter that is not null then false will be returned.
+If any parameters are null and there is at least one parameter that is not null then false will be returned.
 Returns a boolean value.
 
 === eq Parameters
@@ -1085,7 +1085,7 @@ number: the sum of all the values in the matrix.
 The `gt` function will return whether the first parameter is greater than the second parameter.
 The function accepts numeric or string parameters, but will fail to execute if all the parameters are not of the same type.
 That is, all are String or all are Numeric.
-If any any parameters are null then an error will be raised.
+If any parameters are null then an error will be raised.
 Returns a boolean value.
 
 === gt Parameters
@@ -1110,7 +1110,7 @@ gt(add(fieldA,fieldB),6) // fieldA + fieldB > 6
 The `gteq` function will return whether the first parameter is greater than or equal to the second parameter.
 The function accepts numeric and string parameters, but will fail to execute if all the parameters are not of the same type.
 That is, all are String or all are Numeric.
-If any any parameters are null then an error will be raised.
+If any parameters are null then an error will be raised.
 Returns a boolean value.
 
 === gteq Parameters
@@ -1338,7 +1338,7 @@ kolmogorovSmirnov(normalDistribution(10, 2), sampleSet)
 The `lt` function will return whether the first parameter is less than the second parameter.
 The function accepts numeric or string parameters, but will fail to execute if all the parameters are not of the same type.
 That is, all are String or all are Numeric.
-If any any parameters are null then an error will be raised.
+If any parameters are null then an error will be raised.
 Returns a boolean value.
 
 === lt Parameters
@@ -1363,7 +1363,7 @@ lt(add(fieldA,fieldB),6) // fieldA + fieldB < 6
 The `lteq` function will return whether the first parameter is less than or equal to the second parameter.
 The function accepts numeric and string parameters, but will fail to execute if all the parameters are not of the same type.
 That is, all are String or all are Numeric.
-If any any parameters are null then an error will be raised.
+If any parameters are null then an error will be raised.
 Returns a boolean value.
 
 === lteq Parameters
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/stream-source-reference.adoc b/solr/solr-ref-guide/modules/query-guide/pages/stream-source-reference.adoc
index 3808a812f4c..39352261a2f 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/stream-source-reference.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/stream-source-reference.adoc
@@ -22,7 +22,7 @@
 The `search` function searches a SolrCloud collection and emits a stream of tuples that match the query.
 This is very similar to a standard Solr query, and uses many of the same parameters.
 
-This expression allows you to specify a request hander using the `qt` parameter.
+This expression allows you to specify a request handler using the `qt` parameter.
 By default, the `/select` handler is used.
 The `/select` handler can be used for simple rapid prototyping of expressions.
 For production, however, you will most likely want to use the `/export` handler which is designed to `sort` and `export` entire result sets.
@@ -316,7 +316,7 @@ After the model is retrieved it can be used by the xref:stream-decorator-referen
 
 A single model tuple is fetched and returned based on the *id* parameter.
 The model is retrieved by matching the *id* parameter with a model name in the index.
-If more then one iteration of the named model is stored in the index, the highest iteration is selected.
+If more than one iteration of the named model is stored in the index, the highest iteration is selected.
 
 === Caching with model
 
@@ -399,12 +399,12 @@ The foreground and background counts are global for the collection.
 * `limit`: (Optional, Default 20) The max number of terms to return.
 * `minDocFreq`: (Optional, Defaults to 5 documents) The minimum number of documents the term must appear in on a shard.
 This is a float value.
-If greater then 1.0 then it's considered the absolute number of documents.
-If less then 1.0 it's treated as a percentage of documents.
+If greater than 1.0 then it's considered the absolute number of documents.
+If less than 1.0 it's treated as a percentage of documents.
 * `maxDocFreq`: (Optional, Defaults to 30% of documents) The maximum number of documents the term can appear in on a shard.
 This is a float value.
-If greater then 1.0 then it's considered the absolute number of documents.
-If less then 1.0 it's treated as a percentage of documents.
+If greater than 1.0 then it's considered the absolute number of documents.
+If less than 1.0 it's treated as a percentage of documents.
 * `minTermLength`: (Optional, Default 4) The minimum length of the term to be considered significant.
 
 === significantTerms Syntax
@@ -420,7 +420,7 @@ significantTerms(collection1,
                  minTermLength="5")
 ----
 
-In the example above the `significantTerms` function is querying `collection1` and returning at most 50 significant terms from the `authors` field that appear in 10 or more documents but not more then 20% of the corpus.
+In the example above the `significantTerms` function is querying `collection1` and returning at most 50 significant terms from the `authors` field that appear in 10 or more documents but not more than 20% of the corpus.
 
 == shortestPath
 
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/streaming-expressions.adoc b/solr/solr-ref-guide/modules/query-guide/pages/streaming-expressions.adoc
index f61bca2477a..502e41fa7c5 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/streaming-expressions.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/streaming-expressions.adoc
@@ -26,7 +26,7 @@
 Streaming expressions exposes the capabilities of SolrCloud as composable functions.
 These functions provide a system for searching, transforming, analyzing, and visualizing data stored in SolrCloud collections.
 
-At a high level there a four main capabilities that will be explored in the documentation:
+At a high level there are four main capabilities that will be explored in the documentation:
 
 * *Searching*, sampling and aggregating results from Solr.
 
@@ -121,7 +121,7 @@ A full reference to all available decorator expressions is available in xref:str
 Math expressions are a vector and matrix math library that can be combined with streaming expressions to perform analysis and build mathematical models
 of the result sets.
 From a language standpoint math expressions are a sub-language of streaming expressions that don't return streams of tuples.
-Instead they operate on and return numbers, vectors, matrices and mathematical models.
+Instead, they operate on and return numbers, vectors, matrices and mathematical models.
 The documentation will show how to combine streaming expressions and math
 expressions.
 
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/suggester.adoc b/solr/solr-ref-guide/modules/query-guide/pages/suggester.adoc
index 3907ecfdabe..fa0e78d3859 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/suggester.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/suggester.adoc
@@ -181,7 +181,7 @@ Use `buildOnCommit` to rebuild the dictionary with every soft commit, or `buildO
 +
 Some lookup implementations may take a long time to build, especially with large indexes.
 In such cases, using `buildOnCommit` or `buildOnOptimize`, particularly with a high frequency of soft commits is not recommended.
-Instead build the suggester at a lower frequency by manually issuing requests with `suggest.build=true`.
+Instead, build the suggester at a lower frequency by manually issuing requests with `suggest.build=true`.
 
 `buildOnStartup`::
 +
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/tagger-handler.adoc b/solr/solr-ref-guide/modules/query-guide/pages/tagger-handler.adoc
index 41ecaf0aae5..81b0f176779 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/tagger-handler.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/tagger-handler.adoc
@@ -161,7 +161,7 @@ Let this default to `false` unless you know that such tokens can't be avoided.
 +
 A boolean flag that causes stopwords (or any condition causing positions to skip like >255 char words) to be ignored as if they aren't there.
 Otherwise, the behavior is to treat them as breaks in tagging on the presumption your indexed text-analysis configuration doesn't have a `StopWordFilter` defined.
-By default the indexed analysis chain is checked for the presence of a `StopWordFilter` and if found then `ignoreStopWords` is true if unspecified.
+By default, the indexed analysis chain is checked for the presence of a `StopWordFilter` and if found then `ignoreStopWords` is true if unspecified.
 You probably shouldn't have a `StopWordFilter` configured and probably won't need to set this parameter either.
 
 `xmlOffsetAdjust`::
@@ -202,7 +202,7 @@ declare a field type, 2 fields, and a copy-field.
 
 The critical part
 up-front is to define the "tag" field type.
-There are many many ways to
+There are many ways to
 configure text analysis; and we're not going to get into those choices
 here.
 But an important bit is the `ConcatenateGraphFilterFactory` at the
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/term-vector-component.adoc b/solr/solr-ref-guide/modules/query-guide/pages/term-vector-component.adoc
index cd11b8617a0..ca92dcbb0d4 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/term-vector-component.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/term-vector-component.adoc
@@ -18,7 +18,7 @@
 
 The TermVectorComponent is a search component designed to return additional information about documents matching your search.
 
-For each document in the response, the TermVectorCcomponent can return the term vector, the term frequency, inverse document frequency, position, and offset information.
+For each document in the response, the TermVectorComponent can return the term vector, the term frequency, inverse document frequency, position, and offset information.
 
 == Term Vector Component Configuration
 
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/transform.adoc b/solr/solr-ref-guide/modules/query-guide/pages/transform.adoc
index fa0dc933058..5cf5e5d58ed 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/transform.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/transform.adoc
@@ -65,7 +65,7 @@ The example below is using the `isNull` function inside of `select` function to
 The `if` function takes 3 parameters.
 The first is a boolean expression, in this case `isNull`.
 The `if` function returns the second parameter if the boolean function returns true, and the third parameter if it returns false.
-In this case `isNull` is always true because its checking for a field in the tuples that is not included in the result set.
+In this case `isNull` is always true because it's checking for a field in the tuples that is not included in the result set.
 
 image::math-expressions/select2.png[]
 
@@ -100,7 +100,7 @@ image::math-expressions/search-resort.png[]
 == Rollups
 
 The `rollup` and `hashRollup` functions can be used to perform aggregations over result sets.
-This is different then the `facet`, `facet2D` and `timeseries` aggregation functions which push the aggregations into the search engine using the JSON facet API.
+This is different from the `facet`, `facet2D` and `timeseries` aggregation functions which push the aggregations into the search engine using the JSON facet API.
 
 The `rollup` function performs map-reduce style rollups, which requires the result stream be sorted by the grouping fields.
 This allows for aggregations over very high cardinality fields.
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/variables.adoc b/solr/solr-ref-guide/modules/query-guide/pages/variables.adoc
index 2df2df6acd4..c8b0c1d3ecb 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/variables.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/variables.adoc
@@ -185,7 +185,7 @@ When this expression is sent to the `/stream` handler it responds with:
 }
 ----
 
-Using this approach variables can by visualized using Zeppelin-Solr.
+Using this approach variables can be visualized using Zeppelin-Solr.
 In the example below the arrays are shown in table format.
 
 image::math-expressions/variables.png[]

From 6055af7a76ba8126249f413a0de7d9329531b7c7 Mon Sep 17 00:00:00 2001
From: Mikhail Khludnev <mkhludnev@users.noreply.github.com>
Date: Wed, 13 Dec 2023 13:07:00 +0300
Subject: [PATCH 08/21] Update package-manager-internals.adoc follow up #2147
 (#2151)

larger -> later
---
 .../configuration-guide/pages/package-manager-internals.adoc    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/solr/solr-ref-guide/modules/configuration-guide/pages/package-manager-internals.adoc b/solr/solr-ref-guide/modules/configuration-guide/pages/package-manager-internals.adoc
index 964b67aa771..57185d86e03 100644
--- a/solr/solr-ref-guide/modules/configuration-guide/pages/package-manager-internals.adoc
+++ b/solr/solr-ref-guide/modules/configuration-guide/pages/package-manager-internals.adoc
@@ -412,7 +412,7 @@ Note that the `Version` value is `"2"`, which means the plugin is updated.
 
 The default version used in any collection is always the latest.
 However, setting a per-collection property in `params.json` ensures that the collection uses the same
-package version (i.e., version *2.0*), irrespective of any versions larger than *2.0* that may be added to Solr
+package version (i.e., version *2.0*), irrespective of any versions later than *2.0* that may be added to Solr
 at a later point.
 
 [source,bash]

From 384e7b80f20325a9f6e5b40f351ef0f03242f3f5 Mon Sep 17 00:00:00 2001
From: Houston Putman <houston@apache.org>
Date: Wed, 13 Dec 2023 11:24:56 -0500
Subject: [PATCH 09/21] Improve jsClient building for gradle caching (#2149)

Running "gradle clean" should no longer be necessary when changing
branches.
---
 solr/webapp/build.gradle | 52 ++++++++++++++++++++++++----------------
 1 file changed, 31 insertions(+), 21 deletions(-)

diff --git a/solr/webapp/build.gradle b/solr/webapp/build.gradle
index 6cd0189ac61..f2b830f544f 100644
--- a/solr/webapp/build.gradle
+++ b/solr/webapp/build.gradle
@@ -32,6 +32,7 @@ configurations {
 
 ext {
   jsClientWorkspace = layout.buildDirectory.dir("jsClientWorkspace").get()
+  jsClientBuildDir = layout.buildDirectory.dir("jsClientBuild").get()
   jsClientBundleDir = layout.buildDirectory.dir("jsClientBundle").get()
   browserifyVersion = "17.0.0"
 }
@@ -45,7 +46,7 @@ dependencies {
 
   generatedJSClient project(path: ":solr:api", configuration: "jsClient")
   generatedJSClientBundle files(jsClientBundleDir) {
-    builtBy "generateJsClientBundle"
+    builtBy "finalizeJsBundleDir"
   }
 }
 
@@ -53,7 +54,12 @@ task syncJSClientSourceCode(type: Sync) {
   group = 'Solr JS Client'
   from configurations.generatedJSClient
 
-  into project.jsClientWorkspace
+  into jsClientWorkspace
+
+  // Keep the node modules, so that they don't need to be re-downloaded
+  preserve {
+    include "node_modules/**"
+  }
 }
 
 task jsClientDownloadDeps(type: NpmTask) {
@@ -61,7 +67,7 @@ task jsClientDownloadDeps(type: NpmTask) {
   dependsOn tasks.syncJSClientSourceCode
 
   args = ["install"]
-  workingDir = file(project.jsClientWorkspace)
+  workingDir = file(jsClientWorkspace)
 
   inputs.dir("${jsClientWorkspace}/src")
   inputs.file("${jsClientWorkspace}/package.json")
@@ -73,7 +79,7 @@ task jsClientBuild(type: NpmTask) {
   dependsOn tasks.jsClientDownloadDeps
 
   args = ["run", "build"]
-  workingDir = file(project.jsClientWorkspace)
+  workingDir = file(jsClientWorkspace)
 
   inputs.dir("${jsClientWorkspace}/src")
   inputs.file("${jsClientWorkspace}/package.json")
@@ -83,36 +89,40 @@ task jsClientBuild(type: NpmTask) {
 
 task downloadBrowserify(type: NpmTask) {
   group = 'Build Dependency Download'
-  args = ["install", "browserify@${project.browserifyVersion}"]
+  args = ["install", "browserify@${browserifyVersion}"]
 
-  inputs.property("browserify version", project.browserifyVersion)
-  outputs.dir("${project.nodeProjectDir}/node_modules/browserify")
+  inputs.property("browserify version", browserifyVersion)
+  outputs.dir("${nodeProjectDir}/node_modules/browserify")
 }
 
-task setupJsBundleDir(type: Sync) {
+task generateJsClientBundle(type: NpxTask) {
   group = 'Solr JS Client'
-  dependsOn tasks.syncJSClientSourceCode
+  dependsOn tasks.downloadBrowserify
+  dependsOn tasks.jsClientBuild
 
-  from configurations.generatedJSClient
+  command = 'browserify'
+  args = ['dist/index.js', '-s', 'solrApi', '-o', "${jsClientBuildDir}/index.js"]
+  workingDir = file(jsClientWorkspace)
 
-  include "README.md"
-  include "docs/**"
+  inputs.dir(jsClientWorkspace)
+  inputs.property("browserify version", browserifyVersion)
 
-  into project.jsClientBundleDir
+  outputs.file("${jsClientBuildDir}/index.js")
 }
 
-task generateJsClientBundle(type: NpxTask) {
+task finalizeJsBundleDir(type: Sync) {
   group = 'Solr JS Client'
-  dependsOn tasks.downloadBrowserify
-  dependsOn tasks.jsClientBuild
-  dependsOn tasks.setupJsBundleDir
 
-  command = 'browserify'
-  args = ['dist/index.js', '-s', 'solrApi', '-o', "${jsClientBundleDir}/index.js"]
-  workingDir = file(project.jsClientWorkspace)
+  from configurations.generatedJSClient {
+    include "README.md"
+    include "docs/**"
+  }
 
+  from tasks.generateJsClientBundle {
+    include "index.js"
+  }
 
-  outputs.dir("${jsClientBundleDir}")
+  into jsClientBundleDir
 }
 
 war {

From 15534754f492079e52288dd11abaf1c4261b3ea4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20H=C3=B8ydahl?= <janhoy@apache.org>
Date: Wed, 13 Dec 2023 22:49:23 +0100
Subject: [PATCH 10/21] SOLR-16949: Restrict certain file types from being
 uploaded to or downloaded from Config Sets

---
 solr/CHANGES.txt                              |   2 +
 solr/core/build.gradle                        |   2 +
 .../apache/solr/cli/ConfigSetUploadTool.java  |   2 +
 .../apache/solr/cloud/ZkConfigSetService.java |  21 ++-
 .../solr/core/FileSystemConfigSetService.java |  28 ++-
 .../solr/core/backup/BackupManager.java       |  23 ++-
 .../configsets/UploadConfigSetFileAPI.java    |   8 +-
 .../apache/solr/util/FileTypeMagicUtil.java   | 166 ++++++++++++++++++
 solr/core/src/resources/magic/executables     |  74 ++++++++
 .../src/test-files/magic/HelloWorld.java.txt  |   5 +
 .../magic/HelloWorldJavaClass.class.bin       | Bin 0 -> 426 bytes
 solr/core/src/test-files/magic/README.md      |  29 +++
 solr/core/src/test-files/magic/hello.tar.bin  | Bin 0 -> 4096 bytes
 solr/core/src/test-files/magic/plain.txt      |   1 +
 solr/core/src/test-files/magic/shell.sh.txt   |   2 +
 .../apache/solr/cloud/TestConfigSetsAPI.java  | 141 ++++++++++-----
 .../solr/util/FileTypeMagicUtilTest.java      |  54 ++++++
 solr/licenses/simplemagic-1.17.jar.sha1       |   1 +
 .../licenses/simplemagic-LICENSE-BSD_LIKE.txt |  15 ++
 solr/licenses/simplemagic-NOTICE.txt          |   0
 .../solr/common/cloud/ZkMaintenanceUtils.java |   2 +
 versions.lock                                 |   1 +
 versions.props                                |   1 +
 23 files changed, 522 insertions(+), 56 deletions(-)
 create mode 100644 solr/core/src/java/org/apache/solr/util/FileTypeMagicUtil.java
 create mode 100644 solr/core/src/resources/magic/executables
 create mode 100644 solr/core/src/test-files/magic/HelloWorld.java.txt
 create mode 100644 solr/core/src/test-files/magic/HelloWorldJavaClass.class.bin
 create mode 100644 solr/core/src/test-files/magic/README.md
 create mode 100644 solr/core/src/test-files/magic/hello.tar.bin
 create mode 100644 solr/core/src/test-files/magic/plain.txt
 create mode 100644 solr/core/src/test-files/magic/shell.sh.txt
 create mode 100644 solr/core/src/test/org/apache/solr/util/FileTypeMagicUtilTest.java
 create mode 100644 solr/licenses/simplemagic-1.17.jar.sha1
 create mode 100644 solr/licenses/simplemagic-LICENSE-BSD_LIKE.txt
 create mode 100644 solr/licenses/simplemagic-NOTICE.txt

diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 40da8c435ac..2fd94304a24 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -169,6 +169,8 @@ Other Changes
 * SOLR-17091: dev tools script cloud.sh became broken after changes in 9.3 added a new -slim.tgz file it was not expecting
   cloud.sh has been updated to ignore the -slim.tgz version of the tarball.
 
+* SOLR-16949: Restrict certain file types from being uploaded to or downloaded from Config Sets (janhoy, Houston Putman)
+
 ==================  9.4.0 ==================
 New Features
 ---------------------
diff --git a/solr/core/build.gradle b/solr/core/build.gradle
index 61ecd1713af..ed2c8a370ae 100644
--- a/solr/core/build.gradle
+++ b/solr/core/build.gradle
@@ -159,6 +159,8 @@ dependencies {
 
   compileOnly 'com.github.stephenc.jcip:jcip-annotations'
 
+  implementation 'com.j256.simplemagic:simplemagic'
+
   // -- Test Dependencies
 
   testRuntimeOnly 'org.slf4j:jcl-over-slf4j'
diff --git a/solr/core/src/java/org/apache/solr/cli/ConfigSetUploadTool.java b/solr/core/src/java/org/apache/solr/cli/ConfigSetUploadTool.java
index 5fd4a538bd7..6576742a195 100644
--- a/solr/core/src/java/org/apache/solr/cli/ConfigSetUploadTool.java
+++ b/solr/core/src/java/org/apache/solr/cli/ConfigSetUploadTool.java
@@ -27,6 +27,7 @@
 import org.apache.solr.common.cloud.SolrZkClient;
 import org.apache.solr.common.cloud.ZkMaintenanceUtils;
 import org.apache.solr.core.ConfigSetService;
+import org.apache.solr.util.FileTypeMagicUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -101,6 +102,7 @@ public void runImpl(CommandLine cli) throws Exception {
               + cli.getOptionValue("confname")
               + " to ZooKeeper at "
               + zkHost);
+      FileTypeMagicUtil.assertConfigSetFolderLegal(confPath);
       ZkMaintenanceUtils.uploadToZK(
           zkClient,
           confPath,
diff --git a/solr/core/src/java/org/apache/solr/cloud/ZkConfigSetService.java b/solr/core/src/java/org/apache/solr/cloud/ZkConfigSetService.java
index f02404d636d..9abde098e1c 100644
--- a/solr/core/src/java/org/apache/solr/cloud/ZkConfigSetService.java
+++ b/solr/core/src/java/org/apache/solr/cloud/ZkConfigSetService.java
@@ -22,6 +22,7 @@
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Objects;
 import org.apache.solr.client.solrj.cloud.SolrCloudManager;
@@ -39,6 +40,7 @@
 import org.apache.solr.core.CoreDescriptor;
 import org.apache.solr.core.SolrConfig;
 import org.apache.solr.core.SolrResourceLoader;
+import org.apache.solr.util.FileTypeMagicUtil;
 import org.apache.zookeeper.CreateMode;
 import org.apache.zookeeper.KeeperException;
 import org.apache.zookeeper.data.Stat;
@@ -199,6 +201,15 @@ public void uploadFileToConfig(
     try {
       if (ZkMaintenanceUtils.isFileForbiddenInConfigSets(fileName)) {
         log.warn("Not including uploading file to config, as it is a forbidden type: {}", fileName);
+      } else if (FileTypeMagicUtil.isFileForbiddenInConfigset(data)) {
+        String mimeType = FileTypeMagicUtil.INSTANCE.guessMimeType(data);
+        throw new SolrException(
+            SolrException.ErrorCode.BAD_REQUEST,
+            String.format(
+                Locale.ROOT,
+                "Not uploading file %s to config, as it matched the MAGIC signature of a forbidden mime type %s",
+                fileName,
+                mimeType));
       } else {
         // if overwriteOnExists is true then zkClient#makePath failOnExists is set to false
         zkClient.makePath(filePath, data, CreateMode.PERSISTENT, null, !overwriteOnExists, true);
@@ -340,7 +351,15 @@ private void copyData(String fromZkFilePath, String toZkFilePath)
     } else {
       log.debug("Copying zk node {} to {}", fromZkFilePath, toZkFilePath);
       byte[] data = zkClient.getData(fromZkFilePath, null, null, true);
-      zkClient.makePath(toZkFilePath, data, true);
+      if (!FileTypeMagicUtil.isFileForbiddenInConfigset(data)) {
+        zkClient.makePath(toZkFilePath, data, true);
+      } else {
+        String mimeType = FileTypeMagicUtil.INSTANCE.guessMimeType(data);
+        log.warn(
+            "Skipping copy of file {} in ZK, as it matched the MAGIC signature of a forbidden mime type {}",
+            fromZkFilePath,
+            mimeType);
+      }
     }
   }
 
diff --git a/solr/core/src/java/org/apache/solr/core/FileSystemConfigSetService.java b/solr/core/src/java/org/apache/solr/core/FileSystemConfigSetService.java
index 1f1a42b15e1..4b041252211 100644
--- a/solr/core/src/java/org/apache/solr/core/FileSystemConfigSetService.java
+++ b/solr/core/src/java/org/apache/solr/core/FileSystemConfigSetService.java
@@ -37,6 +37,7 @@
 import org.apache.solr.common.SolrException;
 import org.apache.solr.common.cloud.ZkMaintenanceUtils;
 import org.apache.solr.common.util.Utils;
+import org.apache.solr.util.FileTypeMagicUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -150,9 +151,17 @@ public void uploadFileToConfig(
     if (ZkMaintenanceUtils.isFileForbiddenInConfigSets(fileName)) {
       log.warn("Not including uploading file to config, as it is a forbidden type: {}", fileName);
     } else {
-      Path filePath = getConfigDir(configName).resolve(normalizePathToOsSeparator(fileName));
-      if (!Files.exists(filePath) || overwriteOnExists) {
-        Files.write(filePath, data);
+      if (!FileTypeMagicUtil.isFileForbiddenInConfigset(data)) {
+        Path filePath = getConfigDir(configName).resolve(normalizePathToOsSeparator(fileName));
+        if (!Files.exists(filePath) || overwriteOnExists) {
+          Files.write(filePath, data);
+        }
+      } else {
+        String mimeType = FileTypeMagicUtil.INSTANCE.guessMimeType(data);
+        log.warn(
+            "Not including uploading file {}, as it matched the MAGIC signature of a forbidden mime type {}",
+            fileName,
+            mimeType);
       }
     }
   }
@@ -205,8 +214,17 @@ public FileVisitResult visitFile(Path file, BasicFileAttributes attrs)
                     "Not including uploading file to config, as it is a forbidden type: {}",
                     file.getFileName());
               } else {
-                Files.copy(
-                    file, target.resolve(source.relativize(file).toString()), REPLACE_EXISTING);
+                if (!FileTypeMagicUtil.isFileForbiddenInConfigset(Files.newInputStream(file))) {
+                  Files.copy(
+                      file, target.resolve(source.relativize(file).toString()), REPLACE_EXISTING);
+                } else {
+                  String mimeType =
+                      FileTypeMagicUtil.INSTANCE.guessMimeType(Files.newInputStream(file));
+                  log.warn(
+                      "Not copying file {}, as it matched the MAGIC signature of a forbidden mime type {}",
+                      file.getFileName(),
+                      mimeType);
+                }
               }
               return FileVisitResult.CONTINUE;
             }
diff --git a/solr/core/src/java/org/apache/solr/core/backup/BackupManager.java b/solr/core/src/java/org/apache/solr/core/backup/BackupManager.java
index be6a1a83c2f..8ff78b27e08 100644
--- a/solr/core/src/java/org/apache/solr/core/backup/BackupManager.java
+++ b/solr/core/src/java/org/apache/solr/core/backup/BackupManager.java
@@ -40,6 +40,7 @@
 import org.apache.solr.common.util.Utils;
 import org.apache.solr.core.ConfigSetService;
 import org.apache.solr.core.backup.repository.BackupRepository;
+import org.apache.solr.util.FileTypeMagicUtil;
 import org.apache.zookeeper.CreateMode;
 import org.apache.zookeeper.KeeperException;
 import org.slf4j.Logger;
@@ -349,8 +350,16 @@ private void downloadConfigToRepo(ConfigSetService configSetService, String conf
           if (data == null) {
             data = new byte[0];
           }
-          try (OutputStream os = repository.createOutput(uri)) {
-            os.write(data);
+          if (!FileTypeMagicUtil.isFileForbiddenInConfigset(data)) {
+            try (OutputStream os = repository.createOutput(uri)) {
+              os.write(data);
+            }
+          } else {
+            String mimeType = FileTypeMagicUtil.INSTANCE.guessMimeType(data);
+            log.warn(
+                "Not including zookeeper file {} in backup, as it matched the MAGIC signature of a forbidden mime type {}",
+                filePath,
+                mimeType);
           }
         }
       } else {
@@ -379,7 +388,15 @@ private void uploadConfigToSolrCloud(
                 // probably ok since the config file should be small.
                 byte[] arr = new byte[(int) is.length()];
                 is.readBytes(arr, 0, (int) is.length());
-                configSetService.uploadFileToConfig(configName, filePath, arr, false);
+                if (!FileTypeMagicUtil.isFileForbiddenInConfigset(arr)) {
+                  configSetService.uploadFileToConfig(configName, filePath, arr, false);
+                } else {
+                  String mimeType = FileTypeMagicUtil.INSTANCE.guessMimeType(arr);
+                  log.warn(
+                      "Not including zookeeper file {} in restore, as it matched the MAGIC signature of a forbidden mime type {}",
+                      filePath,
+                      mimeType);
+                }
               }
             }
             break;
diff --git a/solr/core/src/java/org/apache/solr/handler/configsets/UploadConfigSetFileAPI.java b/solr/core/src/java/org/apache/solr/handler/configsets/UploadConfigSetFileAPI.java
index 98889aff563..2380a79a92b 100644
--- a/solr/core/src/java/org/apache/solr/handler/configsets/UploadConfigSetFileAPI.java
+++ b/solr/core/src/java/org/apache/solr/handler/configsets/UploadConfigSetFileAPI.java
@@ -27,6 +27,7 @@
 import org.apache.solr.core.CoreContainer;
 import org.apache.solr.request.SolrQueryRequest;
 import org.apache.solr.response.SolrQueryResponse;
+import org.apache.solr.util.FileTypeMagicUtil;
 
 /**
  * V2 API for adding or updating a single file within a configset.
@@ -67,11 +68,13 @@ public void updateConfigSetFile(SolrQueryRequest req, SolrQueryResponse rsp) thr
     if (fixedSingleFilePath.charAt(0) == '/') {
       fixedSingleFilePath = fixedSingleFilePath.substring(1);
     }
+    byte[] data = inputStream.readAllBytes();
     if (fixedSingleFilePath.isEmpty()) {
       throw new SolrException(
           SolrException.ErrorCode.BAD_REQUEST,
           "The file path provided for upload, '" + singleFilePath + "', is not valid.");
-    } else if (ZkMaintenanceUtils.isFileForbiddenInConfigSets(fixedSingleFilePath)) {
+    } else if (ZkMaintenanceUtils.isFileForbiddenInConfigSets(fixedSingleFilePath)
+        || FileTypeMagicUtil.isFileForbiddenInConfigset(data)) {
       throw new SolrException(
           SolrException.ErrorCode.BAD_REQUEST,
           "The file type provided for upload, '"
@@ -87,8 +90,7 @@ public void updateConfigSetFile(SolrQueryRequest req, SolrQueryResponse rsp) thr
       // For creating the baseNode, the cleanup parameter is only allowed to be true when
       // singleFilePath is not passed.
       createBaseNode(configSetService, overwritesExisting, requestIsTrusted, configSetName);
-      configSetService.uploadFileToConfig(
-          configSetName, fixedSingleFilePath, inputStream.readAllBytes(), allowOverwrite);
+      configSetService.uploadFileToConfig(configSetName, fixedSingleFilePath, data, allowOverwrite);
     }
   }
 }
diff --git a/solr/core/src/java/org/apache/solr/util/FileTypeMagicUtil.java b/solr/core/src/java/org/apache/solr/util/FileTypeMagicUtil.java
new file mode 100644
index 00000000000..cfb6c9fa0af
--- /dev/null
+++ b/solr/core/src/java/org/apache/solr/util/FileTypeMagicUtil.java
@@ -0,0 +1,166 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.solr.util;
+
+import com.j256.simplemagic.ContentInfo;
+import com.j256.simplemagic.ContentInfoUtil;
+import com.j256.simplemagic.ContentType;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.FileVisitResult;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.SimpleFileVisitor;
+import java.nio.file.attribute.BasicFileAttributes;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Locale;
+import java.util.Set;
+import org.apache.solr.common.SolrException;
+
+/** Utility class to guess the mime type of file based on its magic number. */
+public class FileTypeMagicUtil implements ContentInfoUtil.ErrorCallBack {
+  private final ContentInfoUtil util;
+  private static final Set<String> SKIP_FOLDERS = new HashSet<>(Arrays.asList(".", ".."));
+
+  public static FileTypeMagicUtil INSTANCE = new FileTypeMagicUtil();
+
+  FileTypeMagicUtil() {
+    try {
+      util = new ContentInfoUtil("/magic/executables", this);
+    } catch (IOException e) {
+      throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Error parsing magic file", e);
+    }
+  }
+
+  /**
+   * Asserts that an entire configset folder is legal to upload.
+   *
+   * @param confPath the path to the folder
+   * @throws SolrException if an illegal file is found in the folder structure
+   */
+  public static void assertConfigSetFolderLegal(Path confPath) throws IOException {
+    Files.walkFileTree(
+        confPath,
+        new SimpleFileVisitor<Path>() {
+          @Override
+          public FileVisitResult visitFile(Path file, BasicFileAttributes attrs)
+              throws IOException {
+            // Read first 100 bytes of the file to determine the mime type
+            try (InputStream fileStream = Files.newInputStream(file)) {
+              byte[] bytes = new byte[100];
+              fileStream.read(bytes);
+              if (FileTypeMagicUtil.isFileForbiddenInConfigset(bytes)) {
+                throw new SolrException(
+                    SolrException.ErrorCode.BAD_REQUEST,
+                    String.format(
+                        Locale.ROOT,
+                        "Not uploading file %s to configset, as it matched the MAGIC signature of a forbidden mime type %s",
+                        file,
+                        FileTypeMagicUtil.INSTANCE.guessMimeType(bytes)));
+              }
+              return FileVisitResult.CONTINUE;
+            }
+          }
+
+          @Override
+          public FileVisitResult preVisitDirectory(Path dir, BasicFileAttributes attrs)
+              throws IOException {
+            if (SKIP_FOLDERS.contains(dir.getFileName().toString()))
+              return FileVisitResult.SKIP_SUBTREE;
+
+            return FileVisitResult.CONTINUE;
+          }
+        });
+  }
+
+  /**
+   * Guess the mime type of file based on its magic number.
+   *
+   * @param stream input stream of the file
+   * @return string with content-type or "application/octet-stream" if unknown
+   */
+  public String guessMimeType(InputStream stream) {
+    try {
+      ContentInfo info = util.findMatch(stream);
+      if (info == null) {
+        return ContentType.OTHER.getMimeType();
+      }
+      return info.getContentType().getMimeType();
+    } catch (IOException e) {
+      throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, e);
+    }
+  }
+
+  /**
+   * Guess the mime type of file bytes based on its magic number.
+   *
+   * @param bytes the first bytes at start of the file
+   * @return string with content-type or "application/octet-stream" if unknown
+   */
+  public String guessMimeType(byte[] bytes) {
+    return guessMimeType(new ByteArrayInputStream(bytes));
+  }
+
+  @Override
+  public void error(String line, String details, Exception e) {
+    throw new SolrException(
+        SolrException.ErrorCode.SERVER_ERROR,
+        String.format(Locale.ROOT, "%s: %s", line, details),
+        e);
+  }
+
+  /**
+   * Determine forbidden file type based on magic bytes matching of the file itself. Forbidden types
+   * are:
+   *
+   * <ul>
+   *   <li><code>application/x-java-applet</code>: java class file
+   *   <li><code>application/zip</code>: jar or zip archives
+   *   <li><code>application/x-tar</code>: tar archives
+   *   <li><code>text/x-shellscript</code>: shell or bash script
+   * </ul>
+   *
+   * @param fileStream stream from the file content
+   * @return true if file is among the forbidden mime-types
+   */
+  public static boolean isFileForbiddenInConfigset(InputStream fileStream) {
+    return forbiddenTypes.contains(FileTypeMagicUtil.INSTANCE.guessMimeType(fileStream));
+  }
+
+  /**
+   * Determine forbidden file type based on magic bytes matching of the first bytes of the file.
+   *
+   * @param bytes byte array of the file content
+   * @return true if file is among the forbidden mime-types
+   */
+  public static boolean isFileForbiddenInConfigset(byte[] bytes) {
+    if (bytes == null || bytes.length == 0)
+      return false; // A ZK znode may be a folder with no content
+    return isFileForbiddenInConfigset(new ByteArrayInputStream(bytes));
+  }
+
+  private static final Set<String> forbiddenTypes =
+      new HashSet<>(
+          Arrays.asList(
+              System.getProperty(
+                      "solr.configset.upload.mimetypes.forbidden",
+                      "application/x-java-applet,application/zip,application/x-tar,text/x-shellscript")
+                  .split(",")));
+}
diff --git a/solr/core/src/resources/magic/executables b/solr/core/src/resources/magic/executables
new file mode 100644
index 00000000000..04094eaf797
--- /dev/null
+++ b/solr/core/src/resources/magic/executables
@@ -0,0 +1,74 @@
+#  Licensed to the Apache Software Foundation (ASF) under one or more
+#  contributor license agreements.  See the NOTICE file distributed with
+#  this work for additional information regarding copyright ownership.
+#  The ASF licenses this file to You under the Apache License, Version 2.0
+#  (the "License"); you may not use this file except in compliance with
+#  the License.  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+# POSIX tar archives
+# URL: https://en.wikipedia.org/wiki/Tar_(computing)
+# Reference: https://www.freebsd.org/cgi/man.cgi?query=tar&sektion=5&manpath=FreeBSD+8-current
+# header mainly padded with nul bytes
+500	quad		0
+!:strength /2
+# filename or extended attribute printable strings in range space null til umlaut ue
+>0	ubeshort	>0x1F00
+>>0	ubeshort	<0xFCFD
+# last 4 header bytes often null but tar\0 in gtarfail2.tar gtarfail.tar-bad
+# at https://sourceforge.net/projects/s-tar/files/testscripts/
+>>>508	ubelong&0x8B9E8DFF	0
+# nul, space or ascii digit 0-7 at start of mode
+>>>>100	ubyte&0xC8	=0
+>>>>>101 ubyte&0xC8	=0
+# nul, space at end of check sum
+>>>>>>155 ubyte&0xDF	=0
+# space or ascii digit 0 at start of check sum
+>>>>>>>148	ubyte&0xEF	=0x20
+# check for specific 1st member name that indicates other mime type and file name suffix
+>>>>>>>>0	string		TpmEmuTpms/permall
+!:mime	application/x-tar
+!:ext	tar
+# other stuff in padding
+# some implementations add new fields to the blank area at the end of the header record
+# created for example by DOS TAR 3.20g 1994 Tim V.Shapore with -j option
+>>257	ulong		!0		tar archive (old)
+!:mime	application/x-tar
+!:ext	tar
+# magic in newer, GNU, posix variants
+>257	string		=ustar
+# 2 last char of magic and UStar version because string expression does not work
+# 2 space characters followed by a null for GNU variant
+>>261	ubelong		=0x72202000	POSIX tar archive (GNU)
+!:mime	application/x-gtar
+!:ext	tar/gtar
+
+
+# Zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
+0	string		PK\005\006	Zip archive data (empty)
+0	string		PK\003\004  Zip archive data
+!:strength +1
+!:mime application/zip
+!:ext zip/cbz
+
+
+# JAVA
+0	belong		0xcafebabe
+>4	ubelong		>30		compiled Java class data,
+!:mime	application/x-java-applet
+#!:mime	application/java-byte-code
+!:ext	class
+
+
+# SHELL scripts
+#0	string/w	:			shell archive or script for antique kernel text
+0	regex	\^#!\\s?(/bin/|/usr/)		POSIX shell script text executable
+!:mime	text/x-shellscript
+!:ext	sh/bash
\ No newline at end of file
diff --git a/solr/core/src/test-files/magic/HelloWorld.java.txt b/solr/core/src/test-files/magic/HelloWorld.java.txt
new file mode 100644
index 00000000000..ca9518d2afa
--- /dev/null
+++ b/solr/core/src/test-files/magic/HelloWorld.java.txt
@@ -0,0 +1,5 @@
+class HelloWorld {
+  public static void main(String[] args) {
+    System.out.println("Hellow world");
+  }
+}
\ No newline at end of file
diff --git a/solr/core/src/test-files/magic/HelloWorldJavaClass.class.bin b/solr/core/src/test-files/magic/HelloWorldJavaClass.class.bin
new file mode 100644
index 0000000000000000000000000000000000000000..e15d0a6c5b9d1a5b33df67614dd715ff6150d225
GIT binary patch
literal 426
zcmZvZ%}T>i5QWb)vA2oQ)YjJDLN`L{!aP9LjUX<H3X!^Sm9&>~OMWCK79UF&3NCyA
zA4;4X7e(k@%pB&P`50!te?GqeoS|o<21CGfu!cIJIS-#hKMvEGe-q8+q#)E!RjP_}
zg5eFu78<YwYzOOb{@H_<r$Q#|%1UnPj4F`I{M%fmMNs52Ook0?5}Yd;$JwI4$ntn<
zqlqnnmV-973GEeK1o5aDamrZlk6R7MP?gSxgRwxDU{~0C4JDWt*;EqTkxJ!tnM5+b
z3!|7TW)dpqbiIdFAf^OanNQ@U(q?ywJkf)pj}EU(KOK2tAndT}aVA|k{s6tQAnbC~
l-&$MP!#-ziJ>phfwca3F8}D$Jc6|!K;0>E>IbdDG;V+0cSK$Bv

literal 0
HcmV?d00001

diff --git a/solr/core/src/test-files/magic/README.md b/solr/core/src/test-files/magic/README.md
new file mode 100644
index 00000000000..6e499a2f711
--- /dev/null
+++ b/solr/core/src/test-files/magic/README.md
@@ -0,0 +1,29 @@
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+ -->
+
+The two binary files were created by the following commands:
+
+```bash
+echo "Hello" > hello.txt && \
+  tar -cvf hello.tar.bin hello.txt && \
+  rm hello.txt
+
+cp HelloWorld.java.txt HelloWorld.java && \
+  javac HelloWorld.java && \
+  mv HelloWorld.class HelloWorldJavaClass.class.bin && \
+  rm HelloWorld.java
+```
\ No newline at end of file
diff --git a/solr/core/src/test-files/magic/hello.tar.bin b/solr/core/src/test-files/magic/hello.tar.bin
new file mode 100644
index 0000000000000000000000000000000000000000..68ca23c362ac50e132f7fba22fe858d178b0f546
GIT binary patch
literal 4096
zcmdOk&q&S5$=55XC}E%#FfcGMGci$M0Mh1WreNB@2*L*n835VF3Wg@8#%6}b#s+5Q
z3I>M8W(I}~3I?=t5VE<Y#U+VFK&NFT=4IqpBFmt%fy&a-P=!!<V4oO3JZAu;hYDa7
zV`pGuVDL>$R`3s2h){q6kQf6e5E}t;ArOQ3i-DL3;207T1XTvoF$0LX(X=rl#6^?y
zbM+Dn3UX5Q3X1Z}Qu7k?l2aLg3O0P~;5y?waW0zHQ7$z@ARw{ABQ-H4wMd_K<p3~i
z;LraC=4kof)Y#aRL7{@09>rzW2+#jUmI}EgnYpR9hUUO>*uc`<!dTD3+``n@#K?ln
z)Lg;G)5$T&*~2r;Rj(qkq@+j>TW+;=40LoX4siE$F0Sy)jxyjfu~Y~KYVwK1rwJ*G
zbK#1eQE?iF0PS);!r_GSKd^W}%m2o}w!mopj|f59u{=PnztQYRy8s?Fc{Bt@Ltr!n
I25ATY0C-`G*Z=?k

literal 0
HcmV?d00001

diff --git a/solr/core/src/test-files/magic/plain.txt b/solr/core/src/test-files/magic/plain.txt
new file mode 100644
index 00000000000..70c379b63ff
--- /dev/null
+++ b/solr/core/src/test-files/magic/plain.txt
@@ -0,0 +1 @@
+Hello world
\ No newline at end of file
diff --git a/solr/core/src/test-files/magic/shell.sh.txt b/solr/core/src/test-files/magic/shell.sh.txt
new file mode 100644
index 00000000000..9ea411e111d
--- /dev/null
+++ b/solr/core/src/test-files/magic/shell.sh.txt
@@ -0,0 +1,2 @@
+#! /usr/bin/env bash
+echo Hello
\ No newline at end of file
diff --git a/solr/core/src/test/org/apache/solr/cloud/TestConfigSetsAPI.java b/solr/core/src/test/org/apache/solr/cloud/TestConfigSetsAPI.java
index 1da60d85ff9..f7c9431c296 100644
--- a/solr/core/src/test/org/apache/solr/cloud/TestConfigSetsAPI.java
+++ b/solr/core/src/test/org/apache/solr/cloud/TestConfigSetsAPI.java
@@ -45,6 +45,7 @@
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Properties;
 import java.util.Set;
 import java.util.concurrent.TimeUnit;
@@ -592,14 +593,14 @@ public void testOverwrite(boolean v2) throws Exception {
       assertEquals(
           "Can't overwrite an existing configset unless the overwrite parameter is set",
           400,
-          uploadConfigSet(configsetName, configsetSuffix, null, false, false, v2, false));
+          uploadConfigSet(configsetName, configsetSuffix, null, false, false, v2, false, false));
       unIgnoreException("The configuration regulartestOverwrite-1 already exists in zookeeper");
       assertEquals(
           "Expecting version to remain equal",
           solrconfigZkVersion,
           getConfigZNodeVersion(zkClient, configsetName, configsetSuffix, "solrconfig.xml"));
       assertEquals(
-          0, uploadConfigSet(configsetName, configsetSuffix, null, true, false, v2, false));
+          0, uploadConfigSet(configsetName, configsetSuffix, null, true, false, v2, false, false));
       assertTrue(
           "Expecting version bump",
           solrconfigZkVersion
@@ -638,13 +639,14 @@ public void testOverwriteWithCleanup(boolean v2) throws Exception {
         zkClient.makePath(f, true);
       }
       assertEquals(
-          0, uploadConfigSet(configsetName, configsetSuffix, null, true, false, v2, false));
+          0, uploadConfigSet(configsetName, configsetSuffix, null, true, false, v2, false, false));
       for (String f : extraFiles) {
         assertTrue(
             "Expecting file " + f + " to exist in ConfigSet but it's gone",
             zkClient.exists(f, true));
       }
-      assertEquals(0, uploadConfigSet(configsetName, configsetSuffix, null, true, true, v2, false));
+      assertEquals(
+          0, uploadConfigSet(configsetName, configsetSuffix, null, true, true, v2, false, false));
       for (String f : extraFiles) {
         assertFalse(
             "Expecting file " + f + " to be deleted from ConfigSet but it wasn't",
@@ -675,7 +677,8 @@ public void testOverwriteWithForbiddenFiles(boolean v2) throws Exception {
             .withConnTimeOut(45000, TimeUnit.MILLISECONDS)
             .build()) {
       String configPath = "/configs/" + configsetName + configsetSuffix;
-      assertEquals(0, uploadConfigSet(configsetName, configsetSuffix, null, true, false, v2, true));
+      assertEquals(
+          0, uploadConfigSet(configsetName, configsetSuffix, null, true, false, v2, true, false));
       for (String fileEnding : ZkMaintenanceUtils.DEFAULT_FORBIDDEN_FILE_TYPES) {
         String f = configPath + "/test." + fileEnding;
         assertFalse(
@@ -710,7 +713,7 @@ public void testOverwriteWithTrust(boolean v2) throws Exception {
           getConfigZNodeVersion(zkClient, configsetName, configsetSuffix, "solrconfig.xml");
       // Was untrusted, overwrite with untrusted
       assertEquals(
-          0, uploadConfigSet(configsetName, configsetSuffix, null, true, false, v2, false));
+          0, uploadConfigSet(configsetName, configsetSuffix, null, true, false, v2, false, false));
       assertTrue(
           "Expecting version bump",
           solrconfigZkVersion
@@ -721,7 +724,8 @@ public void testOverwriteWithTrust(boolean v2) throws Exception {
 
       // Was untrusted, overwrite with trusted but no cleanup
       assertEquals(
-          0, uploadConfigSet(configsetName, configsetSuffix, "solr", true, false, v2, false));
+          0,
+          uploadConfigSet(configsetName, configsetSuffix, "solr", true, false, v2, false, false));
       assertTrue(
           "Expecting version bump",
           solrconfigZkVersion
@@ -747,7 +751,7 @@ public void testOverwriteWithTrust(boolean v2) throws Exception {
 
       // Was untrusted, overwrite with trusted with cleanup
       assertEquals(
-          0, uploadConfigSet(configsetName, configsetSuffix, "solr", true, true, v2, false));
+          0, uploadConfigSet(configsetName, configsetSuffix, "solr", true, true, v2, false, false));
       assertTrue(
           "Expecting version bump",
           solrconfigZkVersion
@@ -761,7 +765,7 @@ public void testOverwriteWithTrust(boolean v2) throws Exception {
       assertEquals(
           "Can't upload a trusted configset with an untrusted request",
           400,
-          uploadConfigSet(configsetName, configsetSuffix, null, true, false, v2, false));
+          uploadConfigSet(configsetName, configsetSuffix, null, true, false, v2, false, false));
       assertEquals(
           "Expecting version to remain equal",
           solrconfigZkVersion,
@@ -773,7 +777,7 @@ public void testOverwriteWithTrust(boolean v2) throws Exception {
       assertEquals(
           "Can't upload a trusted configset with an untrusted request",
           400,
-          uploadConfigSet(configsetName, configsetSuffix, null, true, true, v2, false));
+          uploadConfigSet(configsetName, configsetSuffix, null, true, true, v2, false, false));
       assertEquals(
           "Expecting version to remain equal",
           solrconfigZkVersion,
@@ -783,7 +787,8 @@ public void testOverwriteWithTrust(boolean v2) throws Exception {
 
       // Was trusted, overwrite with trusted no cleanup
       assertEquals(
-          0, uploadConfigSet(configsetName, configsetSuffix, "solr", true, false, v2, false));
+          0,
+          uploadConfigSet(configsetName, configsetSuffix, "solr", true, false, v2, false, false));
       assertTrue(
           "Expecting version bump",
           solrconfigZkVersion
@@ -794,7 +799,7 @@ public void testOverwriteWithTrust(boolean v2) throws Exception {
 
       // Was trusted, overwrite with trusted with cleanup
       assertEquals(
-          0, uploadConfigSet(configsetName, configsetSuffix, "solr", true, true, v2, false));
+          0, uploadConfigSet(configsetName, configsetSuffix, "solr", true, true, v2, false, false));
       assertTrue(
           "Expecting version bump",
           solrconfigZkVersion
@@ -1457,6 +1462,13 @@ public void testUploadWithLibDirective() throws Exception {
             .get("id"));
   }
 
+  @Test
+  public void testUploadWithForbiddenContent() throws Exception {
+    // Uploads a config set containing a script, a class file and jar file, will return 400 error
+    long res = uploadConfigSet("forbidden", "suffix", "foo", true, false, true, false, true);
+    assertEquals(400, res);
+  }
+
   private static String getSecurityJson() {
     return "{\n"
         + "  'authentication':{\n"
@@ -1511,7 +1523,7 @@ private long uploadConfigSet(
       String configSetName, String suffix, String username, SolrZkClient zkClient, boolean v2)
       throws IOException {
     assertFalse(getConfigSetService().checkConfigExists(configSetName + suffix));
-    return uploadConfigSet(configSetName, suffix, username, false, false, v2, false);
+    return uploadConfigSet(configSetName, suffix, username, false, false, v2, false, false);
   }
 
   private long uploadConfigSet(
@@ -1521,21 +1533,25 @@ private long uploadConfigSet(
       boolean overwrite,
       boolean cleanup,
       boolean v2,
-      boolean forbiddenTypes)
+      boolean forbiddenTypes,
+      boolean forbiddenContent)
       throws IOException {
 
+    File zipFile;
+    if (forbiddenTypes) {
+      log.info("Uploading configset with forbidden file endings");
+      zipFile =
+          createTempZipFileWithForbiddenTypes(
+              "solr/configsets/upload/" + configSetName + "/solrconfig.xml");
+    } else if (forbiddenContent) {
+      log.info("Uploading configset with forbidden file content");
+      zipFile = createTempZipFileWithForbiddenContent("magic");
+    } else {
+      zipFile = createTempZipFile("solr/configsets/upload/" + configSetName);
+    }
+
     // Read zipped sample config
-    return uploadGivenConfigSet(
-        forbiddenTypes
-            ? createTempZipFileWithForbiddenTypes(
-                "solr/configsets/upload/" + configSetName + "/solrconfig.xml")
-            : createTempZipFile("solr/configsets/upload/" + configSetName),
-        configSetName,
-        suffix,
-        username,
-        overwrite,
-        cleanup,
-        v2);
+    return uploadGivenConfigSet(zipFile, configSetName, suffix, username, overwrite, cleanup, v2);
   }
 
   private long uploadBadConfigSet(String configSetName, String suffix, String username, boolean v2)
@@ -1702,31 +1718,68 @@ private File createTempZipFileWithForbiddenTypes(String file) {
     }
   }
 
-  private static void zipWithForbiddenEndings(File file, File zipfile) throws IOException {
-    OutputStream out = new FileOutputStream(zipfile);
-    ZipOutputStream zout = new ZipOutputStream(out);
+  /** Create a zip file (in the temp directory) containing files with forbidden content */
+  private File createTempZipFileWithForbiddenContent(String resourcePath) {
     try {
-      for (String fileType : ZkMaintenanceUtils.DEFAULT_FORBIDDEN_FILE_TYPES) {
-        zout.putNextEntry(new ZipEntry("test." + fileType));
+      final File zipFile = createTempFile("configset", "zip").toFile();
+      final File directory = SolrTestCaseJ4.getFile(resourcePath);
+      if (log.isInfoEnabled()) {
+        log.info("Directory: {}", directory.getAbsolutePath());
+      }
+      zipWithForbiddenContent(directory, zipFile);
+      if (log.isInfoEnabled()) {
+        log.info("Zipfile: {}", zipFile.getAbsolutePath());
+      }
+      return zipFile;
+    } catch (IOException e) {
+      throw new RuntimeException(e);
+    }
+  }
 
-        InputStream in = new FileInputStream(file);
-        try {
-          byte[] buffer = new byte[1024];
-          while (true) {
-            int readCount = in.read(buffer);
-            if (readCount < 0) {
-              break;
+  private static void zipWithForbiddenContent(File directory, File zipfile) throws IOException {
+    OutputStream out = Files.newOutputStream(zipfile.toPath());
+    assertTrue(directory.isDirectory());
+    try (ZipOutputStream zout = new ZipOutputStream(out)) {
+      // Copy in all files from the directory
+      for (File file : Objects.requireNonNull(directory.listFiles())) {
+        zout.putNextEntry(new ZipEntry(file.getName()));
+        zout.write(Files.readAllBytes(file.toPath()));
+        zout.closeEntry();
+      }
+    }
+  }
+
+  private static void zipWithForbiddenEndings(File fileOrDirectory, File zipfile)
+      throws IOException {
+    OutputStream out = new FileOutputStream(zipfile);
+    try (ZipOutputStream zout = new ZipOutputStream(out)) {
+      if (fileOrDirectory.isFile()) {
+        // Create entries with given file, one for each forbidden endding
+        for (String fileType : ZkMaintenanceUtils.DEFAULT_FORBIDDEN_FILE_TYPES) {
+          zout.putNextEntry(new ZipEntry("test." + fileType));
+
+          try (InputStream in = new FileInputStream(fileOrDirectory)) {
+            byte[] buffer = new byte[1024];
+            while (true) {
+              int readCount = in.read(buffer);
+              if (readCount < 0) {
+                break;
+              }
+              zout.write(buffer, 0, readCount);
             }
-            zout.write(buffer, 0, readCount);
           }
-        } finally {
-          in.close();
-        }
 
-        zout.closeEntry();
+          zout.closeEntry();
+        }
+      }
+      if (fileOrDirectory.isDirectory()) {
+        // Copy in all files from the directory
+        for (File file : Objects.requireNonNull(fileOrDirectory.listFiles())) {
+          zout.putNextEntry(new ZipEntry(file.getName()));
+          zout.write(Files.readAllBytes(file.toPath()));
+          zout.closeEntry();
+        }
       }
-    } finally {
-      zout.close();
     }
   }
 
diff --git a/solr/core/src/test/org/apache/solr/util/FileTypeMagicUtilTest.java b/solr/core/src/test/org/apache/solr/util/FileTypeMagicUtilTest.java
new file mode 100644
index 00000000000..b8e9a35a3d9
--- /dev/null
+++ b/solr/core/src/test/org/apache/solr/util/FileTypeMagicUtilTest.java
@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.solr.util;
+
+import org.apache.solr.SolrTestCaseJ4;
+
+public class FileTypeMagicUtilTest extends SolrTestCaseJ4 {
+  public void testGuessMimeType() {
+    assertEquals(
+        "application/x-java-applet",
+        FileTypeMagicUtil.INSTANCE.guessMimeType(
+            FileTypeMagicUtil.class.getResourceAsStream("/magic/HelloWorldJavaClass.class.bin")));
+    assertEquals(
+        "application/zip",
+        FileTypeMagicUtil.INSTANCE.guessMimeType(
+            FileTypeMagicUtil.class.getResourceAsStream(
+                "/runtimecode/containerplugin.v.1.jar.bin")));
+    assertEquals(
+        "application/x-tar",
+        FileTypeMagicUtil.INSTANCE.guessMimeType(
+            FileTypeMagicUtil.class.getResourceAsStream("/magic/hello.tar.bin")));
+    assertEquals(
+        "text/x-shellscript",
+        FileTypeMagicUtil.INSTANCE.guessMimeType(
+            FileTypeMagicUtil.class.getResourceAsStream("/magic/shell.sh.txt")));
+  }
+
+  public void testIsFileForbiddenInConfigset() {
+    assertTrue(
+        FileTypeMagicUtil.isFileForbiddenInConfigset(
+            FileTypeMagicUtil.class.getResourceAsStream("/magic/HelloWorldJavaClass.class.bin")));
+    assertTrue(
+        FileTypeMagicUtil.isFileForbiddenInConfigset(
+            FileTypeMagicUtil.class.getResourceAsStream("/magic/shell.sh.txt")));
+    assertFalse(
+        FileTypeMagicUtil.isFileForbiddenInConfigset(
+            FileTypeMagicUtil.class.getResourceAsStream("/magic/plain.txt")));
+  }
+}
diff --git a/solr/licenses/simplemagic-1.17.jar.sha1 b/solr/licenses/simplemagic-1.17.jar.sha1
new file mode 100644
index 00000000000..cf101094cc8
--- /dev/null
+++ b/solr/licenses/simplemagic-1.17.jar.sha1
@@ -0,0 +1 @@
+b6e2d1e47d7172e57fa858a2e3940c09a590e61e
diff --git a/solr/licenses/simplemagic-LICENSE-BSD_LIKE.txt b/solr/licenses/simplemagic-LICENSE-BSD_LIKE.txt
new file mode 100644
index 00000000000..9228230f933
--- /dev/null
+++ b/solr/licenses/simplemagic-LICENSE-BSD_LIKE.txt
@@ -0,0 +1,15 @@
+ISC License (https://opensource.org/licenses/ISC)
+
+Copyright 2021, Gray Watson
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
\ No newline at end of file
diff --git a/solr/licenses/simplemagic-NOTICE.txt b/solr/licenses/simplemagic-NOTICE.txt
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/solr/solrj-zookeeper/src/java/org/apache/solr/common/cloud/ZkMaintenanceUtils.java b/solr/solrj-zookeeper/src/java/org/apache/solr/common/cloud/ZkMaintenanceUtils.java
index d571339880c..e40294a6683 100644
--- a/solr/solrj-zookeeper/src/java/org/apache/solr/common/cloud/ZkMaintenanceUtils.java
+++ b/solr/solrj-zookeeper/src/java/org/apache/solr/common/cloud/ZkMaintenanceUtils.java
@@ -348,6 +348,7 @@ public FileVisitResult visitFile(Path file, BasicFileAttributes attrs)
                   USE_FORBIDDEN_FILE_TYPES);
               return FileVisitResult.CONTINUE;
             }
+            // TODO: Cannot check MAGIC header for file since FileTypeGuesser is in core
             String zkNode = createZkNodeName(zkPath, rootPath, file);
             try {
               // if the path exists (and presumably we're uploading data to it) just set its data
@@ -437,6 +438,7 @@ public static void downloadFromZK(SolrZkClient zkClient, String zkPath, Path fil
         if (isFileForbiddenInConfigSets(zkPath)) {
           log.warn("Skipping download of file from ZK, as it is a forbidden type: {}", zkPath);
         } else {
+          // TODO: Cannot check MAGIC header for file since FileTypeGuesser is in core
           if (copyDataDown(zkClient, zkPath, file) == 0) {
             Files.createFile(file);
           }
diff --git a/versions.lock b/versions.lock
index 9c0f9ef53d4..6b6ea467e0d 100644
--- a/versions.lock
+++ b/versions.lock
@@ -62,6 +62,7 @@ com.googlecode.plist:dd-plist:1.24 (1 constraints: 300c84f5)
 com.healthmarketscience.jackcess:jackcess:4.0.2 (1 constraints: 5d0cf201)
 com.healthmarketscience.jackcess:jackcess-encrypt:4.0.1 (1 constraints: 5c0cf101)
 com.ibm.icu:icu4j:70.1 (1 constraints: a90f1784)
+com.j256.simplemagic:simplemagic:1.17 (1 constraints: dd04f830)
 com.jayway.jsonpath:json-path:2.8.0 (2 constraints: 6c12952c)
 com.lmax:disruptor:3.4.4 (1 constraints: 0d050a36)
 com.mchange:c3p0:0.9.5.5 (1 constraints: c80c571b)
diff --git a/versions.props b/versions.props
index 10b583c43e2..cfa127e1094 100644
--- a/versions.props
+++ b/versions.props
@@ -13,6 +13,7 @@ com.google.cloud:google-cloud-bom=0.204.0
 com.google.errorprone:*=2.23.0
 com.google.guava:guava=32.1.3-jre
 com.google.re2j:re2j=1.7
+com.j256.simplemagic:simplemagic=1.17
 com.jayway.jsonpath:json-path=2.8.0
 com.lmax:disruptor=3.4.4
 com.tdunning:t-digest=3.1

From 955074b8b3a9213c9b106d3b6d273e8562de453f Mon Sep 17 00:00:00 2001
From: Jason Gerlowski <gerlowskija@apache.org>
Date: Thu, 14 Dec 2023 12:36:05 -0500
Subject: [PATCH 11/21] SOLR-16880: Add OAS to release automation (#2125)

Modifies our 'assembleRelease' gradle task and smoketester to handle a
new release artifact: an OpenAPI spec ("OAS") covering Solr's v2 APIs.

The spec (along with associated checksum and signature files) are made
available under a separate 'openApi' directory, similar to our 'changes' files.
---------

Co-authored-by: Houston Putman <houston@apache.org>
---
 dev-tools/scripts/smokeTestRelease.py | 22 +++++++++++++++++
 solr/CHANGES.txt                      |  3 +++
 solr/api/build.gradle                 |  5 ++--
 solr/distribution/build.gradle        | 35 ++++++++++++++++++++++++---
 4 files changed, 60 insertions(+), 5 deletions(-)

diff --git a/dev-tools/scripts/smokeTestRelease.py b/dev-tools/scripts/smokeTestRelease.py
index 554c664559d..3d57f6d98f9 100755
--- a/dev-tools/scripts/smokeTestRelease.py
+++ b/dev-tools/scripts/smokeTestRelease.py
@@ -220,6 +220,7 @@ def checkSigs(urlString, version, tmpDir, isSigned, keysFile):
   ents = getDirEntries(urlString)
   artifact = None
   changesURL = None
+  openApiURL = None
   mavenURL = None
   dockerURL = None
   artifactURL = None
@@ -243,6 +244,10 @@ def checkSigs(urlString, version, tmpDir, isSigned, keysFile):
       if text not in ('changes/', 'changes-%s/' % version):
         raise RuntimeError('solr: found %s vs expected changes-%s/' % (text, version))
       changesURL = subURL
+    elif text.startswith('openApi'):
+      if text not in ('openApi/', 'openApi-%s/' % version):
+        raise RuntimeError('solr: found %s vs expected openApi-%s/' % (text, version))
+      openApiURL = subURL
     elif artifact is None:
       artifact = text
       artifactURL = subURL
@@ -296,6 +301,12 @@ def checkSigs(urlString, version, tmpDir, isSigned, keysFile):
     raise RuntimeError('solr is missing changes-%s' % version)
   testChanges(version, changesURL)
 
+  if openApiURL is None:
+    stopGpgAgent(gpgHomeDir, logfile)
+    raise RuntimeError('solr is missing OpenAPI specification' % version)
+  testOpenApi(version, openApiURL)
+
+
   for artifact, urlString in artifacts: # pylint: disable=redefined-argument-from-local
     print('  download %s...' % artifact)
     scriptutil.download(artifact, urlString, tmpDir, force_clean=FORCE_CLEAN)
@@ -349,6 +360,17 @@ def testChanges(version, changesURLString):
   s = load(changesURL)
   checkChangesContent(s, version, changesURL, True)
 
+def testOpenApi(version, openApiDirUrl):
+  print('  check OpenAPI specification...')
+  specFound = False
+  expectedSpecFileName = 'solr-openapi-' + version + '.json'
+  for text, subURL in getDirEntries(openApiDirUrl):
+    if text == expectedSpecFileName:
+      specFound = True
+
+  if not specFound:
+    raise RuntimeError('Did not see %s in %s' % expectedSpecFileName, openApiDirUrl)
+
 
 def testChangesText(dir, version):
   "Checks all CHANGES.txt under this dir."
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 2fd94304a24..9505b2c6f53 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -171,6 +171,9 @@ Other Changes
 
 * SOLR-16949: Restrict certain file types from being uploaded to or downloaded from Config Sets (janhoy, Houston Putman)
 
+* SOLR-16880: Solr now produces an OpenAPI Specification artifact on releases ("solr-openapi-x.y.z.json") that covers
+  Solr's v2 APIs. (Jason Gerlowski, Houston Putman)
+
 ==================  9.4.0 ==================
 New Features
 ---------------------
diff --git a/solr/api/build.gradle b/solr/api/build.gradle
index ecd93125e86..bbcf66170e1 100644
--- a/solr/api/build.gradle
+++ b/solr/api/build.gradle
@@ -28,7 +28,7 @@ ext {
     jsClientDir = "${buildDir}/generated/js"
     pythonClientDir = "${buildDir}/generated/python"
     openApiSpecDir = "${buildDir}/generated/openapi"
-    openApiSpecFile = "${project.openApiSpecDir}/openapi.json"
+    openApiSpecFile = "${project.openApiSpecDir}/solr-openapi-${version}.json"
 }
 
 configurations {
@@ -50,6 +50,7 @@ resolve {
   classpath = sourceSets.main.runtimeClasspath
   resourcePackages = ["org.apache.solr.client.api.util", "org.apache.solr.client.api.endpoint"]
   outputDir = file(project.openApiSpecDir)
+  outputFileName = "solr-openapi-${version}"
   prettyPrint = true
 }
 
@@ -91,7 +92,7 @@ tasks.withType(org.openapitools.generator.gradle.plugin.tasks.GenerateTask) {
 
 artifacts {
     // Ensure the OAS is available to other modules who want to generate code (i.e. solrj)
-    openapiSpec resolve.outputDir, {
+    openapiSpec file(openApiSpecFile), {
         builtBy resolve
     }
 
diff --git a/solr/distribution/build.gradle b/solr/distribution/build.gradle
index d1ad6b62256..8ebc5872f53 100644
--- a/solr/distribution/build.gradle
+++ b/solr/distribution/build.gradle
@@ -54,11 +54,13 @@ apply from: buildscript.sourceFile.toPath().resolveSibling("source-release.gradl
 // Set up the HTML-rendered "changes" distribution artifact by linking to documentation's output.
 configurations {
   changesHtml
+  openApiSpecFile
   docker
 }
 
 dependencies {
   changesHtml project(path: ":solr:documentation", configuration: "changesHtml")
+  openApiSpecFile project(path: ":solr:api", configuration: "openapiSpec")
   docker project(path: ':solr:docker', configuration: 'packagingOfficial')
 }
 
@@ -73,11 +75,13 @@ task computeChecksums(type: Checksum) {
   [
       tasks.assembleSourceTgz,
       fullDistTarTask,
-      slimDistTarTask,
+      slimDistTarTask
   ].each { dep ->
     dependsOn dep
     files += dep.outputs.files
   }
+  dependsOn configurations.openApiSpecFile
+  files += configurations.openApiSpecFile
 
   outputDir = file("${buildDir}/checksums")
 }
@@ -93,11 +97,19 @@ task signSourceTgz(type: Sign) {
   dependsOn tasks.assembleSourceTgz
   sign tasks.assembleSourceTgz.destination
 }
+task signOpenApiSpec(type: Sign) {
+  dependsOn configurations.openApiSpecFile
+  // This is not an artifact, so we need to use "file" not "configuration" signing
+  doFirst {
+    sign configurations.openApiSpecFile.singleFile
+  }
+}
 
 task signReleaseArchives(type: Sync) {
   from tasks.signFullBinaryTgz
   from tasks.signSlimBinaryTgz
   from tasks.signSourceTgz
+  from tasks.signOpenApiSpec
 
   into "${buildDir}/signatures"
 }
@@ -125,6 +137,10 @@ task assembleRelease(type: Sync) {
     into "changes"
   })
 
+  from(configurations.openApiSpecFile, {
+    into "openApi"
+  })
+
   from(configurations.docker, {
     include 'Dockerfile.official*'
     into "docker"
@@ -139,11 +155,24 @@ task assembleRelease(type: Sync) {
   from fullDistTarTask
   from slimDistTarTask
 
-  from tasks.computeChecksums
+  from(tasks.computeChecksums, {
+    exclude { it.file.getName().contains("openapi") }
+  })
+  from(tasks.computeChecksums, {
+    include { it.file.getName().contains("openapi") }
+    into "openApi"
+  })
 
   // Conditionally, attach signatures of all the release archives.
   if (project.ext.withSignedArtifacts) {
-    from tasks.signReleaseArchives
+    from(tasks.signReleaseArchives, {
+      exclude { it.file.getName().contains("openapi") }
+    })
+
+    from(tasks.signReleaseArchives, {
+      include { it.file.getName().contains("openapi") }
+      into "openApi"
+    })
   }
 
   into releaseDir

From 8768be25387336184de7248abf39fe488826be67 Mon Sep 17 00:00:00 2001
From: mariemat <mathieu.marie@gmail.com>
Date: Fri, 15 Dec 2023 10:10:51 +0100
Subject: [PATCH 12/21] Update replica-placement-plugins.adoc (#2155)

---
 .../configuration-guide/pages/replica-placement-plugins.adoc    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/solr/solr-ref-guide/modules/configuration-guide/pages/replica-placement-plugins.adoc b/solr/solr-ref-guide/modules/configuration-guide/pages/replica-placement-plugins.adoc
index 0ce84efaf68..6cf06903014 100644
--- a/solr/solr-ref-guide/modules/configuration-guide/pages/replica-placement-plugins.adoc
+++ b/solr/solr-ref-guide/modules/configuration-guide/pages/replica-placement-plugins.adoc
@@ -133,7 +133,7 @@ If `withCollection` or `withCollectionShards` are defined and applicable to the
 ** Iterate over the number of replicas to place (for the current replica type for the current shard):
 *** Based on the number of replicas per AZ collected previously, pick the non-empty set of nodes having the lowest number of replicas.
 Then pick the first node in that set.
-That's the node the replica is placed one.
+That's the node the replica is placed on.
 Remove the node from the set of available nodes for the given AZ and increase the number of replicas placed on that AZ.
 ** During this process, the number of cores on the nodes in general is tracked to take into account placement decisions so that not all shards decide to put their replicas on the same nodes (they might though if these are the less loaded nodes).
 

From 0b2326d701f7a19d2a2e4091eb6685736234c83c Mon Sep 17 00:00:00 2001
From: Jason Gerlowski <gerlowskija@apache.org>
Date: Fri, 15 Dec 2023 15:32:59 -0500
Subject: [PATCH 13/21] SOLR-17066: Add 'defaultCollection' to SolrClients
 (#2066)

This commit adds a setter ('withDefaultCollection(String)') to all
SolrClient builders, and propagates the field down to each client
implementation.  All SolrClient implementations now have a getter to
fetch this property ('getDefaultCollection').

This will help users replace the anti-pattern of baking the collection/
core name into their client's base URL to achieve a sort of "poor
man's" default.
---
 solr/CHANGES.txt                              |  4 ++++
 .../apache/solr/client/solrj/SolrClient.java  | 10 +++++++++
 .../solrj/impl/CloudLegacySolrClient.java     |  7 -------
 .../client/solrj/impl/CloudSolrClient.java    |  6 ------
 .../impl/ConcurrentUpdateHttp2SolrClient.java |  9 ++++++++
 .../impl/ConcurrentUpdateSolrClient.java      |  2 ++
 .../client/solrj/impl/Http2SolrClient.java    | 10 ++++++++-
 .../client/solrj/impl/HttpSolrClient.java     |  2 ++
 .../client/solrj/impl/LBHttp2SolrClient.java  | 21 ++++++++++++-------
 .../client/solrj/impl/LBHttpSolrClient.java   |  4 ++++
 .../solr/client/solrj/impl/LBSolrClient.java  |  1 +
 .../client/solrj/impl/SolrClientBuilder.java  |  6 ++++++
 .../impl/CloudHttp2SolrClientBuilderTest.java | 11 ++++++++++
 .../impl/CloudSolrClientBuilderTest.java      | 10 +++++++++
 ...ConcurrentUpdateSolrClientBuilderTest.java | 11 ++++++++++
 .../solrj/impl/HttpSolrClientBuilderTest.java |  9 ++++++++
 .../impl/LBHttpSolrClientBuilderTest.java     | 11 ++++++++++
 17 files changed, 112 insertions(+), 22 deletions(-)

diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 9505b2c6f53..6f8e0477bf9 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -124,6 +124,10 @@ Improvements
 
 * SOLR-17063: Do not retain log param references in LogWatcher (Michael Gibney)
 
+* SOLR-17066: SolrClient builders now allow users to specify a "default" collection or core
+  using the `withDefaultCollection` method.  This is preferable to including the collection
+  in the base URL accepted by certain client implementations. (Jason Gerlowski)
+
 Optimizations
 ---------------------
 * SOLR-17084: LBSolrClient (used by CloudSolrClient) now returns the count of core tracked as not live AKA zombies
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/SolrClient.java b/solr/solrj/src/java/org/apache/solr/client/solrj/SolrClient.java
index f79bba0a64b..a134e2f001a 100644
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/SolrClient.java
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/SolrClient.java
@@ -52,6 +52,7 @@ public abstract class SolrClient implements Serializable, Closeable {
   private static final long serialVersionUID = 1L;
 
   private DocumentObjectBinder binder;
+  protected String defaultCollection;
 
   /**
    * Adds a collection of documents
@@ -1215,4 +1216,13 @@ public DocumentObjectBinder getBinder() {
   public SolrRequest.SolrClientContext getContext() {
     return SolrRequest.SolrClientContext.CLIENT;
   }
+
+  /**
+   * Gets the collection used by default for collection or core-based requests
+   *
+   * <p>If no value is specified at client-creation time, this method will return null.
+   */
+  public String getDefaultCollection() {
+    return defaultCollection;
+  }
 }
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/CloudLegacySolrClient.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/CloudLegacySolrClient.java
index c1bc6811411..3547c652293 100644
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/CloudLegacySolrClient.java
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/CloudLegacySolrClient.java
@@ -167,7 +167,6 @@ public static class Builder extends SolrClientBuilder<Builder> {
     protected boolean shardLeadersOnly = true;
     protected boolean directUpdatesToLeadersOnly = false;
     protected boolean parallelUpdates = true;
-    protected String defaultCollection;
     protected long retryExpiryTimeNano =
         TimeUnit.NANOSECONDS.convert(3, TimeUnit.SECONDS); // 3 seconds or 3 million nanos
     protected ClusterStateProvider stateProvider;
@@ -343,12 +342,6 @@ public Builder withParallelUpdates(boolean parallelUpdates) {
       return this;
     }
 
-    /** Sets the default collection for request. */
-    public Builder withDefaultCollection(String collection) {
-      this.defaultCollection = collection;
-      return this;
-    }
-
     /**
      * Sets the Zk connection timeout
      *
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/CloudSolrClient.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/CloudSolrClient.java
index 58f98c6bbc8..2d08fac6a35 100644
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/CloudSolrClient.java
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/CloudSolrClient.java
@@ -90,7 +90,6 @@ public abstract class CloudSolrClient extends SolrClient {
 
   private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
 
-  protected volatile String defaultCollection;
   // no of times collection state to be reloaded if stale state error is received
   private static final int MAX_STALE_RETRIES =
       Integer.parseInt(System.getProperty("cloudSolrClientMaxStaleRetries", "5"));
@@ -292,11 +291,6 @@ public RequestWriter getRequestWriter() {
     return getLbClient().getRequestWriter();
   }
 
-  /** Gets the default collection for request */
-  public String getDefaultCollection() {
-    return defaultCollection;
-  }
-
   /** Gets whether direct updates are sent in parallel */
   public boolean isParallelUpdates() {
     return parallelUpdates;
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/ConcurrentUpdateHttp2SolrClient.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/ConcurrentUpdateHttp2SolrClient.java
index 69c54ba693a..617e853db52 100644
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/ConcurrentUpdateHttp2SolrClient.java
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/ConcurrentUpdateHttp2SolrClient.java
@@ -149,6 +149,7 @@ protected ConcurrentUpdateHttp2SolrClient(Builder builder) {
     this.runners = new ArrayDeque<>();
     this.streamDeletes = builder.streamDeletes;
     this.basePath = builder.baseSolrUrl;
+    this.defaultCollection = builder.defaultCollection;
     this.pollQueueTimeMillis = builder.pollQueueTimeMillis;
     this.stallTimeMillis = Integer.getInteger("solr.cloud.client.stallTime", 15000);
 
@@ -359,6 +360,7 @@ private void addRunner() {
   @Override
   public NamedList<Object> request(final SolrRequest<?> request, String collection)
       throws SolrServerException, IOException {
+    if (collection == null) collection = defaultCollection;
     if (!(request instanceof UpdateRequest)) {
       request.setBasePath(basePath);
       return client.request(request, collection);
@@ -697,6 +699,7 @@ public void shutdownNow() {
   public static class Builder {
     protected Http2SolrClient client;
     protected String baseSolrUrl;
+    protected String defaultCollection;
     protected int queueSize = 10;
     protected int threadCount;
     protected ExecutorService executorService;
@@ -787,6 +790,12 @@ public Builder neverStreamDeletes() {
       return this;
     }
 
+    /** Sets a default collection for collection-based requests. */
+    public Builder withDefaultCollection(String defaultCollection) {
+      this.defaultCollection = defaultCollection;
+      return this;
+    }
+
     /**
      * @param pollQueueTime time for an open connection to wait for updates when the queue is empty.
      */
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/ConcurrentUpdateSolrClient.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/ConcurrentUpdateSolrClient.java
index 298811c8f39..6bac5c0457b 100644
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/ConcurrentUpdateSolrClient.java
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/ConcurrentUpdateSolrClient.java
@@ -116,6 +116,7 @@ protected ConcurrentUpdateSolrClient(Builder builder) {
     this.soTimeout = builder.socketTimeoutMillis;
     this.pollQueueTimeMillis = builder.pollQueueTime;
     this.stallTimeMillis = Integer.getInteger("solr.cloud.client.stallTime", 15000);
+    this.defaultCollection = builder.defaultCollection;
 
     // make sure the stall time is larger than the polling time
     // to give a chance for the queue to change
@@ -475,6 +476,7 @@ public void setCollection(String collection) {
   @Override
   public NamedList<Object> request(final SolrRequest<?> request, String collection)
       throws SolrServerException, IOException {
+    if (collection == null) collection = defaultCollection;
     if (!(request instanceof UpdateRequest)) {
       return client.request(request, collection);
     }
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java
index 00e94715cfd..af5164f2611 100644
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/Http2SolrClient.java
@@ -191,6 +191,7 @@ protected Http2SolrClient(String serverBaseUrl, Builder builder) {
       this.parser = builder.responseParser;
     }
     updateDefaultMimeTypeForParser();
+    this.defaultCollection = builder.defaultCollection;
     if (builder.requestTimeoutMillis != null) {
       this.requestTimeoutMillis = builder.requestTimeoutMillis;
     } else {
@@ -554,7 +555,7 @@ public void onFailure(Response response, Throwable failure) {
   @Override
   public NamedList<Object> request(SolrRequest<?> solrRequest, String collection)
       throws SolrServerException, IOException {
-
+    if (collection == null) collection = defaultCollection;
     String url = getRequestPath(solrRequest, collection);
     Throwable abortCause = null;
     Request req = null;
@@ -1070,6 +1071,7 @@ public static class Builder {
     private ExecutorService executor;
     protected RequestWriter requestWriter;
     protected ResponseParser responseParser;
+    protected String defaultCollection;
     private Set<String> urlParamNames;
     private CookieStore cookieStore = getDefaultCookieStore();
     private String proxyHost;
@@ -1194,6 +1196,12 @@ public Builder withResponseParser(ResponseParser responseParser) {
       return this;
     }
 
+    /** Sets a default collection for collection-based requests. */
+    public Builder withDefaultCollection(String defaultCollection) {
+      this.defaultCollection = defaultCollection;
+      return this;
+    }
+
     public Builder withFollowRedirects(boolean followRedirects) {
       this.followRedirects = followRedirects;
       return this;
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpSolrClient.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpSolrClient.java
index 67f3162f1cb..9d11dbe7768 100644
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpSolrClient.java
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/HttpSolrClient.java
@@ -188,6 +188,7 @@ protected HttpSolrClient(Builder builder) {
     this.soTimeout = builder.socketTimeoutMillis;
     this.useMultiPartPost = builder.useMultiPartPost;
     this.urlParamNames = builder.urlParamNames;
+    this.defaultCollection = builder.defaultCollection;
   }
 
   public Set<String> getUrlParamNames() {
@@ -242,6 +243,7 @@ public NamedList<Object> request(final SolrRequest<?> request, final ResponsePar
   public NamedList<Object> request(
       final SolrRequest<?> request, final ResponseParser processor, String collection)
       throws SolrServerException, IOException {
+    if (collection == null) collection = defaultCollection;
     HttpRequestBase method = createMethod(request, collection);
     setBasicAuthHeader(request, method);
     if (request.getHeaders() != null) {
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/LBHttp2SolrClient.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/LBHttp2SolrClient.java
index 18b89440568..82650e525b1 100644
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/LBHttp2SolrClient.java
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/LBHttp2SolrClient.java
@@ -23,7 +23,6 @@
 import java.net.SocketException;
 import java.net.SocketTimeoutException;
 import java.util.Arrays;
-import java.util.List;
 import java.util.Set;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicBoolean;
@@ -86,9 +85,11 @@
 public class LBHttp2SolrClient extends LBSolrClient {
   private final Http2SolrClient solrClient;
 
-  private LBHttp2SolrClient(Http2SolrClient solrClient, List<String> baseSolrUrls) {
-    super(baseSolrUrls);
-    this.solrClient = solrClient;
+  private LBHttp2SolrClient(Builder builder) {
+    super(Arrays.asList(builder.baseSolrUrls));
+    this.solrClient = builder.http2SolrClient;
+    this.aliveCheckIntervalMillis = builder.aliveCheckIntervalMillis;
+    this.defaultCollection = builder.defaultCollection;
   }
 
   @Override
@@ -258,6 +259,7 @@ public static class Builder {
     private final String[] baseSolrUrls;
     private long aliveCheckIntervalMillis =
         TimeUnit.MILLISECONDS.convert(60, TimeUnit.SECONDS); // 1 minute between checks
+    protected String defaultCollection;
 
     public Builder(Http2SolrClient http2Client, String... baseSolrUrls) {
       this.http2SolrClient = http2Client;
@@ -279,11 +281,14 @@ public LBHttp2SolrClient.Builder setAliveCheckInterval(int aliveCheckInterval, T
       return this;
     }
 
+    /** Sets a default collection for collection-based requests. */
+    public LBHttp2SolrClient.Builder withDefaultCollection(String defaultCollection) {
+      this.defaultCollection = defaultCollection;
+      return this;
+    }
+
     public LBHttp2SolrClient build() {
-      LBHttp2SolrClient solrClient =
-          new LBHttp2SolrClient(this.http2SolrClient, Arrays.asList(this.baseSolrUrls));
-      solrClient.aliveCheckIntervalMillis = this.aliveCheckIntervalMillis;
-      return solrClient;
+      return new LBHttp2SolrClient(this);
     }
   }
 }
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/LBHttpSolrClient.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/LBHttpSolrClient.java
index 1ba16f521f2..923d651afb3 100644
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/LBHttpSolrClient.java
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/LBHttpSolrClient.java
@@ -93,6 +93,10 @@ protected LBHttpSolrClient(Builder builder) {
         builder.httpClient == null
             ? constructClient(builder.baseSolrUrls.toArray(new String[0]))
             : builder.httpClient;
+    this.defaultCollection = builder.defaultCollection;
+    if (httpSolrClientBuilder != null && this.defaultCollection != null) {
+      httpSolrClientBuilder.defaultCollection = this.defaultCollection;
+    }
     this.connectionTimeoutMillis = builder.connectionTimeoutMillis;
     this.soTimeoutMillis = builder.socketTimeoutMillis;
     this.parser = builder.responseParser;
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/LBSolrClient.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/LBSolrClient.java
index 2723465b739..6acf04aea57 100644
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/LBSolrClient.java
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/LBSolrClient.java
@@ -574,6 +574,7 @@ public NamedList<Object> request(
     final int maxTries = (numServersToTry == null ? serverList.length : numServersToTry.intValue());
     int numServersTried = 0;
     Map<String, ServerWrapper> justFailed = null;
+    if (collection == null) collection = defaultCollection;
 
     boolean timeAllowedExceeded = false;
     long timeAllowedNano = getTimeAllowedInNanos(request);
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/SolrClientBuilder.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/SolrClientBuilder.java
index d0c97f8ed22..aee3bf55f23 100644
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/SolrClientBuilder.java
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/SolrClientBuilder.java
@@ -41,6 +41,7 @@ public abstract class SolrClientBuilder<B extends SolrClientBuilder<B>> {
   protected int socketTimeoutMillis = 120000; // 120 seconds
   private boolean socketTimeoutMillisUpdate = false;
   protected boolean followRedirects = false;
+  protected String defaultCollection;
   protected Set<String> urlParamNames;
 
   /** The solution for the unchecked cast warning. */
@@ -97,6 +98,11 @@ public B withFollowRedirects(boolean followRedirects) {
     return getThis();
   }
 
+  public B withDefaultCollection(String defaultCollection) {
+    this.defaultCollection = defaultCollection;
+    return getThis();
+  }
+
   /**
    * Tells {@link Builder} that created clients should obey the following timeout when connecting to
    * Solr servers.
diff --git a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/CloudHttp2SolrClientBuilderTest.java b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/CloudHttp2SolrClientBuilderTest.java
index 6cf26e440b6..b776755a2ed 100644
--- a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/CloudHttp2SolrClientBuilderTest.java
+++ b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/CloudHttp2SolrClientBuilderTest.java
@@ -161,4 +161,15 @@ public void testProvideExternalClient() throws IOException {
     // it's external, should be NOT closed when closing CloudSolrClient
     verify(http2Client, never()).close();
   }
+
+  @Test
+  public void testDefaultCollectionPassedFromBuilderToClient() throws IOException {
+    try (CloudHttp2SolrClient createdClient =
+        new CloudHttp2SolrClient.Builder(
+                Collections.singletonList(ANY_ZK_HOST), Optional.of(ANY_CHROOT))
+            .withDefaultCollection("aCollection")
+            .build()) {
+      assertEquals("aCollection", createdClient.getDefaultCollection());
+    }
+  }
 }
diff --git a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/CloudSolrClientBuilderTest.java b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/CloudSolrClientBuilderTest.java
index b96d5762c5d..348e8e1d65e 100644
--- a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/CloudSolrClientBuilderTest.java
+++ b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/CloudSolrClientBuilderTest.java
@@ -101,4 +101,14 @@ public void test0Timeouts() throws IOException {
       assertNotNull(createdClient);
     }
   }
+
+  @Test
+  public void testDefaultCollectionPassedFromBuilderToClient() throws IOException {
+    try (CloudSolrClient createdClient =
+        new Builder(Collections.singletonList(ANY_ZK_HOST), Optional.of(ANY_CHROOT))
+            .withDefaultCollection("aCollection")
+            .build()) {
+      assertEquals("aCollection", createdClient.getDefaultCollection());
+    }
+  }
 }
diff --git a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/ConcurrentUpdateSolrClientBuilderTest.java b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/ConcurrentUpdateSolrClientBuilderTest.java
index 902aeb61842..c6cd4779f96 100644
--- a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/ConcurrentUpdateSolrClientBuilderTest.java
+++ b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/ConcurrentUpdateSolrClientBuilderTest.java
@@ -23,6 +23,7 @@
 import java.net.SocketTimeoutException;
 import java.util.concurrent.TimeUnit;
 import org.apache.solr.SolrTestCase;
+import org.apache.solr.client.solrj.SolrClient;
 import org.apache.solr.client.solrj.SolrServerException;
 import org.apache.solr.client.solrj.impl.ConcurrentUpdateSolrClient.Builder;
 import org.junit.Test;
@@ -71,4 +72,14 @@ public void testSocketTimeoutOnCommit() throws IOException, SolrServerException
       // else test passses
     }
   }
+
+  @Test
+  public void testDefaultCollectionPassedFromBuilderToClient() throws IOException {
+    try (SolrClient createdClient =
+        new ConcurrentUpdateSolrClient.Builder("someurl")
+            .withDefaultCollection("aCollection")
+            .build()) {
+      assertEquals("aCollection", createdClient.getDefaultCollection());
+    }
+  }
 }
diff --git a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpSolrClientBuilderTest.java b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpSolrClientBuilderTest.java
index eea4fcfc3b8..6aba55d47bf 100644
--- a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpSolrClientBuilderTest.java
+++ b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/HttpSolrClientBuilderTest.java
@@ -22,6 +22,7 @@
 import org.apache.http.impl.client.HttpClientBuilder;
 import org.apache.solr.SolrTestCase;
 import org.apache.solr.client.solrj.ResponseParser;
+import org.apache.solr.client.solrj.SolrClient;
 import org.apache.solr.client.solrj.impl.HttpSolrClient.Builder;
 import org.apache.solr.common.params.ModifiableSolrParams;
 import org.junit.Test;
@@ -83,4 +84,12 @@ public void testDefaultsToBinaryResponseParserWhenNoneProvided() throws IOExcept
       assertTrue(usedParser instanceof BinaryResponseParser);
     }
   }
+
+  @Test
+  public void testDefaultCollectionPassedFromBuilderToClient() throws IOException {
+    try (final SolrClient createdClient =
+        new Builder(ANY_BASE_SOLR_URL).withDefaultCollection("aCollection").build()) {
+      assertEquals("aCollection", createdClient.getDefaultCollection());
+    }
+  }
 }
diff --git a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/LBHttpSolrClientBuilderTest.java b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/LBHttpSolrClientBuilderTest.java
index 25a70f5460c..6db869cf96b 100644
--- a/solr/solrj/src/test/org/apache/solr/client/solrj/impl/LBHttpSolrClientBuilderTest.java
+++ b/solr/solrj/src/test/org/apache/solr/client/solrj/impl/LBHttpSolrClientBuilderTest.java
@@ -77,4 +77,15 @@ public void testUsesTimeoutProvidedByHttpClient() throws IOException {
     }
     HttpClientUtil.close(httpClient);
   }
+
+  @Test
+  public void testDefaultCollectionPassedFromBuilderToClient() throws IOException {
+    try (LBHttpSolrClient createdClient =
+        new LBHttpSolrClient.Builder()
+            .withBaseSolrUrl(ANY_BASE_SOLR_URL)
+            .withDefaultCollection("aCollection")
+            .build()) {
+      assertEquals("aCollection", createdClient.getDefaultCollection());
+    }
+  }
 }

From c89813a675663bb82f18236840b2a84cac05e1ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20H=C3=B8ydahl?= <janhoy@apache.org>
Date: Sun, 17 Dec 2023 23:19:14 +0100
Subject: [PATCH 14/21] SOLR-16949: Handle inputStream leaks

---
 .../solr/core/FileSystemConfigSetService.java |  5 +-
 .../apache/solr/util/FileTypeMagicUtil.java   | 93 +++++++++++++------
 .../solr/util/FileTypeMagicUtilTest.java      | 58 ++++++------
 3 files changed, 96 insertions(+), 60 deletions(-)

diff --git a/solr/core/src/java/org/apache/solr/core/FileSystemConfigSetService.java b/solr/core/src/java/org/apache/solr/core/FileSystemConfigSetService.java
index 4b041252211..c4686195d64 100644
--- a/solr/core/src/java/org/apache/solr/core/FileSystemConfigSetService.java
+++ b/solr/core/src/java/org/apache/solr/core/FileSystemConfigSetService.java
@@ -214,12 +214,11 @@ public FileVisitResult visitFile(Path file, BasicFileAttributes attrs)
                     "Not including uploading file to config, as it is a forbidden type: {}",
                     file.getFileName());
               } else {
-                if (!FileTypeMagicUtil.isFileForbiddenInConfigset(Files.newInputStream(file))) {
+                if (!FileTypeMagicUtil.isFileForbiddenInConfigset(file)) {
                   Files.copy(
                       file, target.resolve(source.relativize(file).toString()), REPLACE_EXISTING);
                 } else {
-                  String mimeType =
-                      FileTypeMagicUtil.INSTANCE.guessMimeType(Files.newInputStream(file));
+                  String mimeType = FileTypeMagicUtil.INSTANCE.guessMimeType(file);
                   log.warn(
                       "Not copying file {}, as it matched the MAGIC signature of a forbidden mime type {}",
                       file.getFileName(),
diff --git a/solr/core/src/java/org/apache/solr/util/FileTypeMagicUtil.java b/solr/core/src/java/org/apache/solr/util/FileTypeMagicUtil.java
index cfb6c9fa0af..692cda83bd3 100644
--- a/solr/core/src/java/org/apache/solr/util/FileTypeMagicUtil.java
+++ b/solr/core/src/java/org/apache/solr/util/FileTypeMagicUtil.java
@@ -20,7 +20,6 @@
 import com.j256.simplemagic.ContentInfo;
 import com.j256.simplemagic.ContentInfoUtil;
 import com.j256.simplemagic.ContentType;
-import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.file.FileVisitResult;
@@ -58,30 +57,23 @@ public class FileTypeMagicUtil implements ContentInfoUtil.ErrorCallBack {
   public static void assertConfigSetFolderLegal(Path confPath) throws IOException {
     Files.walkFileTree(
         confPath,
-        new SimpleFileVisitor<Path>() {
+        new SimpleFileVisitor<>() {
           @Override
-          public FileVisitResult visitFile(Path file, BasicFileAttributes attrs)
-              throws IOException {
-            // Read first 100 bytes of the file to determine the mime type
-            try (InputStream fileStream = Files.newInputStream(file)) {
-              byte[] bytes = new byte[100];
-              fileStream.read(bytes);
-              if (FileTypeMagicUtil.isFileForbiddenInConfigset(bytes)) {
-                throw new SolrException(
-                    SolrException.ErrorCode.BAD_REQUEST,
-                    String.format(
-                        Locale.ROOT,
-                        "Not uploading file %s to configset, as it matched the MAGIC signature of a forbidden mime type %s",
-                        file,
-                        FileTypeMagicUtil.INSTANCE.guessMimeType(bytes)));
-              }
-              return FileVisitResult.CONTINUE;
+          public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) {
+            if (FileTypeMagicUtil.isFileForbiddenInConfigset(file)) {
+              throw new SolrException(
+                  SolrException.ErrorCode.BAD_REQUEST,
+                  String.format(
+                      Locale.ROOT,
+                      "Not uploading file %s to configset, as it matched the MAGIC signature of a forbidden mime type %s",
+                      file,
+                      FileTypeMagicUtil.INSTANCE.guessMimeType(file)));
             }
+            return FileVisitResult.CONTINUE;
           }
 
           @Override
-          public FileVisitResult preVisitDirectory(Path dir, BasicFileAttributes attrs)
-              throws IOException {
+          public FileVisitResult preVisitDirectory(Path dir, BasicFileAttributes attrs) {
             if (SKIP_FOLDERS.contains(dir.getFileName().toString()))
               return FileVisitResult.SKIP_SUBTREE;
 
@@ -90,19 +82,29 @@ public FileVisitResult preVisitDirectory(Path dir, BasicFileAttributes attrs)
         });
   }
 
+  /**
+   * Guess the mime type of file based on its magic number.
+   *
+   * @param file file to check
+   * @return string with content-type or "application/octet-stream" if unknown
+   */
+  public String guessMimeType(Path file) {
+    try {
+      return guessTypeFallbackToOctetStream(util.findMatch(file.toFile()));
+    } catch (IOException e) {
+      throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, e);
+    }
+  }
+
   /**
    * Guess the mime type of file based on its magic number.
    *
    * @param stream input stream of the file
    * @return string with content-type or "application/octet-stream" if unknown
    */
-  public String guessMimeType(InputStream stream) {
+  String guessMimeType(InputStream stream) {
     try {
-      ContentInfo info = util.findMatch(stream);
-      if (info == null) {
-        return ContentType.OTHER.getMimeType();
-      }
-      return info.getContentType().getMimeType();
+      return guessTypeFallbackToOctetStream(util.findMatch(stream));
     } catch (IOException e) {
       throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, e);
     }
@@ -115,7 +117,7 @@ public String guessMimeType(InputStream stream) {
    * @return string with content-type or "application/octet-stream" if unknown
    */
   public String guessMimeType(byte[] bytes) {
-    return guessMimeType(new ByteArrayInputStream(bytes));
+    return guessTypeFallbackToOctetStream(util.findMatch(bytes));
   }
 
   @Override
@@ -126,6 +128,31 @@ public void error(String line, String details, Exception e) {
         e);
   }
 
+  /**
+   * Determine forbidden file type based on magic bytes matching of the file itself. Forbidden types
+   * are:
+   *
+   * <ul>
+   *   <li><code>application/x-java-applet</code>: java class file
+   *   <li><code>application/zip</code>: jar or zip archives
+   *   <li><code>application/x-tar</code>: tar archives
+   *   <li><code>text/x-shellscript</code>: shell or bash script
+   * </ul>
+   *
+   * @param file file to check
+   * @return true if file is among the forbidden mime-types
+   */
+  public static boolean isFileForbiddenInConfigset(Path file) {
+    try (InputStream fileStream = Files.newInputStream(file)) {
+      return isFileForbiddenInConfigset(fileStream);
+    } catch (IOException e) {
+      throw new SolrException(
+          SolrException.ErrorCode.SERVER_ERROR,
+          String.format(Locale.ROOT, "Error reading file %s", file),
+          e);
+    }
+  }
+
   /**
    * Determine forbidden file type based on magic bytes matching of the file itself. Forbidden types
    * are:
@@ -140,7 +167,7 @@ public void error(String line, String details, Exception e) {
    * @param fileStream stream from the file content
    * @return true if file is among the forbidden mime-types
    */
-  public static boolean isFileForbiddenInConfigset(InputStream fileStream) {
+  static boolean isFileForbiddenInConfigset(InputStream fileStream) {
     return forbiddenTypes.contains(FileTypeMagicUtil.INSTANCE.guessMimeType(fileStream));
   }
 
@@ -153,7 +180,7 @@ public static boolean isFileForbiddenInConfigset(InputStream fileStream) {
   public static boolean isFileForbiddenInConfigset(byte[] bytes) {
     if (bytes == null || bytes.length == 0)
       return false; // A ZK znode may be a folder with no content
-    return isFileForbiddenInConfigset(new ByteArrayInputStream(bytes));
+    return forbiddenTypes.contains(FileTypeMagicUtil.INSTANCE.guessMimeType(bytes));
   }
 
   private static final Set<String> forbiddenTypes =
@@ -163,4 +190,12 @@ public static boolean isFileForbiddenInConfigset(byte[] bytes) {
                       "solr.configset.upload.mimetypes.forbidden",
                       "application/x-java-applet,application/zip,application/x-tar,text/x-shellscript")
                   .split(",")));
+
+  private String guessTypeFallbackToOctetStream(ContentInfo contentInfo) {
+    if (contentInfo == null) {
+      return ContentType.OTHER.getMimeType();
+    } else {
+      return contentInfo.getContentType().getMimeType();
+    }
+  }
 }
diff --git a/solr/core/src/test/org/apache/solr/util/FileTypeMagicUtilTest.java b/solr/core/src/test/org/apache/solr/util/FileTypeMagicUtilTest.java
index b8e9a35a3d9..5c02528a7f4 100644
--- a/solr/core/src/test/org/apache/solr/util/FileTypeMagicUtilTest.java
+++ b/solr/core/src/test/org/apache/solr/util/FileTypeMagicUtilTest.java
@@ -17,38 +17,40 @@
 
 package org.apache.solr.util;
 
+import java.io.IOException;
+import java.io.InputStream;
 import org.apache.solr.SolrTestCaseJ4;
 
 public class FileTypeMagicUtilTest extends SolrTestCaseJ4 {
-  public void testGuessMimeType() {
-    assertEquals(
-        "application/x-java-applet",
-        FileTypeMagicUtil.INSTANCE.guessMimeType(
-            FileTypeMagicUtil.class.getResourceAsStream("/magic/HelloWorldJavaClass.class.bin")));
-    assertEquals(
-        "application/zip",
-        FileTypeMagicUtil.INSTANCE.guessMimeType(
-            FileTypeMagicUtil.class.getResourceAsStream(
-                "/runtimecode/containerplugin.v.1.jar.bin")));
-    assertEquals(
-        "application/x-tar",
-        FileTypeMagicUtil.INSTANCE.guessMimeType(
-            FileTypeMagicUtil.class.getResourceAsStream("/magic/hello.tar.bin")));
-    assertEquals(
-        "text/x-shellscript",
-        FileTypeMagicUtil.INSTANCE.guessMimeType(
-            FileTypeMagicUtil.class.getResourceAsStream("/magic/shell.sh.txt")));
+  public void testGuessMimeType() throws IOException {
+    assertResourceMimeType("application/x-java-applet", "/magic/HelloWorldJavaClass.class.bin");
+    assertResourceMimeType("application/zip", "/runtimecode/containerplugin.v.1.jar.bin");
+    assertResourceMimeType("application/x-tar", "/magic/hello.tar.bin");
+    assertResourceMimeType("text/x-shellscript", "/magic/shell.sh.txt");
   }
 
-  public void testIsFileForbiddenInConfigset() {
-    assertTrue(
-        FileTypeMagicUtil.isFileForbiddenInConfigset(
-            FileTypeMagicUtil.class.getResourceAsStream("/magic/HelloWorldJavaClass.class.bin")));
-    assertTrue(
-        FileTypeMagicUtil.isFileForbiddenInConfigset(
-            FileTypeMagicUtil.class.getResourceAsStream("/magic/shell.sh.txt")));
-    assertFalse(
-        FileTypeMagicUtil.isFileForbiddenInConfigset(
-            FileTypeMagicUtil.class.getResourceAsStream("/magic/plain.txt")));
+  public void testIsFileForbiddenInConfigset() throws IOException {
+    assertResourceForbiddenInConfigset("/magic/HelloWorldJavaClass.class.bin");
+    assertResourceForbiddenInConfigset("/magic/shell.sh.txt");
+    assertResourceAllowedInConfigset("/magic/plain.txt");
+  }
+
+  private void assertResourceMimeType(String mimeType, String resourcePath) throws IOException {
+    try (InputStream stream =
+        FileTypeMagicUtil.class.getResourceAsStream("/magic/HelloWorldJavaClass.class.bin")) {
+      assertEquals("application/x-java-applet", FileTypeMagicUtil.INSTANCE.guessMimeType(stream));
+    }
+  }
+
+  private void assertResourceForbiddenInConfigset(String resourcePath) throws IOException {
+    try (InputStream stream = FileTypeMagicUtil.class.getResourceAsStream(resourcePath)) {
+      assertTrue(FileTypeMagicUtil.isFileForbiddenInConfigset(stream));
+    }
+  }
+
+  private void assertResourceAllowedInConfigset(String resourcePath) throws IOException {
+    try (InputStream stream = FileTypeMagicUtil.class.getResourceAsStream(resourcePath)) {
+      assertFalse(FileTypeMagicUtil.isFileForbiddenInConfigset(stream));
+    }
   }
 }

From 602edbd7ce8b0d6830d251d4044e62fd3c19a06d Mon Sep 17 00:00:00 2001
From: James Dyer <jdyer@apache.org>
Date: Mon, 18 Dec 2023 09:26:48 -0600
Subject: [PATCH 15/21] Copy the file from the "solrj" module (#2158)

---
 .../solrj-streaming/src/test-files/log4j2.xml | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 solr/solrj-streaming/src/test-files/log4j2.xml

diff --git a/solr/solrj-streaming/src/test-files/log4j2.xml b/solr/solrj-streaming/src/test-files/log4j2.xml
new file mode 100644
index 00000000000..96f69f1dc8b
--- /dev/null
+++ b/solr/solrj-streaming/src/test-files/log4j2.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+<!-- We're configuring testing to be synchronous due to "logging polution", see SOLR-13268 -->
+<Configuration>
+  <Appenders>
+    <Console name="STDERR" target="SYSTEM_ERR">
+      <PatternLayout>
+        <Pattern>
+          %maxLen{%-4r %-5p (%t) [%notEmpty{n:%X{node_name}}%notEmpty{ c:%X{collection}}%notEmpty{ s:%X{shard}}%notEmpty{ r:%X{replica}}%notEmpty{ x:%X{core}}%notEmpty{ t:%X{trace_id}}] %c{1.} %m%notEmpty{
+          =>%ex{short}}}{10240}%n
+        </Pattern>
+      </PatternLayout>
+    </Console>
+  </Appenders>
+  <Loggers>
+    <!-- Use <AsyncLogger/<AsyncRoot and <Logger/<Root for asynchronous logging or synchonous logging respectively -->
+    <Logger name="org.apache.zookeeper" level="WARN"/>
+    <Logger name="org.apache.hadoop" level="WARN"/>
+    <Logger name="org.apache.directory" level="WARN"/>
+    <Logger name="org.apache.solr.hadoop" level="INFO"/>
+    <Logger name="org.eclipse.jetty" level="INFO"/>
+
+    <Root level="INFO">
+      <AppenderRef ref="STDERR"/>
+    </Root>
+  </Loggers>
+</Configuration>

From 5e87f8ecef5f890f9bacc1377df66b15eec9bf4e Mon Sep 17 00:00:00 2001
From: Drini Cami <cdrini@gmail.com>
Date: Tue, 19 Dec 2023 02:57:45 -0500
Subject: [PATCH 16/21] Update outdated link in PULL_REQUEST_TEMPLATE.md
 (#2163)

The previous link was a soft redirect to the github page, so replace it.
---
 .github/PULL_REQUEST_TEMPLATE.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index 84d3023d91f..960021a380c 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -35,7 +35,7 @@ Please describe the tests you've developed or run to confirm this patch implemen
 
 Please review the following and check all that apply:
 
-- [ ] I have reviewed the guidelines for [How to Contribute](https://wiki.apache.org/solr/HowToContribute) and my code conforms to the standards described there to the best of my ability.
+- [ ] I have reviewed the guidelines for [How to Contribute](https://github.com/apache/solr/blob/main/CONTRIBUTING.md) and my code conforms to the standards described there to the best of my ability.
 - [ ] I have created a Jira issue and added the issue ID to my pull request title.
 - [ ] I have given Solr maintainers [access](https://help.github.com/en/articles/allowing-changes-to-a-pull-request-branch-created-from-a-fork) to contribute to my PR branch. (optional but recommended)
 - [ ] I have developed this patch against the `main` branch.

From 5876c530c6e3e86891a36432acd29c9e64cdc774 Mon Sep 17 00:00:00 2001
From: Alex D <stillalex@apache.org>
Date: Tue, 19 Dec 2023 12:48:36 -0800
Subject: [PATCH 17/21] SOLR-17060 CoreContainer#create may deadlock with
 concurrent requests for metrics (#2101)

---
 solr/CHANGES.txt                              |  2 +
 .../java/org/apache/solr/core/SolrCore.java   | 17 ++++--
 .../org/apache/solr/core/SolrCoreTest.java    | 60 +++++++++++++++++++
 .../handler/admin/MetricsHandlerTest.java     |  4 ++
 4 files changed, 78 insertions(+), 5 deletions(-)

diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 6f8e0477bf9..a6b21ee9fb3 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -156,6 +156,8 @@ Bug Fixes
 * SOLR-17057: JSON Query regression: If "query" is specified with a String (not JSON structure),
   "defType" should parse it.  Since 9.4 defType was ignored.  (David Smiley)
 
+* SOLR-17060: CoreContainer#create may deadlock with concurrent requests for metrics (Alex Deparvu, David Smiley)
+
 Dependency Upgrades
 ---------------------
 * SOLR-17012: Update Apache Hadoop to 3.3.6 and Apache Curator to 5.5.0 (Kevin Risden)
diff --git a/solr/core/src/java/org/apache/solr/core/SolrCore.java b/solr/core/src/java/org/apache/solr/core/SolrCore.java
index 5f22e95b3fc..be6f7526b3d 100644
--- a/solr/core/src/java/org/apache/solr/core/SolrCore.java
+++ b/solr/core/src/java/org/apache/solr/core/SolrCore.java
@@ -259,6 +259,7 @@ public class SolrCore implements SolrInfoBean, Closeable {
   private Counter newSearcherCounter;
   private Counter newSearcherMaxReachedCounter;
   private Counter newSearcherOtherErrorsCounter;
+  private volatile boolean newSearcherReady = false;
 
   private final String metricTag = SolrMetricProducer.getUniqueMetricTag(this, null);
   private final SolrMetricsContext solrMetricsContext;
@@ -1338,14 +1339,14 @@ public void initializeMetrics(SolrMetricsContext parentContext, String scope) {
         "sizeInBytes",
         Category.INDEX.toString());
     parentContext.gauge(
-        () -> isClosed() ? parentContext.nullNumber() : getSegmentCount(),
+        () -> isClosed() ? parentContext.nullString() : NumberUtils.readableSize(getIndexSize()),
         true,
-        "segments",
+        "size",
         Category.INDEX.toString());
     parentContext.gauge(
-        () -> isClosed() ? parentContext.nullString() : NumberUtils.readableSize(getIndexSize()),
+        () -> isReady() ? getSegmentCount() : parentContext.nullNumber(),
         true,
-        "size",
+        "segments",
         Category.INDEX.toString());
 
     final CloudDescriptor cd = getCoreDescriptor().getCloudDescriptor();
@@ -1899,6 +1900,11 @@ public boolean isClosed() {
     return refCount.get() <= 0;
   }
 
+  /** Returns true if the core is ready for use. It is not initializing or closing/closed. */
+  public boolean isReady() {
+    return !isClosed() && newSearcherReady;
+  }
+
   private Collection<CloseHook> closeHooks = null;
 
   /** Add a close callback hook */
@@ -2107,6 +2113,7 @@ public RefCounted<SolrIndexSearcher> getSearcher() {
    * because it might be closed soon after this method returns; it really depends.
    */
   public <R> R withSearcher(IOFunction<SolrIndexSearcher, R> lambda) throws IOException {
+    assert isReady();
     final RefCounted<SolrIndexSearcher> refCounted = getSearcher();
     try {
       return lambda.apply(refCounted.get());
@@ -2704,7 +2711,6 @@ public RefCounted<SolrIndexSearcher> getSearcher(
 
       if (!success) {
         newSearcherOtherErrorsCounter.inc();
-        ;
         synchronized (searcherLock) {
           onDeckSearchers--;
 
@@ -2734,6 +2740,7 @@ public RefCounted<SolrIndexSearcher> getSearcher(
       // we want to do this after we decrement onDeckSearchers so another thread
       // doesn't increment first and throw a false warning.
       openSearcherLock.unlock();
+      newSearcherReady = true;
     }
   }
 
diff --git a/solr/core/src/test/org/apache/solr/core/SolrCoreTest.java b/solr/core/src/test/org/apache/solr/core/SolrCoreTest.java
index e401bcc695a..28cfbc70cae 100644
--- a/solr/core/src/test/org/apache/solr/core/SolrCoreTest.java
+++ b/solr/core/src/test/org/apache/solr/core/SolrCoreTest.java
@@ -16,6 +16,8 @@
  */
 package org.apache.solr.core;
 
+import com.codahale.metrics.Gauge;
+import com.codahale.metrics.MetricFilter;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
@@ -24,6 +26,7 @@
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Future;
 import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicBoolean;
 import org.apache.solr.SolrTestCaseJ4;
 import org.apache.solr.common.SolrException;
 import org.apache.solr.common.util.ExecutorUtil;
@@ -32,6 +35,7 @@
 import org.apache.solr.handler.RequestHandlerBase;
 import org.apache.solr.handler.component.QueryComponent;
 import org.apache.solr.handler.component.SpellCheckComponent;
+import org.apache.solr.metrics.SolrMetricManager;
 import org.apache.solr.request.SolrQueryRequest;
 import org.apache.solr.request.SolrRequestHandler;
 import org.apache.solr.response.SolrQueryResponse;
@@ -327,6 +331,62 @@ public void testReloadLeak() throws Exception {
     assertTrue(core.areAllSearcherReferencesEmpty());
   }
 
+  /**
+   * Best effort attempt to recreate a deadlock between SolrCore initialization and Index metrics
+   * poll.
+   *
+   * <p>See https://issues.apache.org/jira/browse/SOLR-17060
+   */
+  @Test
+  public void testCoreInitDeadlockMetrics() throws Exception {
+    SolrMetricManager metricManager = h.getCoreContainer().getMetricManager();
+    CoreContainer coreContainer = h.getCoreContainer();
+
+    String coreName = "tmpCore";
+    AtomicBoolean created = new AtomicBoolean(false);
+    AtomicBoolean atLeastOnePoll = new AtomicBoolean(false);
+
+    final ExecutorService executor =
+        ExecutorUtil.newMDCAwareFixedThreadPool(
+            1, new SolrNamedThreadFactory("testCoreInitDeadlockMetrics"));
+    executor.submit(
+        () -> {
+          while (!created.get()) {
+            var metrics =
+                metricManager.getMetrics(
+                    "solr.core." + coreName,
+                    MetricFilter.startsWith(SolrInfoBean.Category.INDEX.toString()));
+            for (var m : metrics.values()) {
+              if (m instanceof Gauge) {
+                var v = ((Gauge<?>) m).getValue();
+                atLeastOnePoll.compareAndSet(false, v != null);
+              }
+            }
+
+            try {
+              TimeUnit.MILLISECONDS.sleep(5);
+            } catch (InterruptedException e1) {
+              throw new RuntimeException(e1);
+            }
+          }
+        });
+
+    TimeUnit.MILLISECONDS.sleep(25);
+    try (var tmpCore = coreContainer.create(coreName, Map.of("configSet", "minimal"))) {
+      tmpCore.open();
+      for (int i = 0; i < 10; i++) {
+        TimeUnit.MILLISECONDS.sleep(50); // to allow metrics to be checked at least once
+        if (atLeastOnePoll.get()) {
+          break;
+        }
+      }
+    } finally {
+      created.set(true);
+      ExecutorUtil.shutdownAndAwaitTermination(executor);
+    }
+    assertTrue(atLeastOnePoll.get());
+  }
+
   private static class NewSearcherRunnable implements Runnable {
     private final SolrCore core;
 
diff --git a/solr/core/src/test/org/apache/solr/handler/admin/MetricsHandlerTest.java b/solr/core/src/test/org/apache/solr/handler/admin/MetricsHandlerTest.java
index 1f4697ecc10..c2ccdb43baf 100644
--- a/solr/core/src/test/org/apache/solr/handler/admin/MetricsHandlerTest.java
+++ b/solr/core/src/test/org/apache/solr/handler/admin/MetricsHandlerTest.java
@@ -93,6 +93,10 @@ public void test() throws Exception {
     // response wasn't serialized, so we get here whatever MetricUtils produced instead of NamedList
     assertNotNull(((MapWriter) o)._get("count", null));
     assertEquals(0L, ((MapWriter) nl.get("SEARCHER.new.errors"))._get("count", null));
+    assertNotNull(nl.get("INDEX.segments")); // int gauge
+    assertTrue((int) ((MapWriter) nl.get("INDEX.segments"))._get("value", null) >= 0);
+    assertNotNull(nl.get("INDEX.sizeInBytes")); // long gauge
+    assertTrue((long) ((MapWriter) nl.get("INDEX.sizeInBytes"))._get("value", null) >= 0);
     nl = (NamedList<?>) values.get("solr.node");
     assertNotNull(nl.get("CONTAINER.cores.loaded")); // int gauge
     assertEquals(1, ((MapWriter) nl.get("CONTAINER.cores.loaded"))._get("value", null));

From 65920af20553d71b403a82fbf1e7b4bdf37cafd4 Mon Sep 17 00:00:00 2001
From: Zauberfisch <zauberfisch@zauberfisch.at>
Date: Wed, 20 Dec 2023 15:10:29 +0100
Subject: [PATCH 18/21] Update outdated link in docker-networking.adoc (#2164)

---
 .../modules/deployment-guide/pages/docker-networking.adoc       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/solr/solr-ref-guide/modules/deployment-guide/pages/docker-networking.adoc b/solr/solr-ref-guide/modules/deployment-guide/pages/docker-networking.adoc
index 463fde67a92..364f06b1042 100644
--- a/solr/solr-ref-guide/modules/deployment-guide/pages/docker-networking.adoc
+++ b/solr/solr-ref-guide/modules/deployment-guide/pages/docker-networking.adoc
@@ -16,7 +16,7 @@
 // specific language governing permissions and limitations
 // under the License.
 
-_Note: this article dates from Jan 2016. While this approach would still work, in Jan 2019 this would typically done with Docker cluster and orchestration tools like Kubernetes. See for example https://lucidworks.com/2019/02/07/running-solr-on-kubernetes-part-1/[this blog post]._
+_Note: this article dates from Jan 2016. While this approach would still work, in Jan 2019 this would typically done with Docker cluster and orchestration tools like Kubernetes. See for example https://lucidworks.com/post/running-solr-on-kubernetes-part-1/[this blog post]._
 
 In this example I'll create a cluster with 3 ZooKeeper nodes and 3 Solr nodes, distributed over 3 machines (trinity10, trinity20, trinity30).
 I'll use an overlay network, specify fixed IP addresses when creating containers, and I'll pass in explicit `/etc/hosts` entries to make sure they are available even when nodes are down.

From e2bf1f434aad873fbb24c21d46ac00e888806d98 Mon Sep 17 00:00:00 2001
From: Houston Putman <houston@apache.org>
Date: Tue, 5 Dec 2023 14:35:25 -0500
Subject: [PATCH 19/21] SOLR-17098: Only use ZK ACLs for default ZK Host

---
 solr/CHANGES.txt                              |  3 +
 .../org/apache/solr/core/CoreContainer.java   |  1 +
 .../pages/stream-decorator-reference.adoc     |  1 +
 .../pages/stream-source-reference.adoc        |  3 +
 .../solr/client/solrj/io/SolrClientCache.java | 45 +++++++++--
 .../client/solrj/io/SolrClientCacheTest.java  | 77 +++++++++++++++++++
 .../impl/ZkClientClusterStateProvider.java    | 11 ++-
 .../solr/common/cloud/SolrZkClient.java       | 24 ++++--
 .../solr/common/cloud/ZkStateReader.java      | 15 +++-
 .../solrj/impl/CloudHttp2SolrClient.java      | 10 ++-
 .../solrj/impl/CloudLegacySolrClient.java     | 10 ++-
 .../solrj/impl/ClusterStateProvider.java      |  6 +-
 solr/solrj/src/test-files/solrj/solr/solr.xml |  3 +
 .../solr/cloud/MiniSolrCloudCluster.java      |  1 +
 14 files changed, 190 insertions(+), 20 deletions(-)
 create mode 100644 solr/solrj-streaming/src/test/org/apache/solr/client/solrj/io/SolrClientCacheTest.java

diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index a6b21ee9fb3..128d6e06839 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -158,6 +158,9 @@ Bug Fixes
 
 * SOLR-17060: CoreContainer#create may deadlock with concurrent requests for metrics (Alex Deparvu, David Smiley)
 
+* SOLR-17098: ZK Credentials and ACLs are no longer sent to all ZK Servers when using Streaming Expressions.
+  They will only be used when sent to the default ZK Host. (Houston Putman, Jan Høydahl, David Smiley, Gus Heck, Qing Xu)
+
 Dependency Upgrades
 ---------------------
 * SOLR-17012: Update Apache Hadoop to 3.3.6 and Apache Curator to 5.5.0 (Kevin Risden)
diff --git a/solr/core/src/java/org/apache/solr/core/CoreContainer.java b/solr/core/src/java/org/apache/solr/core/CoreContainer.java
index 6681e71c814..1514aafe2ee 100644
--- a/solr/core/src/java/org/apache/solr/core/CoreContainer.java
+++ b/solr/core/src/java/org/apache/solr/core/CoreContainer.java
@@ -829,6 +829,7 @@ private void loadInternal() {
 
     zkSys.initZooKeeper(this, cfg.getCloudConfig());
     if (isZooKeeperAware()) {
+      solrClientCache.setDefaultZKHost(getZkController().getZkServerAddress());
       // initialize ZkClient metrics
       zkSys.getZkMetricsProducer().initializeMetrics(solrMetricsContext, "zkClient");
       pkiAuthenticationSecurityBuilder =
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/stream-decorator-reference.adoc b/solr/solr-ref-guide/modules/query-guide/pages/stream-decorator-reference.adoc
index 1c2d8afccdf..d5e25ba98fa 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/stream-decorator-reference.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/stream-decorator-reference.adoc
@@ -1187,6 +1187,7 @@ Worker collections can be empty collections that exist only to execute streaming
 * `StreamExpression`: Expression to send to the worker collection.
 * `workers`: Number of workers in the worker collection to send the expression to.
 * `zkHost`: (Optional) The ZooKeeper connect string where the worker collection resides.
+Zookeeper Credentials and ACLs will only be included if the same ZkHost is used as the Solr instance that you are connecting to (the `chroot` can be different).
 * `sort`: The sort criteria for ordering tuples returned by the worker nodes.
 
 === parallel Syntax
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/stream-source-reference.adoc b/solr/solr-ref-guide/modules/query-guide/pages/stream-source-reference.adoc
index 39352261a2f..a4213776f6b 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/stream-source-reference.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/stream-source-reference.adoc
@@ -36,6 +36,7 @@ To read more about the `/export` handler requirements review the section xref:ex
 * `fl`: (Mandatory) The list of fields to return.
 * `sort`: (Mandatory) The sort criteria.
 * `zkHost`: Only needs to be defined if the collection being searched is found in a different zkHost than the local stream handler.
+Zookeeper Credentials and ACLs will only be included if the same ZkHost is used as the Solr instance that you are connecting to (the `chroot` can be different).
 * `qt`: Specifies the query type, or request handler, to use.
 Set this to `/export` to work with large result sets.
 The default is `/select`.
@@ -484,6 +485,7 @@ When used in parallel mode the partitionKeys parameter must be provided.
 * `fl`: (Mandatory) The list of fields to return.
 * `sort`: (Mandatory) The sort criteria.
 * `zkHost`: Only needs to be defined if the collection being searched is found in a different zkHost than the local stream handler.
+Zookeeper Credentials and ACLs will only be included if the same ZkHost is used as the Solr instance that you are connecting to (the `chroot` can be different).
 * `partitionKeys`: Comma delimited list of keys to partition the search results by.
 To be used with the parallel function for parallelizing operations across worker nodes.
 See the xref:stream-decorator-reference.adoc#parallel[parallel] function for details.
@@ -648,6 +650,7 @@ The checkpoints will be saved under this id.
 If not set, it defaults to the highest version in the index.
 Setting to 0 will process all records that match query in the index.
 * `zkHost`: (Optional) Only needs to be defined if the collection being searched is found in a different zkHost than the local stream handler.
+Zookeeper Credentials and ACLs will only be included if the same ZkHost is used as the Solr instance that you are connecting to (the `chroot` can be different).
 
 === topic Syntax
 
diff --git a/solr/solrj-streaming/src/java/org/apache/solr/client/solrj/io/SolrClientCache.java b/solr/solrj-streaming/src/java/org/apache/solr/client/solrj/io/SolrClientCache.java
index e56d1a55c13..915d9fbafc7 100644
--- a/solr/solrj-streaming/src/java/org/apache/solr/client/solrj/io/SolrClientCache.java
+++ b/solr/solrj-streaming/src/java/org/apache/solr/client/solrj/io/SolrClientCache.java
@@ -25,6 +25,7 @@
 import java.util.Optional;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.concurrent.atomic.AtomicReference;
 import org.apache.http.client.HttpClient;
 import org.apache.solr.client.solrj.SolrClient;
 import org.apache.solr.client.solrj.impl.CloudHttp2SolrClient;
@@ -57,6 +58,7 @@ public class SolrClientCache implements Closeable {
   private final HttpClient apacheHttpClient;
   private final Http2SolrClient http2SolrClient;
   private final AtomicBoolean isClosed = new AtomicBoolean(false);
+  private final AtomicReference<String> defaultZkHost = new AtomicReference<>();
 
   public SolrClientCache() {
     this.apacheHttpClient = null;
@@ -74,40 +76,71 @@ public SolrClientCache(Http2SolrClient http2SolrClient) {
     this.http2SolrClient = http2SolrClient;
   }
 
+  public void setDefaultZKHost(String zkHost) {
+    if (zkHost != null) {
+      zkHost = zkHost.split("/")[0];
+      if (!zkHost.isEmpty()) {
+        defaultZkHost.set(zkHost);
+      } else {
+        defaultZkHost.set(null);
+      }
+    }
+  }
+
   public synchronized CloudSolrClient getCloudSolrClient(String zkHost) {
     ensureOpen();
     Objects.requireNonNull(zkHost, "ZooKeeper host cannot be null!");
     if (solrClients.containsKey(zkHost)) {
       return (CloudSolrClient) solrClients.get(zkHost);
     }
+    // Can only use ZK ACLs if there is a default ZK Host, and the given ZK host contains that
+    // default.
+    // Basically the ZK ACLs are assumed to be only used for the default ZK host,
+    // thus we should only provide the ACLs to that Zookeeper instance.
+    String zkHostNoChroot = zkHost.split("/")[0];
+    boolean canUseACLs =
+        Optional.ofNullable(defaultZkHost.get()).map(zkHostNoChroot::equals).orElse(false);
     final CloudSolrClient client;
     if (apacheHttpClient != null) {
-      client = newCloudLegacySolrClient(zkHost, apacheHttpClient);
+      client = newCloudLegacySolrClient(zkHost, apacheHttpClient, canUseACLs);
     } else {
-      client = newCloudHttp2SolrClient(zkHost, http2SolrClient);
+      client = newCloudHttp2SolrClient(zkHost, http2SolrClient, canUseACLs);
     }
     solrClients.put(zkHost, client);
     return client;
   }
 
   @Deprecated
-  private static CloudSolrClient newCloudLegacySolrClient(String zkHost, HttpClient httpClient) {
+  private static CloudSolrClient newCloudLegacySolrClient(
+      String zkHost, HttpClient httpClient, boolean canUseACLs) {
     final List<String> hosts = List.of(zkHost);
     var builder = new CloudLegacySolrClient.Builder(hosts, Optional.empty());
+    builder.canUseZkACLs(canUseACLs);
     adjustTimeouts(builder, httpClient);
     var client = builder.build();
-    client.connect();
+    try {
+      client.connect();
+    } catch (Exception e) {
+      IOUtils.closeQuietly(client);
+      throw e;
+    }
     return client;
   }
 
   private static CloudHttp2SolrClient newCloudHttp2SolrClient(
-      String zkHost, Http2SolrClient http2SolrClient) {
+      String zkHost, Http2SolrClient http2SolrClient, boolean canUseACLs) {
     final List<String> hosts = List.of(zkHost);
     var builder = new CloudHttp2SolrClient.Builder(hosts, Optional.empty());
+    builder.canUseZkACLs(canUseACLs);
     // using internal builder to ensure the internal client gets closed
     builder = builder.withInternalClientBuilder(newHttp2SolrClientBuilder(null, http2SolrClient));
     var client = builder.build();
-    client.connect();
+    try {
+      client.connect();
+    } catch (Exception e) {
+      IOUtils.closeQuietly(client);
+      throw e;
+    }
     return client;
   }
 
diff --git a/solr/solrj-streaming/src/test/org/apache/solr/client/solrj/io/SolrClientCacheTest.java b/solr/solrj-streaming/src/test/org/apache/solr/client/solrj/io/SolrClientCacheTest.java
new file mode 100644
index 00000000000..1f7ee0cffbf
--- /dev/null
+++ b/solr/solrj-streaming/src/test/org/apache/solr/client/solrj/io/SolrClientCacheTest.java
@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.client.solrj.io;
+
+import java.util.Map;
+import org.apache.solr.cloud.SolrCloudTestCase;
+import org.apache.solr.common.SolrException;
+import org.apache.solr.common.cloud.DigestZkACLProvider;
+import org.apache.solr.common.cloud.DigestZkCredentialsProvider;
+import org.apache.solr.common.cloud.SolrZkClient;
+import org.apache.solr.common.cloud.VMParamsZkCredentialsInjector;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class SolrClientCacheTest extends SolrCloudTestCase {
+
+  private static final Map<String, String> sysProps =
+      Map.of(
+          SolrZkClient.ZK_CREDENTIALS_INJECTOR_CLASS_NAME_VM_PARAM_NAME,
+              VMParamsZkCredentialsInjector.class.getName(),
+          SolrZkClient.ZK_CRED_PROVIDER_CLASS_NAME_VM_PARAM_NAME,
+              DigestZkCredentialsProvider.class.getName(),
+          SolrZkClient.ZK_ACL_PROVIDER_CLASS_NAME_VM_PARAM_NAME,
+              DigestZkACLProvider.class.getName(),
+          VMParamsZkCredentialsInjector.DEFAULT_DIGEST_USERNAME_VM_PARAM_NAME, "admin-user",
+          VMParamsZkCredentialsInjector.DEFAULT_DIGEST_PASSWORD_VM_PARAM_NAME, "pass",
+          VMParamsZkCredentialsInjector.DEFAULT_DIGEST_READONLY_USERNAME_VM_PARAM_NAME, "read-user",
+          VMParamsZkCredentialsInjector.DEFAULT_DIGEST_READONLY_PASSWORD_VM_PARAM_NAME, "pass");
+
+  @BeforeClass
+  public static void before() throws Exception {
+    sysProps.forEach(System::setProperty);
+    configureCluster(1)
+        .formatZkServer(true)
+        .addConfig("config", getFile("solrj/solr/configsets/streaming/conf").toPath())
+        .configure();
+  }
+
+  @AfterClass
+  public static void after() {
+    sysProps.keySet().forEach(System::clearProperty);
+  }
+
+  @Test
+  public void testZkACLsNotUsedWithDifferentZkHost() {
+    try (SolrClientCache cache = new SolrClientCache()) {
+      // This ZK Host is fake, thus the ZK ACLs should not be used
+      cache.setDefaultZKHost("test:2181");
+      expectThrows(
+          SolrException.class, () -> cache.getCloudSolrClient(zkClient().getZkServerAddress()));
+    }
+  }
+
+  @Test
+  public void testZkACLsUsedWithDifferentChroot() {
+    try (SolrClientCache cache = new SolrClientCache()) {
+      // The same ZK Host is used, so the ZK ACLs should still be applied
+      cache.setDefaultZKHost(zkClient().getZkServerAddress() + "/random/chroot");
+      cache.getCloudSolrClient(zkClient().getZkServerAddress());
+    }
+  }
+}
diff --git a/solr/solrj-zookeeper/src/java/org/apache/solr/client/solrj/impl/ZkClientClusterStateProvider.java b/solr/solrj-zookeeper/src/java/org/apache/solr/client/solrj/impl/ZkClientClusterStateProvider.java
index 075c1e4d3de..36c5891da1e 100644
--- a/solr/solrj-zookeeper/src/java/org/apache/solr/client/solrj/impl/ZkClientClusterStateProvider.java
+++ b/solr/solrj-zookeeper/src/java/org/apache/solr/client/solrj/impl/ZkClientClusterStateProvider.java
@@ -48,6 +48,7 @@ public class ZkClientClusterStateProvider
   volatile ZkStateReader zkStateReader;
   private boolean closeZkStateReader = true;
   private final String zkHost;
+  private final boolean canUseZkACLs;
   private int zkConnectTimeout = SolrZkClientTimeout.DEFAULT_ZK_CONNECT_TIMEOUT;
   private int zkClientTimeout = SolrZkClientTimeout.DEFAULT_ZK_CLIENT_TIMEOUT;
 
@@ -65,14 +66,22 @@ public ZkClientClusterStateProvider(ZkStateReader zkStateReader) {
     this.zkStateReader = zkStateReader;
     this.closeZkStateReader = false;
     this.zkHost = null;
+    this.canUseZkACLs = true;
   }
 
   public ZkClientClusterStateProvider(Collection<String> zkHosts, String chroot) {
+    this(zkHosts, chroot, true);
+  }
+
+  public ZkClientClusterStateProvider(
+      Collection<String> zkHosts, String chroot, boolean canUseZkACLs) {
     zkHost = buildZkHostString(zkHosts, chroot);
+    this.canUseZkACLs = canUseZkACLs;
   }
 
   public ZkClientClusterStateProvider(String zkHost) {
     this.zkHost = zkHost;
+    this.canUseZkACLs = true;
   }
 
   /**
@@ -212,7 +221,7 @@ public ZkStateReader getZkStateReader() {
         if (zkStateReader == null) {
           ZkStateReader zk = null;
           try {
-            zk = new ZkStateReader(zkHost, zkClientTimeout, zkConnectTimeout);
+            zk = new ZkStateReader(zkHost, zkClientTimeout, zkConnectTimeout, canUseZkACLs);
             zk.createClusterStateWatchersAndUpdate();
             log.info("Cluster at {} ready", zkHost);
             zkStateReader = zk;
diff --git a/solr/solrj-zookeeper/src/java/org/apache/solr/common/cloud/SolrZkClient.java b/solr/solrj-zookeeper/src/java/org/apache/solr/common/cloud/SolrZkClient.java
index ddbd70d375f..4ae9d16f123 100644
--- a/solr/solrj-zookeeper/src/java/org/apache/solr/common/cloud/SolrZkClient.java
+++ b/solr/solrj-zookeeper/src/java/org/apache/solr/common/cloud/SolrZkClient.java
@@ -118,7 +118,8 @@ public SolrZkClient(Builder builder) {
         builder.zkACLProvider,
         builder.higherLevelIsClosed,
         builder.compressor,
-        builder.solrClassLoader);
+        builder.solrClassLoader,
+        builder.useDefaultCredsAndACLs);
   }
 
   private SolrZkClient(
@@ -131,7 +132,8 @@ private SolrZkClient(
       ZkACLProvider zkACLProvider,
       IsClosed higherLevelIsClosed,
       Compressor compressor,
-      SolrClassLoader solrClassLoader) {
+      SolrClassLoader solrClassLoader,
+      boolean useDefaultCredsAndACLs) {
 
     if (zkServerAddress == null) {
       // only tests should create one without server address
@@ -148,9 +150,14 @@ private SolrZkClient(
 
     this.solrClassLoader = solrClassLoader;
     if (!strat.hasZkCredentialsToAddAutomatically()) {
-      zkCredentialsInjector = createZkCredentialsInjector();
+      zkCredentialsInjector =
+          useDefaultCredsAndACLs
+              ? createZkCredentialsInjector()
+              : new DefaultZkCredentialsInjector();
       ZkCredentialsProvider zkCredentialsToAddAutomatically =
-          createZkCredentialsToAddAutomatically();
+          useDefaultCredsAndACLs
+              ? createZkCredentialsToAddAutomatically()
+              : new DefaultZkCredentialsProvider();
       strat.setZkCredentialsToAddAutomatically(zkCredentialsToAddAutomatically);
     }
 
@@ -210,7 +217,8 @@ private SolrZkClient(
     }
     assert ObjectReleaseTracker.track(this);
     if (zkACLProvider == null) {
-      this.zkACLProvider = createZkACLProvider();
+      this.zkACLProvider =
+          useDefaultCredsAndACLs ? createZkACLProvider() : new DefaultZkACLProvider();
     } else {
       this.zkACLProvider = zkACLProvider;
     }
@@ -1134,6 +1142,7 @@ public static class Builder {
     public ZkACLProvider zkACLProvider;
     public IsClosed higherLevelIsClosed;
     public SolrClassLoader solrClassLoader;
+    public boolean useDefaultCredsAndACLs = true;
 
     public Compressor compressor;
 
@@ -1199,6 +1208,11 @@ public Builder withSolrClassLoader(SolrClassLoader solrClassLoader) {
       return this;
     }
 
+    public Builder withUseDefaultCredsAndACLs(boolean useDefaultCredsAndACLs) {
+      this.useDefaultCredsAndACLs = useDefaultCredsAndACLs;
+      return this;
+    }
+
     public SolrZkClient build() {
       return new SolrZkClient(this);
     }
diff --git a/solr/solrj-zookeeper/src/java/org/apache/solr/common/cloud/ZkStateReader.java b/solr/solrj-zookeeper/src/java/org/apache/solr/common/cloud/ZkStateReader.java
index a89b3f8dd60..715d9858195 100644
--- a/solr/solrj-zookeeper/src/java/org/apache/solr/common/cloud/ZkStateReader.java
+++ b/solr/solrj-zookeeper/src/java/org/apache/solr/common/cloud/ZkStateReader.java
@@ -405,11 +405,20 @@ public ZkStateReader(SolrZkClient zkClient, Runnable securityNodeListener) {
   }
 
   public ZkStateReader(String zkServerAddress, int zkClientTimeout, int zkClientConnectTimeout) {
-    this.zkClient =
+    this(zkServerAddress, zkClientTimeout, zkClientConnectTimeout, true);
+  }
+
+  public ZkStateReader(
+      String zkServerAddress,
+      int zkClientTimeout,
+      int zkClientConnectTimeout,
+      boolean canUseZkACLs) {
+    SolrZkClient.Builder builder =
         new SolrZkClient.Builder()
             .withUrl(zkServerAddress)
             .withTimeout(zkClientTimeout, TimeUnit.MILLISECONDS)
             .withConnTimeOut(zkClientConnectTimeout, TimeUnit.MILLISECONDS)
+            .withUseDefaultCredsAndACLs(canUseZkACLs)
             .withReconnectListener(
                 () -> {
                   // on reconnect, reload cloud info
@@ -425,8 +434,8 @@ public ZkStateReader(String zkServerAddress, int zkClientTimeout, int zkClientCo
                     log.error("Interrupted", e);
                     throw new ZooKeeperException(ErrorCode.SERVER_ERROR, "Interrupted", e);
                   }
-                })
-            .build();
+                });
+    this.zkClient = builder.build();
     this.closeClient = true;
     this.securityNodeWatcher = null;
 
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/CloudHttp2SolrClient.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/CloudHttp2SolrClient.java
index d32a8ecbec9..cc3861cc5b5 100644
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/CloudHttp2SolrClient.java
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/CloudHttp2SolrClient.java
@@ -138,6 +138,7 @@ public static class Builder {
     private int parallelCacheRefreshesLocks = 3;
     private int zkConnectTimeout = SolrZkClientTimeout.DEFAULT_ZK_CONNECT_TIMEOUT;
     private int zkClientTimeout = SolrZkClientTimeout.DEFAULT_ZK_CLIENT_TIMEOUT;
+    private boolean canUseZkACLs = true;
 
     /**
      * Provide a series of Solr URLs to be used when configuring {@link CloudHttp2SolrClient}
@@ -189,6 +190,12 @@ public Builder(List<String> zkHosts, Optional<String> zkChroot) {
       if (zkChroot.isPresent()) this.zkChroot = zkChroot.get();
     }
 
+    /** Whether or not to use the default ZK ACLs when building a ZK Client. */
+    public Builder canUseZkACLs(boolean canUseZkACLs) {
+      this.canUseZkACLs = canUseZkACLs;
+      return this;
+    }
+
     /**
      * Tells {@link Builder} that created clients should be configured such that {@link
      * CloudSolrClient#isUpdatesToLeaders} returns <code>true</code>.
@@ -406,7 +413,8 @@ public CloudHttp2SolrClient build() {
           throw new IllegalArgumentException(
               "Both zkHost(s) & solrUrl(s) have been specified. Only specify one.");
         } else if (!zkHosts.isEmpty()) {
-          stateProvider = ClusterStateProvider.newZkClusterStateProvider(zkHosts, zkChroot);
+          stateProvider =
+              ClusterStateProvider.newZkClusterStateProvider(zkHosts, zkChroot, canUseZkACLs);
           if (stateProvider instanceof SolrZkClientTimeoutAware) {
             var timeoutAware = (SolrZkClientTimeoutAware) stateProvider;
             timeoutAware.setZkClientTimeout(zkClientTimeout);
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/CloudLegacySolrClient.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/CloudLegacySolrClient.java
index 3547c652293..e1f3840cfbd 100644
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/CloudLegacySolrClient.java
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/CloudLegacySolrClient.java
@@ -172,6 +172,7 @@ public static class Builder extends SolrClientBuilder<Builder> {
     protected ClusterStateProvider stateProvider;
     private int zkConnectTimeout = SolrZkClientTimeout.DEFAULT_ZK_CONNECT_TIMEOUT;
     private int zkClientTimeout = SolrZkClientTimeout.DEFAULT_ZK_CLIENT_TIMEOUT;
+    private boolean canUseZkACLs = true;
 
     /** Constructor for use by subclasses. This constructor was public prior to version 9.0 */
     protected Builder() {}
@@ -231,6 +232,12 @@ public Builder(List<String> zkHosts, Optional<String> zkChroot) {
       if (zkChroot.isPresent()) this.zkChroot = zkChroot.get();
     }
 
+    /** Whether or not to use the default ZK ACLs when building a ZK Client. */
+    public Builder canUseZkACLs(boolean canUseZkACLs) {
+      this.canUseZkACLs = canUseZkACLs;
+      return this;
+    }
+
     /** Provides a {@link HttpClient} for the builder to use when creating clients. */
     public Builder withLBHttpSolrClientBuilder(LBHttpSolrClient.Builder lbHttpSolrClientBuilder) {
       this.lbClientBuilder = lbHttpSolrClientBuilder;
@@ -371,7 +378,8 @@ public CloudLegacySolrClient build() {
           throw new IllegalArgumentException(
               "Both zkHost(s) & solrUrl(s) have been specified. Only specify one.");
         } else if (!zkHosts.isEmpty()) {
-          this.stateProvider = ClusterStateProvider.newZkClusterStateProvider(zkHosts, zkChroot);
+          this.stateProvider =
+              ClusterStateProvider.newZkClusterStateProvider(zkHosts, zkChroot, canUseZkACLs);
           if (stateProvider instanceof SolrZkClientTimeoutAware) {
             var timeoutAware = (SolrZkClientTimeoutAware) stateProvider;
             timeoutAware.setZkClientTimeout(zkClientTimeout);
diff --git a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/ClusterStateProvider.java b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/ClusterStateProvider.java
index 9673f08e48d..e6b7f2097a4 100644
--- a/solr/solrj/src/java/org/apache/solr/client/solrj/impl/ClusterStateProvider.java
+++ b/solr/solrj/src/java/org/apache/solr/client/solrj/impl/ClusterStateProvider.java
@@ -31,14 +31,14 @@
 public interface ClusterStateProvider extends SolrCloseable {
 
   static ClusterStateProvider newZkClusterStateProvider(
-      Collection<String> zkHosts, String zkChroot) {
+      Collection<String> zkHosts, String zkChroot, boolean canUseZkACLs) {
     // instantiate via reflection so that we don't depend on ZK
     try {
       var constructor =
           Class.forName("org.apache.solr.client.solrj.impl.ZkClientClusterStateProvider")
               .asSubclass(ClusterStateProvider.class)
-              .getConstructor(Collection.class, String.class);
-      return constructor.newInstance(zkHosts, zkChroot);
+              .getConstructor(Collection.class, String.class, Boolean.TYPE);
+      return constructor.newInstance(zkHosts, zkChroot, canUseZkACLs);
     } catch (InvocationTargetException e) {
       if (e.getCause() instanceof RuntimeException) {
         throw (RuntimeException) e.getCause();
diff --git a/solr/solrj/src/test-files/solrj/solr/solr.xml b/solr/solrj/src/test-files/solrj/solr/solr.xml
index c4413d38ce3..81e2e31ac8a 100644
--- a/solr/solrj/src/test-files/solrj/solr/solr.xml
+++ b/solr/solrj/src/test-files/solrj/solr/solr.xml
@@ -41,6 +41,9 @@
     <int name="leaderVoteWait">0</int>
     <int name="distribUpdateConnTimeout">${distribUpdateConnTimeout:45000}</int>
     <int name="distribUpdateSoTimeout">${distribUpdateSoTimeout:340000}</int>
+    <str name="zkCredentialsProvider">${zkCredentialsProvider:org.apache.solr.common.cloud.DefaultZkCredentialsProvider}</str>
+    <str name="zkACLProvider">${zkACLProvider:org.apache.solr.common.cloud.DefaultZkACLProvider}</str>
+    <str name="zkCredentialsInjector">${zkCredentialsInjector:org.apache.solr.common.cloud.DefaultZkCredentialsInjector}</str>
   </solrcloud>
 
 </solr>
diff --git a/solr/test-framework/src/java/org/apache/solr/cloud/MiniSolrCloudCluster.java b/solr/test-framework/src/java/org/apache/solr/cloud/MiniSolrCloudCluster.java
index a8ac4b1ac60..42879306f61 100644
--- a/solr/test-framework/src/java/org/apache/solr/cloud/MiniSolrCloudCluster.java
+++ b/solr/test-framework/src/java/org/apache/solr/cloud/MiniSolrCloudCluster.java
@@ -129,6 +129,7 @@ public class MiniSolrCloudCluster {
           + "    <int name=\"leaderVoteWait\">${leaderVoteWait:10000}</int>\n"
           + "    <int name=\"distribUpdateConnTimeout\">${distribUpdateConnTimeout:45000}</int>\n"
           + "    <int name=\"distribUpdateSoTimeout\">${distribUpdateSoTimeout:340000}</int>\n"
+          + "    <str name=\"zkCredentialsInjector\">${zkCredentialsInjector:org.apache.solr.common.cloud.DefaultZkCredentialsInjector}</str> \n"
           + "    <str name=\"zkCredentialsProvider\">${zkCredentialsProvider:org.apache.solr.common.cloud.DefaultZkCredentialsProvider}</str> \n"
           + "    <str name=\"zkACLProvider\">${zkACLProvider:org.apache.solr.common.cloud.DefaultZkACLProvider}</str> \n"
           + "    <str name=\"pkiHandlerPrivateKeyPath\">${pkiHandlerPrivateKeyPath:"

From 17f8ee445e5e86f9d93852232b832317784e685f Mon Sep 17 00:00:00 2001
From: Justin Sweeney <justinsweeney@fullstory.com>
Date: Fri, 22 Dec 2023 05:29:38 -0700
Subject: [PATCH 20/21] SOLR-17022: Support for glob patterns for fields in
 Export handler, Stream handler and with SelectStream streaming expression
 (#1996)

* Adding support for Glob patterns in Export handler and Select stream handler using the same logic to match glob patterns to fields as is used in select requests
---
 .../solr/handler/export/ExportWriter.java     | 77 +++++++++++--------
 .../apache/solr/search/SolrReturnFields.java  |  5 +-
 .../solr/handler/export/TestExportWriter.java | 37 +++++++++
 .../pages/exporting-result-sets.adoc          |  5 +-
 .../pages/stream-decorator-reference.adoc     |  2 +-
 .../client/solrj/io/stream/SelectStream.java  | 30 +++++++-
 .../StreamExpressionToExpessionTest.java      |  3 +-
 .../solr/common/util/GlobPatternUtil.java     | 37 +++++++++
 .../solr/common/util/TestGlobPatternUtil.java | 33 ++++++++
 9 files changed, 187 insertions(+), 42 deletions(-)
 create mode 100644 solr/solrj/src/java/org/apache/solr/common/util/GlobPatternUtil.java
 create mode 100644 solr/solrj/src/test/org/apache/solr/common/util/TestGlobPatternUtil.java

diff --git a/solr/core/src/java/org/apache/solr/handler/export/ExportWriter.java b/solr/core/src/java/org/apache/solr/handler/export/ExportWriter.java
index 51ba5551b69..e5e40e6d07e 100644
--- a/solr/core/src/java/org/apache/solr/handler/export/ExportWriter.java
+++ b/solr/core/src/java/org/apache/solr/handler/export/ExportWriter.java
@@ -27,6 +27,7 @@
 import java.io.PrintWriter;
 import java.lang.invoke.MethodHandles;
 import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
 import java.util.TreeSet;
@@ -76,6 +77,7 @@
 import org.apache.solr.schema.StrField;
 import org.apache.solr.search.DocValuesIteratorCache;
 import org.apache.solr.search.SolrIndexSearcher;
+import org.apache.solr.search.SolrReturnFields;
 import org.apache.solr.search.SortSpec;
 import org.apache.solr.search.SyntaxError;
 import org.slf4j.Logger;
@@ -121,7 +123,7 @@ public boolean write(
   private int priorityQueueSize;
   StreamExpression streamExpression;
   StreamContext streamContext;
-  FieldWriter[] fieldWriters;
+  List<FieldWriter> fieldWriters;
   int totalHits = 0;
   FixedBitSet[] sets = null;
   PushWriter writer;
@@ -293,7 +295,7 @@ private void _write(OutputStream os) throws IOException {
     }
 
     try {
-      fieldWriters = getFieldWriters(fields, req.getSearcher());
+      fieldWriters = getFieldWriters(fields, req);
     } catch (Exception e) {
       writeException(e, writer, true);
       return;
@@ -473,7 +475,7 @@ void fillOutDocs(MergeIterator mergeIterator, ExportBuffers.Buffer buffer) throw
   }
 
   void writeDoc(
-      SortDoc sortDoc, List<LeafReaderContext> leaves, EntryWriter ew, FieldWriter[] writers)
+      SortDoc sortDoc, List<LeafReaderContext> leaves, EntryWriter ew, List<FieldWriter> writers)
       throws IOException {
     int ord = sortDoc.ord;
     LeafReaderContext context = leaves.get(ord);
@@ -485,82 +487,89 @@ void writeDoc(
     }
   }
 
-  public FieldWriter[] getFieldWriters(String[] fields, SolrIndexSearcher searcher)
+  public List<FieldWriter> getFieldWriters(String[] fields, SolrQueryRequest req)
       throws IOException {
-    IndexSchema schema = searcher.getSchema();
-    FieldWriter[] writers = new FieldWriter[fields.length];
-    DocValuesIteratorCache dvIterCache = new DocValuesIteratorCache(searcher, false);
-    for (int i = 0; i < fields.length; i++) {
-      String field = fields[i];
-      SchemaField schemaField = null;
+    DocValuesIteratorCache dvIterCache = new DocValuesIteratorCache(req.getSearcher(), false);
 
-      try {
-        schemaField = schema.getField(field);
-      } catch (Exception e) {
-        throw new IOException(e);
-      }
+    SolrReturnFields solrReturnFields = new SolrReturnFields(fields, req);
 
+    List<FieldWriter> writers = new ArrayList<>();
+    for (String field : req.getSearcher().getFieldNames()) {
+      if (!solrReturnFields.wantsField(field)) {
+        continue;
+      }
+      SchemaField schemaField = req.getSchema().getField(field);
       if (!schemaField.hasDocValues()) {
         throw new IOException(schemaField + " must have DocValues to use this feature.");
       }
       boolean multiValued = schemaField.multiValued();
       FieldType fieldType = schemaField.getType();
-
-      if (fieldType instanceof SortableTextField && schemaField.useDocValuesAsStored() == false) {
-        throw new IOException(
-            schemaField + " Must have useDocValuesAsStored='true' to be used with export writer");
+      FieldWriter writer;
+
+      if (fieldType instanceof SortableTextField && !schemaField.useDocValuesAsStored()) {
+        if (solrReturnFields.getRequestedFieldNames() != null
+            && solrReturnFields.getRequestedFieldNames().contains(field)) {
+          // Explicitly requested field cannot be used due to not having useDocValuesAsStored=true,
+          // throw exception
+          throw new IOException(
+              schemaField + " Must have useDocValuesAsStored='true' to be used with export writer");
+        } else {
+          // Glob pattern matched field cannot be used due to not having useDocValuesAsStored=true
+          continue;
+        }
       }
 
       DocValuesIteratorCache.FieldDocValuesSupplier docValuesCache = dvIterCache.getSupplier(field);
 
       if (docValuesCache == null) {
-        writers[i] = EMPTY_FIELD_WRITER;
+        writer = EMPTY_FIELD_WRITER;
       } else if (fieldType instanceof IntValueFieldType) {
         if (multiValued) {
-          writers[i] = new MultiFieldWriter(field, fieldType, schemaField, true, docValuesCache);
+          writer = new MultiFieldWriter(field, fieldType, schemaField, true, docValuesCache);
         } else {
-          writers[i] = new IntFieldWriter(field, docValuesCache);
+          writer = new IntFieldWriter(field, docValuesCache);
         }
       } else if (fieldType instanceof LongValueFieldType) {
         if (multiValued) {
-          writers[i] = new MultiFieldWriter(field, fieldType, schemaField, true, docValuesCache);
+          writer = new MultiFieldWriter(field, fieldType, schemaField, true, docValuesCache);
         } else {
-          writers[i] = new LongFieldWriter(field, docValuesCache);
+          writer = new LongFieldWriter(field, docValuesCache);
         }
       } else if (fieldType instanceof FloatValueFieldType) {
         if (multiValued) {
-          writers[i] = new MultiFieldWriter(field, fieldType, schemaField, true, docValuesCache);
+          writer = new MultiFieldWriter(field, fieldType, schemaField, true, docValuesCache);
         } else {
-          writers[i] = new FloatFieldWriter(field, docValuesCache);
+          writer = new FloatFieldWriter(field, docValuesCache);
         }
       } else if (fieldType instanceof DoubleValueFieldType) {
         if (multiValued) {
-          writers[i] = new MultiFieldWriter(field, fieldType, schemaField, true, docValuesCache);
+          writer = new MultiFieldWriter(field, fieldType, schemaField, true, docValuesCache);
         } else {
-          writers[i] = new DoubleFieldWriter(field, docValuesCache);
+          writer = new DoubleFieldWriter(field, docValuesCache);
         }
       } else if (fieldType instanceof StrField || fieldType instanceof SortableTextField) {
         if (multiValued) {
-          writers[i] = new MultiFieldWriter(field, fieldType, schemaField, false, docValuesCache);
+          writer = new MultiFieldWriter(field, fieldType, schemaField, false, docValuesCache);
         } else {
-          writers[i] = new StringFieldWriter(field, fieldType, docValuesCache);
+          writer = new StringFieldWriter(field, fieldType, docValuesCache);
         }
       } else if (fieldType instanceof DateValueFieldType) {
         if (multiValued) {
-          writers[i] = new MultiFieldWriter(field, fieldType, schemaField, false, docValuesCache);
+          writer = new MultiFieldWriter(field, fieldType, schemaField, false, docValuesCache);
         } else {
-          writers[i] = new DateFieldWriter(field, docValuesCache);
+          writer = new DateFieldWriter(field, docValuesCache);
         }
       } else if (fieldType instanceof BoolField) {
         if (multiValued) {
-          writers[i] = new MultiFieldWriter(field, fieldType, schemaField, true, docValuesCache);
+          writer = new MultiFieldWriter(field, fieldType, schemaField, true, docValuesCache);
         } else {
-          writers[i] = new BoolFieldWriter(field, fieldType, docValuesCache);
+          writer = new BoolFieldWriter(field, fieldType, docValuesCache);
         }
       } else {
         throw new IOException(
             "Export fields must be one of the following types: int,float,long,double,string,date,boolean,SortableText");
       }
+      writers.add(writer);
     }
     return writers;
   }
diff --git a/solr/core/src/java/org/apache/solr/search/SolrReturnFields.java b/solr/core/src/java/org/apache/solr/search/SolrReturnFields.java
index 7d0583ce63a..af35245af15 100644
--- a/solr/core/src/java/org/apache/solr/search/SolrReturnFields.java
+++ b/solr/core/src/java/org/apache/solr/search/SolrReturnFields.java
@@ -28,7 +28,6 @@
 import java.util.Map;
 import java.util.Set;
 import java.util.function.Supplier;
-import org.apache.commons.io.FilenameUtils;
 import org.apache.lucene.queries.function.FunctionQuery;
 import org.apache.lucene.queries.function.ValueSource;
 import org.apache.lucene.queries.function.valuesource.QueryValueSource;
@@ -37,6 +36,7 @@
 import org.apache.solr.common.params.CommonParams;
 import org.apache.solr.common.params.ModifiableSolrParams;
 import org.apache.solr.common.params.SolrParams;
+import org.apache.solr.common.util.GlobPatternUtil;
 import org.apache.solr.request.SolrQueryRequest;
 import org.apache.solr.response.transform.DocTransformer;
 import org.apache.solr.response.transform.DocTransformers;
@@ -577,8 +577,7 @@ public boolean wantsField(String name) {
       return true;
     }
     for (String s : globs) {
-      // TODO something better?
-      if (FilenameUtils.wildcardMatch(name, s)) {
+      if (GlobPatternUtil.matches(s, name)) {
         okFieldNames.add(name); // Don't calculate it again
         return true;
       }
diff --git a/solr/core/src/test/org/apache/solr/handler/export/TestExportWriter.java b/solr/core/src/test/org/apache/solr/handler/export/TestExportWriter.java
index 8337609faf9..e37f26efc94 100644
--- a/solr/core/src/test/org/apache/solr/handler/export/TestExportWriter.java
+++ b/solr/core/src/test/org/apache/solr/handler/export/TestExportWriter.java
@@ -1298,6 +1298,43 @@ public void testExpr() throws Exception {
             .contains("Must have useDocValuesAsStored='true'"));
   }
 
+  @Test
+  public void testGlobFields() throws Exception {
+    assertU(delQ("*:*"));
+    assertU(commit());
+    createLargeIndex();
+    SolrQueryRequest req =
+        req("q", "*:*", "qt", "/export", "fl", "id,*_udvas,*_i_p", "sort", "id asc");
+    assertJQ(
+        req,
+        "response/numFound==100000",
+        "response/docs/[0]/id=='0'",
+        "response/docs/[1]/id=='1'",
+        "response/docs/[0]/sortabledv_udvas=='0'",
+        "response/docs/[1]/sortabledv_udvas=='1'",
+        "response/docs/[0]/small_i_p==0",
+        "response/docs/[1]/small_i_p==1");
+
+    assertU(delQ("*:*"));
+    assertU(commit());
+    createLargeIndex();
+    req = req("q", "*:*", "qt", "/export", "fl", "*", "sort", "id asc");
+    assertJQ(
+        req,
+        "response/numFound==100000",
+        "response/docs/[0]/id=='0'",
+        "response/docs/[1]/id=='1'",
+        "response/docs/[0]/sortabledv_udvas=='0'",
+        "response/docs/[1]/sortabledv_udvas=='1'",
+        "response/docs/[0]/small_i_p==0",
+        "response/docs/[1]/small_i_p==1");
+
+    String jq = JQ(req);
+    assertFalse(
+        "Fields without docvalues and useDocValuesAsStored should not be returned",
+        jq.contains("\"sortabledv\""));
+  }
+
   @SuppressWarnings("rawtypes")
   private void validateSort(int numDocs) throws Exception {
     // 10 fields
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/exporting-result-sets.adoc b/solr/solr-ref-guide/modules/query-guide/pages/exporting-result-sets.adoc
index 28c395daa46..bbd31c7b358 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/exporting-result-sets.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/exporting-result-sets.adoc
@@ -70,7 +70,10 @@ It can get worse otherwise.
 The `fl` property defines the fields that will be exported with the result set.
 Any of the field types that can be sorted (i.e., int, long, float, double, string, date, boolean) can be used in the field list.
 The fields can be single or multi-valued.
-However, returning scores and wildcards are not supported at this time.
+
+Wildcard patterns can be used for the field list (e.g. `fl=*_i`) and will be expanded to the list of fields that match the pattern and are able to be exported, see <<Field Requirements>>.
+
+Returning scores is not supported at this time.
 
 === Specifying the Local Streaming Expression
 
diff --git a/solr/solr-ref-guide/modules/query-guide/pages/stream-decorator-reference.adoc b/solr/solr-ref-guide/modules/query-guide/pages/stream-decorator-reference.adoc
index d5e25ba98fa..28a570ffae4 100644
--- a/solr/solr-ref-guide/modules/query-guide/pages/stream-decorator-reference.adoc
+++ b/solr/solr-ref-guide/modules/query-guide/pages/stream-decorator-reference.adoc
@@ -1376,7 +1376,7 @@ One can provide a list of operations and evaluators to perform on any fields, su
 === select Parameters
 
 * `StreamExpression`
-* `fieldName`: name of field to include in the output tuple (can include multiple of these), such as `outputTuple[fieldName] = inputTuple[fieldName]`
+* `fieldName`: name of field to include in the output tuple (can include multiple of these), such as `outputTuple[fieldName] = inputTuple[fieldName]`. The `fieldName` can be a wildcard pattern, e.g. `a_*` to select all fields that start with `a_`.
 * `fieldName as aliasFieldName`: aliased field name to include in the output tuple (can include multiple of these), such as `outputTuple[aliasFieldName] = incomingTuple[fieldName]`
 * `replace(fieldName, value, withValue=replacementValue)`: if `incomingTuple[fieldName] == value` then `outgoingTuple[fieldName]` will be set to `replacementValue`.
 `value` can be the string "null" to replace a null value with some other value.
diff --git a/solr/solrj-streaming/src/java/org/apache/solr/client/solrj/io/stream/SelectStream.java b/solr/solrj-streaming/src/java/org/apache/solr/client/solrj/io/stream/SelectStream.java
index 80219e797bb..647a1c59d4c 100644
--- a/solr/solrj-streaming/src/java/org/apache/solr/client/solrj/io/stream/SelectStream.java
+++ b/solr/solrj-streaming/src/java/org/apache/solr/client/solrj/io/stream/SelectStream.java
@@ -38,6 +38,7 @@
 import org.apache.solr.client.solrj.io.stream.expr.StreamExpressionParser;
 import org.apache.solr.client.solrj.io.stream.expr.StreamExpressionValue;
 import org.apache.solr.client.solrj.io.stream.expr.StreamFactory;
+import org.apache.solr.common.util.GlobPatternUtil;
 
 /**
  * Selects fields from the incoming stream and applies optional field renaming. Does not reorder the
@@ -52,14 +53,21 @@ public class SelectStream extends TupleStream implements Expressible {
   private TupleStream stream;
   private StreamContext streamContext;
   private Map<String, String> selectedFields;
+  private List<String> selectedFieldGlobPatterns;
   private Map<StreamEvaluator, String> selectedEvaluators;
   private List<StreamOperation> operations;
 
   public SelectStream(TupleStream stream, List<String> selectedFields) throws IOException {
     this.stream = stream;
     this.selectedFields = new HashMap<>();
+    this.selectedFieldGlobPatterns = new ArrayList<>();
     for (String selectedField : selectedFields) {
-      this.selectedFields.put(selectedField, selectedField);
+      if (selectedField.contains("*")) {
+        // selected field is a glob pattern
+        this.selectedFieldGlobPatterns.add(selectedField);
+      } else {
+        this.selectedFields.put(selectedField, selectedField);
+      }
     }
     operations = new ArrayList<>();
     selectedEvaluators = new LinkedHashMap<>();
@@ -68,6 +76,7 @@ public SelectStream(TupleStream stream, List<String> selectedFields) throws IOEx
   public SelectStream(TupleStream stream, Map<String, String> selectedFields) throws IOException {
     this.stream = stream;
     this.selectedFields = selectedFields;
+    selectedFieldGlobPatterns = new ArrayList<>();
     operations = new ArrayList<>();
     selectedEvaluators = new LinkedHashMap<>();
   }
@@ -123,6 +132,7 @@ public SelectStream(StreamExpression expression, StreamFactory factory) throws I
     stream = factory.constructStream(streamExpressions.get(0));
 
     selectedFields = new HashMap<>();
+    selectedFieldGlobPatterns = new ArrayList<>();
     selectedEvaluators = new LinkedHashMap<>();
     for (StreamExpressionParameter parameter : selectAsFieldsExpressions) {
       StreamExpressionValue selectField = (StreamExpressionValue) parameter;
@@ -175,7 +185,11 @@ public SelectStream(StreamExpression expression, StreamFactory factory) throws I
           selectedFields.put(asValue, asName);
         }
       } else {
-        selectedFields.put(value, value);
+        if (value.contains("*")) {
+          selectedFieldGlobPatterns.add(value);
+        } else {
+          selectedFields.put(value, value);
+        }
       }
     }
 
@@ -217,6 +231,11 @@ private StreamExpression toExpression(StreamFactory factory, boolean includeStre
       }
     }
 
+    // selected glob patterns
+    for (String selectFieldGlobPattern : selectedFieldGlobPatterns) {
+      expression.addParameter(selectFieldGlobPattern);
+    }
+
     // selected evaluators
     for (Map.Entry<StreamEvaluator, String> selectedEvaluator : selectedEvaluators.entrySet()) {
       expression.addParameter(
@@ -308,6 +327,13 @@ public Tuple read() throws IOException {
       workingForEvaluators.put(fieldName, original.get(fieldName));
       if (selectedFields.containsKey(fieldName)) {
         workingToReturn.put(selectedFields.get(fieldName), original.get(fieldName));
+      } else {
+        for (String globPattern : selectedFieldGlobPatterns) {
+          if (GlobPatternUtil.matches(globPattern, fieldName)) {
+            workingToReturn.put(fieldName, original.get(fieldName));
+            break;
+          }
+        }
       }
     }
 
diff --git a/solr/solrj-streaming/src/test/org/apache/solr/client/solrj/io/stream/StreamExpressionToExpessionTest.java b/solr/solrj-streaming/src/test/org/apache/solr/client/solrj/io/stream/StreamExpressionToExpessionTest.java
index 4069b671b32..2c941f142d7 100644
--- a/solr/solrj-streaming/src/test/org/apache/solr/client/solrj/io/stream/StreamExpressionToExpessionTest.java
+++ b/solr/solrj-streaming/src/test/org/apache/solr/client/solrj/io/stream/StreamExpressionToExpessionTest.java
@@ -105,7 +105,7 @@ public void testSelectStream() throws Exception {
     try (SelectStream stream =
         new SelectStream(
             StreamExpressionParser.parse(
-                "select(\"a_s as fieldA\", search(collection1, q=*:*, fl=\"id,a_s,a_i,a_f\", sort=\"a_f asc, a_i asc\"))"),
+                "select(\"a_s as fieldA\", a_*, search(collection1, q=*:*, fl=\"id,a_s,a_i,a_f\", sort=\"a_f asc, a_i asc\"))"),
             factory)) {
       expressionString = stream.toExpression(factory).toString();
       assertTrue(expressionString.contains("select(search(collection1,"));
@@ -113,6 +113,7 @@ public void testSelectStream() throws Exception {
       assertTrue(expressionString.contains("fl=\"id,a_s,a_i,a_f\""));
       assertTrue(expressionString.contains("sort=\"a_f asc, a_i asc\""));
       assertTrue(expressionString.contains("a_s as fieldA"));
+      assertTrue(expressionString.contains("a_*"));
     }
   }
 
diff --git a/solr/solrj/src/java/org/apache/solr/common/util/GlobPatternUtil.java b/solr/solrj/src/java/org/apache/solr/common/util/GlobPatternUtil.java
new file mode 100644
index 00000000000..8b26ab5a355
--- /dev/null
+++ b/solr/solrj/src/java/org/apache/solr/common/util/GlobPatternUtil.java
@@ -0,0 +1,37 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.common.util;
+
+import java.nio.file.FileSystems;
+import java.nio.file.Paths;
+
+/** Provides methods for matching glob patterns against input strings. */
+public class GlobPatternUtil {
+
+  /**
+   * Matches an input string against a provided glob patterns. This uses Java NIO FileSystems
+   * PathMatcher to match glob patterns in the same way to how glob patterns are matches for file
+   * paths, rather than implementing our own glob pattern matching.
+   *
+   * @param pattern the glob pattern to match against
+   * @param input the input string to match against a glob pattern
+   * @return true if the input string matches the glob pattern, false otherwise
+   */
+  public static boolean matches(String pattern, String input) {
+    return FileSystems.getDefault().getPathMatcher("glob:" + pattern).matches(Paths.get(input));
+  }
+}
diff --git a/solr/solrj/src/test/org/apache/solr/common/util/TestGlobPatternUtil.java b/solr/solrj/src/test/org/apache/solr/common/util/TestGlobPatternUtil.java
new file mode 100644
index 00000000000..a5bdcad92fa
--- /dev/null
+++ b/solr/solrj/src/test/org/apache/solr/common/util/TestGlobPatternUtil.java
@@ -0,0 +1,33 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.solr.common.util;
+
+import org.apache.solr.SolrTestCase;
+
+public class TestGlobPatternUtil extends SolrTestCase {
+
+  public void testMatches() {
+    assertTrue(GlobPatternUtil.matches("*_str", "user_str"));
+    assertFalse(GlobPatternUtil.matches("*_str", "str_user"));
+    assertTrue(GlobPatternUtil.matches("str_*", "str_user"));
+    assertFalse(GlobPatternUtil.matches("str_*", "user_str"));
+    assertTrue(GlobPatternUtil.matches("str?", "str1"));
+    assertFalse(GlobPatternUtil.matches("str?", "str_user"));
+    assertTrue(GlobPatternUtil.matches("user_*_str", "user_type_str"));
+    assertFalse(GlobPatternUtil.matches("user_*_str", "user_str"));
+  }
+}

From a04ec07eadf72a5957d1f159f77f36a2c7b990ee Mon Sep 17 00:00:00 2001
From: Vincent P <vincent.primault@gmail.com>
Date: Sat, 23 Dec 2023 07:15:05 +0100
Subject: [PATCH 21/21] SOLR-17094: Close ObjectCache when closing
 CoreContainer (#2166)

Co-authored-by: Vincent Primault <vprimault@salesforce.com>
---
 solr/core/src/java/org/apache/solr/core/CoreContainer.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/solr/core/src/java/org/apache/solr/core/CoreContainer.java b/solr/core/src/java/org/apache/solr/core/CoreContainer.java
index 1514aafe2ee..ce5e05b2657 100644
--- a/solr/core/src/java/org/apache/solr/core/CoreContainer.java
+++ b/solr/core/src/java/org/apache/solr/core/CoreContainer.java
@@ -1299,7 +1299,11 @@ public void shutdown() {
         }
       }
 
-      objectCache.clear();
+      try {
+        objectCache.close();
+      } catch (IOException e) {
+        log.warn("Exception while closing ObjectCache.", e);
+      }
 
       // It's still possible that one of the pending dynamic load operation is waiting, so wake it
       // up if so. Since all the pending operations queues have been drained, there should be