On 11/6/2014 5:56 AM, Prasanth Gangaraju wrote:
> I do realise Solr doesn't concern itself with access control as stated
> in the wiki page, but I think a general warning message in the admin
> page if the server is publicly accessible will help. Also, it would be
> nice if one of the developers can send a passive email to the users list
> telling them to lock up their solr setup.

I think it's a good idea for the Solr dashboard to include a message
about publicly-accessible Solr servers.

If Stefan thinks this is a good idea, I'm not sure exactly how it should
be worded.  Maybe something like this:

"A Solr server that can be accessed by the public is a major security
hazard.  The best option is to keep it behind a firewall that does not
allow the public to reach it at all.  Securing a publicly accessible
Solr server is not a trivial task, and must be accomplished with
third-party software."

The problem with an email telling users how to secure their Solr server
is simply that Solr itself has no mechanisms for security, and we have
no idea what servlet container the user is running under.  Solr does not
control its own network layer.

We do have plans to eliminate the separate servlet container and put
Solr in charge of its own network layer, which would allow Solr itself
to control security.  That is likely to happen first in a 6.0-SNAPSHOT
version, and if it proves to be stable, may be backported to a future
5.x release as an alternate build target.

Thanks,
Shawn
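As an added example illustrating the point above (that Solr inherits whatever network exposure its servlet container gives it, so the first check is where the listener is bound), here is a small audit helper. It is not code from this thread or from the Solr project. It assumes `ss -ltnp` style listener output and Solr's default port 8983 (both assumptions; other ports can be passed in), and the sample output below is constructed, not captured from a real host.

```python
"""Audit helper: flag Solr listeners bound to non-loopback interfaces.

Added example for the thread above; not part of the Solr project.
Assumptions: input is `ss -ltnp` style output (Linux), and Solr listens
on 8983 unless other ports are given.
"""
import ipaddress
import re
import subprocess

# Constructed sample in `ss -ltnp` layout (not from a real machine).
# 8983 is wide open on IPv4, 8984 is loopback-only, 8985 is wide open on IPv6.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      50     0.0.0.0:8983        0.0.0.0:*         users:(("java",pid=1234,fd=12))
LISTEN 0      50     127.0.0.1:8984      0.0.0.0:*         users:(("java",pid=1235,fd=12))
LISTEN 0      50     [::]:8985           [::]:*            users:(("java",pid=1236,fd=12))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=1,fd=3))
"""

# One LISTEN row: state, recv-q, send-q, then "addr:port" (addr may be bracketed IPv6).
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s")


def parse_listeners(ss_output):
    """Yield (address, port, raw_line) for every LISTEN row in ss output."""
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # header line or non-LISTEN row
        addr = m.group("addr").strip("[]")  # "[::]" -> "::"
        yield addr, int(m.group("port")), line


def is_public_binding(addr):
    """True when a bind address can be reached from outside the host.

    Loopback addresses are the only ones treated as private; the wildcard
    forms ("0.0.0.0", "::", "*") and anything unparseable are treated as
    public, so the check errs toward warning rather than staying silent.
    """
    if addr == "*":
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True


def audit_solr_listeners(ss_output, solr_ports=(8983,)):
    """Return one warning string per Solr port bound on a non-loopback address."""
    warnings = []
    for addr, port, _line in parse_listeners(ss_output):
        if port in solr_ports and is_public_binding(addr):
            warnings.append(
                f"Solr port {port} bound to {addr}: reachable from the network; "
                "bind it to loopback or place it behind a firewall"
            )
    return warnings


if __name__ == "__main__":
    # Live run on the local host (Linux with iproute2); falls back to the sample.
    try:
        output = subprocess.run(["ss", "-ltnp"], capture_output=True,
                                text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_SS_OUTPUT
    for warning in audit_solr_listeners(output) or ["no publicly bound Solr listener found"]:
        print(warning)
```

The helper deliberately treats only loopback as safe: a Solr bound to a LAN address is still reachable by anyone on that network, which is exactly the exposure the proposed dashboard warning is meant to surface. On the constructed sample it reports 8983 and, when 8985 is included in `solr_ports`, the IPv6 wildcard as well, while the loopback-only 8984 is silent.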

