[
https://issues.apache.org/jira/browse/SOLR-7207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14356672#comment-14356672
]
Jan Høydahl commented on SOLR-7207:
-----------------------------------
More questions about the PKI solution.
A) The project aims to support most Solr actions through the Admin UI. How can
the PKI based solution be wired so that an OPS-user with his public key stored
in Solr/ZK can e.g. delete a core or upload documents, while others cannot?
B) OPS personnel use curl or in-house tools for various Solr management tasks.
If those are not an option anymore, won't people request PKI aware CLI tooling
for all our APIs?
C) Some users need to authenticate queries as well, so user A can only query
collection A and user B can only query collection B. Do you see the PKI
solution as extendable to SEARCH operations in the future? Or would that
require queries to be POSTed too?
> Securing operations in Solr
> ---------------------------
>
> Key: SOLR-7207
> URL: https://issues.apache.org/jira/browse/SOLR-7207
> Project: Solr
> Issue Type: New Feature
> Reporter: Noble Paul
>
> Historically, Solr has always stayed away from securing any operations and we
> even allow GET operation on an HTTP end point to manipulate almost anything
> inside a Solr cluster
> We can categorize the operations such as
> * Loading executable (runtime jars) SOLR-7126
> * conf files SOLR-6736
> * schema API
> * config API
> * collections API
> * /update/* operation to any collection
> SOLR-7126 has solved this problem using PKI where the public keys can be
> uploaded to {{/keys/exe}} and all jars loaded are verified using one of the
> public keys.
> A similar scheme can be used for other operations as well. We can add keys to
> other directories and use them to verify other operations. The only catch is
> , that we will need to send all the payload via POST
> The advantage of this scheme is that Solr does not need to manage any
> credentials or take care of storing anything secretly. It just needs a few
> public keys to be stored in ZK and security will kick in automatically.
> External solutions can build on top of these and provide authentication etc
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
