[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14661364#comment-14661364 ]

Shalin Shekhar Mangar commented on SOLR-7896:
---------------------------------------------

bq. SSL should be enabled by default.

I disagree. We have the option. People who need it can use it. We also have 
Kerberos support, so you can use that too along with SSL if you're really 
paranoid about security.

bq. It's all well and good to say that users shouldn't do things, but they're 
being done, and the code needs to be written to account for real-world use, not 
some hypothetical ideal that doesn't exist.

Yeah, which is why we are building some support for security. But enabling it 
by default requires a lot of education for new users. We need to balance 
between the two. Perhaps some of this can be done via documentation? For 
example, we can link to the guides on SSL/Kerberos/BasicAuth on the "Taking 
Solr to Production" page?

https://cwiki.apache.org/confluence/display/solr/Taking+Solr+to+Production

bq. Also, I would love for Solr to just be exposed exclusively on my server's 
internal IP address(es)--but I have no idea how to do that. 

You can do that by setting the "SOLR_HOST" property to the internal hostname or 
IP address in solr.in.{sh,cmd}. The problem with doing that from the admin web 
interface is:
# Solr has already started and bound to a port by then so reconfiguring from 
the UI is a bit difficult
# We don't have enough people contributing to the admin UI sadly so 
contributions are hard to come by. That being said, we have a new committer 
(Upayavira) who is working on improving the UI these days, so there's still 
hope :)

> Solr Administrative Interface Lacks Password Protection
> -------------------------------------------------------
>
>                 Key: SOLR-7896
>                 URL: https://issues.apache.org/jira/browse/SOLR-7896
>             Project: Solr
>          Issue Type: Bug
>          Components: security, web gui
>    Affects Versions: 5.2.1
>            Reporter: Aaron Greenspan
>            Priority: Critical
>
> Out of the box, the Solr interface should require an administrative password 
> that the user is required to set. Apparently there are ways of configuring 
> Jetty to do this with HTTP AUTH or whatever. I'm a moderately experienced 
> Linux admin and a programmer; I've tried, numerous times, and I've not once 
> been able to get it to work. The point is this, though:
> *No one should have to try to get their Solr instance to support password 
> authentication and preferably SSL (even if it's just with a self-signed 
> certificate). Solr is designed to store huge amounts of data and is therefore 
> a likely target for malicious users.*
> This needs to be addressed! It's 2015 and Solr is on version 5!

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)