[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16419519#comment-16419519 ]

Gus Heck commented on SOLR-7896:
--------------------------------

[~thinkcomp] While this could be implemented, permanent key systems are not 
very secure. If the key is lifted (i.e. from browser dev tools) by someone 
nefarious (think disgruntled employee for example, or code bug exposing the key 
on a request), your server is forever compromised. Unless you have some 
protocol for regenerating the key regularly, and then getting that out to the 
clients that *should* have it, you're hosed. I for one wouldn't want to invest 
time in building something like that as it will be eschewed by anyone truly 
serious about security.

Also as you point out roles are likely to be desirable. But I think we are in 
danger of mixing two things here... Authentication and Authorization. My read 
of the original ticket is that this was about adding an Authentication check 
only, and only for a single admin user. A separate issue designing a fine 
grained permission-role-user mapping system should be filed if authorization 
beyond all or nothing is desired.

The initial password setting routine however sounds good. Perhaps all requests 
to api or UI should get redirected to the password setting page when solr is 
started with passworded admin enabled.
> Add a login page for Solr Administrative Interface
> --------------------------------------------------
>
>                 Key: SOLR-7896
>                 URL: https://issues.apache.org/jira/browse/SOLR-7896
>             Project: Solr
>          Issue Type: New Feature
>          Components: Admin UI, security
>    Affects Versions: 5.2.1
>            Reporter: Aaron Greenspan
>            Priority: Major
>              Labels: authentication, login, password
>
> Out of the box, the Solr Administrative interface should require a password 
> that the user is required to set.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)