[ https://issues.apache.org/jira/browse/SOLR-13972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16988869#comment-16988869 ]

Jason Gerlowski commented on SOLR-13972:
----------------------------------------

I've taken a quick stab at this.  It's not ready to go yet (see below), but 
it's enough that people can give feedback on the wording if anyone cares.

If Solr is started without any auth (according to {{solr.in.sh}} env vars), the 
following message is displayed:

{code}
*** [WARN] *** Solr has no authentication enabled.  If you intend to expose Solr directly to users,
 consider enabling authentication with a command such as: 
  bin/solr auth enable -type basicAuth -credentials firstUser:firstUserPass -blockUnknown true
 Run 'bin/solr auth --help' for more authentication options
{code}

If auth is enabled but SSL is off, this warning is displayed:
{code}
*** [WARN] *** Solr authentication is enabled, but SSL is off.  Credentials sent to Solr will be unencrypted
 If Solr is not in a secured network, consider enabling SSL to protect request credentials and user data.
{code}

----

Right now these messages are printed to stdout and are implemented in 
{{bin/solr}}.

There's a slight problem with this - SolrCloud can start up and use auth without 
any of the auth-related vars set in {{solr.in.sh}}.  We could move the warning 
into Java-land (where it can read security.json) and have it still go to 
stdout, but it might appear after the "Happy searching!" message or collide 
with it.  We could also move the warning into Java-land and have it go to 
{{solr.log}}, but that's less visible.

Need to think about it a little bit.

> Insecure Solr should generate startup warning
> ---------------------------------------------
>
>                 Key: SOLR-13972
>                 URL: https://issues.apache.org/jira/browse/SOLR-13972
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Ishan Chattopadhyaya
>            Priority: Critical
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Warning to the effect of, start Solr with: "solr auth enable -credentials 
> solr:foo -blockUnknown true" (or some other way to achieve the same effect) 
> if you want to expose this Solr instance directly to users. Maybe the link to 
> the ref guide discussing all this might be in good measure here.
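
The env-var check described in the comment above, sketched as an added example (not code from the issue or from Solr's {{bin/solr}}). It assumes the {{solr.in.sh}} variables SOLR_AUTH_TYPE, SOLR_AUTHENTICATION_OPTS, SOLR_SSL_ENABLED, SOLR_SSL_KEY_STORE and ZK_HOST; the function names and posture labels are hypothetical. It reports "unknown" rather than "no-auth" when ZK_HOST is set, since auth may then live only in security.json.

```shell
#!/usr/bin/env bash
# Added example: classify the startup posture from solr.in.sh-style variables.
# Function names and posture labels are hypothetical, not Solr's.

# Echo one of: no-auth | auth-no-ssl | ok | unknown
solr_security_posture() {
  local auth=false ssl=false
  if [ -n "${SOLR_AUTH_TYPE:-}" ] || [ -n "${SOLR_AUTHENTICATION_OPTS:-}" ]; then
    auth=true
  fi
  # Assumption: an explicit SOLR_SSL_ENABLED wins; otherwise a keystore implies SSL.
  if [ "${SOLR_SSL_ENABLED:-}" = "true" ]; then
    ssl=true
  elif [ -z "${SOLR_SSL_ENABLED:-}" ] && [ -n "${SOLR_SSL_KEY_STORE:-}" ]; then
    ssl=true
  fi
  if [ "$auth" = false ] && [ -n "${ZK_HOST:-}" ]; then
    # SolrCloud: auth may be defined only in security.json in ZooKeeper,
    # which these variables cannot reveal, so do not claim "no auth".
    echo unknown
  elif [ "$auth" = false ]; then
    echo no-auth
  elif [ "$ssl" = false ]; then
    echo auth-no-ssl
  else
    echo ok
  fi
}

# Print the warning text from the comment to stdout; silent for ok/unknown.
solr_print_security_warning() {
  case "$(solr_security_posture)" in
    no-auth) cat <<'EOF'
*** [WARN] *** Solr has no authentication enabled.  If you intend to expose Solr directly to users,
 consider enabling authentication with a command such as:
  bin/solr auth enable -type basicAuth -credentials firstUser:firstUserPass -blockUnknown true
 Run 'bin/solr auth --help' for more authentication options
EOF
      ;;
    auth-no-ssl) cat <<'EOF'
*** [WARN] *** Solr authentication is enabled, but SSL is off.  Credentials sent to Solr will be unencrypted
 If Solr is not in a secured network, consider enabling SSL to protect request credentials and user data.
EOF
      ;;
  esac
}

# Constructed demo: auth configured, SSL explicitly off.
( SOLR_AUTH_TYPE=basic SOLR_SSL_ENABLED=false; solr_print_security_warning )
```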


