[ https://issues.apache.org/jira/browse/SOLR-14014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16989623#comment-16989623 ]
Jan Høydahl commented on SOLR-14014:
------------------------------------

{quote}Having the convenience of the admin UI has led us to neglect our APIs.{quote}

That's a simplification and no excuse for designing bad APIs, but I get your point that you don't feel the pain of awkward APIs every day if you always just use the UI. But it is anyway not an argument to remove the UI. Remember where we came from with JSP and no APIs - the only way to do certain things was through inline Java code in those JSPs (yuck!).

I support the idea of a way to disable Admin UI for those that do not use it anyway. I think too that something like {{-DenableAdminUI=false}} is a better value. Also there should be no reason to disable it by default. The presence of the UI is no threat in itself, it is in the moment an Admin person loads it and becomes victim of XSS, clicks a link etc that it can hurt the Solr server.

My proposal is thus to educate the user through the AdminUI itself by adding a big fat INFO message on top of the dashboard that everyone will see. The message will be something like this:

{noformat}
IMPORTANT NOTICE

This is the Solr Administrative interface. It is an HTML5 application running in your browser. It talks to the Apache Solr server using HTTP calls, just as any other client. The UI gives great power, and can open up new security threats such as XSS attacks, if you as an administrator are not very careful when using it. Please read our recommendations in the Reference Guide <link> on what precautions to take. The most important are:

* Require some form of authentication to Solr
* Use a separate web browser for Solr, do not load other web sites in other tabs
* Log out when you are done
* Keep up to date on CVE vulnerabilities and keep Solr updated <link>

If you do not need the Admin UI, it can be disabled by starting Solr with the System property -DenableAdminUI=false.

WARNING: Your Solr instance is not protected by Authentication. <link>
WARNING: Your Solr instance does not use SSL. <link>
WARNING: Your Solr instance allows config edit through REST API <link>
WARNING: There is a newer version of Solr available, consider upgrading <link>

[Learn more about securing Solr] [Dismiss. We'll set a cookie and not show this again]
{noformat}

This would probably be a better channel to reach out to Admins than both the Ref-guide, mailing list and the Web page combined :)

> Allow Solr to start with Admin UI disabled
> ------------------------------------------
>
>                 Key: SOLR-14014
>                 URL: https://issues.apache.org/jira/browse/SOLR-14014
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public)
>          Components: Admin UI, security
>    Affects Versions: master (9.0), 8.3.1
>            Reporter: Jason Gerlowski
>            Priority: Major
>
> Currently Solr always runs the Admin UI. With the history of XSS issues and
> other security concerns that have been found in the Admin UI, Solr should
> offer a mode where the Admin UI is disabled. Maybe, and this is a topic
> that'll need some serious discussion, this should even be the default when
> Solr starts.
>
> NOTE: Disabling the Admin UI removes XSS and other attack vectors. But even
> with the Admin UI disabled, Solr will still be inherently unsafe without
> firewall protection on a public network.
>
> *Proposed design:*
>
> A java system property called *headless* will be used as an internal flag for
> starting Solr in headless mode. This property will default to true. A java
> property can be used at startup to set this flag to false.
>
> Here is an example:
>
> {code:java}
> bin/solr start -Dheadless=false
> {code}
>
> A message will be added following startup describing the mode.
>
> In headless mode the following message will be displayed:
>
> "solr is running in headless mode. The admin console is unavailable. To
> turn off headless mode and allow the admin console use the following
> startup parameter:
> -Dheadless=false"
>
> In non-headless mode the following message will be displayed:
>
> "solr is running with headless mode turned off. The admin console is
> available in this mode. Disabling the Admin UI removes XSS and other attack
> vectors"
>
> If a user attempts to access the admin console while Solr is in headless mode
> Solr will return 401 unauthorized.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org
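The gate discussed in this thread (a JVM system property that decides whether the Admin UI is served, a startup log line stating the mode, and a rejection for UI requests while the HTTP APIs stay reachable) can be sketched as a plain servlet filter. The following is an added example written for this page; it is not Solr's code and not code posted by the commenters. The class name AdminUiGateFilter, the exact property name enableAdminUI (spelled as in the comment above, with "enabled unless set to false" semantics as the comment proposes), and the list of UI path prefixes are assumptions for the example; the 401 status follows the ticket's proposed design.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative gate for the SOLR-14014 proposal: a JVM system property decides whether the
 * Admin UI's static pages are served. Not Solr's own code; class name, property name and the
 * path list below are assumptions made for this example.
 */
public class AdminUiGateFilter implements Filter {

    /** Property spelling taken from the comment above; sense is "enabled unless set to false". */
    static final String PROPERTY = "enableAdminUI";

    /** Assumed UI asset prefixes, relative to the servlet context (e.g. /solr). */
    static final List<String> UI_PREFIXES =
            Arrays.asList("/index.html", "/css/", "/js/", "/img/", "/partials/", "/libs/");

    /** Decided once in init(); a request can never flip it. */
    private boolean uiEnabled = true;

    /** Only the literal "false" (any case, trimmed) disables the UI; absent or anything else keeps it on. */
    static boolean readUiEnabled(String rawValue) {
        return rawValue == null || !rawValue.trim().equalsIgnoreCase("false");
    }

    /** True for the dashboard shell and its assets; false for API paths such as /admin/cores or /<core>/select. */
    static boolean isAdminUiRequest(String pathInContext) {
        if (pathInContext == null || pathInContext.isEmpty() || pathInContext.equals("/")) {
            return true; // the dashboard itself
        }
        for (String prefix : UI_PREFIXES) {
            if (pathInContext.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void init(FilterConfig cfg) {
        uiEnabled = readUiEnabled(System.getProperty(PROPERTY));
        // Startup message as the ticket asks for, so operators can confirm the mode in the log.
        cfg.getServletContext().log(uiEnabled
                ? "Admin UI enabled; start with -D" + PROPERTY + "=false to disable it"
                : "Admin UI disabled by -D" + PROPERTY + "=false; HTTP APIs remain available");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Strip the context path (/solr) so the prefix check sees "/index.html", "/admin/cores", ...
        String path = http.getRequestURI().substring(http.getContextPath().length());

        if (!uiEnabled && isAdminUiRequest(path)) {
            // The ticket proposes 401 for UI requests while the UI is disabled.
            HttpServletResponse out = (HttpServletResponse) resp;
            out.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            out.setContentType("text/plain;charset=UTF-8");
            out.getWriter().println("Solr is running with the Admin UI disabled (-D" + PROPERTY
                    + "=false). The HTTP APIs are still available.");
            return; // never reaches the static-file servlet
        }
        chain.doFilter(req, resp); // API calls, and all requests when the UI is enabled, pass through
    }

    @Override
    public void destroy() { }
}
```

Two points a reviewer would raise against this sketch. First, the prefix match runs on the raw request URI, so a real implementation should normalize the path (decode, collapse duplicate slashes and dot segments) before matching, otherwise the check and the static-file servlet may disagree about which file a request names. Second, 401 without a WWW-Authenticate header is not strictly conformant and implies that a credential would unlock the page; if the intent is that the UI simply does not exist in this mode, 404 describes that more honestly and gives a scanner nothing to probe.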