[ 
https://issues.apache.org/jira/browse/SOLR-14014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16989758#comment-16989758
 ] 

Jason Gerlowski commented on SOLR-14014:
----------------------------------------

bq. I don't like it; I liken it to removing useful features just because of the 
possibility of bugs.

I don't think that comparison is accurate.  The proposal here isn't to rip out 
the Admin UI, it's just to add a feature flag for it.  No one's suggesting 
removing features.  We should 100% fix the problems we know about in the Admin 
UI, and this shouldn't replace that work.  I'd like to think that work will 
prevent all future UI vulnerabilities but we've been wrong so many times 
recently that it seems prudent to give our users a safety net just in case.

Other thoughts.

1. Don't feel strongly about the name.  +1 to {{enableAdminUI}} if people like 
that.
2. I don't feel strongly about whether the UI is enabled/disabled by default. A 
smarter option (maybe?) would be to have this ticket set the default to 
"disabled" and make changing the default back to "enabled" be a part of 
SOLR-13987.  That way the UI being enabled (by default) would be contingent on 
fixing the XSS exploit paths.  But again, I think the important thing is 
getting a feature flag in; I think the default is secondary.

> Allow Solr to start with Admin UI disabled
> ------------------------------------------
>
>                 Key: SOLR-14014
>                 URL: https://issues.apache.org/jira/browse/SOLR-14014
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Admin UI, security
>    Affects Versions: master (9.0), 8.3.1
>            Reporter: Jason Gerlowski
>            Priority: Major
>
> Currently Solr always runs the Admin UI. With the history of XSS issues and 
> other security concerns that have been found in the Admin UI, Solr should 
> offer a mode where the Admin UI is disabled. Maybe, and this is a topic 
> that'll need some serious discussion, this should even be the default when 
> Solr starts.
> NOTE: Disabling the Admin UI removes XSS and other attack vectors. But even 
> with the Admin UI disabled, Solr will still be inherently unsafe without 
> firewall protection on a public network.
> *Proposed design:*
> A java system property called *headless* will be used as an internal flag for 
> starting Solr in headless mode. This property will default to true. A java 
> property can be used at startup to set this flag to false.
> Here is an example:
> {code:java}
>  bin/solr start -Dheadless=false {code}
> A message will be added following startup describing the mode.
> In headless mode the following message will be displayed:
> "solr is running in headless mode. The admin console is unavailable. To 
> turn off headless mode and allow the admin console use the following 
> startup parameter:
> -Dheadless=false"
>   
> In non-headless mode the following message will be displayed:
> "solr is running with headless mode turned off. The admin console is 
> available in this mode. Disabling the Admin UI removes XSS and other attack 
> vectors"  
> If a user attempts to access the admin console while Solr is in headless mode 
> Solr will return 401 unauthorized.
>  


