[ 
https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Erick Erickson resolved SOLR-7896.
----------------------------------
    Resolution: Not A Problem

Please bring this kind of thing up on the user's list rather than raise JIRAs 
to be sure you're not simply misunderstanding things. If it's a real problem in 
Solr, _then_ raise a JIRA.

Solr has _never_ been intended to allow end-user access and thus has never 
implemented this kind of security. You allow me to get to the Solr URL directly 
and I can
http://machine:port/solr/collection/update?commit=true&stream.body=<delete><query>*:*</query></delete>

All your docs are gone.

> Solr Administrative Interface Lacks Password Protection
> -------------------------------------------------------
>
>                 Key: SOLR-7896
>                 URL: https://issues.apache.org/jira/browse/SOLR-7896
>             Project: Solr
>          Issue Type: Bug
>          Components: security, web gui
>    Affects Versions: 5.2.1
>            Reporter: Aaron Greenspan
>            Priority: Critical
>
> Out of the box, the Solr interface should require an administrative password 
> that the user is required to set. Apparently there are ways of configuring 
> Jetty to do this with HTTP AUTH or whatever. I'm a moderately experienced 
> Linux admin and a programmer; I've tried, numerous times, and I've not once 
> been able to get it to work. The point is this, though:
> *No one should have to try to get their Solr instance to support password 
> authentication and preferably SSL (even if it's just with a self-signed 
> certificate). Solr is designed to store huge amounts of data and is therefore 
> a likely target for malicious users.*
> This needs to be addressed! It's 2015 and Solr is on version 5!



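A defender-side check for the exposure described in the message above, as an added example that is not part of the original thread or of Solr itself. It scans NCSA-style access-log lines for update requests carrying a delete in stream.body and for any client outside the networks expected to reach Solr; the trusted network, function names and log lines are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: only these networks (the application tier) may reach Solr.
TRUSTED_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# NCSA-style access-log line: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
DELETE_RE = re.compile(r"<\s*delete\b", re.IGNORECASE)

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = """\
10.0.5.12 - - [06/Aug/2015:10:15:01 +0000] "GET /solr/collection/select?q=title%3Asolr HTTP/1.1" 200 1532
203.0.113.7 - - [06/Aug/2015:10:15:32 +0000] "GET /solr/collection/update?commit=true&stream.body=%3Cdelete%3E%3Cquery%3E*%3A*%3C%2Fquery%3E%3C%2Fdelete%3E HTTP/1.1" 200 149
10.0.5.12 - - [06/Aug/2015:10:16:09 +0000] "POST /solr/collection/update?commit=true HTTP/1.1" 200 149
198.51.100.23 - - [06/Aug/2015:10:17:44 +0000] "GET /solr/admin/cores?action=STATUS HTTP/1.1" 200 804
"""

def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable client field is treated as untrusted
    return any(addr in net for net in TRUSTED_NETS)

def review(log_text):
    """Return (ip, timestamp, reason) for each request worth investigating."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        params = parse_qs(url.query)  # percent-decodes parameter values
        bodies = params.get("stream.body", [])
        if url.path.endswith("/update") and any(DELETE_RE.search(b) for b in bodies):
            findings.append((m["ip"], m["ts"], "delete via stream.body"))
        elif not is_trusted(m["ip"]):
            findings.append((m["ip"], m["ts"], "untrusted client reached " + url.path))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Deletes sent in a POST body do not appear in an access log, so this check complements, and does not replace, restricting network access to the Solr port.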