Re: How do *you* restrict access to Solr?

2020-03-19 Thread Mark H. Wood
On Mon, Mar 16, 2020 at 11:43:10AM -0400, Ryan W wrote:
> On Mon, Mar 16, 2020 at 11:40 AM Walter Underwood 
> wrote:
> 
> > Also, even if you prevent access to the admin UI, a request to /update can delete
> > all the content. It is really easy. This Gist shows how.
> >
> > https://gist.github.com/nz/673027/313f70681daa985ea13ba33a385753aef951a0f3
> 
> 
> 
> This seems important.  In other words, my work isn't necessarily done if
> I've secured the graphical UI.  I can't just visit the admin UI page to see
> if my efforts are successful.

It is VERY IMPORTANT.  You are correct.  The Admin GUI is just a
convenience layer over extensive REST APIs.  You need to secure access
to the APIs, not just the admin application that runs on top of them.

If all use is from the local host, then running Solr only on the
loopback address will keep outsiders from connecting to any part of
it.

If other internal hosts need access, then I would run Solr only on an
RFC1918 (non-routed) address, and set up the Solr host's firewall to
grant access to Solr's port (8983 by default) only from permitted hosts.

  https://tools.ietf.org/html/rfc1918

Who/what needs access to Solr?  Do you need to grant different levels
of access to specific groups of users?  Then you need something like
Role-Based Access Control.  This is true even if access is only
internal or even just from the same host.  Address-based controls only
divide the universe between those who can do nothing to your Solr and
those who can do *everything* to your Solr.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
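The loopback / RFC1918 / host-firewall advice above, as an added example that is not from the thread or from the Solr project: a POSIX shell script that checks whether the address Solr is bound to is loopback or RFC1918 and emits iptables rules admitting Solr's port only from a permitted-host list. The bind address, the permitted hosts and the iptables syntax are assumptions; IPv4 only.

```shell
#!/bin/sh
# Added example, not from the thread or the Solr project. Checks a Solr
# bind address against loopback/RFC1918 and emits a per-host iptables
# allow-list for Solr's port. IPv4 only; addresses below are constructed.

SOLR_PORT=8983   # Solr's default port, as noted in the thread

# Return 0 if the IPv4 address is loopback or inside an RFC1918 block,
# i.e. not reachable from outside the local network without a proxy.
is_loopback_or_rfc1918() {
  case "$1" in
    127.*)                                 return 0 ;;  # loopback
    10.*)                                  return 0 ;;  # 10.0.0.0/8
    192.168.*)                             return 0 ;;  # 192.168.0.0/16
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;  # 172.16.0.0/12
  esac
  return 1
}

# Return 1 (with a warning) if Solr would listen on a routable address.
check_bind_address() {
  if is_loopback_or_rfc1918 "$1"; then
    echo "ok: $1 is loopback or RFC1918"
    return 0
  fi
  echo "warn: $1 is routable; bind Solr to loopback or an RFC1918 address" >&2
  return 1
}

# Print iptables commands that accept Solr's port from the local host and
# from each permitted host (address or CIDR), then drop everything else.
# Usage: solr_firewall_rules PORT HOST...
solr_firewall_rules() {
  port=$1; shift
  printf 'iptables -A INPUT -i lo -p tcp --dport %s -j ACCEPT\n' "$port"
  for host in "$@"; do
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$host"
  done
  printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Demonstration with constructed values: the address Solr listens on and
# the two internal application servers allowed to reach it.
BIND_ADDR=10.0.5.20
check_bind_address "$BIND_ADDR"
solr_firewall_rules "$SOLR_PORT" 10.0.5.21 10.0.5.22
```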




Re: How do *you* restrict access to Solr?

2020-03-18 Thread Markus Kalkbrenner
> My application framework (Drupal) doesn't support Solr 8.

That's not true. Like Solr itself, you just have to update to recent Drupal 
module versions.
As you can see at 
https://travis-ci.org/github/mkalkbrenner/search_api_solr/builds/663153535 the 
automated tests run against Solr 6.6.6, 7.7.2 and 8.4.1.

Best,
Markus



Re: How do *you* restrict access to Solr?

2020-03-18 Thread Ryan W
On Tue, Mar 17, 2020 at 6:05 AM Jan Høydahl  wrote:

> You can consider upgrading to Solr 8.5 which is to be released in a couple
> of days, which makes it easy to whitelist IP addresses in solr.in.sh:
>

Thanks.  That is good news, though it won't help me this time around.  My
application framework (Drupal) doesn't support Solr 8.  I may try Solr 6
again, or take another stab at getting the Basic Authentication plugin to
work in Solr 7.  My Solr install isn't web-accessible, so the only threats
would come from inside the network.



>
> # Allow IPv4/IPv6 localhost, the 192.168.0.x IPv4 network, and the
> # 2000:123:4:5:: IPv6 network.
> SOLR_IP_WHITELIST="127.0.0.1, [::1], 192.168.0.0/24, [2000:123:4:5::]/64"
>
>
> https://lucene.apache.org/solr/guide/8_5/securing-solr.html#enable-ip-access-control
>
> But please please do not expose Solr, even if secured, to untrusted
> networks and never to the public internet.
>
> Jan
>
> > 16. mar. 2020 kl. 16:46 skrev Ryan W :
> >
> > On Mon, Mar 16, 2020 at 10:51 AM Susheel Kumar 
> > wrote:
> >
> >> Basic auth should help you to start
> >>
> >>
> https://lucene.apache.org/solr/guide/8_1/basic-authentication-plugin.html
> >
> >
> >
> > Thanks.  I think I will give up on the plugin system.  I haven't been able
> > to get the plugin system to work, and it creates too many opportunities for
> > human error.  Even if I can get it working this week, what about 6 months
> > from now or a year from now when something goes wrong and I have to debug
> > it.  It seems like far too much overhead to provide the desired security
> > benefit, except perhaps in situations where an organization has Solr
> > specialists who can maintain the system.
>
>


Re: How do *you* restrict access to Solr?

2020-03-17 Thread Jan Høydahl
You can consider upgrading to Solr 8.5 which is to be released in a couple of 
days, which makes it easy to whitelist IP addresses in solr.in.sh:

# Allow IPv4/IPv6 localhost, the 192.168.0.x IPv4 network, and the
# 2000:123:4:5:: IPv6 network.
SOLR_IP_WHITELIST="127.0.0.1, [::1], 192.168.0.0/24, [2000:123:4:5::]/64"

https://lucene.apache.org/solr/guide/8_5/securing-solr.html#enable-ip-access-control

But please please do not expose Solr, even if secured, to untrusted networks 
and never to the public internet.

Jan

> 16. mar. 2020 kl. 16:46 skrev Ryan W :
> 
> On Mon, Mar 16, 2020 at 10:51 AM Susheel Kumar 
> wrote:
> 
>> Basic auth should help you to start
>> 
>> https://lucene.apache.org/solr/guide/8_1/basic-authentication-plugin.html
> 
> 
> 
> Thanks.  I think I will give up on the plugin system.  I haven't been able
> to get the plugin system to work, and it creates too many opportunities for
> human error.  Even if I can get it working this week, what about 6 months
> from now or a year from now when something goes wrong and I have to debug
> it.  It seems like far too much overhead to provide the desired security
> benefit, except perhaps in situations where an organization has Solr
> specialists who can maintain the system.
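Jan's SOLR_IP_WHITELIST above, as an added example that is not from the thread or from Solr's own code: a POSIX shell checker that parses that exact whitelist string and reports whether a client IPv4 address would be admitted, so the list can be sanity-checked before Solr is restarted. The client addresses are constructed; IPv6 entries such as [::1] are recognised but skipped, and the matching is this script's own, not Solr's implementation.

```shell
#!/bin/sh
# Added example, not from the thread or the Solr project: evaluate a client
# IPv4 address against a SOLR_IP_WHITELIST-style list (addresses and CIDRs,
# comma separated). IPv6 entries in [...] are skipped; client addresses are
# constructed for illustration.

# The whitelist exactly as given in the thread.
SOLR_IP_WHITELIST="127.0.0.1, [::1], 192.168.0.0/24, [2000:123:4:5::]/64"

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip4_to_int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR ENTRY: return 0 if ADDR lies inside ENTRY, which is either a
# bare address (exact match) or NET/PREFIX.
in_cidr() {
  net=${2%/*}
  bits=${2#*/}
  [ "$bits" = "$2" ] && bits=32
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# solr_ip_allowed ADDR LIST: return 0 if any IPv4 entry in LIST admits ADDR.
solr_ip_allowed() {
  addr=$1
  case "$addr" in
    *:*) return 1 ;;                      # IPv6 clients are not evaluated here
  esac
  old_ifs=$IFS
  IFS=','
  set -f                                  # keep [::1] from being glob-expanded
  set -- $2
  set +f
  IFS=$old_ifs
  for entry in "$@"; do
    entry=$(printf '%s' "$entry" | tr -d ' ')   # drop the space after each comma
    case "$entry" in
      '')  continue ;;                    # empty item (e.g. trailing comma)
      \[*) continue ;;                    # IPv6 entry, skipped
    esac
    if in_cidr "$addr" "$entry"; then
      return 0
    fi
  done
  return 1
}

# Demonstration with constructed client addresses.
for client in 127.0.0.1 192.168.0.42 192.168.1.42 10.0.0.5; do
  if solr_ip_allowed "$client" "$SOLR_IP_WHITELIST"; then
    echo "$client: allowed"
  else
    echo "$client: rejected"
  fi
done
```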



RE: How do *you* restrict access to Solr?

2020-03-16 Thread Phil Scadden
First off, use basic authentication to at least partially lock it down. Only 
the application server has access to the password. Second, our IT people 
thought Solr security insufficient to even remotely consider exposing to the 
external web. It lives behind a firewall, so we do a kind of proxy. External 
queries are passed to an internal application server which examines, modifies 
and adds security to queries and then passes them to SOLR. Results are sent 
back up the chain to the external application server. I believe variations of 
this are what is expected. Our deconstruct/reconstruct queries are unusual but 
it does allow us to use rights-based access to functionality, i.e. the general 
public can do searches against the title, author, abstract. Privileged and 
internal users can query against the full text of the technical reports.

-Original Message-
From: Ryan W 
Sent: Tuesday, 17 March 2020 03:44
To: solr-user@lucene.apache.org
Subject: How do *you* restrict access to Solr?

How do you, personally, do it?  Do you use IPTables?  Basic Authentication 
Plugin? Something else?

I'm asking in part so I'll have something to search for.  I don't know where I 
should begin, so I figured I would ask how others do it.

I haven't been able to find anything that works, so if you can tell me what 
works for you, I can at least narrow it down a bit and do some Google searches. 
 Do I need to learn Solr's plugin system?  Am I starting in the right place if 
I follow this document:
https://lucene.apache.org/solr/guide/7_0/rule-based-authorization-plugin.html#rule-based-authorization-plugin

Initially, the above document seems far too comprehensive for my needs.  I just 
want to block access to the Solr admin UI, and the list of predefined 
permissions in that document doesn't seem to be relevant.  Also, it seems 
unlikely this plugin system is necessary just to control access to the admin 
UI... or maybe it is necessary?

In any case, what is your approach?

I'm using version 7.7.2 of Solr.

Thanks!


RE: How do *you* restrict access to Solr?

2020-03-16 Thread Dunigan, Craig A.
Setting up Apache is off-topic, but it’s just a matter of ProxyPass to the Solr 
app URL.  I already gave you the relevant IP restriction configuration 
directive, “Allow from “.  The rest is in httpd documentation.

From: Ryan W 
Sent: Monday, March 16, 2020 10:41 AM
To: solr-user@lucene.apache.org
Subject: Re: How do *you* restrict access to Solr?


On Mon, Mar 16, 2020 at 11:32 AM Dunigan, Craig A. <craig.duni...@landsend.com> wrote:

> Here are my suggestions. If you’re okay with IP restrictions only, then
> iptables.


Thanks! Just knowing this is an option helps. I took a stab at it but it
didn't work initially, but at least now I know there's a reason to keep
trying it.


> If you don’t have *nix or root access, an Apache proxy server with Allow
> from .


I do have root access and can edit the Apache config. Can I restrict
access in the Apache config? If so, that would be a great solution. My
situation is fairly typical. I have a LAMP environment with Red Hat
Linux. I'm not quite sure how to make my Apache directives specific to the
Solr install. Again, just knowing this is an option would be helpful. The
Solr docs don't mention this possibility, I don't think.



> If you want really, really secure, an stunnel front-end that requires
> client certs that you install in your browsers. For us, we have a load
> balancer with VIPs that restrict access to the internal IP range of the
> building that houses IT, but not everyone has the luxury of hardware
> solutions.
>
> From: Ryan W <rya...@gmail.com>
> Sent: Monday, March 16, 2020 10:20 AM
> To: solr-user@lucene.apache.org
> Subject: Re: How do *you* restrict access to Solr?
>
>
> On Mon, Mar 16, 2020 at 10:50 AM David Hastings <hastings.recurs...@gmail.com>
> wrote:
>
> > Honestly? I know this isn't what you're going to want to hear, but security
> > through obscurity. No one else knows what port the server's on, and it's not
> > accessible from anything outside of the internal network.
>
>
> That doesn't sound like security through obscurity, as long as you are
> confident that access to the internal network is limited... to whatever
> degree you require. I'd certainly be happy if I could restrict access
> based on IP.
>
>
>
> > if your Solr
> > install can be accessed from an external IP you have much larger issues.
>
>
> > On Mon, Mar 16, 2020 at 10:44 AM Ryan W <rya...@gmail.com> wrote:
> >
> > > How do you, personally, do it? Do you use IPTables? Basic
> > Authentication
> > > Plugin? Something else?
> > >
> > > I'm asking in part so I'll have something to search for. I don't know
> > where
> > > I should begin, so I figured I would ask how others do it.
> > >
> > > I haven't been able to find anything that works, so if you can tell me
> > what
> > > works for you, I can at least narrow it down a bit and do some Google
> > > searches. Do I need to learn Solr's plugin system? Am I starting in the
> > > right place if I follow this document:
> > >
> > >
> >
> https://lucene.apache.org/solr/guide/7_0/rule-based-authorization-plugin.html#rule-based-authorization-plugin
> >
> > >
> > > Initially, the above document seems far too comprehensive for my needs.
> > > I just want to block access to the Solr admin UI, and the list of
> > > predefined permissions in that document doesn't seem to be relevant.
> > > Also, it seems unlikely this plugin system is necessary just to control
> > > access to the admin UI... or maybe it is necessary?
> > >
> > > In any case, what is your approach?
> > >
> > > I'm using version 7.7.2 of Solr.
> > >
> > > Thanks!
> > >
> >
>


Re: How do *you* restrict access to Solr?

2020-03-16 Thread Aroop Ganguly
Hi Ryan

You should consider a simple rule-based authorization scheme.
Your staff user can be given read-only privileges to everything you want 
except the admin UI.

Depending on which version of Solr you are on this can be trivial.

- Aroop

> On Mar 16, 2020, at 8:46 AM, Ryan W  wrote:
> 
> On Mon, Mar 16, 2020 at 10:51 AM Susheel Kumar 
> wrote:
> 
>> Basic auth should help you to start
>> 
>> https://lucene.apache.org/solr/guide/8_1/basic-authentication-plugin.html
> 
> 
> 
> Thanks.  I think I will give up on the plugin system.  I haven't been able
> to get the plugin system to work, and it creates too many opportunities for
> human error.  Even if I can get it working this week, what about 6 months
> from now or a year from now when something goes wrong and I have to debug
> it.  It seems like far too much overhead to provide the desired security
> benefit, except perhaps in situations where an organization has Solr
> specialists who can maintain the system.



Re: How do *you* restrict access to Solr?

2020-03-16 Thread Ryan W
On Mon, Mar 16, 2020 at 10:51 AM Susheel Kumar 
wrote:

> Basic auth should help you to start
>
> https://lucene.apache.org/solr/guide/8_1/basic-authentication-plugin.html



Thanks.  I think I will give up on the plugin system.  I haven't been able
to get the plugin system to work, and it creates too many opportunities for
human error.  Even if I can get it working this week, what about 6 months
from now or a year from now when something goes wrong and I have to debug
it.  It seems like far too much overhead to provide the desired security
benefit, except perhaps in situations where an organization has Solr
specialists who can maintain the system.


Re: How do *you* restrict access to Solr?

2020-03-16 Thread Ryan W
On Mon, Mar 16, 2020 at 11:40 AM Walter Underwood 
wrote:

> Also, even if you prevent access to the admin UI, a request to /update can delete
> all the content. It is really easy. This Gist shows how.
>
> https://gist.github.com/nz/673027/313f70681daa985ea13ba33a385753aef951a0f3



This seems important.  In other words, my work isn't necessarily done if
I've secured the graphical UI.  I can't just visit the admin UI page to see
if my efforts are successful.



>
>
> wunder
> Walter Underwood
> wun...@wunderwood.org
> http://observer.wunderwood.org/  (my blog)
>
> > On Mar 16, 2020, at 8:20 AM, David Hastings <
> hastings.recurs...@gmail.com> wrote:
> >
> > Master/slave is the idea that you have an indexing server you do all
> > indexing to and a search server that replicates the index, to deliver the
> > results etc.  If you keep the indexer separate you can tune it differently
> > as well as protect the data.  It also means you can remove the delete/update
> > request handlers from the slave/searcher.
> >
> > Yes, security by obscurity isn't ideal, but the overhead of adding
> > authentication to requests I find unnecessary.
> >
> > On Mon, Mar 16, 2020 at 11:16 AM Ryan W  wrote:
> >
> >> On Mon, Mar 16, 2020 at 11:09 AM Walter Underwood <
> wun...@wunderwood.org>
> >> wrote:
> >>
> >>> What access do you want to prevent? How do you prefer to authenticate?
> >>> How do you manage users or roles? Master/slave or Solr Cloud?
> >>>
> >>
> >> I want to prevent access to the admin UI.
> >>
> >> I don't want to manage users or roles, preferably.  I have only one
> user:
> >> staff.  I want to prevent the public from accessing the admin UI.  I'd
> be
> >> happy if I could set an IP address whitelist... especially if I don't
> have
> >> to learn a new framework (which I will never use for any other purpose)
> to
> >> do it.
> >>
> >> I don't know what master/slave is.  These are new concepts that weren't
> >> required to secure Solr prior to 7x, and this is my first project using
> a
> >> version after 6x.
> >>
> >> Thanks!
> >>
> >>
> >>
> >>>
> >>> wunder
> >>> Walter Underwood
> >>> wun...@wunderwood.org
> >>> http://observer.wunderwood.org/  (my blog)
> >>>
>  On Mar 16, 2020, at 7:44 AM, Ryan W  wrote:
> 
>  How do you, personally, do it?  Do you use IPTables?  Basic
> >>> Authentication
>  Plugin? Something else?
> 
>  I'm asking in part so I'll have something to search for.  I don't know
> >>> where
>  I should begin, so I figured I would ask how others do it.
> 
>  I haven't been able to find anything that works, so if you can tell me
> >>> what
>  works for you, I can at least narrow it down a bit and do some Google
>  searches.  Do I need to learn Solr's plugin system?  Am I starting in
> >> the
>  right place if I follow this document:
> 
> >>>
> >>
> https://lucene.apache.org/solr/guide/7_0/rule-based-authorization-plugin.html#rule-based-authorization-plugin
> 
>  Initially, the above document seems far too comprehensive for my needs.
>  I just want to block access to the Solr admin UI, and the list of
>  predefined permissions in that document doesn't seem to be relevant.
>  Also, it seems unlikely this plugin system is necessary just to control
>  access to the admin UI... or maybe it is necessary?
> 
>  In any case, what is your approach?
> 
>  I'm using version 7.7.2 of Solr.
> 
>  Thanks!
> >>>
> >>>
> >>
>
>


Re: How do *you* restrict access to Solr?

2020-03-16 Thread Ryan W
On Mon, Mar 16, 2020 at 11:32 AM Dunigan, Craig A. <
craig.duni...@landsend.com> wrote:

> Here are my suggestions.  If you’re okay with IP restrictions only, then
> iptables.


Thanks!  Just knowing this is an option helps.  I took a stab at it but it
didn't work initially, but at least now I know there's a reason to keep
trying it.


> If you don’t have *nix or root access, an Apache proxy server with Allow
> from .


I do have root access and can edit the Apache config.  Can I restrict
access in the Apache config?  If so, that would be a great solution.  My
situation is fairly typical.  I have a LAMP environment with Red Hat
Linux.  I'm not quite sure how to make my Apache directives specific to the
Solr install.  Again, just knowing this is an option would be helpful.  The
Solr docs don't mention this possibility, I don't think.



> If you want really, really secure, an stunnel front-end that requires
> client certs that you install in your browsers.  For us, we have a load
> balancer with VIPs that restrict access to the internal IP range of the
> building that houses IT, but not everyone has the luxury of hardware
> solutions.
>
> From: Ryan W 
> Sent: Monday, March 16, 2020 10:20 AM
> To: solr-user@lucene.apache.org
> Subject: Re: How do *you* restrict access to Solr?
>
>
> On Mon, Mar 16, 2020 at 10:50 AM David Hastings <
> hastings.recurs...@gmail.com> wrote:
>
> > Honestly? I know this isn't what you're going to want to hear, but security
> > through obscurity. No one else knows what port the server's on, and it's not
> > accessible from anything outside of the internal network.
>
>
> That doesn't sound like security through obscurity, as long as you are
> confident that access to the internal network is limited... to whatever
> degree you require. I'd certainly be happy if I could restrict access
> based on IP.
>
>
>
> > if your Solr
> > install can be accessed from an external IP you have much larger issues.
>
>
> > On Mon, Mar 16, 2020 at 10:44 AM Ryan W <rya...@gmail.com> wrote:
> >
> > > How do you, personally, do it? Do you use IPTables? Basic
> > Authentication
> > > Plugin? Something else?
> > >
> > > I'm asking in part so I'll have something to search for. I don't know
> > where
> > > I should begin, so I figured I would ask how others do it.
> > >
> > > I haven't been able to find anything that works, so if you can tell me
> > what
> > > works for you, I can at least narrow it down a bit and do some Google
> > > searches. Do I need to learn Solr's plugin system? Am I starting in the
> > > right place if I follow this document:
> > >
> > >
> >
> https://lucene.apache.org/solr/guide/7_0/rule-based-authorization-plugin.html#rule-based-authorization-plugin
> >
> > >
> > > Initially, the above document seems far too comprehensive for my needs.
> > > I just want to block access to the Solr admin UI, and the list of
> > > predefined permissions in that document doesn't seem to be relevant.
> > > Also, it seems unlikely this plugin system is necessary just to control
> > > access to the admin UI... or maybe it is necessary?
> > >
> > > In any case, what is your approach?
> > >
> > > I'm using version 7.7.2 of Solr.
> > >
> > > Thanks!
> > >
> >
>


Re: How do *you* restrict access to Solr?

2020-03-16 Thread Walter Underwood
If your data changes slowly and you don’t need to shard, master/slave is great.
It is loosely coupled, so not as complicated as Solr Cloud. Each slave is an
exact clone.

For master/slave, you can put an HTTP server (nginx, etc.) on each server and
proxy traffic to Solr. Then configure Solr to only listen to localhost. The
HTTP server should have plenty of tools for configuring access. The slave
servers will contact the master on the port that the HTTP server uses.

Also, even if you prevent access to the admin UI, a request to /update can
delete all the content. It is really easy. This Gist shows how.

https://gist.github.com/nz/673027/313f70681daa985ea13ba33a385753aef951a0f3

wunder
Walter Underwood
wun...@wunderwood.org
http://observer.wunderwood.org/  (my blog)

> On Mar 16, 2020, at 8:20 AM, David Hastings  
> wrote:
> 
> Master/slave is the idea that you have an indexing server you do all
> indexing to and a search server that replicates the index, to deliver the
> results etc.  If you keep the indexer separate you can tune it differently
> as well as protect the data.  It also means you can remove the delete/update
> request handlers from the slave/searcher.
> 
> Yes, security by obscurity isn't ideal, but the overhead of adding
> authentication to requests I find unnecessary.
> 
> On Mon, Mar 16, 2020 at 11:16 AM Ryan W  wrote:
> 
>> On Mon, Mar 16, 2020 at 11:09 AM Walter Underwood 
>> wrote:
>> 
>>> What access do you want to prevent? How do you prefer to authenticate?
>>> How do you manage users or roles? Master/slave or Solr Cloud?
>>> 
>> 
>> I want to prevent access to the admin UI.
>> 
>> I don't want to manage users or roles, preferably.  I have only one user:
>> staff.  I want to prevent the public from accessing the admin UI.  I'd be
>> happy if I could set an IP address whitelist... especially if I don't have
>> to learn a new framework (which I will never use for any other purpose) to
>> do it.
>> 
>> I don't know what master/slave is.  These are new concepts that weren't
>> required to secure Solr prior to 7x, and this is my first project using a
>> version after 6x.
>> 
>> Thanks!
>> 
>> 
>> 
>>> 
>>> wunder
>>> Walter Underwood
>>> wun...@wunderwood.org
>>> http://observer.wunderwood.org/  (my blog)
>>> 
 On Mar 16, 2020, at 7:44 AM, Ryan W  wrote:
 
 How do you, personally, do it?  Do you use IPTables?  Basic
>>> Authentication
 Plugin? Something else?
 
 I'm asking in part so I'll have something to search for.  I don't know
>>> where
 I should begin, so I figured I would ask how others do it.
 
 I haven't been able to find anything that works, so if you can tell me
>>> what
 works for you, I can at least narrow it down a bit and do some Google
 searches.  Do I need to learn Solr's plugin system?  Am I starting in
>> the
 right place if I follow this document:
 
>>> 
>> https://lucene.apache.org/solr/guide/7_0/rule-based-authorization-plugin.html#rule-based-authorization-plugin
 
 Initially, the above document seems far too comprehensive for my needs.
 I just want to block access to the Solr admin UI, and the list of
 predefined permissions in that document doesn't seem to be relevant.
 Also, it seems unlikely this plugin system is necessary just to control
 access to the admin UI... or maybe it is necessary?
 
 In any case, what is your approach?
 
 I'm using version 7.7.2 of Solr.
 
 Thanks!
>>> 
>>> 
>> 



RE: How do *you* restrict access to Solr?

2020-03-16 Thread Dunigan, Craig A.
Here are my suggestions.  If you’re okay with IP restrictions only, then 
iptables.  If you don’t have *nix or root access, an Apache proxy server with 
Allow from .  If you want really, really secure, an stunnel front-end 
that requires client certs that you install in your browsers.  For us, we have 
a load balancer with VIPs that restrict access to the internal IP range of the 
building that houses IT, but not everyone has the luxury of hardware solutions.

From: Ryan W 
Sent: Monday, March 16, 2020 10:20 AM
To: solr-user@lucene.apache.org
Subject: Re: How do *you* restrict access to Solr?


On Mon, Mar 16, 2020 at 10:50 AM David Hastings <
hastings.recurs...@gmail.com> wrote:

> Honestly? I know this isn't what you're going to want to hear, but security
> through obscurity. No one else knows what port the server's on, and it's not
> accessible from anything outside of the internal network.


That doesn't sound like security through obscurity, as long as you are
confident that access to the internal network is limited... to whatever
degree you require. I'd certainly be happy if I could restrict access
based on IP.



> if your Solr
> install can be accessed from an external IP you have much larger issues.


> On Mon, Mar 16, 2020 at 10:44 AM Ryan W <rya...@gmail.com> wrote:
>
> > How do you, personally, do it? Do you use IPTables? Basic
> Authentication
> > Plugin? Something else?
> >
> > I'm asking in part so I'll have something to search for. I don't know
> where
> > I should begin, so I figured I would ask how others do it.
> >
> > I haven't been able to find anything that works, so if you can tell me
> what
> > works for you, I can at least narrow it down a bit and do some Google
> > searches. Do I need to learn Solr's plugin system? Am I starting in the
> > right place if I follow this document:
> >
> >
> https://lucene.apache.org/solr/guide/7_0/rule-based-authorization-plugin.html#rule-based-authorization-plugin
> >
> > Initially, the above document seems far too comprehensive for my needs.
> > I just want to block access to the Solr admin UI, and the list of
> > predefined permissions in that document doesn't seem to be relevant.
> > Also, it seems unlikely this plugin system is necessary just to control
> > access to the admin UI... or maybe it is necessary?
> >
> > In any case, what is your approach?
> >
> > I'm using version 7.7.2 of Solr.
> >
> > Thanks!
> >
>


Re: How do *you* restrict access to Solr?

2020-03-16 Thread David Hastings
Master/slave is the idea that you have an indexing server you do all
indexing to and a search server that replicates the index, to deliver the
results etc.  If you keep the indexer separate you can tune it differently
as well as protect the data.  It also means you can remove the delete/update
request handlers from the slave/searcher.

Yes, security by obscurity isn't ideal, but the overhead of adding
authentication to requests I find unnecessary.

On Mon, Mar 16, 2020 at 11:16 AM Ryan W  wrote:

> On Mon, Mar 16, 2020 at 11:09 AM Walter Underwood 
> wrote:
>
> > What access do you want to prevent? How do you prefer to authenticate?
> > How do you manage users or roles? Master/slave or Solr Cloud?
> >
>
> I want to prevent access to the admin UI.
>
> I don't want to manage users or roles, preferably.  I have only one user:
> staff.  I want to prevent the public from accessing the admin UI.  I'd be
> happy if I could set an IP address whitelist... especially if I don't have
> to learn a new framework (which I will never use for any other purpose) to
> do it.
>
> I don't know what master/slave is.  These are new concepts that weren't
> required to secure Solr prior to 7x, and this is my first project using a
> version after 6x.
>
> Thanks!
>
>
>
> >
> > wunder
> > Walter Underwood
> > wun...@wunderwood.org
> > http://observer.wunderwood.org/  (my blog)
> >
> > > On Mar 16, 2020, at 7:44 AM, Ryan W  wrote:
> > >
> > > How do you, personally, do it?  Do you use IPTables?  Basic
> > Authentication
> > > Plugin? Something else?
> > >
> > > I'm asking in part so I'll have something to search for.  I don't know
> > where
> > > I should begin, so I figured I would ask how others do it.
> > >
> > > I haven't been able to find anything that works, so if you can tell me
> > what
> > > works for you, I can at least narrow it down a bit and do some Google
> > > searches.  Do I need to learn Solr's plugin system?  Am I starting in
> the
> > > right place if I follow this document:
> > >
> >
> https://lucene.apache.org/solr/guide/7_0/rule-based-authorization-plugin.html#rule-based-authorization-plugin
> > >
> > > Initially, the above document seems far too comprehensive for my needs.
> > > I just want to block access to the Solr admin UI, and the list of
> > > predefined permissions in that document doesn't seem to be relevant.
> > > Also, it seems unlikely this plugin system is necessary just to control
> > > access to the admin UI... or maybe it is necessary?
> > >
> > > In any case, what is your approach?
> > >
> > > I'm using version 7.7.2 of Solr.
> > >
> > > Thanks!
> >
> >
>


Re: How do *you* restrict access to Solr?

2020-03-16 Thread Ryan W
On Mon, Mar 16, 2020 at 10:50 AM David Hastings <
hastings.recurs...@gmail.com> wrote:

> Honestly?  I know this isn't what you're going to want to hear, but security
> through obscurity.  No one else knows what port the server's on, and it's not
> accessible from anything outside of the internal network.


That doesn't sound like security through obscurity, as long as you are
confident that access to the internal network is limited... to whatever
degree you require.  I'd certainly be happy if I could restrict access
based on IP.



> if your Solr
> install can be accessed from an external IP you have much larger issues.


> On Mon, Mar 16, 2020 at 10:44 AM Ryan W  wrote:
>
> > How do you, personally, do it?  Do you use IPTables?  Basic
> Authentication
> > Plugin? Something else?
> >
> > I'm asking in part so I'll have something to search for.  I don't know
> where
> > I should begin, so I figured I would ask how others do it.
> >
> > I haven't been able to find anything that works, so if you can tell me
> what
> > works for you, I can at least narrow it down a bit and do some Google
> > searches.  Do I need to learn Solr's plugin system?  Am I starting in the
> > right place if I follow this document:
> >
> >
> https://lucene.apache.org/solr/guide/7_0/rule-based-authorization-plugin.html#rule-based-authorization-plugin
> >
> > Initially, the above document seems far too comprehensive for my needs.
> > I just want to block access to the Solr admin UI, and the list of
> > predefined permissions in that document doesn't seem to be relevant.
> > Also, it seems unlikely this plugin system is necessary just to control
> > access to the admin UI... or maybe it is necessary?
> >
> > In any case, what is your approach?
> >
> > I'm using version 7.7.2 of Solr.
> >
> > Thanks!
> >
>


Re: How do *you* restrict access to Solr?

2020-03-16 Thread Ryan W
On Mon, Mar 16, 2020 at 11:09 AM Walter Underwood 
wrote:

> What access do you want to prevent? How do you prefer to authenticate?
> How do you manage users or roles? Master/slave or Solr Cloud?
>

I want to prevent access to the admin UI.

I don't want to manage users or roles, preferably.  I have only one user:
staff.  I want to prevent the public from accessing the admin UI.  I'd be
happy if I could set an IP address whitelist... especially if I don't have
to learn a new framework (which I will never use for any other purpose) to
do it.

I don't know what master/slave is.  These are new concepts that weren't
required to secure Solr prior to 7x, and this is my first project using a
version after 6x.

Thanks!



>
> wunder
> Walter Underwood
> wun...@wunderwood.org
> http://observer.wunderwood.org/  (my blog)
>
> > On Mar 16, 2020, at 7:44 AM, Ryan W  wrote:
> >
> > How do you, personally, do it?  Do you use IPTables?  Basic Authentication
> > Plugin? Something else?
> >
> > I'm asking in part so I'll have something to search for.  I don't know
> > where I should begin, so I figured I would ask how others do it.
> >
> > I haven't been able to find anything that works, so if you can tell me
> > what works for you, I can at least narrow it down a bit and do some Google
> > searches.  Do I need to learn Solr's plugin system?  Am I starting in the
> > right place if I follow this document:
> >
> > https://lucene.apache.org/solr/guide/7_0/rule-based-authorization-plugin.html#rule-based-authorization-plugin
> >
> > Initially, the above document seems far too comprehensive for my needs.
> > I just want to block access to the Solr admin UI, and the list of
> > predefined permissions in that document don't seem to be relevant.  Also,
> > it seems unlikely this plugin system is necessary just to control access
> > to the admin UI... or maybe it is necessary?
> >
> > In any case, what is your approach?
> >
> > I'm using version 7.7.2 of Solr.
> >
> > Thanks!
>
>


Re: How do *you* restrict access to Solr?

2020-03-16 Thread Walter Underwood
What access do you want to prevent? How do you prefer to authenticate?
How do you manage users or roles? Master/slave or Solr Cloud?

wunder
Walter Underwood
wun...@wunderwood.org
http://observer.wunderwood.org/  (my blog)

> On Mar 16, 2020, at 7:44 AM, Ryan W  wrote:
> 
> How do you, personally, do it?  Do you use IPTables?  Basic Authentication
> Plugin? Something else?
> 
> I'm asking in part so I'll have something to search for.  I don't know where
> I should begin, so I figured I would ask how others do it.
> 
> I haven't been able to find anything that works, so if you can tell me what
> works for you, I can at least narrow it down a bit and do some Google
> searches.  Do I need to learn Solr's plugin system?  Am I starting in the
> right place if I follow this document:
> https://lucene.apache.org/solr/guide/7_0/rule-based-authorization-plugin.html#rule-based-authorization-plugin
> 
> Initially, the above document seems far too comprehensive for my needs.  I
> just want to block access to the Solr admin UI, and the list of predefined
> permissions in that document don't seem to be relevant.  Also, it seems
> unlikely this plugin system is necessary just to control access to the
> admin UI... or maybe it is necessary?
> 
> In any case, what is your approach?
> 
> I'm using version 7.7.2 of Solr.
> 
> Thanks!



Re: How do *you* restrict access to Solr?

2020-03-16 Thread Ryan W
Thanks Jörn, though this all seems unrealistic.  Because the technical
skill required to secure Solr far exceeds the technical skill required to
install it, I suspect there are probably a lot of insecure installs out
there.  In many cases this will not apply: "if you work with people that
know a bit about those topics in your enterprise."  Solr is used in many
situations where the developer does not have access to a large enterprise
with highly specialized assistance.

On Mon, Mar 16, 2020 at 11:00 AM Jörn Franke  wrote:

> Solr should not be accessible to end users directly - only through a
> dedicated application in between.
>
> Then in an enterprise setting it is mostly Kerberos auth. and https (do
> not forget about zookeeper when using Solr cloud here you can also have
> Kerberos auth and in recent version also SSL). It is not that difficult to
> configure if you work with people that know a bit about those topics in
> your enterprise.
>
> In a Cloud based scenario jwt token can make sense.
>
> Do not do security by obscurity. You owe it to the users that potentially
> also have private data on Solr.
>
> > Am 16.03.2020 um 15:44 schrieb Ryan W :
> >
> > How do you, personally, do it?  Do you use IPTables?  Basic Authentication
> > Plugin? Something else?
> >
> > I'm asking in part so I'll have something to search for.  I don't know
> > where I should begin, so I figured I would ask how others do it.
> >
> > I haven't been able to find anything that works, so if you can tell me
> > what works for you, I can at least narrow it down a bit and do some Google
> > searches.  Do I need to learn Solr's plugin system?  Am I starting in the
> > right place if I follow this document:
> >
> > https://lucene.apache.org/solr/guide/7_0/rule-based-authorization-plugin.html#rule-based-authorization-plugin
> >
> > Initially, the above document seems far too comprehensive for my needs.
> > I just want to block access to the Solr admin UI, and the list of
> > predefined permissions in that document don't seem to be relevant.  Also,
> > it seems unlikely this plugin system is necessary just to control access
> > to the admin UI... or maybe it is necessary?
> >
> > In any case, what is your approach?
> >
> > I'm using version 7.7.2 of Solr.
> >
> > Thanks!
>


Re: How do *you* restrict access to Solr?

2020-03-16 Thread Jörn Franke
Solr should not be accessible to end users directly - only through a dedicated
application in between.

Then in an enterprise setting it is mostly Kerberos auth. and HTTPS (do not
forget about ZooKeeper when using SolrCloud; there you can also have Kerberos
auth and, in recent versions, also SSL). It is not that difficult to configure if
you work with people that know a bit about those topics in your enterprise.

In a cloud-based scenario JWT tokens can make sense.

Do not do security by obscurity. You owe it to the users that potentially also
have private data on Solr.

> Am 16.03.2020 um 15:44 schrieb Ryan W :
> 
> How do you, personally, do it?  Do you use IPTables?  Basic Authentication
> Plugin? Something else?
> 
> I'm asking in part so I'll have something to search for.  I don't know where
> I should begin, so I figured I would ask how others do it.
> 
> I haven't been able to find anything that works, so if you can tell me what
> works for you, I can at least narrow it down a bit and do some Google
> searches.  Do I need to learn Solr's plugin system?  Am I starting in the
> right place if I follow this document:
> https://lucene.apache.org/solr/guide/7_0/rule-based-authorization-plugin.html#rule-based-authorization-plugin
> 
> Initially, the above document seems far too comprehensive for my needs.  I
> just want to block access to the Solr admin UI, and the list of predefined
> permissions in that document don't seem to be relevant.  Also, it seems
> unlikely this plugin system is necessary just to control access to the
> admin UI... or maybe it is necessary?
> 
> In any case, what is your approach?
> 
> I'm using version 7.7.2 of Solr.
> 
> Thanks!


Re: How do *you* restrict access to Solr?

2020-03-16 Thread Nicolas Franck
IPtables seems like the way to go, at least for me.
Even if this basic-auth plugin works, you'll still have to
deal with denial-of-service attacks (although these can
also happen indirectly, by hitting the website that uses Solr).

> On 16 Mar 2020, at 15:44, Ryan W  wrote:
> 
> How do you, personally, do it?  Do you use IPTables?  Basic Authentication
> Plugin? Something else?
> 
> I'm asking in part so I'll have something to search for.  I don't know where
> I should begin, so I figured I would ask how others do it.
> 
> I haven't been able to find anything that works, so if you can tell me what
> works for you, I can at least narrow it down a bit and do some Google
> searches.  Do I need to learn Solr's plugin system?  Am I starting in the
> right place if I follow this document:
> https://lucene.apache.org/solr/guide/7_0/rule-based-authorization-plugin.html#rule-based-authorization-plugin
> 
> Initially, the above document seems far too comprehensive for my needs.  I
> just want to block access to the Solr admin UI, and the list of predefined
> permissions in that document don't seem to be relevant.  Also, it seems
> unlikely this plugin system is necessary just to control access to the
> admin UI... or maybe it is necessary?
> 
> In any case, what is your approach?
> 
> I'm using version 7.7.2 of Solr.
> 
> Thanks!



Re: How do *you* restrict access to Solr?

2020-03-16 Thread Susheel Kumar
Basic auth should help you get started:

https://lucene.apache.org/solr/guide/8_1/basic-authentication-plugin.html

On Mon, Mar 16, 2020 at 10:44 AM Ryan W  wrote:

> How do you, personally, do it?  Do you use IPTables?  Basic Authentication
> Plugin? Something else?
>
> I'm asking in part so I'll have something to search for.  I don't know where
> I should begin, so I figured I would ask how others do it.
>
> I haven't been able to find anything that works, so if you can tell me what
> works for you, I can at least narrow it down a bit and do some Google
> searches.  Do I need to learn Solr's plugin system?  Am I starting in the
> right place if I follow this document:
>
> https://lucene.apache.org/solr/guide/7_0/rule-based-authorization-plugin.html#rule-based-authorization-plugin
>
> Initially, the above document seems far too comprehensive for my needs.  I
> just want to block access to the Solr admin UI, and the list of predefined
> permissions in that document don't seem to be relevant.  Also, it seems
> unlikely this plugin system is necessary just to control access to the
> admin UI... or maybe it is necessary?
>
> In any case, what is your approach?
>
> I'm using version 7.7.2 of Solr.
>
> Thanks!
>
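
The Basic Authentication Plugin pointed to above stores each user as a salted hash in security.json. As an added example that is not from this thread or from the Solr project, the Python below mints such a credential (assuming Solr's scheme is base64(sha256(sha256(salt + password))) followed by base64(salt)), verifies a password against it, and writes a minimal security.json that rejects unauthenticated requests and limits the predefined "all" permission to an "admin" role, which covers the admin UI and the REST APIs behind it alike. The user name and password in it are constructed samples.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumption (added example, not Solr code): BasicAuthPlugin stores
# "base64(sha256(sha256(salt + password))) base64(salt)" per user.

def solr_password_hash(password: str, salt: bytes) -> str:
    """Return the two-part credential string for the given salt."""
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    outer = hashlib.sha256(inner).digest()
    return "%s %s" % (base64.b64encode(outer).decode("ascii"),
                      base64.b64encode(salt).decode("ascii"))

def make_credential(password: str) -> str:
    """Mint a credential with a fresh random 32-byte salt."""
    return solr_password_hash(password, secrets.token_bytes(32))

def verify_credential(password: str, stored: str) -> bool:
    """Check a password against a stored credential (constant-time compare)."""
    hashed, salt_b64 = stored.split(" ", 1)
    salt = base64.b64decode(salt_b64)
    expected = solr_password_hash(password, salt).split(" ", 1)[0]
    return hmac.compare_digest(hashed, expected)

def build_security_json(admin_user: str, admin_password: str) -> dict:
    """Minimal security.json: reject unauthenticated requests (blockUnknown)
    and grant the predefined 'all' permission only to the 'admin' role."""
    return {
        "authentication": {
            "blockUnknown": True,
            "class": "solr.BasicAuthPlugin",
            "credentials": {admin_user: make_credential(admin_password)},
        },
        "authorization": {
            "class": "solr.RuleBasedAuthorizationPlugin",
            "permissions": [{"name": "all", "role": "admin"}],
            "user-role": {admin_user: "admin"},
        },
    }

if __name__ == "__main__":
    # Constructed sample user/password; save the output as security.json in
    # $SOLR_HOME (standalone) or in ZooKeeper (SolrCloud) and restart Solr.
    print(json.dumps(build_security_json("solr", "SolrRocks"), indent=2))
```

Once the file is in place, the check that matters is an unauthenticated request to /solr/admin/ (or any API path) returning 401, not just the login prompt in the browser.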


Re: How do *you* restrict access to Solr?

2020-03-16 Thread David Hastings
Honestly?  I know this isn't what you're going to want to hear, but security
through obscurity.  No one else knows what port the server's on, and it's not
accessible from anything outside of the internal network.  If your Solr
install can be accessed from an external IP you have much larger issues.

On Mon, Mar 16, 2020 at 10:44 AM Ryan W  wrote:

> How do you, personally, do it?  Do you use IPTables?  Basic Authentication
> Plugin? Something else?
>
> I'm asking in part so I'll have something to search for.  I don't know where
> I should begin, so I figured I would ask how others do it.
>
> I haven't been able to find anything that works, so if you can tell me what
> works for you, I can at least narrow it down a bit and do some Google
> searches.  Do I need to learn Solr's plugin system?  Am I starting in the
> right place if I follow this document:
>
> https://lucene.apache.org/solr/guide/7_0/rule-based-authorization-plugin.html#rule-based-authorization-plugin
>
> Initially, the above document seems far too comprehensive for my needs.  I
> just want to block access to the Solr admin UI, and the list of predefined
> permissions in that document don't seem to be relevant.  Also, it seems
> unlikely this plugin system is necessary just to control access to the
> admin UI... or maybe it is necessary?
>
> In any case, what is your approach?
>
> I'm using version 7.7.2 of Solr.
>
> Thanks!
>


How do *you* restrict access to Solr?

2020-03-16 Thread Ryan W
How do you, personally, do it?  Do you use IPTables?  Basic Authentication
Plugin? Something else?

I'm asking in part so I'll have something to search for.  I don't know where
I should begin, so I figured I would ask how others do it.

I haven't been able to find anything that works, so if you can tell me what
works for you, I can at least narrow it down a bit and do some Google
searches.  Do I need to learn Solr's plugin system?  Am I starting in the
right place if I follow this document:
https://lucene.apache.org/solr/guide/7_0/rule-based-authorization-plugin.html#rule-based-authorization-plugin

Initially, the above document seems far too comprehensive for my needs.  I
just want to block access to the Solr admin UI, and the list of predefined
permissions in that document don't seem to be relevant.  Also, it seems
unlikely this plugin system is necessary just to control access to the
admin UI... or maybe it is necessary?

In any case, what is your approach?

I'm using version 7.7.2 of Solr.

Thanks!