: We should have a good notice in the config warning people to have some
: security running before enabling streaming.
yeah ... you had me convinced of that before, but i'm leaning more
towards yonik's point now: Solr has a lot of inherent trust to anyone
that can hit it directly. if/when we allow the list of RequestParsers to
be configurable in solrconfig.xml, then the STREAM_URL support could be
another RequestParser that they either refer to directly, or register
as a "hook" on other RequestParsers.
In the meantime though: having that option might mislead people to a
false sense of security.
With no security and no streaming, the worst that can happen (i think)
is that anyone can trash your database. That's obviously bad, but for
many people who just install the thing and don't have any real data in
it yet, that is fine. While you evaluate solr, you don't really need
security. (correct me if i'm wrong)
Now if we add streaming to the mix, anyone from anywhere can see any
file on your system. (Assuming the example solrconfig.xml includes
the dump handler) With multipart upload it is easy to upload an
enormous .exe to solr. I think the potential problems opened up by
streaming and multi-part upload deserve *some* special treatment.