On 3/26/2015 3:38 PM, Oded Sofer wrote:
> There are many blogs discussing this issue but it is hard to find if someone
> had managed to resolve that.
> We have many nodes in the SolrCloud, implementing the iptable restriction
> will fill the iptable with many rules that will affect performance.
> We are using 4.3.10, on Tomcat 5.

Because Solr is a webapp, it relies on software outside itself to provide network and protocol (HTTP) communication. In your case, that software is Tomcat. For others, it is Jetty, JBoss, Weblogic, or one of several other possibilities. This means that there are many things that are impossible (or extremely difficult) for Solr to handle within its own code. Security is one of them.

This is one of the major reasons that Solr will become a true application at some point in the future. When Solr can control the network and the HTTP server, we will be able to restrict access to the admin UI separately from access to the query interface, the update interface, replication, etc.

As far as your iptables rule list ... are your Solr servers contained within discrete IP address blocks that could be added to the rule list as subnets instead of individual addresses? Ideally you will handle complicated access controls on edge firewalls or as ACLs on internal routing devices, not at the host level.

Thanks,
Shawn
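
The subnet suggestion above, as an added example that is not part of the original message or of Solr: it collapses a node list into the exact covering CIDR blocks, emits one iptables rule per block, and counts how many non-node addresses a hand-picked wider subnet would let in. The node addresses are constructed (documentation ranges), port 8080 is an assumption (Tomcat's default connector; the thread does not state it), and all function names are hypothetical.

```python
import ipaddress

SOLR_PORT = 8080  # assumption: Tomcat default HTTP port, not given in the thread

# Constructed sample node list (RFC 5737 documentation ranges), 19 hosts.
NODES = [f"192.0.2.{i}" for i in range(16, 32)] + [
    "198.51.100.7", "198.51.100.8", "198.51.100.9"]

def aggregate(addresses):
    """Smallest set of CIDR blocks covering exactly these hosts, no others."""
    hosts = {ipaddress.ip_address(a) for a in addresses}
    nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(str(h)) for h in hosts))
    # Invariant check: aggregation must never widen access beyond the nodes.
    if sum(n.num_addresses for n in nets) != len(hosts):
        raise ValueError("aggregated blocks do not match the host list")
    return nets

def over_admitted(block, addresses):
    """Addresses inside a proposed block that are NOT known Solr nodes."""
    net = ipaddress.ip_network(block)
    known = {a for a in map(ipaddress.ip_address, addresses) if a in net}
    return net.num_addresses - len(known)

def iptables_rules(nets, port=SOLR_PORT):
    """One ACCEPT per block, then a DROP for everything else on the port."""
    rules = [f"iptables -A INPUT -p tcp -s {n} --dport {port} -j ACCEPT"
             for n in nets]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules

if __name__ == "__main__":
    blocks = aggregate(NODES)
    print(f"{len(NODES)} hosts -> {len(blocks)} source blocks")
    for rule in iptables_rules(blocks):
        print(rule)
    # A rounded-up subnet is shorter to write but admits non-node hosts.
    print("198.51.100.0/28 would admit",
          over_admitted("198.51.100.0/28", NODES), "non-node addresses")
```
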