Where you want true Role-Based Access Control (RBAC) on each index (core or
collection), one solution is to buy Solr Enterprise from LucidWorks.

My personal practice is mostly dictated by financial decisions:

   - Each core/index has its configuration directory in a Git
   repository/branch where the Git repository software provides RBAC.
   - This relies on developers to keep a separate Solr for development, and
   then to check-in their configuration directory changes when they are
   satisfied with the changes. This is probably a best practice anyway :)
   - "Continuous Integration" pushes the Git configuration appropriately
   when a particular branch changes.
   - The main URL "/solr" has security provided by Apache httpd on port 80
   (a reverse proxy to http://localhost:8983/solr/)
   - That port is also open, secured by IP address, to other Solr nodes in
   the cluster.
   - The /select request Handler for each core/collection is reverse
   proxied to "/search/<corename>".
   - The Solr Admin UI uses an authentication/authorization handler such that
   only the "Search Administrators" group has access to it.

The security here relies on search developers not enabling "handleSelect"
in their solrconfig.xml. The security can also be extended by adding
security on reverse proxied URLs such as "/search/<corename>" and
"/update/<corename>" so that the client application needs to know some key,
or have access to an SSL private key file.

The downside is that only the "Search Administrators" group has access to the
QA or production Solr Admin UI.


On Mon, Apr 13, 2015 at 6:13 AM, Suresh Vanasekaran <
suresh_vanaseka...@infosys.com> wrote:

> Hi,
>
> We are having the solr index maintained in a central server and multiple
> users might be able to access the index data.
>
> May I know what are best practice for securing the solr index folder where
> ideally only application user should be able to access. Even an admin user
> should not be able to copy the data and use it in another schema.
>
> Thanks
>
>
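The reverse-proxy layout described in the reply above, written out as an added example httpd configuration (not from the original post or the Solr project). It assumes httpd 2.4 with mod_proxy, mod_proxy_http, mod_auth_basic, mod_authn_file and mod_authz_groupfile, a core named "products", and placeholder paths for the credential files; the "Search Administrators" group is spelled search-admins in the group file.

```apache
# Added example: Apache httpd front end for Solr on localhost:8983.
# Core name "products" and the credential file paths are placeholders.
<VirtualHost *:80>
    ServerName search.example.com

    ProxyRequests Off
    ProxyPreserveHost On

    # Public search endpoint: only the /select handler of one core is exposed.
    # This is only a boundary while handleSelect stays false in solrconfig.xml;
    # with handleSelect=true a "qt" parameter could pick a different handler.
    ProxyPass        /search/products http://localhost:8983/solr/products/select
    ProxyPassReverse /search/products http://localhost:8983/solr/products/select
    <Location /search/products>
        Require all granted
    </Location>

    # Indexing endpoint: the client application must present a credential.
    ProxyPass        /update/products http://localhost:8983/solr/products/update
    ProxyPassReverse /update/products http://localhost:8983/solr/products/update
    <Location /update/products>
        AuthType Basic
        AuthName "Solr indexer"
        AuthUserFile /etc/httpd/solr-indexers.htpasswd   # placeholder path
        Require valid-user
    </Location>

    # Admin UI and every other /solr path: only the search-admins group.
    # Group file format (mod_authz_groupfile): "search-admins: alice bob"
    ProxyPass        /solr http://localhost:8983/solr
    ProxyPassReverse /solr http://localhost:8983/solr
    <Location /solr>
        AuthType Basic
        AuthName "Solr administration"
        AuthUserFile  /etc/httpd/solr-users.htpasswd     # placeholder path
        AuthGroupFile /etc/httpd/solr-groups             # placeholder path
        Require group search-admins
    </Location>
</VirtualHost>
```

Port 8983 itself is not handled here; as the reply notes, it should be reachable only from the other Solr nodes, which is a host firewall or network ACL matter rather than an httpd one.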
