Terry,
On 3/6/18 4:08 PM, Terry Steichen wrote:
> Is it possible to run solr in a read-only directory?
>
> I'm running it just fine on an Ubuntu server which is accessible only through SSH tunneling. At the platform level, this is fine: only authorized users can access it (via a browser on their machine accessing a forwarded port).
>
> The problem is that it's an all-or-nothing situation so everyone who's authorized access to the platform has, in effect, administrator privileges on solr. I understand that authentication is coming, but that it isn't here yet. (Or, to add complexity, I had to downgrade from 7.2.1 to 6.4.2 to overcome a new bug concerning indexing of eml files, and 6.4.2 definitely doesn't have authentication.)
>
> Anyway, what I was wondering is if it might be possible to run solr not as me (the administrator), but as a user with lesser privileges so that no one who came through the SSH tunnel could (inadvertently or otherwise) screw up the indexes.

With shell access, the only protection you could provide would be through file-permissions.

But of course Solr will need to be read-write in order to build the index in the first place. So you'd probably have to run read-write at first, build the index (perhaps that's already been done in the past), then (possibly) restart in read-only mode.

Read-only can be achieved by simply revoking write-access to the data directories from the euid of the Solr process. Theoretically, you could switch from being read-write to read-only merely by changing file-permissions... no Solr restarts required.

I'm not sure if it matters to you very much, but a user can still do some damage to the index even if the "server" is read-only (through file-permissions): they can issue a batch of DELETE or ADD requests that will affect the in-memory copies of the index. It might be temporary, but it might require that you restart the Solr instance to get back to a sane state.

Hope that helps,
-chris
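
An added example, not part of the original message: a Python check that lists every path under a data directory that a given euid could still modify according to the POSIX mode bits, so the permission change described above can be verified before relying on it. The function names and the constructed temporary tree are assumptions; ACLs, root (which ignores mode bits) and read-only mounts are not considered.

```python
import os
import stat
import tempfile

def can_write(st, uid, gids):
    """Evaluate POSIX mode bits the way the kernel picks a class:
    owner first, then group, then other (uid 0 and ACLs are out of scope)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def writable_paths(root, uid, gids):
    """Return every path under root (root included) that uid may still modify."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    hits = []
    for p in paths:
        st = os.lstat(p)
        # A symlink's own mode is meaningless; its target is checked if in the tree.
        if not stat.S_ISLNK(st.st_mode) and can_write(st, uid, gids):
            hits.append(p)
    return sorted(hits)

def demo():
    """Constructed tree standing in for a Solr data directory (not real Solr data)."""
    with tempfile.TemporaryDirectory() as top:
        data = os.path.join(top, "data")
        index = os.path.join(data, "index")
        os.makedirs(index)
        segment = os.path.join(index, "segments_1")
        open(segment, "w").close()
        for p, mode in ((data, 0o755), (index, 0o755), (segment, 0o644)):
            os.chmod(p, mode)
        uid = os.lstat(segment).st_uid      # stands in for the Solr euid
        before = writable_paths(data, uid, set())
        for p in (segment, index, data):    # revoke write for all classes
            os.chmod(p, stat.S_IMODE(os.lstat(p).st_mode) & ~0o222)
        after = writable_paths(data, uid, set())
        for p in (data, index, segment):    # restore so cleanup can delete the tree
            os.chmod(p, stat.S_IMODE(os.lstat(p).st_mode) | stat.S_IWUSR)
        return len(before), len(after)

if __name__ == "__main__":
    print(demo())
```

An empty result from `writable_paths` covers only the on-disk files; as the message notes, requests sent to the running instance can still change the in-memory copies of the index.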