On 3/6/2018 2:08 PM, Terry Steichen wrote:
> Is it possible to run solr in a read-only directory?

Solr can be installed as a service on most operating systems other than Windows. A service installer script comes with the download. It is installed to run as an unprivileged user, "solr" by default. The program directory (defaulting to /opt/solr-X.Y.Z, with a symlink at /opt/solr pointing to the real directory) gets set up so it is owned by root, so that directory *is* effectively read-only. The "var dir" defaults to /var/solr and is fully writable by the solr user. The solr home defaults to /var/solr/data.

If you want the solr home to be read only, then you will need to turn off all index locking in your solrconfig.xml files. When locking is enabled, which it is by default, Lucene *will* write to the index directory at startup, and the index will fail to start if it's not able to make that write. On startup, it writes to a lockfile, not the index itself.

https://lucene.apache.org/solr/guide/7_2/indexconfig-in-solrconfig.html#index-locks

Looks like the lockType "none" is not in the documentation, but I'm pretty sure it's a value you can use.

I would strongly recommend *NOT* making the solr home read only, *especially* if you're running in SolrCloud mode.

> The problem is that it's an all-or-nothing situation so everyone who's
> authorized access to the platform has, in effect, administrator
> privileges on solr. I understand that authentication is coming, but
> that it isn't here yet. (Or, to add complexity, I had to downgrade from
> 7.2.1 to 6.4.2 to overcome a new bug concerning indexing of eml files,
> and 6.4.2 definitely doesn't have authentication.)

Solr has authentication, and has had for a very long time. Basic authentication required SolrCloud when it became a workable feature in 5.3. If you're running standalone mode instead of SolrCloud, then you need version 6.5.0 to use the authentication plugin. Is this what you mean when you say that 6.4.2 doesn't have authentication?

One option that you DO have with 6.4.2 (and a number of other earlier versions) is to configure authentication with Kerberos. But this is a lot more involved than basic authentication.

If you are using Tika to index those emails, then you should not be running Tika within Solr. Eventually Tika is probably going to crash when trying to read a document with a layout the authors have never seen before, and when that happens, it'll take any other software (like Solr) running in the same process down with it.

> Anyway, what I was wondering is if it might be possible to run solr not
> as me (the administrator), but as a user with lesser privileges so that
> no one who came through the SSH tunnel could (inadvertently or
> otherwise) screw up the indexes.

As of version 6.3, Solr will refuse to start if it's run as root, without a special option to force it. So this is already there.

https://issues.apache.org/jira/browse/SOLR-9547

I would definitely recommend installing the service so there is a dedicated unprivileged user account for Solr.

Thanks,
Shawn
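
Added example, not part of the original message and not code from the Solr project: a small audit of the layout the reply describes, checking that the program directory is owned by root and that the var dir belongs to the service account and is writable by it. The function name, the `root_uid` parameter and the findings format are assumptions made for illustration; the paths and the "solr" account name are the defaults given in the message.

```python
import os
import stat


def _entries(top):
    """Yield top and everything below it, without following symlinks."""
    yield top
    for root, dirs, files in os.walk(top):
        for name in dirs + files:
            yield os.path.join(root, name)


def audit_solr_layout(install_dir, var_dir, solr_uid, root_uid=0):
    """Return a list of findings; an empty list means the layout matches."""
    findings = []

    # Program directory: resolve the /opt/solr symlink, then require every
    # entry to be owned by root and closed to "other" writes, so the service
    # account cannot modify Solr's own code or scripts.
    for path in _entries(os.path.realpath(install_dir)):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # permission bits on a symlink are not meaningful
        if st.st_uid != root_uid:
            findings.append(f"{path}: owner uid {st.st_uid}, expected {root_uid}")
        if st.st_mode & stat.S_IWOTH:
            findings.append(f"{path}: world-writable")

    # Var dir: must belong to the service account and be writable by it,
    # because Lucene writes a lockfile into the index directory at startup.
    st = os.stat(var_dir)
    if st.st_uid != solr_uid:
        findings.append(f"{var_dir}: owner uid {st.st_uid}, expected {solr_uid}")
    if not st.st_mode & stat.S_IWUSR:
        findings.append(f"{var_dir}: not writable by its owner")
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{var_dir}: world-writable")
    return findings


if __name__ == "__main__":
    import pwd

    # Default paths and account name as given in the message above.
    uid = pwd.getpwnam("solr").pw_uid
    for finding in audit_solr_layout("/opt/solr", "/var/solr", uid):
        print(finding)
```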