On 3/6/2018 2:08 PM, Terry Steichen wrote:
> Is it possible to run solr in a read-only directory?

Solr can be installed as a service on most operating systems other than
Windows.  A service installer script comes with the download.  It is
installed to run as an unprivileged user, "solr" by default.

The program directory (defaulting to /opt/solr-X.Y.Z, with a symlink at
/opt/solr pointing to the real directory) gets set up so it is owned by
root, so that directory *is* effectively read-only.

The "var dir" defaults to /var/solr and is fully writable by the solr
user.  The solr home defaults to /var/solr/data.

If you want the solr home to be read only, then you will need to turn
off all index locking in your solrconfig.xml files.  When locking is
enabled, which it is by default, Lucene *will* write to the index
directory at startup, and the index will fail to start if it's not able
to make that write.  On startup, it writes to a lockfile, not the index


Looks like the lockType "none" is not in the documentation, but I'm
pretty sure it's a value you can use.

I would strongly recommend *NOT* making the solr home read only,
*especially* if you're running in SolrCloud mode.

> The problem is that it's an all-or-nothing situation so everyone who's
> authorized access to the platform has, in effect, administrator
> privileges on solr.  I understand that authentication is coming, but
> that it isn't here yet.  (Or, to add complexity, I had to downgrade from
> 7.2.1 to 6.4.2 to overcome a new bug concerning indexing of eml files,
> and 6.4.2 definitely doesn't have authentication.)

Solr has authentication, and has had for a very long time.  Basic
authentication required SolrCloud when it became a workable feature in
5.3.  If you're running standalone mode instead of SolrCloud, then you
need version 6.5.0 to use the authentication plugin.  Is this what you
mean when you say that 6.4.2 doesn't have authentication?  One option
that you DO have with 6.4.2 (and a number of other earlier versions) is
to configure authentication with Kerberos.  But this is a lot more
involved than basic authentication.

If you are using Tika to index those emails, then you should not be
running Tika within Solr.  Eventually Tika is probably going to crash
when trying to read a document with a layout the authors have never seen
before, and when that happens, it'll take any other software (like Solr)
running in the same process down with it.

> Anyway, what I was wondering is if it might be possible to run solr not
> as me (the administrator), but as a user with lesser privileges so that
> no one who came through the SSH tunnel could (inadvertently or
> otherwise) screw up the indexes.

As of version 6.3, Solr will refuse to start if it's run as root,
without a special option to force it.  So this is already there.


I would definitely recommend installing the service so there is a
dedicated unprivileged user account for Solr.


Reply via email to