> On Jun 15, 2019, at 1:50 PM, Shawn Heisey <apa...@elyograg.org> wrote:
> 
> On 6/15/2019 9:15 AM, Felipe Gasper wrote:
>>      Has it ever been proposed to have Solr listen on a UNIX socket or D-Bus 
>> rather than TCP?
>>      This would alleviate the need for local Solr integrations (e.g., 
>> Dovecot) to store “dummy” credentials, and it would tighten security by 
>> eliminating the possibility for those credentials to be stolen.
> 
> Since Solr is currently a webapp and doesn't have any networking code, that 
> would have to be implemented by the container, which is currently Jetty.
> 
> It looks like Jetty does have an option that implements UNIX sockets. Using 
> it would require adding at least one jar to Jetty (in server/lib), and might 
> require adding other files to enable the module.  By adding the necessary 
> bits and configuring it correctly, you could enable listening on a socket in 
> your setup.  You might need to ask the jetty mailing list for help with 
> exactly what needs to be added.

Cool!

Does Solr do its own authentication, or does Jetty do that? One of the benefits 
of UNIX sockets is that the socket exposes the peer’s credentials, so 
Solr/Jetty could implement logic that says, “ah, you’re root? Cool, you’re in.”

Ideally I’d like Solr/Jetty to be able to white-list any connection from a 
root-owned socket.

> I do not see the word "bus" on the documentation page for Jetty connectors 
> ... if d-bus is different than UNIX sockets, that might not be possible.

D-Bus is an IPC mechanism that most (if not all) Linux distros--and several 
other OSes--run as a standard daemon. Notable uses include systemd and X-based 
applications, but any service can expose an interface on D-Bus. It would be an 
alternative to REST, one advantage of which being that Solr could send messages 
itself rather than merely answering requests.

-F
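
The peer-credential check discussed in this message, as an added example that is not part of the original thread and is not Solr or Jetty code: a Linux-only Python listener that reads `SO_PEERCRED` from an accepted UNIX-socket connection and answers based on the peer's UID. The function names, the UID allow-list and the socket path are assumptions made for illustration.

```python
import os
import socket
import struct
import tempfile
import threading

# Linux struct ucred layout: pid_t pid, uid_t uid, gid_t gid.
UCRED = struct.Struct("iII")

def peer_credentials(conn):
    """Return (pid, uid, gid) of the peer, as recorded by the kernel at connect() time."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    return UCRED.unpack(raw)

def serve_once(listener, allowed_uids):
    """Accept one connection and decide on the peer's UID alone; no password is exchanged."""
    conn, _ = listener.accept()
    with conn:
        _pid, uid, _gid = peer_credentials(conn)
        # The UID comes from the kernel, not from anything the client sent.
        conn.sendall(b"OK" if uid in allowed_uids else b"DENIED")

def demo(allowed_uids):
    """Listen on a socket in a private (0700) temp directory, connect once, return the reply."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.sock")  # constructed path for this example
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as listener:
            listener.bind(path)
            listener.listen(1)
            t = threading.Thread(target=serve_once, args=(listener, allowed_uids))
            t.start()
            with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
                client.connect(path)
                with client.makefile("rb") as f:
                    reply = f.read()  # read until the server closes the connection
            t.join()
    return reply

if __name__ == "__main__":
    me = os.getuid()
    print(demo({0, me}))  # root or the current user may connect
    print(demo({0}))      # root only
```

Because the check relies on kernel-recorded credentials, it only holds for local UNIX-socket connections; the permissions on the socket's directory still decide who can reach the listener at all.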
