On 6/16/2019 10:43 PM, Felipe Gasper wrote:
> Does Solr do its own authentication, or does Jetty do that? One of the benefits
> of UNIX sockets is that the socket exposes the peer’s credentials, so
> Solr/Jetty could implement logic that says, “ah, you’re root? Cool, you’re in.”

As far as I know, when authentication is configured in Solr, Solr takes that config and uses the Servlet API to configure authentication, and then that is handled by the container. Which is Jetty, unless the user takes the webapp and installs it in another container.

> Ideally I’d like Solr/Jetty to be able to white-list any connection from a
> root-owned socket.

Solr typically runs as a non-privileged user. If the start script detects that it's running as root, it will refuse to start without an option to force it. We strongly recommend not running as root. About the only legitimate reason to run as root is to bind to a port number below 1025... and that is discouraged because Solr should never be accessible by the open Internet.

I'm sure that configuring a socket would be outside of Solr entirely -- all in Jetty. I don't know that any of the built-in Solr client stuff can use a socket, though -- that would likely need to be a custom client.

> D-Bus is an IPC mechanism that most (if not all) Linux distros--and several
> other OSes--run as a standard daemon. Notable uses include systemd and X-based
> applications, but any service can expose an interface on D-Bus. It would be an
> alternative to REST, one advantage of which being that Solr could send messages
> itself rather than merely answering requests.

I don't think Jetty can do that. Maybe another container can ... but you'd be in unsupported territory at that point. And you'd need to have a custom client for this too.

https://wiki.apache.org/solr/WhyNoWar

Thanks,
Shawn
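
The peer-credential check discussed in this thread, as an added example that is not part of the original message and is not Solr or Jetty code: on Linux, a server reads the kernel-reported pid/uid/gid of the process at the other end of a UNIX socket with `SO_PEERCRED` and applies a uid allow-list. The helper names (`peer_credentials`, `is_allowed`, `demo`) are hypothetical, and a `socketpair()` inside one process stands in for a real client connection.

```python
import os
import socket
import struct

# Linux-specific: struct ucred is three native ints (pid, uid, gid).
_UCRED = struct.Struct("3i")


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process at the other end of a UNIX socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)


def is_allowed(conn, allowed_uids=frozenset({0})):
    """Allow-list decision on the kernel-reported peer uid (default: root only).

    Hypothetical policy helper. Only AF_UNIX sockets carry peer credentials,
    so any other socket family is rejected rather than trusted.
    """
    if conn.family != socket.AF_UNIX:
        return False
    _pid, uid, _gid = peer_credentials(conn)
    return uid in allowed_uids


def demo():
    # Constructed sample: a connected pair created in this process, so the
    # "peer" seen by server_side is this process itself.
    server_side, client_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        pid, uid, gid = peer_credentials(server_side)
        return {
            "pid": pid,
            "uid": uid,
            "gid": gid,
            "root_only": is_allowed(server_side),
            # The kernel records the effective uid, so compare against geteuid().
            "self_allowed": is_allowed(server_side, frozenset({os.geteuid()})),
        }
    finally:
        server_side.close()
        client_side.close()


if __name__ == "__main__":
    print(demo())
```

The credentials are those the peer held when the connection was created, not at the time of each request, so a process that later drops privileges still appears with its original uid on that connection.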
