On Mon, Mar 16, 2020 at 11:40 AM Walter Underwood <wun...@wunderwood.org> wrote:
> Also, even if you prevent access to the admin UI, a request to /update can
> delete all the content. It is really easy. This Gist shows how.
>
> https://gist.github.com/nz/673027/313f70681daa985ea13ba33a385753aef951a0f3

This seems important. In other words, my work isn't necessarily done if I've
secured the graphical UI. I can't just visit the admin UI page to see if my
efforts are successful.

> wunder
> Walter Underwood
> wun...@wunderwood.org
> http://observer.wunderwood.org/ (my blog)
>
> > On Mar 16, 2020, at 8:20 AM, David Hastings <hastings.recurs...@gmail.com> wrote:
> >
> > master slave is the idea that you have an indexing server you do all
> > indexing to and a search server that replicates the index, to deliver the
> > results etc. if you keep the indexer separate you can tune it differently
> > as well as protect the data. also means you can remove the delete/update
> > request handlers from the slave/searcher
> >
> > yes security by obscurity isn't ideal, but the overhead of adding
> > authentication to requests i find unnecessary,
> >
> > On Mon, Mar 16, 2020 at 11:16 AM Ryan W <rya...@gmail.com> wrote:
> >
> >> On Mon, Mar 16, 2020 at 11:09 AM Walter Underwood <wun...@wunderwood.org>
> >> wrote:
> >>
> >>> What access do you want to prevent? How do you prefer to authenticate?
> >>> How do you manage users or roles? Master/slave or Solr Cloud?
> >>
> >> I want to prevent access to the admin UI.
> >>
> >> I don't want to manage users or roles, preferably. I have only one user:
> >> staff. I want to prevent the public from accessing the admin UI. I'd be
> >> happy if I could set an IP address whitelist... especially if I don't have
> >> to learn a new framework (which I will never use for any other purpose) to
> >> do it.
> >>
> >> I don't know what master/slave is. These are new concepts that weren't
> >> required to secure Solr prior to 7x, and this is my first project using a
> >> version after 6x.
> >>
> >> Thanks!
> >>
> >>> wunder
> >>> Walter Underwood
> >>> wun...@wunderwood.org
> >>> http://observer.wunderwood.org/ (my blog)
> >>>
> >>>> On Mar 16, 2020, at 7:44 AM, Ryan W <rya...@gmail.com> wrote:
> >>>>
> >>>> How do you, personally, do it? Do you use IPTables? Basic Authentication
> >>>> Plugin? Something else?
> >>>>
> >>>> I'm asking in part so I'll have something to search for. I don't know
> >>>> where I should begin, so I figured I would ask how others do it.
> >>>>
> >>>> I haven't been able to find anything that works, so if you can tell me
> >>>> what works for you, I can at least narrow it down a bit and do some
> >>>> Google searches. Do I need to learn Solr's plugin system? Am I starting
> >>>> in the right place if I follow this document:
> >>>>
> >>>> https://lucene.apache.org/solr/guide/7_0/rule-based-authorization-plugin.html#rule-based-authorization-plugin
> >>>>
> >>>> Initially, the above document seems far too comprehensive for my needs.
> >>>> I just want to block access to the Solr admin UI, and the list of
> >>>> predefined permissions in that document doesn't seem to be relevant.
> >>>> Also, it seems unlikely this plugin system is necessary just to control
> >>>> access to the admin UI... or maybe it is necessary?
> >>>>
> >>>> In any case, what is your approach?
> >>>>
> >>>> I'm using version 7.7.2 of Solr.
> >>>>
> >>>> Thanks!
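
Added example, not part of the original thread: a read-only check, meant to be run from a machine that should not have access, that tests the /update handler as well as the admin UI, since blocking the UI alone leaves /update open. The core name `mycore`, the default base URL and the verdict labels are assumptions made for this sketch.

```python
import sys
import urllib.error
import urllib.request

# Placeholder core name (assumption); replace with a core on your own server.
CORE = "mycore"
# Only plain GETs with no body and no update parameters: nothing is modified.
PATHS = {
    "admin UI": "/solr/",
    "system info": "/solr/admin/info/system?wt=json",
    "update handler": f"/solr/{CORE}/update",
}

def http_status(url, timeout=5):
    """Return the HTTP status of an unauthenticated GET, or None if no connection."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 4xx/5xx still mean the server answered
        return err.code
    except (urllib.error.URLError, OSError):  # refused, filtered, timed out
        return None

def classify(status):
    """Map a status code to a verdict from the point of view of an outsider."""
    if status is None:
        return "unreachable"   # firewall / IP allowlist is doing its job
    if status in (401, 403):
        return "denied"        # server reachable, but access control answered
    if status == 404:
        return "not-found"     # inconclusive: check the core name
    return "EXPOSED"           # handler processed the request (even a 400 counts)

def audit(base_url, fetch=http_status):
    """Check every path in PATHS and return {name: verdict}."""
    base = base_url.rstrip("/")
    return {name: classify(fetch(base + path)) for name, path in PATHS.items()}

if __name__ == "__main__":
    results = audit(sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8983")
    for name, verdict in results.items():
        print(f"{name:15} {verdict}")
    sys.exit(1 if "EXPOSED" in results.values() else 0)
```

A result of "denied" for the admin UI next to "EXPOSED" for the update handler is exactly the situation described above: the UI looks secured while write requests are still accepted.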