My favorite "other external firewall'ish technology" is just an Apache 
front-end reverse proxying to the Java servlet (such as Solr), with access 
controls in Apache. 

I haven't actually done it with Solr myself though, my Solr is behind a 
firewall accessed by trusted apps only. Be careful making your Solr viewable to 
the world, even behind an "other external firewall'ish technology."  There are 
several features in Solr you do NOT want to expose to the world (the ability to 
change the index in general, of which there are a variety of ways to do it in 
addition to the /update/csv handler, the straight /update handler. Also 
consider the replication commands -- the example Solr solrconfig.xml, at least, 
will allow an HTTP request that tells Solr to replicate from an arbitrarily 
specified 'master', definitely not something you'd want open to the world 
either!  There may be other examples too you might not think of at first.).  

My impression is that Solr is written assuming it will be safely ensconced 
behind a firewall and accessed by trusted applications only.  If you're not 
going to do this, you're going to have to be careful to make sure to lock down 
or remove a lot of things, /update/csv is just barely a start.  I don't know if 
anyone has analyzed and written up secure ways to do this -- it sounds like 
there would be interest for such since it keeps coming up on the list. 

Kind of personally curious _why_ it keeps coming up on the list so much. Is 
everyone trying to go into business vending Solr in the cloud to customers who 
will write their own apps, or are there some other less obvious (to me) use 
cases?

________________________________________
From: Erik Hatcher [erik.hatc...@gmail.com]
Sent: Sunday, January 23, 2011 1:47 PM
To: solr-user@lucene.apache.org
Subject: Re: filter update by IP

No.  SolrQueryRequest doesn't (currently) have access to the actual HTTP 
request coming in.  You'll need to do this either with a servlet filter and 
register it into web.xml or restrict it from some other external firewall'ish 
technology.

        Erik

On Jan 23, 2011, at 13:21 , Teebo wrote:

> Hi
>
> I would like to restrict access to /update/csv request handler
>
> Is there a ready to use UpdateRequestProcessor for that ?
>
>
> My first idea was to inherit from CSVRequestHandler and to overload
> public void handleRequest(SolrQueryRequest req, SolrQueryResponse rsp) {
>  // ...
>  // restrict by IP code
>  // ...
>  super.handleRequest(req, rsp);  // delegate to the parent handler
> }
>
> What do you think ?
>
> Regards,
> t.
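
The servlet-filter route suggested in the thread, sketched as an added example that is not code from the original posters or from Solr. It is default-deny, so /update, /update/csv, the replication handler and anything else need an allowlisted address; the class name, the `trustedIps` init-param and the `/select` public path are assumptions made for the example.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Example filter (not part of Solr): only PUBLIC_PATHS are open to untrusted clients. */
public class TrustedIpFilter implements Filter {
    // Assumed public query path; a multi-core setup would list "/<core>/select" instead.
    private static final Set<String> PUBLIC_PATHS = Collections.singleton("/select");
    private final Set<String> trusted = new HashSet<String>();

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // "trustedIps" is an init-param name chosen for this example, e.g. "127.0.0.1,10.0.0.5".
        String param = cfg.getInitParameter("trustedIps");
        if (param == null || param.trim().isEmpty()) {
            throw new ServletException("trustedIps init-param is required"); // fail closed
        }
        for (String ip : param.split(",")) {
            trusted.add(ip.trim());
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Container-decoded path, so percent-encoded spellings of a handler name still match.
        String path = http.getServletPath();
        if (http.getPathInfo() != null) {
            path += http.getPathInfo();
        }
        // Exact match on the public list; every other path needs a trusted source address.
        if (!PUBLIC_PATHS.contains(path) && !trusted.contains(req.getRemoteAddr())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Register it in web.xml with a filter-mapping placed ahead of Solr's own filter so it runs first. When a reverse proxy sits in front, getRemoteAddr() returns the proxy's address, so the client-IP rule then has to be enforced at the proxy.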
