[jira] [Commented] (SOLR-7236) Securing Solr (umbrella issue)

Thu, 12 Mar 2015 02:56:35 -0700 

    [ 
https://issues.apache.org/jira/browse/SOLR-7236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14358401#comment-14358401
 ] 

Jan Høydahl commented on SOLR-7236:
-----------------------------------

There are multiple existing frameworks to simplify the task of abstracting 
security implementations in Java apps, among them are 
[JAAS|https://en.wikipedia.org/wiki/Java_Authentication_and_Authorization_Service]
 , [Spring Security|http://projects.spring.io/spring-security/] and [Apache 
Shiro|http://shiro.apache.org/]. They are created to do the hard and scary 
stuff, provide simple APIs for developers and also provide out of the box 
integrations with all the various protocols. We really don't want to maintain 
support for Kerberos etc in Solr-code.

Although any of these could probably do the job, I'm pitching Apache Shiro as 
the main API for all security related implementations in Solr. Without having 
used it, seems to be built just for this purpose. Solr users with some crazy 
legacy security system inhouse can write plugins for that to Shiro itself, 
instead of writing Solr code. http://shiro.apache.org/

> Securing Solr (umbrella issue)
> ------------------------------
>
>                 Key: SOLR-7236
>                 URL: https://issues.apache.org/jira/browse/SOLR-7236
>             Project: Solr
>          Issue Type: New Feature
>            Reporter: Jan Høydahl
>              Labels: Security
>
> This is an umbrella issue for adding security to Solr. The discussion here 
> should discuss real user needs and high-level strategy, before deciding on 
> implementation details. All work will be done in sub tasks and linked issues.
> Solr has not traditionally concerned itself with security. And It has been a 
> general view among the committers that it may be better to stay out of it to 
> avoid "blood on our hands" in this mine-field. Still, Solr has lately seen 
> SSL support, securing of ZK, and signing of jars, and discussions have begun 
> about securing operations in Solr.
> Some of the topics to address are
> * User management (flat file, AD/LDAP etc)
> * Authentication (Admin UI, Admin and data/query operations. Tons of auth 
> protocols: basic, digest, oauth, pki..)
> * Authorization (who can do what with what API, collection, doc)
> * Pluggability (no user's needs are equal)
> * And we could go on and on but this is what we've seen the most demand for



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

Reply via email to