[
https://issues.apache.org/jira/browse/SOLR-7236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14384536#comment-14384536
]
Shawn Heisey commented on SOLR-7236:
------------------------------------
bq. I am trying to understand why Solr wants to move away from being a web-app
running in a servlet-container. A servlet-container can deal with all of the
things you mention in a standardized way
Because as long as the network and HTTP are handled by software that is outside
of Solr, Solr has absolutely no ability to control it. Ideally, you should be
able to drop a configuration right in a handler definition (such as the one for
/select) found in solrconfig.xml, listing security credentials
(username/password, IP address, perhaps even certificate information) that you
are willing to accept for that handler, along with exceptions or credentials
that will allow SolrCloud inter-node communication to work.
Bringing the servlet container under our control as we did with 5.0 (with
initial work in 4.10) allows us to tell people how to configure the servlet
container for security in a predictable manner, but it is still not *Solr* and
its configuration that's controlling it.
> Securing Solr (umbrella issue)
> ------------------------------
>
> Key: SOLR-7236
> URL: https://issues.apache.org/jira/browse/SOLR-7236
> Project: Solr
> Issue Type: New Feature
> Reporter: Jan Høydahl
> Labels: Security
>
> This is an umbrella issue for adding security to Solr. The discussion here
> should discuss real user needs and high-level strategy, before deciding on
> implementation details. All work will be done in sub tasks and linked issues.
> Solr has not traditionally concerned itself with security. And It has been a
> general view among the committers that it may be better to stay out of it to
> avoid "blood on our hands" in this mine-field. Still, Solr has lately seen
> SSL support, securing of ZK, and signing of jars, and discussions have begun
> about securing operations in Solr.
> Some of the topics to address are
> * User management (flat file, AD/LDAP etc)
> * Authentication (Admin UI, Admin and data/query operations. Tons of auth
> protocols: basic, digest, oauth, pki..)
> * Authorization (who can do what with what API, collection, doc)
> * Pluggability (no user's needs are equal)
> * And we could go on and on but this is what we've seen the most demand for
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
