[ https://issues.apache.org/jira/browse/SOLR-7236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14384536#comment-14384536 ]
Shawn Heisey commented on SOLR-7236: ------------------------------------ bq. I am trying to understand why Solr wants to move away from being a web-app running in a servlet-container. A servlet-container can deal with all of the things you mention in a standardized way Because as long as the network and HTTP are handled by software that is outside of Solr, Solr has absolutely no ability to control it. Ideally, you should be able to drop a configuration right in a handler definition (such as the one for /select) found in solrconfig.xml, listing security credentials (username/password, IP address, perhaps even certificate information) that you are willing to accept for that handler, along with exceptions or credentials that will allow SolrCloud inter-node communication to work. Bringing the servlet container under our control as we did with 5.0 (with initial work in 4.10) allows us to tell people how to configure the servlet container for security in a predictable manner, but it is still not *Solr* and its configuration that's controlling it. > Securing Solr (umbrella issue) > ------------------------------ > > Key: SOLR-7236 > URL: https://issues.apache.org/jira/browse/SOLR-7236 > Project: Solr > Issue Type: New Feature > Reporter: Jan Høydahl > Labels: Security > > This is an umbrella issue for adding security to Solr. The discussion here > should discuss real user needs and high-level strategy, before deciding on > implementation details. All work will be done in sub tasks and linked issues. > Solr has not traditionally concerned itself with security. And It has been a > general view among the committers that it may be better to stay out of it to > avoid "blood on our hands" in this mine-field. Still, Solr has lately seen > SSL support, securing of ZK, and signing of jars, and discussions have begun > about securing operations in Solr. > Some of the topics to address are > * User management (flat file, AD/LDAP etc) > * Authentication (Admin UI, Admin and data/query operations. Tons of auth > protocols: basic, digest, oauth, pki..) > * Authorization (who can do what with what API, collection, doc) > * Pluggability (no user's needs are equal) > * And we could go on and on but this is what we've seen the most demand for -- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org