[ https://issues.apache.org/jira/browse/SOLR-7236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14386883#comment-14386883 ]
Shawn Heisey commented on SOLR-7236:
------------------------------------

I admit that I do not know what is possible when the servlet container is external to Solr, but I've heard that there are many things that we cannot do. One of the big ones is that we don't even know the port the container is listening on for our webapp, until we actually receive a request. SolrCloud needs this information before requests are received, so we have overrides we can use if the port is not 8983, Java doesn't detect the correct IP address, etc ... but they are separate config items from what actually configures the servlet container, so it's possible to get the config wrong.

Just taking the step of embedding Jetty into the application would give us far more capability and consistency than we currently have, but again I am ignorant of what kind of limitations we would face, and how that would compare to using Netty instead.

> Securing Solr (umbrella issue)
> ------------------------------
>
> Key: SOLR-7236
> URL: https://issues.apache.org/jira/browse/SOLR-7236
> Project: Solr
> Issue Type: New Feature
> Reporter: Jan Høydahl
> Labels: Security
>
> This is an umbrella issue for adding security to Solr. The discussion here
> should discuss real user needs and high-level strategy, before deciding on
> implementation details. All work will be done in sub tasks and linked issues.
> Solr has not traditionally concerned itself with security. And it has been a
> general view among the committers that it may be better to stay out of it to
> avoid "blood on our hands" in this mine-field. Still, Solr has lately seen
> SSL support, securing of ZK, and signing of jars, and discussions have begun
> about securing operations in Solr.
> Some of the topics to address are
> * User management (flat file, AD/LDAP etc)
> * Authentication (Admin UI, Admin and data/query operations. Tons of auth
> protocols: basic, digest, oauth, pki..)
> * Authorization (who can do what with what API, collection, doc)
> * Pluggability (no user's needs are equal)
> * And we could go on and on but this is what we've seen the most demand for

--
This message was sent by Atlassian JIRA (v6.3.4#6332)