[
https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14661360#comment-14661360
]
Upayavira commented on SOLR-7896:
---------------------------------
Given we have a new auth framework, and SSL support, this is do-able. I've not
yet played with, nor needed to play with, either.
The benefit of discussing on the User list first, as Erick suggests, is to get
more of an understanding of the use-cases you are looking at before we decide
on an approach to solving them.
Erick is right - Solr is not something that has traditionally been placed
outside a firewall, because, well, it hasn't offered features that would allow
that. This is starting to change, and I think auth on the admin UI would be a
good thing, although I'm not yet in a position to work on it.
Therefore, I'm inclined to re-open, even if I'm aware it'd take me some time to
get around to it.
> Solr Administrative Interface Lacks Password Protection
> -------------------------------------------------------
>
> Key: SOLR-7896
> URL: https://issues.apache.org/jira/browse/SOLR-7896
> Project: Solr
> Issue Type: Bug
> Components: security, web gui
> Affects Versions: 5.2.1
> Reporter: Aaron Greenspan
> Priority: Critical
>
> Out of the box, the Solr interface should require an administrative password
> that the user is required to set. Apparently there are ways of configuring
> Jetty to do this with HTTP AUTH or whatever. I'm a moderately experienced
> Linux admin and a programmer; I've tried, numerous times, and I've not once
> been able to get it to work. The point is this, though:
> *No one should have to try to get their Solr instance to support password
> authentication and preferably SSL (even if it's just with a self-signed
> certificate). Solr is designed to store huge amounts of data and is therefore
> a likely target for malicious users.*
> This needs to be addressed! It's 2015 and Solr is on version 5!
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)