[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14661410#comment-14661410 ]
Shawn Heisey commented on SOLR-7896:
------------------------------------
Regarding SSL on by default ... while this would provide some security out of
the box, it annoys me when I try to connect to a web interface and I am
immediately greeted by a security warning regarding a certificate that doesn't
validate. An experienced user knows that it is safe to ignore that warning and
proceed anyway, but a beginner may misinterpret what their browser is telling
them, decide that Solr has security problems, and go looking for a different
solution.
I would rather present an insecure interface out of the box so that a new user
can *immediately* see that their install is operational. I'd be OK with a
warning box on every page telling the user that they should enable SSL, as long
as it could be removed with a config change. Turning on SSL should be very
easy for a novice to do. Another piece that must be straightforward is the
installation of a custom certificate that the user might get from a public CA,
and any required intermediate certificates.
As already mentioned, we have a framework for authentication coming in 5.3.
Once we are sure it's stable and effective, turning on authentication for the
admin UI by default would be a good idea. The out-of-the-box credentials
should be easy to locate on our website, in the first few pages of the
documentation, and one or more of the .txt files included in the download.
> Solr Administrative Interface Lacks Password Protection
> -------------------------------------------------------
>
> Key: SOLR-7896
> URL: https://issues.apache.org/jira/browse/SOLR-7896
> Project: Solr
> Issue Type: Bug
> Components: security, web gui
> Affects Versions: 5.2.1
> Reporter: Aaron Greenspan
> Priority: Critical
>
> Out of the box, the Solr interface should require an administrative password
> that the user is required to set. Apparently there are ways of configuring
> Jetty to do this with HTTP AUTH or whatever. I'm a moderately experienced
> Linux admin and a programmer; I've tried, numerous times, and I've not once
> been able to get it to work. The point is this, though:
> *No one should have to try to get their Solr instance to support password
> authentication and preferably SSL (even if it's just with a self-signed
> certificate). Solr is designed to store huge amounts of data and is therefore
> a likely target for malicious users.*
> This needs to be addressed! It's 2015 and Solr is on version 5!
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)