[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14708990#comment-14708990 ]

Jan Høydahl commented on SOLR-7896:
-----------------------------------

bq. I would rather present an insecure interface out of the box so that a new 
user can immediately see that their install is operational. I'd be OK with a 
warning box on every page telling the user that they should enable SSL, as long 
as it could be removed with a config change. Turning on SSL should be very easy 
for a novice to do.

+1

bq. turning on authentication for the admin UI by default would be a good idea. 
The out-of-the-box credentials should be easy to locate on our website, in the 
first few pages of the documentation, and one or more of the .txt files 
included in the download.

-0

Perhaps not by default; it would make the simplest tutorial unnecessarily 
complicated. And it would only work for cloud anyway. How about adding some 
warnings to Admin UI in cloud mode if authentication is not enabled and another 
warning if it is enabled with ootb passwords? And we could add an {{-auth}} 
flag to {{/bin/solr -e cloud}} to optionally start the cloud example with basic 
auth enabled...

> Solr Administrative Interface Lacks Password Protection
> -------------------------------------------------------
>
>                 Key: SOLR-7896
>                 URL: https://issues.apache.org/jira/browse/SOLR-7896
>             Project: Solr
>          Issue Type: Bug
>          Components: security, web gui
>    Affects Versions: 5.2.1
>            Reporter: Aaron Greenspan
>            Priority: Critical
>
> Out of the box, the Solr interface should require an administrative password 
> that the user is required to set. Apparently there are ways of configuring 
> Jetty to do this with HTTP AUTH or whatever. I'm a moderately experienced 
> Linux admin and a programmer; I've tried, numerous times, and I've not once 
> been able to get it to work. The point is this, though:
> *No one should have to try to get their Solr instance to support password 
> authentication and preferably SSL (even if it's just with a self-signed 
> certificate). Solr is designed to store huge amounts of data and is therefore 
> a likely target for malicious users.*
> This needs to be addressed! It's 2015 and Solr is on version 5!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
