[ https://issues.apache.org/jira/browse/SOLR-13442?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ishan Chattopadhyaya updated SOLR-13442: ---------------------------------------- Description: With lots and lots of out of the box features come the possibility of security vulnerabilities. A managed / hosted Solr cluster should have only minimal functionality turned on. Through this issue, we'd like to explore the possibility of starting up Solr such that just basic cloud based indexing and querying works (under basic auth), and fancy stuff like the following be turned off (maybe by a startup parameter): # Tika # DIH # Funky shards parameter usage (unless specific to implicit routing) # HDFS # Streaming expressions # non whitelisted function queries (with a whitelist of only few that are essential) # configset upload # blob store # etc. The motivation of this work is to have a public facing minimal Solr that is bullet proof, secure against external exposure (with the help of basic auth and rule based authorization). was: With lots and lots of out of the box features come the possibility of security vulnerabilities. A managed / hosted Solr cluster should have only minimal functionality turned on. Through this issue, I plan to explore the possibility of starting up Solr such that just basic cloud based indexing and querying works (under basic auth), and fancy stuff like the following be turned off (maybe by a startup parameter): # Tika # DIH # Funky shards parameter usage (unless specific to implicit routing) # HDFS # Streaming expressions # non whitelisted function queries (with a whitelist of only few that are essential) # configset upload # blob store # etc. My motivation is to have a public facing minimal Solr that is bullet proof secure against external exposure (with the help of basic auth and rule based authorization). > Safe mode with minimal functionality > ------------------------------------ > > Key: SOLR-13442 > URL: https://issues.apache.org/jira/browse/SOLR-13442 > Project: Solr > Issue Type: Task > Security Level: Public(Default Security Level. Issues are Public) > Reporter: Ishan Chattopadhyaya > Priority: Major > > With lots and lots of out of the box features come the possibility of > security vulnerabilities. A managed / hosted Solr cluster should have only > minimal functionality turned on. > Through this issue, we'd like to explore the possibility of starting up Solr > such that just basic cloud based indexing and querying works (under basic > auth), and fancy stuff like the following be turned off (maybe by a startup > parameter): > # Tika > # DIH > # Funky shards parameter usage (unless specific to implicit routing) > # HDFS > # Streaming expressions > # non whitelisted function queries (with a whitelist of only few that are > essential) > # configset upload > # blob store > # etc. > The motivation of this work is to have a public facing minimal Solr that is > bullet proof, secure against external exposure (with the help of basic auth > and rule based authorization). -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org