ctargett commented on a change in pull request #635: SOLR-13371 improve security chapters in refguide URL: https://github.com/apache/lucene-solr/pull/635#discussion_r291791708
########## File path: solr/solr-ref-guide/src/securing-solr.adoc ########## 
@@ -17,18 +17,44 @@ // specific language governing permissions and limitations // under the License. -When planning how to secure Solr, you should consider which of the available features or approaches are right for you. - -* Authentication or authorization of users using: -** <<kerberos-authentication-plugin.adoc#kerberos-authentication-plugin,Kerberos Authentication Plugin>> -** <<basic-authentication-plugin.adoc#basic-authentication-plugin,Basic Authentication Plugin>> -** <<rule-based-authorization-plugin.adoc#rule-based-authorization-plugin,Rule-Based Authorization Plugin>> -** <<authentication-and-authorization-plugins.adoc#authentication-and-authorization-plugins,Custom authentication or authorization plugin>> -* <<enabling-ssl.adoc#enabling-ssl,Enabling SSL>> -* If using SolrCloud, <<zookeeper-access-control.adoc#zookeeper-access-control,ZooKeeper Access Control>> -* <<audit-logging.adoc#audit-logging,Audit logging>> for recording an audit trail - [WARNING] ==== No Solr API, including the Admin UI, is designed to be exposed to non-trusted parties. Tune your firewall so that only trusted computers and people are allowed access. Because of this, the project will not regard e.g., Admin UI XSS issues as security vulnerabilities. However, we still ask you to report such issues in JIRA. ==== + +When planning how to secure Solr, you should consider which of the available features or approaches are right for you: + +=== Encryption with TLS (SSL) certificates + +Ecrypting traffic to/from Solr and between Solr nodes prevents sensitive data to be leaked out on the network. TLS is also normally a requirement to prevent credential sniffing when using Authentication. + +See the page <<enabling-ssl.adoc#enabling-ssl,Enabling TLS (SSL)>> for details. 
+ +=== Authentication, Authorization and Audit logging + +See chapter <<authentication-and-authorization-plugins.adoc#authentication-and-authorization-plugins,Configuring Authentication, Authorization and Auditlogging plugins>> to learn how to work with the `security.json` file.

Review comment: This is an example of the inconsistency I mentioned in my comment on the `authentication-and-authorization-plugins.adoc` page. The title of the section uses "Audit logging", but right below it the link to the page uses "Auditlogging".
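Review bot: The new TLS paragraph in this hunk has a typo and a grammar slip that should be fixed before merge: "Ecrypting traffic to/from Solr and between Solr nodes prevents sensitive data to be leaked out on the network" should read "Encrypting traffic to/from Solr and between Solr nodes prevents sensitive data from being leaked on the network". The same paragraph's "when using Authentication" does not need the capital. On content, the removed bullet list pointed SolrCloud users at the ZooKeeper Access Control page, and the visible part of the hunk carries over only the TLS and authentication/authorization links; if the ZooKeeper pointer is not restored further down in the same file, it should be added back, since an unsecured ZooKeeper ensemble undermines the Solr-side controls this page describes. Finally, pick one spelling for the audit feature (the section heading says "Audit logging", the link text says "Auditlogging") and use it consistently across the linked pages.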