I imagine that some users have build custom UIs to manage stopwords or synonyms over REST instead of having to copy files to Solr or Zookeeper. Question is whether to try improve the security of the APIs, or disable them by default and document the limitations related to using them, which could be tradeoff for users to make until we come up with a better set of APIs to replace it?
Jan > 14. aug. 2020 kl. 09:32 skrev Matthias Krueger <m...@mkr.io>: > > > > As authentication is plugged into the SolrDispatchFilter I would assume that > you would need to be authenticated to read/write Managed Resources but no > authorization is checked (i.e. any authenticated user can read/write them), > correct? > > Anyway, I came across Managed Resources in at least two scenarios: > > The LTR plugin is using them for updating model/features. > I use MangedResource#StorageIO and its implementations as a convenient way to > abstract away the underlying config storage when creating plugins that need > to support both, SolrCloud and Solr Standalone. > IMO an abstraction that allows distributing configuration (ML models, > configuration snippets, external file fields...) that exceeds the typical ZK > size limits to SolrCloud while also supporting Solr Standalone would be nice > to have. > > Matt > > > > On 12.08.20 02:08, Noble Paul wrote: >> The end point is served by restlet. So, your rules are not going to be >> honored. The rules work only if it is served by a Solr request handler >> >> On Wed, Aug 12, 2020, 12:46 AM Jason Gerlowski <gerlowsk...@gmail.com >> <mailto:gerlowsk...@gmail.com>> wrote: >> Hey Noble, >> >> Can you explain what you mean when you say it's not secured? Just for >> those of us who haven't been following the discussion so far? On the >> surface of things users taking advantage of our RuleBasedAuth plugin >> can secure this API like they can any other HTTP API. Or are you >> talking about some other security aspect here? >> >> Jason >> >> On Tue, Aug 11, 2020 at 9:55 AM Noble Paul <noble.p...@gmail.com >> <mailto:noble.p...@gmail.com>> wrote: >> > >> > Hi all, >> > The end-point for Managed resources is not secured. So it needs to be >> > fixed/eliminated. >> > >> > I would like to know what is the level of adoption for that feature >> > and if it is a critical feature for users. >> > >> > Another possibility is to offer a replacement for the feature using a >> > different API >> > >> > Your feedback will help us decide on what a potential solution should be >> > >> > -- >> > ----------------------------------------------------- >> > Noble Paul
