[ https://issues.apache.org/jira/browse/SOLR-14014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17071695#comment-17071695 ]
Jason Gerlowski commented on SOLR-14014: ---------------------------------------- Thanks for putting a patch together for this Marcus. (To save others time, the patch uses {{-DenableAdminUI=true|false}} and defaults to "true".) My concern at this point though is that there was some disagreement about adding this improvement at all. I think Christine, Alexandre, Jan, Ishan, and myself were (y) for having some switch to enable/disable the Admin UI (with differences in what the default should be, ideal property name, etc.). But David seemed pretty against. He didn't leave an explicit veto, so we're not blocked if we want to move forward, strictly speaking. But for the sake of courtesy I'd like to check first whether he finds any of the discussion above persuasive, or feels strongly enough to veto. I tried to respond to some of his points above but wasn't sure what he thought. Tagging him now: [~dsmiley] > Allow Solr to start with Admin UI disabled > ------------------------------------------ > > Key: SOLR-14014 > URL: https://issues.apache.org/jira/browse/SOLR-14014 > Project: Solr > Issue Type: Improvement > Components: Admin UI, security > Affects Versions: master (9.0), 8.3.1 > Reporter: Jason Gerlowski > Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > Currently Solr always runs the Admin UI. With the history of XSS issues and > other security concerns that have been found in the Admin UI, Solr should > offer a mode where the Admin UI is disabled. Maybe, and this is a topic > that'll need some serious discussion, this should even be the default when > Solr starts. > NOTE: Disabling the Admin UI removes XSS and other attack vectors. But even > with the Admin UI disabled, Solr will still be inherently unsafe without > firewall protection on a public network. > *Proposed design:* > A java system property called *headless* will be used as an internal flag for > starting Solr in headless mode. This property will default to true. A java > property can be used at startup to set this flag to false. > Here is an example: > {code:java} > bin/solr start -Dheadless=false {code} > A message will be added following startup describing the mode. > In headless mode the following message will be displayed: > "solr is running in headless mode. The admin console is unavailable. To to > turn off headless mode and allow the admin console use the following > parameter startup parameter: > -Dheadless=false > > In non-headless mode the following message will be displayed: > "solr is running with headless mode turned off. The admin console is > available in this mode. Disabling the Admin UI removes XSS and other attack > vectors" > If a user attempts to access the admin console while Solr is in headless mode > it Solr will return 401 unauthorized. > -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org For additional commands, e-mail: issues-h...@lucene.apache.org