Well, there's a difference between disabling the UI and disabling the
API. The UI can be disabled (I think) by deleting the contents of
server/solr-webapp/webapp (leaving behind the WEB-INF directory). But
really, all that is doing is hiding a heap of code that is public
already.

As has been said, it is the APIs that that UI (which is just
HTML/CSS/JS) uses that really need to be protected. Without these, they
don't really tell the user much (except, perhaps, if they really look
and changes have been made to the UI, which version of Solr is in use).

Personally, I'd rather the authentication framework be able to prevent
access to the HTML/CSS/JS, as this is what users expect of a UI. Hiding
the API is needed for security, hiding the UI is valuable in terms of
user experience - e.g. what does a user see if the API is blocked?
Probably a heap of nasty exceptions.

Upayavira

On Mon, Oct 5, 2015, at 07:38 PM, Walter Underwood wrote:
> You understand that disabling the admin API will leave you with an
> unmaintainable Solr installation, right? You might not even be able to
> diagnose the problem.
> 
> wunder
> Walter Underwood
> wun...@wunderwood.org
> http://observer.wunderwood.org/  (my blog)
> 
> > On Oct 5, 2015, at 11:34 AM, Siddhartha Singh Sandhu <sandhus...@gmail.com> 
> > wrote:
> > 
> > Help please?
> > 
> > On Sun, Oct 4, 2015 at 5:07 PM, Siddhartha Singh Sandhu <
> > sandhus...@gmail.com> wrote:
> > 
> >> Hi Shawn and Andrew,
> >> 
> >> I am on the same page with you guys about the ssh authentication and communicating
> >> with the APIs that SOLR has to provide. I simply don't want the GUI as it
> >> is nobody will be able to access it once I set the policy on my server
> >> except for servers in the same network. Also, now that we are on that
> >> issue, do SOLR URLs have checks to guard against penetration attacks as
> >> the "prod setup" guide is so openly available?
> >> 
> >> Regards,
> >> Sid.
> >> 
> >> On Sun, Oct 4, 2015 at 4:55 AM, Andrea Open Source <
> >> andrearoggerone.o...@gmail.com> wrote:
> >> 
> >>> Hi,
> >>> As Shawn is saying, disabling the Admin interface is not the right way to
> >>> go. If you just disable the admin interface users could still run queries
> >>> and you don't want that. The solution that you're looking for, is enabling
> >>> the ssh authentication so only the users with the right certificate can
> >>> query Solr or reach the admin.
> >>> 
> >>> 
> >>> Kind Regards,
> >>> Andrea Roggerone
> >>> 
> >>>> On 04/Oct/2015, at 08:11, Shawn Heisey <apa...@elyograg.org> wrote:
> >>>> 
> >>>>> On 10/3/2015 9:17 PM, Siddhartha Singh Sandhu wrote:
> >>>>> I want to disable the admin interface in SOLR. I understand that
> >>>>> authentication is available in the solrcloud mode but until that happens I
> >>>>> want to disable the admin interface in my prod environment.
> >>>>> 
> >>>>> How can I do this?
> >>>> 
> >>>> Why do you need to disable the admin interface?  The admin interface is
> >>>> just a bunch of HTML, CSS, and Javascript.  It downloads code that runs
> >>>> inside your browser and turns it into a tool that can manipulate Solr.
> >>>> 
> >>>> The parts of Solr that need protecting are the APIs that the admin
> >>>> interface calls.  When authentication is enabled in the newest Solr
> >>>> versions, it is not the admin interface that is protected, it is those
> >>>> APIs called by the admin interface.  Anyone can use those APIs directly,
> >>>> completely independent of the interface.
> >>>> 
> >>>> Thanks
> >>>> Shawn
> >>>> 
> >>> 
> >> 
> >> 
> 
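
Added example, not part of the original thread or of Solr itself: a small access-log audit illustrating the point made above, that removing the UI files still leaves the APIs answering. The log format, the allowed network, the sample lines and the UI file names are constructed assumptions; the API paths are standard Solr endpoints.

```python
import ipaddress

# Assumption (constructed): only hosts on this network should reach Solr.
ALLOWED_NET = ipaddress.ip_network("10.0.0.0/24")

# Static admin UI files are HTML/CSS/JS; other /solr/ paths are treated as API.
UI_SUFFIXES = (".html", ".css", ".js")

# Constructed access-log lines: "<client ip> <method> <path> <status>"
SAMPLE_LOG = """\
10.0.0.7 GET /solr/admin.html 200
203.0.113.9 GET /solr/admin.html 404
203.0.113.9 GET /solr/admin/cores?action=STATUS 200
203.0.113.9 GET /solr/collection1/select?q=*:* 200
10.0.0.7 POST /solr/collection1/update 200
198.51.100.4 GET /solr/css/main.css 404
198.51.100.4 GET /solr/admin/info/system 401
"""


def classify(path):
    """Return 'ui' for static admin UI assets, 'api' for everything else."""
    bare = path.split("?", 1)[0]
    if bare.rstrip("/") == "/solr" or bare.endswith(UI_SUFFIXES):
        return "ui"
    return "api"


def exposed_api_hits(log_text):
    """List (ip, path) for API requests served to clients outside ALLOWED_NET."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ip, _method, path, status = parts
        outside = ipaddress.ip_address(ip) not in ALLOWED_NET
        served = status.isdigit() and int(status) < 400
        if classify(path) == "api" and outside and served:
            hits.append((ip, path))
    return hits


if __name__ == "__main__":
    for ip, path in exposed_api_hits(SAMPLE_LOG):
        print(f"API served to outside client {ip}: {path}")
```

In the sample, the outside client gets a 404 for the UI page yet still receives 200 responses from the core admin and select handlers, which is the gap the audit reports.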
