This could have multiple solutions

1) "read" should cover all the paths
2) system properties are a strict NO. This can be strictly a property
of the Authentication plugin. So, you can use the API to modify the
property.

On Sat, Nov 21, 2015 at 3:57 AM, Jan Høydahl <jan....@cominvent.com> wrote:
>> ideally we should have a simple permission name called "all" (which we
>> don't have)
>>
>> so that one rule should be enough
>>
>> "name":"all",
>> "role":"somerole"
>>
>> Open a ticket and we should fix it for 5.4.0
>> It should also include  the admin paths as well
>
> Yes, that would be convenient.
>
> I still don’t like the existing “open-by-default” security mode of Solr. It
> is very fragile to mis-configuration without people noticing. Take the
> well-known permission “read” for instance. It protects /select and /get. But 
> it won’t protect /query, /browse, /export, /spell, /suggest, /tvrh, /terms, 
> /clustering or /elevate, all which also expose sensitive info.
>
> How about allowing to choose between three different security modes?
>
> -Dsolr.security.mode=open          : As today - paths not configured are wide 
> open
> -Dsolr.security.mode=authenticated : Paths not configured are open to any 
> authenticated user
> -Dsolr.security.mode=explicit      : Paths not configured are closed to all.
> All access is explicitly configured
>
> /Jan



-- 
-----------------------------------------------------
Noble Paul
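
Added example, not part of the thread or of Solr's own code: an audit of a security.json under the current open-by-default behaviour, listing which of the handler paths named in the quoted message no permission rule covers. It takes the thread's statement that "read" protects /select and /get as given; the sample configuration, the function names and the glob-style wildcard matching are assumptions made for illustration.

```python
import fnmatch
import json

# Per the thread: the well-known "read" permission protects only these paths.
WELL_KNOWN = {"read": ["/select", "/get"]}

# Handler paths listed in the quoted message.
HANDLERS = ["/select", "/get", "/query", "/browse", "/export", "/spell",
            "/suggest", "/tvrh", "/terms", "/clustering", "/elevate"]

# Constructed sample security.json (authorization section only).
SAMPLE = json.loads("""
{"authorization": {
   "class": "solr.RuleBasedAuthorizationPlugin",
   "permissions": [
     {"name": "read", "role": "reader"},
     {"name": "browse-ui", "path": "/browse", "role": "reader"}
   ]}}
""")

def covered_patterns(security):
    """Collect the path patterns that at least one permission rule names."""
    patterns = []
    for rule in security.get("authorization", {}).get("permissions", []):
        if "path" in rule:
            path = rule["path"]
            # Assumption: "path" is a string or a list of strings.
            patterns.extend([path] if isinstance(path, str) else path)
        else:
            # Rule without a path: only well-known names contribute paths.
            patterns.extend(WELL_KNOWN.get(rule.get("name"), []))
    return patterns

def unprotected(security, handlers=HANDLERS):
    """Return handlers no rule matches, i.e. open in open-by-default mode.

    Simplification: collection, method and role values are ignored, and
    wildcards are approximated with glob matching.
    """
    patterns = covered_patterns(security)
    return [h for h in handlers
            if not any(fnmatch.fnmatchcase(h, p) for p in patterns)]

if __name__ == "__main__":
    for handler in unprotected(SAMPLE):
        print("no rule covers", handler)
```
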
