On 3/19/2018 11:19 AM, Jesus Olivan wrote:
> I'm trying to password protect only Solr web interface (not queries
> launched from my app). I'm currently using SolrCloud 6.6.0 with external
> zookeepers. I've read tons of Docs about it, but I couldn't find a proper
> way to secure ONLY the web admin console. Can anybody give me some light
> about it, please? =)

When you add authentication, it's not actually the admin UI that needs
authentication.  It's all the API requests (queries and the like) that
the admin UI makes which require authentication.

The admin UI itself is completely static HTML, CSS, JavaScript, and
images -- it doesn't have ANY information about your installation.
Requiring authentication for that doesn't make any sense at all --
there's nothing sensitive in those files.

When you access the admin UI, the UI pieces are downloaded to your
browser, and then the UI actually runs in your browser, accessing the
API endpoints.  When the UI running in your browser first accesses one
of those endpoints, you get the authentication prompt.

If we only secured the admin UI and not the API, then somebody who has
direct access to your Solr server could do whatever they wanted.  The
admin UI is just a convenience.  Everything it does can be done directly.

Thanks,
Shawn
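
One way to check the point made in the reply above, as an added example that is not part of the original message or of Solr itself: send unauthenticated requests to the static UI path and to the API endpoints the UI calls, and flag any API endpoint that answers without credentials. The path lists assume a default install under `/solr`, the host name is a placeholder, and the sample responses are constructed.

```python
import urllib.error
import urllib.request

# Assumed paths for a default install under /solr; adjust to your deployment.
STATIC_UI_PATHS = ["/solr/"]
API_PATHS = [
    "/solr/admin/info/system?wt=json",
    "/solr/admin/cores?action=STATUS&wt=json",
    "/solr/admin/collections?action=LIST&wt=json",
]


def http_status(url, timeout=5):
    """Status code of a GET sent without credentials; None if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # 401/403 arrive here as exceptions
    except urllib.error.URLError:
        return None


def audit(base_url, fetch=http_status):
    """Return (exposed_api_paths, statuses) for unauthenticated requests.

    An API path counts as exposed when it returns 2xx without credentials.
    A 200 on the static UI path is expected and is not a finding: those
    files carry no information about the installation.
    """
    base = base_url.rstrip("/")
    statuses = {p: fetch(base + p) for p in STATIC_UI_PATHS + API_PATHS}
    exposed = [p for p in API_PATHS
               if statuses[p] is not None and 200 <= statuses[p] < 300]
    return exposed, statuses


if __name__ == "__main__":
    # Constructed responses standing in for a server where one endpoint
    # was left without an authentication requirement.
    sample = {"/solr/": 200, API_PATHS[0]: 401, API_PATHS[1]: 200, API_PATHS[2]: 401}
    base = "http://solr.example:8983"   # placeholder host
    exposed, statuses = audit(base, fetch=lambda url: sample[url[len(base):]])
    for path, code in statuses.items():
        print(code, path)
    print("API endpoints answering without credentials:", exposed)
```

Calling `audit("http://your-host:8983")` with the default `fetch` performs the real requests against your own server.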
