On Nov 16, 2008, at 6:18 PM, Ryan McKinley wrote:

my assumption with solrjs is that you are hitting "read-only" solr servers that you don't mind if people query directly.

Exactly the assumption I'm going with too.

It would not be appropriate for something where you don't want people (who really care) to know you are running solr and could execute arbitrary queries.

Since it is an example, I don't mind leaving the /admin interface open on:
http://example.solrstuff.org/solrjs/admin/
but /update has a password:
http://example.solrstuff.org/solrjs/update

I have said in the past I like the idea of a "read-only" flag in solr config that would throw an error if you try to do something with the UpdateHandler. However there are other ways to do that also.

Yes, I was asked about this elusive read-only switch at Solr Boot Camp at ApacheCon as well.

How are you password protecting the update handler? This is the kind of goody I'd like to distill out of this thread and wikify <http://wiki.apache.org/solr/SolrSecurity>

What's it take to make a read-only Solr server now? Can replication still be made to work? (I plead ignorance on the guts of the Java-based replication feature) - requires password protected handlers? Shouldn't we bake some of this into the default example configuration instead of update handlers being wide open by default?

        Erik

