[ 
https://issues.apache.org/jira/browse/SOLR-7236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14388227#comment-14388227
 ] 

Per Steffensen commented on SOLR-7236:
--------------------------------------

I am ok with embedding Jetty, and you are right, that there are probably lots 
of things that would be easier. Just make sure that you can still participate 
in configuring it from the outside - jetty.xml and web.xml. At least until an 
alternative solution gives the same flexibility. What I fear is that we remove 
all the flexibility of the web-container - because we are using - including its 
ability to handle security.

I checked out 5.0.0 code, but I am not able to see that Solr-node is not still 
just Jetty on top-level, and that Solr does not control anything before 
web.xml/SolrDispatchFilter. Can you please point me to some of the more 
important JIRAs around this "hiding/removing web-container" initiative. Thanks! 
Just want to understand what has been done/achieved until now.

> Securing Solr (umbrella issue)
> ------------------------------
>
>                 Key: SOLR-7236
>                 URL: https://issues.apache.org/jira/browse/SOLR-7236
>             Project: Solr
>          Issue Type: New Feature
>            Reporter: Jan Høydahl
>              Labels: Security
>
> This is an umbrella issue for adding security to Solr. The discussion here 
> should discuss real user needs and high-level strategy, before deciding on 
> implementation details. All work will be done in sub tasks and linked issues.
> Solr has not traditionally concerned itself with security. And it has been a 
> general view among the committers that it may be better to stay out of it to 
> avoid "blood on our hands" in this mine-field. Still, Solr has lately seen 
> SSL support, securing of ZK, and signing of jars, and discussions have begun 
> about securing operations in Solr.
> Some of the topics to address are
> * User management (flat file, AD/LDAP etc)
> * Authentication (Admin UI, Admin and data/query operations. Tons of auth 
> protocols: basic, digest, oauth, pki..)
> * Authorization (who can do what with what API, collection, doc)
> * Pluggability (no user's needs are equal)
> * And we could go on and on but this is what we've seen the most demand for



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
