[ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14661341#comment-14661341 ]
Aaron Greenspan edited comment on SOLR-7896 at 8/7/15 5:23 AM:
---------------------------------------------------------------
It's all well and good to say that users shouldn't do things, but they're being
done, and the code needs to be written to account for real-world use, not some
hypothetical ideal that doesn't exist.
Also, I would love for Solr to just be exposed exclusively on my server's
internal IP address(es)--but I have no idea how to do that. The administrative
web interface certainly doesn't let me select which IPs to bind to, which would
be the easy way to implement that ideal. But regardless, it should never be
assumed that every user will want to or know to operate Solr the same way (e.g.
exclusively on a LAN behind a firewall).
was (Author: thinkcomp):
It's all well and good to say that users shouldn't do things, but they're being
done, and the code needs to be written to account for real-world use, not some
hypothetical ideal that doesn't exist.
Also, I would love for Solr to just be exposed on my server's internal IP
addresses--but I have no idea how to do that. The administrative web interface
certainly doesn't let me select which IPs to bind to, which would be the easy
way to implement that ideal. But regardless, it should never be assumed that
every user will want to or know to operate Solr the same way (e.g. exclusively
on a LAN behind a firewall).
> Solr Administrative Interface Lacks Password Protection
> -------------------------------------------------------
>
> Key: SOLR-7896
> URL: https://issues.apache.org/jira/browse/SOLR-7896
> Project: Solr
> Issue Type: Bug
> Components: security, web gui
> Affects Versions: 5.2.1
> Reporter: Aaron Greenspan
> Priority: Critical
>
> Out of the box, the Solr interface should require an administrative password
> that the user is required to set. Apparently there are ways of configuring
> Jetty to do this with HTTP AUTH or whatever. I'm a moderately experienced
> Linux admin and a programmer; I've tried, numerous times, and I've not once
> been able to get it to work. The point is this, though:
> *No one should have to try to get their Solr instance to support password
> authentication and preferably SSL (even if it's just with a self-signed
> certificate). Solr is designed to store huge amounts of data and is therefore
> a likely target for malicious users.*
> This needs to be addressed! It's 2015 and Solr is on version 5!