unix socket or D-Bus?
Hello,

Has it ever been proposed to have Solr listen on a UNIX socket or D-Bus rather than TCP?

This would alleviate the need for local Solr integrations (e.g., Dovecot) to store “dummy” credentials, and it would tighten security by eliminating the possibility for those credentials to be stolen.

Thank you!

-Felipe Gasper
Mississauga, Ontario
Re: unix socket or D-Bus?
> On Jun 15, 2019, at 1:50 PM, Shawn Heisey wrote:
>
> On 6/15/2019 9:15 AM, Felipe Gasper wrote:
>> Has it ever been proposed to have Solr listen on a UNIX socket or D-Bus
>> rather than TCP?
>> This would alleviate the need for local Solr integrations (e.g.,
>> Dovecot) to store “dummy” credentials, and it would tighten security by
>> eliminating the possibility for those credentials to be stolen.
>
> Since Solr is currently a webapp and doesn't have any networking code, that
> would have to be implemented by the container, which is currently Jetty.
>
> It looks like Jetty does have an option that implements UNIX sockets. Using
> it would require adding at least one jar to Jetty (in server/lib), and might
> require adding other files to enable the module. By adding the necessary
> bits and configuring it correctly, you could enable listening on a socket in
> your setup. You might need to ask the jetty mailing list for help with
> exactly what needs to be added.

Cool! Does Solr do its own authentication, or does Jetty do that?

One of the benefits of UNIX sockets is that the socket exposes the peer’s credentials, so Solr/Jetty could implement logic that says, “ah, you’re root? Cool, you’re in.” Ideally I’d like Solr/Jetty to be able to white-list any connection from a root-owned socket.

> I do not see the word "bus" on the documentation page for Jetty connectors
> ... if d-bus is different than UNIX sockets, that might not be possible.

D-Bus is an IPC mechanism that most (if not all) Linux distros--and several other OSes--run as a standard daemon. Notable uses include systemd and X-based applications, but any service can expose an interface on D-Bus. It would be an alternative to REST, one advantage of which being that Solr could send messages itself rather than merely answering requests.

-F
Dovecot integration
Hi all,

https://wiki.dovecot.org/Plugins/FTS/Solr

^^ I’m looking at this documentation and am wondering if its discussion of the managed-schema and schema.xml files is inaccurate/incomplete/misleading.

Dovecot’s documentation implies that it’s normal operation for the managed-schema to be generated from schema.xml; however, going by the docs here:

https://lucene.apache.org/solr/guide/8_0/schema-factory-definition-in-solrconfig.html

… it appears that an installation that uses Dovecot’s provided configuration file, which lacks a directive, should, in fact, have a managed-schema file, and schema.xml is of no use; the generation of managed-schema from schema.xml is actually migration logic, not normal operation.

Is this correct? If so, it seems like Dovecot’s documentation could make this clearer.

Thank you!

-Felipe Gasper
Re: unix socket or D-Bus?
> On Jun 17, 2019, at 1:17 PM, Shawn Heisey wrote:
>
>> Ideally I’d like Solr/Jetty to be able to white-list any connection from a
>> root-owned socket.
>
> Solr typically runs as a non-privileged user. If the start script detects
> that it's running as root, it will refuse to start without an option to force
> it. We strongly recommend not running as root. About the only legitimate
> reason to run as root is to bind to a port number below 1025... and that is
> discouraged because Solr should never be accessible by the open Internet.

Solr wouldn’t need to run as root; the process just needs to determine whom it’s talking to, which the kernel can answer regardless of the server’s privilege level.

I’m new to Java, but the jnr.unixsocket library--which Jetty uses for its UNIX socket logic--does provide this information:

https://github.com/jnr/jnr-unixsocket/blob/master/src/main/java/jnr/unixsocket/UnixSocket.java

On the Solr side, then, would it be a matter of creating a new plugin as an alternative to BasicAuthPlugin that manipulates whatever control Jetty exposes (or would need to be altered to expose) that exposes the socket credentials from jnr.unixsocket?

-FG
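The point made in the thread, that an unprivileged server can ask the kernel who is on the other end of a UNIX socket and allow-list by uid instead of storing dummy credentials, shown as an added example that is not from the thread or from Solr/Jetty. It assumes Linux (the `SO_PEERCRED` option and `struct ucred` layout); the allow-list policy and the `trusted_uids` tuple are illustrative, not a Solr API.

```python
"""Peer-credential allow-listing on an AF_UNIX socket (Linux SO_PEERCRED)."""
import os
import socket
import struct
from typing import NamedTuple, Tuple


class PeerCred(NamedTuple):
    pid: int
    uid: int
    gid: int


def peer_credentials_supported() -> bool:
    """True where the platform exposes SO_PEERCRED (Linux); other OSes use
    different calls (e.g. LOCAL_PEERCRED / getpeereid on BSD and macOS)."""
    return hasattr(socket, "SO_PEERCRED")


def peer_credentials(conn: socket.socket) -> PeerCred:
    """Ask the kernel for the peer's pid/uid/gid on a connected AF_UNIX socket.
    struct ucred is three native ints (pid_t, uid_t, gid_t), so unpack "3i".
    The values are filled in by the kernel, so the client cannot forge them."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return PeerCred(*struct.unpack("3i", raw))


def is_peer_allowed(cred: PeerCred, trusted_uids: Tuple[int, ...] = (0,)) -> bool:
    """Illustrative policy: admit root by default, plus any uid the operator
    trusts (e.g. the uid the dovecot indexer runs as). No password involved."""
    return cred.uid in trusted_uids


def socketpair_self_check() -> bool:
    """Sanity check: over a socketpair the peer is this very process, so the
    kernel-reported uid/gid must equal our own. Constructed locally, no files."""
    left, right = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        cred = peer_credentials(right)
        return cred.uid == os.getuid() and cred.gid == os.getgid()
    finally:
        left.close()
        right.close()


if __name__ == "__main__":
    if peer_credentials_supported():
        print("socketpair self-check:", socketpair_self_check())
    print("root allowed:", is_peer_allowed(PeerCred(pid=1, uid=0, gid=0)))
    print("uid 1000 allowed:", is_peer_allowed(PeerCred(pid=1, uid=1000, gid=1000)))
```

In a real listener the same `peer_credentials()` call would run right after `accept()`, and the decision could be logged with the pid for audit purposes.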