Erick, right, filesystem-level encryption is the way. Making encryption part of the Lucene data structures would be a tall order.

On Thu, Mar 12, 2015 at 5:22 PM, Erick Erickson <erickerick...@gmail.com> wrote:

> About <1>. Gotta be careful here about what would be promised. You
> really _can't_ encrypt the _indexed_ terms in a meaningful way and
> still search. And, as you well know, you can reconstruct documents
> from the indexed terms. It's lossy, but still coherent enough to give
> security folks fits.
>
> For instance, to do a wildcard search I need to have the "run" in
> "run" match "running", "runner" "runs" etc. Any but trivial encryption
> will break that, and the trivial encryption is easy to break.
>
> So putting all this over an encrypting filesystem is an approach
> that's often used.
>
> FWIW
>
>
> On Thu, Mar 12, 2015 at 5:22 AM, Dmitry Kan <solrexp...@gmail.com> wrote:
> > Hi,
> >
> > Things you have mentioned would be useful for our use-case.
> >
> > On top we've seen these two requests for securing Solr:
> >
> > 1. Encrypting the index (with a customer private key for instance). There
> > are certainly other ways to go about this, like using virtual private
> > clouds, but having the feature in solr could allow multitenant Solr
> > installations.
> >
> > 2. ACLs: giving access rights to parts of the index / document sets
> > depending on the user access rights.
> >
> >
> >
> > On Thu, Mar 12, 2015 at 1:32 PM, Jan Høydahl <jan....@cominvent.com> wrote:
> >
> >> Hi,
> >>
> >> Securing various Solr APIs has once again surfaced as a discussion in the
> >> developer list. See e.g. SOLR-7236
> >> Would be useful to get some feedback from Solr users about needs "in the
> >> field".
> >>
> >> Please reply to this email and let us know what security aspect(s) would
> >> be most important for your company to see supported in a future version of
> >> Solr.
> >> Examples: Local user management, AD/LDAP integration, SSL, authenticated
> >> login to Admin UI, authorization for Admin APIs, e.g. admin user vs
> >> read-only user etc
> >>
> >> --
> >> Jan Høydahl, search solution architect
> >> Cominvent AS - www.cominvent.com
> >>
> >>
> >
> >
> > --
> > Dmitry Kan
> > Luke Toolbox: http://github.com/DmitryKey/luke
> > Blog: http://dmitrykan.blogspot.com
> > Twitter: http://twitter.com/dmitrykan
> > SemanticAnalyzer: www.semanticanalyzer.info
>

--
Dmitry Kan
Luke Toolbox: http://github.com/DmitryKey/luke
Blog: http://dmitrykan.blogspot.com
Twitter: http://twitter.com/dmitrykan
SemanticAnalyzer: www.semanticanalyzer.info
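
The trade-off described in the quoted reply, as an added example that is not part of the original thread and is not Solr or Lucene code: a toy inverted index built once over plaintext terms and once over deterministic keyed tokens. The HMAC token is an assumption standing in for "encrypting the indexed terms"; the key, documents and function names are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

KEY = b"constructed-demo-key"  # constructed sample key, not a real secret

# Constructed sample documents (doc id -> text).
DOCS = {
    1: "run the test suite",
    2: "the runner is running",
    3: "nightly runs of the suite",
}

def token(term):
    """Deterministic keyed token standing in for an 'encrypted' indexed term."""
    return hmac.new(KEY, term.encode(), hashlib.sha256).hexdigest()[:16]

def build_index(docs, transform=lambda t: t):
    """Inverted index: transformed term -> set of doc ids."""
    index = defaultdict(set)
    for doc_id, text in docs.items():
        for term in text.lower().split():
            index[transform(term)].add(doc_id)
    return index

def exact(index, term, transform=lambda t: t):
    """Exact-term lookup; still works when query and index use the same transform."""
    return sorted(index.get(transform(term), set()))

def prefix(index, pre, transform=lambda t: t):
    """Wildcard 'pre*': scan the term dictionary for keys that start with pre."""
    needle = transform(pre)
    hits = set()
    for key, ids in index.items():
        if key.startswith(needle):
            hits |= ids
    return sorted(hits)

def doc_freqs(index):
    """Document frequency per term, sorted; readable by anyone who holds the index."""
    return sorted(len(ids) for ids in index.values())

plain = build_index(DOCS)
enc = build_index(DOCS, token)

if __name__ == "__main__":
    print("plain run*:", prefix(plain, "run"))        # matches run, runner, running, runs
    print("enc   run*:", prefix(enc, "run", token))   # only the exact term survives
    print("same frequency profile:", doc_freqs(plain) == doc_freqs(enc))
```

The tokenized index keeps exact match but loses the prefix relationship between "run" and "running", while its per-term document frequencies are identical to the plaintext index, which is the kind of leak that makes such schemes easy to break.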