On 12/13/2017 11:51 PM, Solrmails wrote:
> Is it safe to give users access to /admin/luke ? I restricted access for
> normal users and I also restrict access per solr document (via a plugin). But
> for some reasons users need information from /admin/luke.
> Can they destroy something or retrieve information that they shouldn't have?

In general, end users should NEVER have direct access to Solr. Only trusted administrators and your application should have access. I would even put requests to the luke handler behind the application -- write something for the front end that pulls the information they need and provides it to them.

If you can guarantee that /solr/XXXX/admin/luke is the ONLY thing they can get to, then it might be pretty safe, although it still might be possible for users to bombard it with requests and create a denial of service situation for your search engine. If you can actually *trust* those who have this access, you're probably OK.

Thanks,
Shawn
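A sketch of the front-end approach suggested in the reply above, as an added example that is not part of the original thread: the application, not the user, chooses the Luke request parameters, returns only field names and types, and throttles each user. The core name `products`, the base URL, the function and class names, and the assumption that users only need field names and types are all hypothetical.

```python
import json
import time
from urllib.parse import urlencode

ALLOWED_CORES = {"products"}  # hypothetical core name; users never supply a free-form path
# Fixed by the application: numTerms=0 asks Luke for no top terms from indexed documents.
FIXED_PARAMS = {"wt": "json", "numTerms": "0"}

def build_luke_url(solr_base, core):
    """URL the application requests on the user's behalf; no user-supplied parameters."""
    if core not in ALLOWED_CORES:
        raise ValueError("core not allowed")
    return f"{solr_base}/solr/{core}/admin/luke?{urlencode(FIXED_PARAMS)}"

def filter_luke_response(raw_json):
    """Keep field name -> type only; drop top terms, index paths and everything else."""
    fields = json.loads(raw_json).get("fields", {})
    return {name: info.get("type") for name, info in sorted(fields.items())}

class RateLimiter:
    """Per-user token bucket so one client cannot flood the Luke handler."""
    def __init__(self, rate_per_sec, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate_per_sec, burst, clock
        self.state = {}  # user -> (tokens, time of last request)

    def allow(self, user):
        now = self.clock()
        tokens, last = self.state.get(user, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.state[user] = (tokens - 1 if allowed else tokens, now)
        return allowed

# Constructed sample of a Luke JSON response (not captured from a real server).
SAMPLE = json.dumps({
    "index": {"numDocs": 3, "directory": "/var/solr/data/products/index"},
    "fields": {"title": {"type": "text_general", "topTerms": ["secret", 2]},
               "id": {"type": "string"}},
})

if __name__ == "__main__":
    print(build_luke_url("http://localhost:8983", "products"))
    print(filter_luke_response(SAMPLE))
```

The filter is applied even though `numTerms=0` is sent, so term data from documents a user may not read is dropped regardless of what the handler returns.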