Thanks Jorn, though this all seems unrealistic. Because the technical skill required to secure Solr far exceeds the technical skill required to install it, I suspect there are probably a lot of insecure installs out there. In many cases this will not apply: "if you work with people that know a bit about those topics in your enterprise." Solr is used in many situations where the developer does not have access to a large enterprise with highly specialized assistance.

On Mon, Mar 16, 2020 at 11:00 AM Jörn Franke <jornfra...@gmail.com> wrote:

> Solr should not be accessible to end users directly - only through a
> dedicated application in between.
>
> Then in an enterprise setting it is mostly Kerberos auth. and https (do
> not forget about zookeeper when using Solr cloud; here you can also have
> Kerberos auth and in recent versions also SSL). It is not that difficult to
> configure if you work with people that know a bit about those topics in
> your enterprise.
>
> In a Cloud based scenario jwt token can make sense.
>
> Do not do security by obscurity. You owe it to the users that potentially
> also have private data on Solr.
>
> > On 16.03.2020 at 15:44, Ryan W <rya...@gmail.com> wrote:
> >
> > How do you, personally, do it? Do you use IPTables? Basic Authentication
> > Plugin? Something else?
> >
> > I'm asking in part so I'll have something to search for. I don't know where
> > I should begin, so I figured I would ask how others do it.
> >
> > I haven't been able to find anything that works, so if you can tell me what
> > works for you, I can at least narrow it down a bit and do some Google
> > searches. Do I need to learn Solr's plugin system? Am I starting in the
> > right place if I follow this document:
> > https://lucene.apache.org/solr/guide/7_0/rule-based-authorization-plugin.html#rule-based-authorization-plugin
> >
> > Initially, the above document seems far too comprehensive for my needs. I
> > just want to block access to the Solr admin UI, and the list of predefined
> > permissions in that document don't seem to be relevant. Also, it seems
> > unlikely this plugin system is necessary just to control access to the
> > admin UI... or maybe it is necessary?
> >
> > In any case, what is your approach?
> >
> > I'm using version 7.7.2 of Solr.
> >
> > Thanks!
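
Added example, not written by anyone in this thread and not Solr project code: a small generator for a minimal `security.json` that combines the Basic Authentication Plugin and the rule-based authorization plugin asked about above, so that unauthenticated requests are refused. The user name, role name and password are constructed placeholders, and the salted double SHA-256 credential format is assumed to match what Solr's `Sha256AuthenticationProvider` stores.

```python
import base64
import hashlib
import hmac
import json
import os


def solr_credential(password, salt=None):
    """Return '<base64 hash> <base64 salt>' for the BasicAuthPlugin credentials map.

    Assumed scheme: sha256(sha256(salt + password)), as used by Solr's
    Sha256AuthenticationProvider.
    """
    salt = salt if salt is not None else os.urandom(32)
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    outer = hashlib.sha256(inner).digest()
    return f"{base64.b64encode(outer).decode()} {base64.b64encode(salt).decode()}"


def check_credential(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, salt_b64 = stored.split(" ")
    expected = solr_credential(password, base64.b64decode(salt_b64))
    return hmac.compare_digest(expected, stored)


def build_security_json(user, password, role="admin"):
    """Config that rejects anonymous requests and gives one user one catch-all role."""
    return {
        "authentication": {
            "class": "solr.BasicAuthPlugin",
            "blockUnknown": True,  # requests without credentials are refused
            "credentials": {user: solr_credential(password)},
        },
        "authorization": {
            "class": "solr.RuleBasedAuthorizationPlugin",
            "user-role": {user: role},
            # "all" is one of the predefined permissions in the linked guide
            "permissions": [{"name": "all", "role": role}],
        },
    }


if __name__ == "__main__":
    # Constructed sample values; replace both before use.
    print(json.dumps(build_security_json("solradmin", "change-me-now"), indent=2))
```

Basic authentication sends the credentials with every request, so this only makes sense together with the HTTPS setup mentioned in the quoted reply.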