All geek questions in one place

How to protect Solr in order to allow SELECT query only to users and deny anything else?

This is what I have done so far to protect my SOLR application.

In SOLR web.xml I am trying to do the following

  • Allow / select the request only for user or administrator requests.
  • Deny any other SOLR request to another, and then to the administrator.

I have added security restrictions to the SOLR web.xml file

<security-constraint> <web-resource-collection> <web-resource-name>Solr Admin</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>Public</web-resource-name> <url-pattern>/primary/select/*</url-pattern> <url-pattern>/reindex/select/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>user</role-name> <role-name>admin</role-name> </auth-constraint> </security-constraint>

This is how I create a SOLR HTTP connection in my client application

 //primary core HttpSolrServer primaryindex = new HttpSolrServer(serverUrl + "/" + PRIMARYINDEX); HttpClientUtil.setBasicAuth((DefaultHttpClient) primaryindex.getHttpClient(), "user", "user"); //reindex core HttpSolrServer reindex = new HttpSolrServer(serverUrl + "/" + REINDEX); HttpClientUtil.setBasicAuth((DefaultHttpClient) reindex.getHttpClient(), "user", "user");

The tomcat-users.xml file has roles and users installed as

 <role rolename="user"/> <user username="user" password="user" roles="user"/> <user password="admin" roles="manager-script,admin" username="admin"/>

The above works fine. Obviously, in production I will have a stronger username and password.

Question

Is there anything else to protect my SOLR instances or is this enough? I have 1 instance of Tomcat 7 that runs the client application and the SOLR application. This is what I am trying to achieve.

  • Do not let anyone enter the admin without a username and password.
  • You don’t want someone accessing another kernel, not my client application.

I can add Spring Security to SOLR on top of the above, but is this necessary?

+4
source share
2 answers

I did not know that / admin was the context for the SOLR administrator, because / admin does not really appear in the URL. But adding security-contraints for / admin in web.xml provided an admin application.

 <security-constraint> <web-resource-collection> <web-resource-name>Admin</web-resource-name> <url-pattern>/admin/*</url-pattern> <url-pattern>/admin.html</url-pattern> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> </security-constraint> <security-constraint> <!-- This one is necessary to show the image on the Solr start page --> <web-resource-collection> <web-resource-name>Admin images</web-resource-name> <url-pattern>*.png</url-pattern> </web-resource-collection> <auth-contraint> <role-name>admin</role-name> </auth-contraint> </security-constraint> <login-config> <auth-method>DIGEST</auth-method> <realm-name>admin</realm-name> </login-config>
+2
source

If you have a replication processor enabled, be sure to install it for one of the protected roles. Another thing I saw was running an administrator on a different port. It is best to use SSL on pages for which authorization is required, so you do not send passwords in clearness, so the administrator and replication will be performed, say, 8443, while normal requests will be executed on 8080.

If you intend to sign your own certificate, check out this useful SO page:

How to use different certificates for certain connections?

+3
source

Source: https://habr.com/ru/post/1491104/

More articles:


All Articles