lucene-dev mailing list archives

From "Shawn Heisey (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SOLR-7896) Solr Administrative Interface Lacks Password Protection
Date Fri, 07 Aug 2015 06:51:46 GMT

    [ https://issues.apache.org/jira/browse/SOLR-7896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14661410#comment-14661410 ]

Shawn Heisey commented on SOLR-7896:
------------------------------------

Regarding SSL on by default ... while this would provide some security out of the box, it
annoys me when I try to connect to a web interface and I am immediately greeted by a security
warning regarding a certificate that doesn't validate.  An experienced user knows that it
is safe to ignore that warning and proceed anyway, but a beginner may misinterpret what their
browser is telling them, decide that Solr has security problems, and go looking for a different
solution.

I would rather present an insecure interface out of the box so that a new user can *immediately*
see that their install is operational.  I'd be OK with a warning box on every page telling
the user that they should enable SSL, as long as it could be removed with a config change.
Turning on SSL should be very easy for a novice to do.  Another piece that must be straightforward
is the installation of a custom certificate that the user might get from a public CA, and
any required intermediate certificates.

As already mentioned, we have a framework for authentication coming in 5.3.  Once we are sure
it's stable and effective, turning on authentication for the admin UI by default would be
a good idea.  The out-of-the-box credentials should be easy to locate on our website, in the
first few pages of the documentation, and one or more of the .txt files included in the download.

> Solr Administrative Interface Lacks Password Protection
> -------------------------------------------------------
>
>                 Key: SOLR-7896
>                 URL: https://issues.apache.org/jira/browse/SOLR-7896
>             Project: Solr
>          Issue Type: Bug
>          Components: security, web gui
>    Affects Versions: 5.2.1
>            Reporter: Aaron Greenspan
>            Priority: Critical
>
> Out of the box, the Solr interface should require an administrative password that the
> user is required to set. Apparently there are ways of configuring Jetty to do this with HTTP
> AUTH or whatever. I'm a moderately experienced Linux admin and a programmer; I've tried, numerous
> times, and I've not once been able to get it to work. The point is this, though:
> *No one should have to try to get their Solr instance to support password authentication
> and preferably SSL (even if it's just with a self-signed certificate). Solr is designed to
> store huge amounts of data and is therefore a likely target for malicious users.*
> This needs to be addressed! It's 2015 and Solr is on version 5!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


