lucene-solr-user mailing list archives

From Otis Gospodnetic <otis_gospodne...@yahoo.com>
Subject Re: Extending Solr's Admin functionality
Date Wed, 27 Sep 2006 03:33:59 GMT
Regarding the security/authentication comment, perhaps something as simple as Basic HTTP Auth
would work.  That is what I use for Simpy's REST API - this example shows how it works with
wget, for example:  http://www.simpy.com/doc/api/rest#auth

But I feel like that's something that can wait.  There are other ways to secure a service
from outsiders (but not insiders).

Otis

----- Original Message ----
From: Erik Hatcher <erik@ehatchersolutions.com>
To: solr-user@lucene.apache.org
Sent: Sunday, September 24, 2006 11:16:19 AM
Subject: Re: Extending Solr's Admin functionality


On Sep 23, 2006, at 3:57 PM, Otis Gospodnetic wrote:
> How about another approach - expose all Solr admin data via HTTP/XML,
> just like it's done with search requests?

i think that would be fantastic.  thinking of solr as a hard core  
service above and beyond lucene exposing all of its internals via  
request handlers is the way to go.

having the schema and solrconfig files exposed opens interesting  
possibilities for a client to introspect solr to that degree already,  
but even more so exposing text analysis tools like analysis.jsp,  
spell checking and highlighting services, and including all the stats  
data for the caches.  yeah!  i'm +1.

the inevitable question is where does security fit into the picture.   
solr has a couple of options for that without making things complicated:

   * secure solr behind a firewall that is only open to your front-end
     application
   * configuring the request handlers in solrconfig.xml (or by
     default not opening admin ones unless you uncomment example
     configuration) so clients have a narrowing view of the solr system
     (heh) than it allows (like decommissioning Pluto)

i think solr probably ought to up front mention all the security  
options currently available and cut to the chase on why anything more  
sophisticated is out of its scope.  perhaps some authentication/authorization
as well as HTTPS should eventually make it into the
core, but getting more fine grained is unnecessary.  thoughts?

    Erik




