lucene-solr-user mailing list archives

From Roman Chyla <roman.ch...@gmail.com>
Subject Re: New UI for SOLR-based projects
Date Sat, 31 Jan 2015 03:36:35 GMT
I gather from your comment that I should update the readme, because there could
be people who would be inclined to use the bumblebee development server in
production: Beware those who enter through this gate! :-)

Your point, that so far you haven't seen anybody share their middle layer,
can be addressed by pointing to the following projects:

https://github.com/adsabs/solr-service
https://github.com/adsabs/adsws

These are also open source, we use them in production, and they have oauth,
microservices, rest, and rate limits. We know it is not perfect, but what
is? ;-) Pull requests welcome!

Thanks,

Roman
On 30 Jan 2015 21:51, "Shawn Heisey" <apache@elyograg.org> wrote:

> On 1/30/2015 1:07 PM, Roman Chyla wrote:
> > There exists a new open-source implementation of a search interface for
> > SOLR. It is written in Javascript (using Backbone), currently in version
> > v1.0.19 - but new features are constantly coming. Rather than describing it
> > in words, please see it in action for yourself at http://ui.adslabs.org -
> > I'd recommend exploring facets, the query form, and visualizations.
> >
> > The code lives at: http://github.com/adsabs/bumblebee
>
> I have no wish to trivialize the work you've done.  I haven't looked
> into the code, but a high-level glance at the documentation suggests
> that you've put a lot of work into it.
>
> I do however have a strong caveat for your users.  I'm the guy holding
> the big sign that says "the end is near" to anyone who will listen!
>
> By itself, this is an awesome tool for prototyping, but without some
> additional expertise and work, there are severe security implications.
>
> If this gets used for a public Internet facing service, the Solr server
> must be accessible from the end user's machine, which might mean that it
> must be available to the entire Internet.
>
> If the Solr server is not sitting behind some kind of intelligent proxy
> that can detect and deny attempts to access certain parts of the Solr
> API, then Solr will be wide open to attack.  A knowledgeable user that
> has unfiltered access to a Solr server will be able to completely delete
> the index, change any piece of information in the index, or send denial
> of service queries that will make it unable to respond to legitimate
> traffic.
>
> Setting up such a proxy is not a trivial task.  I know that some people
> have done it, but so far I have not seen anyone share those
> configurations.  Even with such a proxy, it might still be possible to
> easily send denial of service queries.
>
> I cannot find any information in your README or the documentation links
> that mentions any of these concerns.  I suspect that many who
> incorporate this client into their websites will be unaware that their
> setup may be insecure, or how to protect it.
>
> Thanks,
> Shawn
>
>
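
The decision a filtering proxy of the kind discussed in this thread has to make for each request, as an added example that is not part of the original messages or of the adsabs projects. The core name, the parameter allowlist and the numeric limits are assumptions chosen for illustration; the request strings are constructed samples.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed deployment: one public core, read-only search, JSON responses only.
ALLOWED_PATHS = {"/solr/collection1/select"}   # hypothetical core name
ALLOWED_PARAMS = {"q", "fq", "fl", "sort", "start", "rows", "wt",
                  "facet", "facet.field", "facet.limit"}
LIMITS = {"rows": 100, "facet.limit": 100, "start": 10_000}  # assumed caps
MAX_QUERY_LEN = 512                                          # assumed cap


def _bounded_int(value, limit):
    """True only for a short, plain ASCII non-negative integer <= limit."""
    return (value.isascii() and value.isdigit()
            and len(value) <= 6 and int(value) <= limit)


def check_request(method, url):
    """Return (allowed, reason) for a request the proxy is about to forward."""
    if method != "GET":
        return False, "method not allowed"
    parts = urlsplit(url)
    # Exact match on the raw path: no prefix matching, no decoding, no "..".
    if parts.path not in ALLOWED_PATHS:
        return False, "path not allowed"
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # Allowlist, so handler-switching or stream parameters never pass.
        if name not in ALLOWED_PARAMS:
            return False, f"parameter not allowed: {name}"
        if name in ("q", "fq") and len(value) > MAX_QUERY_LEN:
            return False, f"{name} too long"
        if name in LIMITS and not _bounded_int(value, LIMITS[name]):
            return False, f"{name} out of range"
        if name == "wt" and value != "json":
            return False, "response format not allowed"
    return True, "ok"


if __name__ == "__main__":
    samples = [  # constructed requests, not taken from any real log
        ("GET", "/solr/collection1/select?q=title:star&rows=10&wt=json"),
        ("POST", "/solr/collection1/update?commit=true"),
        ("GET", "/solr/admin/cores?action=UNLOAD"),
        ("GET", "/solr/collection1/select?q=*:*&rows=1000000"),
        ("GET", "/solr/collection1/select?q=*:*&qt=/update"),
    ]
    for method, url in samples:
        print(method, url, "->", check_request(method, url))
```

Size caps like these bound result size and paging depth only; an expensive query that fits within them still has to be handled by rate limiting or timeouts in the middle layer.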
