Posted to solr-user@lucene.apache.org by Vijayant Kumar <vi...@websitetoolbox.com> on 2010/02/17 12:54:29 UTC

Need feedback on solr security

Hi Group,

I need some feedback on Solr security.

To make my Solr admin password protected,
I used the Path Based Authentication from
http://wiki.apache.org/solr/SolrSecurity.

In this way my admin area, search, delete, and add to index are protected. But now
when I make Solr authenticated, every update/delete from the front
end is blocked without authentication.

I do not need this authentication from the front end, so I simply pass the
username and password to Solr in my front end scripts and it is
working fine. I did it in the below way.

http://username:password@localhost:8983/solr/admin/update
I need your suggestions and feedback on the above method. Is it a feasible
and secure method? To overcome this issue, is there any alternate
method?




-- 

Thank you,
Vijayant Kumar
Software Engineer
Website Toolbox Inc.
http://www.websitetoolbox.com
1-800-921-7803 x211


Re: Need feedback on solr security

Posted by Jan Høydahl / Cominvent <ja...@cominvent.com>.
Hi,

Does "open for public" mean end users through browser or web sites through API?
In either case you should have a front end proxying the traffic through to Solr, which explicitly allows only parameters that you allow.

--
Jan Høydahl  - search architect
Cominvent AS - www.cominvent.com

On 17. feb. 2010, at 14.07, Vijayant Kumar wrote:

> Hi Xavier,
> 
> Thanks for your feedback.
> The firewall rule for the trusted IP is not feasible for us because the
> application is open for public, so we can not work through IP banning.
>> Vijayant Kumar wrote:
>>> Hi Group,
>>> 
>>> I need some feedback on Solr security.
>>> 
>>> To make my Solr admin password protected,
>>> I used the Path Based Authentication from
>>> http://wiki.apache.org/solr/SolrSecurity.
>>> 
>>> In this way my admin area, search, delete, and add to index are protected.
>>> But now when I make Solr authenticated, every update/delete from the
>>> front end is blocked without authentication.
>>> 
>>> I do not need this authentication from the front end, so I simply pass
>>> the username and password to Solr in my front end scripts and it is
>>> working fine. I did it in the below way.
>>> 
>>> http://username:password@localhost:8983/solr/admin/update
>>> I need your suggestions and feedback on the above method. Is it a feasible
>>> and secure method? To overcome this issue, is there any alternate
>>> method?
>> Hey,
>> 
>> There is at least one other solution. You can set a firewall rule that
>> allows connections to Solr's port only from trusted IPs.
>> 
> 
> 
> -- 
> 
> Thank you,
> Vijayant Kumar
> Software Engineer
> Website Toolbox Inc.
> http://www.websitetoolbox.com
> 1-800-921-7803 x211
> 
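Jan's advice above, a front end that only passes through the parameters you allow, is the core of this thread. As an added illustration (not code from the thread, from Solr, or from any of the posters), here is a minimal Python front end that forwards public GET traffic only to the read-only /select handler with an allowlist of parameters, keeps the Solr credentials in environment variables sent as a header rather than embedded in a URL, and refuses every write verb. The Solr address, the SOLR_USER/SOLR_PASS variable names, the parameter list and the row cap are assumptions to adapt.

```python
import base64
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qsl, urlencode, urlsplit
from urllib.request import Request, urlopen

SOLR_BASE = "http://localhost:8983/solr"   # assumed Solr location, firewalled off
ALLOWED_HANDLER = "/select"                # read-only handler; /update is never forwarded
ALLOWED_PARAMS = {"q", "start", "rows", "fq", "sort", "fl"}
MAX_ROWS = 100                             # assumed cap on the result window

def sanitize_request(path, query):
    """Return the Solr path+query to forward, or None to reject the request."""
    if path != ALLOWED_HANDLER:
        return None
    kept = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key not in ALLOWED_PARAMS:
            return None  # unknown parameter: reject rather than silently drop
        if key == "rows" and (not value.isdigit() or int(value) > MAX_ROWS):
            return None
        kept.append((key, value))
    if not any(k == "q" for k, _ in kept):
        return None  # a search without a query is not a valid request here
    return ALLOWED_HANDLER + "?" + urlencode(kept)

def auth_header():
    """Basic-auth header built from env vars (assumed names), never embedded in a URL."""
    creds = os.environ.get("SOLR_USER", "") + ":" + os.environ.get("SOLR_PASS", "")
    return "Basic " + base64.b64encode(creds.encode()).decode()

class SearchProxy(BaseHTTPRequestHandler):
    def do_GET(self):
        parts = urlsplit(self.path)
        target = sanitize_request(parts.path, parts.query)
        if target is None:
            self.send_error(403, "request not permitted")
            return
        req = Request(SOLR_BASE + target, headers={"Authorization": auth_header()})
        with urlopen(req, timeout=10) as resp:
            body, ctype = resp.read(), resp.headers.get("Content-Type", "text/plain")
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.end_headers()
        self.wfile.write(body)

    # Public clients get no write verbs at all; indexing stays on the back end.
    do_POST = do_PUT = do_DELETE = lambda self: self.send_error(405)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), SearchProxy).serve_forever()
```

Pair this with the firewall rule discussed later in the thread so that only the host running the front end can reach port 8983 at all.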


RE: Need feedback on solr security

Posted by Fuad Efendi <fu...@efendi.ca>.
>>>> To make my Solr admin password protected,
>>>> I used the Path Based Authentication from
>>>> http://wiki.apache.org/solr/SolrSecurity.
>>>> In this way my admin area, search, delete, and add to index are protected.
>>>> But now when I make Solr authenticated, every update/delete from the
>>>> front end is blocked without authentication.


Correct, Solr doesn't use HTTP sessions (session cookies, session IDs), and
it shouldn't.

If you have such a use case (authenticated session) you will need a front-end
web application.



Re: Need feedback on solr security

Posted by Gora Mohanty <go...@srijan.in>.
On Wed, 17 Feb 2010 10:13:46 -0400
"Fuad Efendi" <fu...@efendi.ca> wrote:

> > You could set a firewall that forbids any connection to your
> > Solr server port to everyone, except the computer that hosts
> > your application that connects to Solr.
> > So, only your application will be able to connect to Solr.
> 
> 
> I believe firewalling is the only possible solution since Solr
> doesn't use cookies/session IDs.
> 
> However, a 'firewall' can be implemented as an Apache HTTPD server
> (or any other front-end configured to authenticate users). (You
> can even configure a Cisco PIX (etc.) firewall to authenticate
> users.)
[...]

If you are on Linux, or another system that supports it, iptables
rules are quite easy to set up to restrict access to only the
desired Solr client(s).

Regards,
Gora

RE: Need feedback on solr security

Posted by Fuad Efendi <fu...@efendi.ca>.
> You could set a firewall that forbids any connection to your Solr
> server port to everyone, except the computer that hosts your application
> that connects to Solr.
> So, only your application will be able to connect to Solr.


I believe firewalling is the only possible solution since Solr doesn't use
cookies/session IDs.

However, a 'firewall' can be implemented as an Apache HTTPD server (or any
other front-end configured to authenticate users). (You can even configure a
Cisco PIX (etc.) firewall to authenticate users.)

HTTPD is easiest, but I haven't tried it.

But again, if your use case is "many users, many IPs" you need a good
front-end (web application); if that is not the case, just restrict access to
a specific IP.


-Fuad
http://www.tokenizer.ca




Re: Need feedback on solr security

Posted by Xavier Schepler <xa...@sciences-po.fr>.
Xavier Schepler wrote:
> Vijayant Kumar wrote:
>> Hi Xavier,
>>
>> Thanks for your feedback.
>> The firewall rule for the trusted IP is not feasible for us because the
>> application is open for public, so we can not work through IP banning.
>>
>>> Vijayant Kumar wrote:
>>>
>>>> Hi Group,
>>>>
>>>> I need some feedback on Solr security.
>>>>
>>>> To make my Solr admin password protected,
>>>> I used the Path Based Authentication from
>>>> http://wiki.apache.org/solr/SolrSecurity.
>>>>
>>>> In this way my admin area, search, delete, and add to index are protected.
>>>> But now when I make Solr authenticated, every update/delete from the
>>>> front end is blocked without authentication.
>>>>
>>>> I do not need this authentication from the front end, so I simply pass
>>>> the username and password to Solr in my front end scripts and it is
>>>> working fine. I did it in the below way.
>>>>
>>>> http://username:password@localhost:8983/solr/admin/update
>>>> I need your suggestions and feedback on the above method. Is it a
>>>> feasible and secure method? To overcome this issue, is there any
>>>> alternate method?
>>>>
>>> Hey,
>>>
>>> There is at least one other solution. You can set a firewall rule that
>>> allows connections to Solr's port only from trusted IPs.
>>>
>>
>>
> Do your users connect directly to Solr?
> I mean, the firewall rule is for the Solr client, i.e. the computer
> that hosts the application that connects to Solr.
>


You could set a firewall that forbids any connection to your Solr
server port to everyone, except the computer that hosts your application
that connects to Solr.
So, only your application will be able to connect to Solr.

This idea comes from the book Solr 1.4 Enterprise Search Server.

Re: Need feedback on solr security

Posted by Xavier Schepler <xa...@sciences-po.fr>.
Vijayant Kumar wrote:
> Hi Xavier,
>
> Thanks for your feedback.
> The firewall rule for the trusted IP is not feasible for us because the
> application is open for public, so we can not work through IP banning.
>
>> Vijayant Kumar wrote:
>>
>>> Hi Group,
>>>
>>> I need some feedback on Solr security.
>>>
>>> To make my Solr admin password protected,
>>> I used the Path Based Authentication from
>>> http://wiki.apache.org/solr/SolrSecurity.
>>>
>>> In this way my admin area, search, delete, and add to index are protected.
>>> But now when I make Solr authenticated, every update/delete from the
>>> front end is blocked without authentication.
>>>
>>> I do not need this authentication from the front end, so I simply pass
>>> the username and password to Solr in my front end scripts and it is
>>> working fine. I did it in the below way.
>>>
>>> http://username:password@localhost:8983/solr/admin/update
>>> I need your suggestions and feedback on the above method. Is it a feasible
>>> and secure method? To overcome this issue, is there any alternate
>>> method?
>>>
>> Hey,
>>
>> There is at least one other solution. You can set a firewall rule that
>> allows connections to Solr's port only from trusted IPs.
>>
>
>
Do your users connect directly to Solr?
I mean, the firewall rule is for the Solr client, i.e. the computer that
hosts the application that connects to Solr.

Re: Need feedback on solr security

Posted by Vijayant Kumar <vi...@websitetoolbox.com>.
Hi Xavier,

Thanks for your feedback.
The firewall rule for the trusted IP is not feasible for us because the
application is open for public, so we can not work through IP banning.
> Vijayant Kumar wrote:
>> Hi Group,
>>
>> I need some feedback on Solr security.
>>
>> To make my Solr admin password protected,
>> I used the Path Based Authentication from
>> http://wiki.apache.org/solr/SolrSecurity.
>>
>> In this way my admin area, search, delete, and add to index are protected.
>> But now when I make Solr authenticated, every update/delete from the
>> front end is blocked without authentication.
>>
>> I do not need this authentication from the front end, so I simply pass
>> the username and password to Solr in my front end scripts and it is
>> working fine. I did it in the below way.
>>
>> http://username:password@localhost:8983/solr/admin/update
>> I need your suggestions and feedback on the above method. Is it a feasible
>> and secure method? To overcome this issue, is there any alternate
>> method?
> Hey,
>
> There is at least one other solution. You can set a firewall rule that
> allows connections to Solr's port only from trusted IPs.
>


-- 

Thank you,
Vijayant Kumar
Software Engineer
Website Toolbox Inc.
http://www.websitetoolbox.com
1-800-921-7803 x211


Re: Need feedback on solr security

Posted by Xavier Schepler <xa...@sciences-po.fr>.
Vijayant Kumar wrote:
> Hi Group,
>
> I need some feedback on Solr security.
>
> To make my Solr admin password protected,
> I used the Path Based Authentication from
> http://wiki.apache.org/solr/SolrSecurity.
>
> In this way my admin area, search, delete, and add to index are protected. But now
> when I make Solr authenticated, every update/delete from the front
> end is blocked without authentication.
>
> I do not need this authentication from the front end, so I simply pass the
> username and password to Solr in my front end scripts and it is
> working fine. I did it in the below way.
>
> http://username:password@localhost:8983/solr/admin/update
> I need your suggestions and feedback on the above method. Is it a feasible
> and secure method? To overcome this issue, is there any alternate
> method?
Hey,

There is at least one other solution. You can set a firewall rule that
allows connections to Solr's port only from trusted IPs.