Posted to dev@lucene.apache.org by "Jan Høydahl (JIRA)" <ji...@apache.org> on 2015/03/12 10:55:38 UTC

[jira] [Commented] (SOLR-7236) Securing Solr (umbrella issue)

    [ https://issues.apache.org/jira/browse/SOLR-7236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14358401#comment-14358401 ] 

Jan Høydahl commented on SOLR-7236:
-----------------------------------

There are multiple existing frameworks to simplify the task of abstracting security implementations in Java apps, among them are [JAAS|https://en.wikipedia.org/wiki/Java_Authentication_and_Authorization_Service], [Spring Security|http://projects.spring.io/spring-security/] and [Apache Shiro|http://shiro.apache.org/]. They are created to do the hard and scary stuff, provide simple APIs for developers and also provide out-of-the-box integrations with all the various protocols. We really don't want to maintain support for Kerberos etc. in Solr code.

Although any of these could probably do the job, I'm pitching Apache Shiro as the main API for all security-related implementations in Solr. Without having used it, it seems to be built just for this purpose. Solr users with some crazy legacy security system in-house can write plugins for that to Shiro itself, instead of writing Solr code. http://shiro.apache.org/

> Securing Solr (umbrella issue)
> ------------------------------
>
>                 Key: SOLR-7236
>                 URL: https://issues.apache.org/jira/browse/SOLR-7236
>             Project: Solr
>          Issue Type: New Feature
>            Reporter: Jan Høydahl
>              Labels: Security
>
> This is an umbrella issue for adding security to Solr. The discussion here should discuss real user needs and high-level strategy, before deciding on implementation details. All work will be done in sub tasks and linked issues.
> Solr has not traditionally concerned itself with security. And it has been a general view among the committers that it may be better to stay out of it to avoid "blood on our hands" in this minefield. Still, Solr has lately seen SSL support, securing of ZK, and signing of jars, and discussions have begun about securing operations in Solr.
> Some of the topics to address are
> * User management (flat file, AD/LDAP etc)
> * Authentication (Admin UI, Admin and data/query operations. Tons of auth protocols: basic, digest, oauth, pki..)
> * Authorization (who can do what with what API, collection, doc)
> * Pluggability (no user's needs are equal)
> * And we could go on and on but this is what we've seen the most demand for


