Posted to solr-user@lucene.apache.org by Yuan Jerry <Je...@sentry.com> on 2014/11/03 22:39:13 UTC

Which Solr releases contain SOLR-4470 (Security for inter-solr-node requests)

I am currently working on SolrCloud and its related security configurations for securing Solr web applications using the HTTP Basic Authentication mechanism. Among the Solr nodes inside the SolrCloud clustered env, there seem to be some inter-solr-node communication issues due to the security configurations, which are the HTTP Authentication errors. Based on my research, the patch SOLR-4470 (Security for inter-solr-node requests) would be ideal for resolving these issues (please refer to the address: https://wiki.apache.org/solr/SolrSecurity#Security_for_inter-solr-node_requests). However, it seems to me that these security patches are out-of-box additions to the current Solr source codebase, which don't seem to be available in the recent Solr releases.

If someone could point out which Solr releases or the jars from some online repositories that contain this patch, it would be appreciated very much.

Jerry



Re: Which Solr releases contain SOLR-4470 (Security for inter-solr-node requests)

Posted by Jan Høydahl <ja...@cominvent.com>.
You find the answer to such questions by looking at the state of the JIRA issue
https://issues.apache.org/jira/browse/SOLR-4470

Status: Open
Fix version: Trunk

Which means that this feature is not included in any released Solr version (yet).

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

> 3. nov. 2014 kl. 22.39 skrev Yuan Jerry <Je...@sentry.com>:
> 
> I am currently working on SolrCloud and its related security configurations for securing Solr web applications using the HTTP Basic Authentication mechanism. Among the Solr nodes inside the SolrCloud clustered env, there seem to be some inter-solr-node communication issues due to the security configurations, which are the HTTP Authentication errors. Based on my research, the patch SOLR-4470 (Security for inter-solr-node requests) would be ideal for resolving these issues (please refer to the address: https://wiki.apache.org/solr/SolrSecurity#Security_for_inter-solr-node_requests). However, it seems to me that these security patches are out-of-box additions to the current Solr source codebase, which don't seem to be available in the recent Solr releases.
> 
> If someone could point out which Solr releases or the jars from some online repositories that contain this patch, it would be appreciated very much.
> 
> Jerry


Re: Which Solr releases contain SOLR-4470 (Security for inter-solr-node requests)

Posted by Chris Hostetter <ho...@fucit.org>.
: I am currently working on SolrCloud and its related security 
: configurations for securing Solr web applications using the HTTP Basic 
: Authentication mechanism. Among the Solr nodes inside the SolrCloud 
: clustered env, there seem to be some inter-solr-node 
: communication issues due to the security configurations, which are the 
: HTTP Authentication errors. Based on my research, the patch SOLR-4470 

In my opinion, your best bet to "secure" Solr is to avoid any and all 
involvement of Basic Auth and instead use SSL with Client certificates...

https://cwiki.apache.org/confluence/display/solr/Enabling+SSL


1) Already supported in Solr today - no patches needed

2) eliminates the complexity of needing a proxy in front of solr to handle 
the client auth, so that the solr nodes can talk to each other w/o auth -- 
and/or: having solr nodes "forward" the client auth around.  Instead each 
solr node authenticates the client using the client's cert, and each node 
authenticates itself for the inter-node requests using its own cert.

3) much more secure than Basic-Auth headers which could be sniffed by a 
man-in-the-middle (you could use SSL + Basic Auth - but if you are going 
to enable SSL anyway, why bother with Basic Auth? just configure the 
client certs)


-Hoss
http://www.lucidworks.com/
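
The client-certificate model recommended in the reply above, shown as an added example that is not part of the original thread and is not Solr code: a listener that requires a trusted client certificate refuses a peer that presents none and answers one that does. The names `node` and `client`, the throwaway self-signed certificates, and the presence of the `openssl` CLI on PATH are assumptions of this sketch.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_cert(d, name):
    """Constructed throwaway self-signed cert/key pair (assumes the openssl CLI is on PATH)."""
    key, crt = os.path.join(d, name + ".key"), os.path.join(d, name + ".crt")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", "/CN=" + name,
                    "-addext", "subjectAltName=DNS:localhost",
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return crt, key

def serve_once(listener, ctx):
    """Accept one connection; answer only if the TLS handshake (client cert included) succeeds."""
    conn, _ = listener.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.sendall(b"ok")
    except (ssl.SSLError, OSError):
        conn.close()

def attempt(port, node_crt, client_pair=None):
    """Connect as a client, optionally presenting a certificate; True if the node answered."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verifies the node's cert and hostname
    ctx.load_verify_locations(node_crt)
    if client_pair:
        ctx.load_cert_chain(*client_pair)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                return tls.recv(2) == b"ok"
    except (ssl.SSLError, OSError):
        return False

def demo():
    with tempfile.TemporaryDirectory() as d:
        node, client = make_cert(d, "node"), make_cert(d, "client")
        srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv.load_cert_chain(*node)              # the node's own identity
        srv.verify_mode = ssl.CERT_REQUIRED     # refuse peers without a trusted cert
        srv.load_verify_locations(client[0])    # certificates this node accepts
        results = {}
        with socket.create_server(("127.0.0.1", 0)) as listener:
            port = listener.getsockname()[1]
            for label, pair in (("no_cert", None), ("with_cert", client)):
                t = threading.Thread(target=serve_once, args=(listener, srv))
                t.start()
                results[label] = attempt(port, node[0], pair)
                t.join()
        return results

if __name__ == "__main__":
    print(demo())
```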