Posted to solr-user@lucene.apache.org by Oded Sofer <od...@yahoo.com.INVALID> on 2015/03/26 22:38:43 UTC

SolrCloud -- Blocking access to administration commands while keeping the solr internal communication

Hello there, 

There are many blogs discussing this issue but it is hard to find if someone had managed to resolve that. 
We have many nodes in the SolrCloud, implementing the iptable restriction will fill the iptable with many rules that will affect performance. 
We are using 4.3.10, on Tomcat 5. 



Re: SolrCloud -- Blocking access to administration commands while keeping the solr internal communication

Posted by Shawn Heisey <ap...@elyograg.org>.
On 3/26/2015 3:38 PM, Oded Sofer wrote:
> There are many blogs discussing this issue but it is hard to find if someone had managed to resolve that. 
> We have many nodes in the SolrCloud, implementing the iptable restriction will fill the iptable with many rules that will affect performance. 
> We are using 4.3.10, on Tomcat 5. 

Because Solr is a webapp, it relies on software outside itself to
provide network and protocol (HTTP) communication.  In your case, that
software is Tomcat.  For others, it is Jetty, JBoss, Weblogic, or one of
several other possibilities.  This means that there are many things that
are impossible (or extremely difficult) for Solr to handle within its
own code.  Security is one of them.

This is one of the major reasons that Solr will become a true
application at some point in the future.  When Solr can control the
network and the HTTP server, we will be able to restrict access to the
admin UI separately from access to the query interface, the update
interface, replication, etc.

As far as your iptables rule list ... are your Solr servers contained
within discrete IP address blocks that could be added to the rule list
as subnets instead of individual addresses?  Ideally you will handle
complicated access controls on edge firewalls or as ACLs on internal
routing devices, not at the host level.

Thanks,
Shawn
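Shawn's suggestion of listing subnets rather than individual addresses can be checked mechanically. The following is an added example, not code from the thread or from the Solr project: it collapses a list of SolrCloud node addresses into the smallest exact set of CIDR blocks using Python's standard `ipaddress` module, then renders an iptables allow-list for the Solr port. The node addresses, the port 8983 and the chain name `SOLR_ALLOW` are constructed assumptions; a Tomcat deployment like the one described would use its own port.

```python
"""Collapse SolrCloud node addresses into CIDR blocks and emit an iptables allow-list.

Added example (not from the mailing-list thread). Addresses, port and chain
name below are constructed assumptions for illustration.
"""
import ipaddress
from typing import Iterable, List

SOLR_PORT = 8983          # assumption: default Solr port; adjust for Tomcat
CHAIN = "SOLR_ALLOW"      # assumption: name of the dedicated filter chain


def collapse_hosts(hosts: Iterable[str]) -> List[str]:
    """Return the minimal list of CIDR networks covering exactly the given hosts.

    Only aligned, contiguous groups are merged (a full /24 becomes one block,
    two odd/even neighbours become a /31); nothing outside the input is ever
    allowed through. IPv4 and IPv6 are collapsed separately because
    ipaddress.collapse_addresses() refuses mixed families.
    """
    nets = [ipaddress.ip_network(h) for h in hosts]  # bare address -> /32 or /128
    collapsed: List[str] = []
    for version in (4, 6):
        same_family = [n for n in nets if n.version == version]
        if same_family:
            collapsed.extend(str(n) for n in ipaddress.collapse_addresses(same_family))
    return collapsed


def iptables_rules(nets: Iterable[str], port: int = SOLR_PORT, chain: str = CHAIN) -> List[str]:
    """Render an allow-list: listed networks may reach the Solr port, all else is dropped.

    Each address family gets its own chain in the matching tool (iptables or
    ip6tables). The chain is inserted at the top of INPUT so it is evaluated
    before any more permissive rule that may already exist.
    """
    rules: List[str] = []
    for binary, version in (("iptables", 4), ("ip6tables", 6)):
        family = [n for n in nets if ipaddress.ip_network(n).version == version]
        if not family:
            continue
        rules.append(f"{binary} -N {chain}")
        for net in family:
            rules.append(f"{binary} -A {chain} -s {net} -p tcp --dport {port} -j ACCEPT")
        rules.append(f"{binary} -A {chain} -p tcp --dport {port} -j DROP")
        rules.append(f"{binary} -I INPUT -p tcp --dport {port} -j {chain}")
    return rules


def rule_savings(hosts: Iterable[str]) -> int:
    """Number of ACCEPT rules avoided by collapsing, versus one rule per host."""
    hosts = list(hosts)
    return len(hosts) - len(collapse_hosts(hosts))


if __name__ == "__main__":
    # Constructed cluster: a full /24 of nodes plus two stragglers in the next block.
    sample_nodes = [f"10.0.1.{i}" for i in range(256)] + ["10.0.2.4", "10.0.2.5"]
    blocks = collapse_hosts(sample_nodes)
    print(f"{len(sample_nodes)} hosts -> {len(blocks)} blocks: {blocks}")
    for line in iptables_rules(blocks):
        print(line)
```

Because the match is on source address and destination port, this restricts the whole Solr port to the listed networks; it cannot tell an `/admin/` request from a query, which is exactly the limitation the reply describes. If the cluster is not aligned on subnet boundaries, an `ipset` of type `hash:net` referenced from a single `-m set --match-set` rule keeps the iptables rule count constant regardless of how many blocks there are.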