You are viewing a plain text version of this content. The canonical link for it is here.
Posted to solr-user@lucene.apache.org by Teebo <la...@gmail.com> on 2011/01/23 19:21:47 UTC
filter update by IP
Hi
I would like to restrict access to /update/csv request handler
Is there a ready to use UpdateRequestProcessor for that ?
My first idea was to heritate from CSVRequestHandler and to overload
public void handleRequest(SolrQueryRequest req, SolrQueryResponse rsp) {
...
restrict by IP code
...
super(req, rsp);
}
What do you think ?
Regards,
t.
Re: filter update by IP
Posted by Dennis Gearon <ge...@sbcglobal.net>.
Most times people do this by running solr ONLY local host, and running some kind
of permission scheme through a server site application.
Dennis Gearon
Signature Warning
----------------
It is always a good idea to learn from your own mistakes. It is usually a better
idea to learn from others’ mistakes, so you do not have to make them yourself.
from 'http://blogs.techrepublic.com.com/security/?p=4501&tag=nl.e036'
EARTH has a Right To Life,
otherwise we all die.
----- Original Message ----
From: Erik Hatcher <er...@gmail.com>
To: solr-user@lucene.apache.org
Sent: Sun, January 23, 2011 10:47:02 AM
Subject: Re: filter update by IP
No. SolrQueryRequest doesn't (currently) have access to the actual HTTP request
coming in. You'll need to do this either with a servlet filter and register it
into web.xml or restrict it from some other external firewall'ish technology.
Erik
On Jan 23, 2011, at 13:21 , Teebo wrote:
> Hi
>
> I would like to restrict access to /update/csv request handler
>
> Is there a ready to use UpdateRequestProcessor for that ?
>
>
> My first idea was to heritate from CSVRequestHandler and to overload
> public void handleRequest(SolrQueryRequest req, SolrQueryResponse rsp) {
> ...
> restrict by IP code
> ...
> super(req, rsp);
> }
>
> What do you think ?
>
> Regards,
> t.
Re: filter update by IP
Posted by Thibaut <la...@gmail.com>.
On 01/24/2011 02:02 AM, Jonathan Rochkind wrote:
> Kind of personally curious_why_ it keeps coming up on the list so much. Is everyone trying to go into business vending Solr in the cloud to customers who will write their own apps, or are there some other less obvious (to me) use cases?
In my case, it's to index stuff (content, csv ...) and to use it in
javascript apps.
I wrote a thin wrapper around solr to embed it in Lutece portal :
http://goo.gl/f3pGA
Lutece portal administrator can write and read solr and the rest can
read it.
RE: filter update by IP
Posted by Jonathan Rochkind <ro...@jhu.edu>.
My favorite "other external firewall'ish technology" is just an apache front-end reverse proxying to the Java servlet (such as Solr), with access controls in apache.
I haven't actually done it with Solr myself though, my Solr is behind a firewall accessed by trusted apps only. Be careful making your Solr viewable to the world, even behind an "other external firewall'ish technology." There are several features in Solr you do NOT to expose to the world (the ability to change the index in general, of which there are a variety of ways to do it in addition to the /update/csv handler, the straight /update handler. Also consider the replication commands -- the example Solr solrconfig.xml, at least, will allow an HTTP request that tells Solr to replicate from arbitrarily specified 'master', definitely not something you'd want open to the world either! There may be other examples too you might not think of at first.).
My impression is that Solr is written assuming it will be safely ensconced behind a firewall and accessed by trusted applications only. If you're not going to do this, you're going to have to be careful to make sure to lock down or remove a lot of things, /update/csv is just barely a start. I don't know if anyone has analyzed and written up secure ways to do this -- it sounds like there would be interest for such since it keeps coming up on the list.
Kind of personally curious _why_ it keeps coming up on the list so much. Is everyone trying to go into business vending Solr in the cloud to customers who will write their own apps, or are there some other less obvious (to me) use cases?
________________________________________
From: Erik Hatcher [erik.hatcher@gmail.com]
Sent: Sunday, January 23, 2011 1:47 PM
To: solr-user@lucene.apache.org
Subject: Re: filter update by IP
No. SolrQueryRequest doesn't (currently) have access to the actual HTTP request coming in. You'll need to do this either with a servlet filter and register it into web.xml or restrict it from some other external firewall'ish technology.
Erik
On Jan 23, 2011, at 13:21 , Teebo wrote:
> Hi
>
> I would like to restrict access to /update/csv request handler
>
> Is there a ready to use UpdateRequestProcessor for that ?
>
>
> My first idea was to heritate from CSVRequestHandler and to overload
> public void handleRequest(SolrQueryRequest req, SolrQueryResponse rsp) {
> ...
> restrict by IP code
> ...
> super(req, rsp);
> }
>
> What do you think ?
>
> Regards,
> t.
Re: filter update by IP
Posted by Erik Hatcher <er...@gmail.com>.
No. SolrQueryRequest doesn't (currently) have access to the actual HTTP request coming in. You'll need to do this either with a servlet filter and register it into web.xml or restrict it from some other external firewall'ish technology.
Erik
On Jan 23, 2011, at 13:21 , Teebo wrote:
> Hi
>
> I would like to restrict access to /update/csv request handler
>
> Is there a ready to use UpdateRequestProcessor for that ?
>
>
> My first idea was to heritate from CSVRequestHandler and to overload
> public void handleRequest(SolrQueryRequest req, SolrQueryResponse rsp) {
> ...
> restrict by IP code
> ...
> super(req, rsp);
> }
>
> What do you think ?
>
> Regards,
> t.