Posted to solr-user@lucene.apache.org by Teebo <la...@gmail.com> on 2011/01/23 19:21:47 UTC

filter update by IP

Hi

I would like to restrict access to /update/csv request handler

Is there a ready to use UpdateRequestProcessor for that ?


My first idea was to inherit from CSVRequestHandler and to overload
public void handleRequest(SolrQueryRequest req, SolrQueryResponse rsp) {
   ...
   // restrict by IP code
   ...
   super.handleRequest(req, rsp);
}

What do you think ?

Regards,
t.

Re: filter update by IP

Posted by Dennis Gearon <ge...@sbcglobal.net>.
Most times people do this by running Solr ONLY on localhost, and running some kind 
of permission scheme through a server-side application.

 Dennis Gearon


----- Original Message ----
From: Erik Hatcher <er...@gmail.com>
To: solr-user@lucene.apache.org
Sent: Sun, January 23, 2011 10:47:02 AM
Subject: Re: filter update by IP

No.  SolrQueryRequest doesn't (currently) have access to the actual HTTP request 
coming in.  You'll need to do this either with a servlet filter and register it 
into web.xml or restrict it from some other external firewall'ish technology.

    Erik

On Jan 23, 2011, at 13:21 , Teebo wrote:

> Hi
> 
> I would like to restrict access to /update/csv request handler
> 
> Is there a ready to use UpdateRequestProcessor for that ?
> 
> 
> My first idea was to inherit from CSVRequestHandler and to overload
> public void handleRequest(SolrQueryRequest req, SolrQueryResponse rsp) {
>  ...
>  // restrict by IP code
>  ...
>  super.handleRequest(req, rsp);
> }
> 
> What do you think ?
> 
> Regards,
> t.

Re: filter update by IP

Posted by Thibaut <la...@gmail.com>.
On 01/24/2011 02:02 AM, Jonathan Rochkind wrote:
> Kind of personally curious _why_ it keeps coming up on the list so much. Is everyone trying to go into business vending Solr in the cloud to customers who will write their own apps, or are there some other less obvious (to me) use cases?

In my case, it's to index stuff (content, csv ...) and to use it in 
javascript apps.

I wrote a thin wrapper around solr to embed it in Lutece portal : 
http://goo.gl/f3pGA

Lutece portal administrator can write and read solr and the rest can 
read it.


RE: filter update by IP

Posted by Jonathan Rochkind <ro...@jhu.edu>.
My favorite "other external firewall'ish technology"  is just an apache front-end reverse proxying to the Java servlet (such as Solr), with access controls in apache. 

I haven't actually done it with Solr myself though, my Solr is behind a firewall accessed by trusted apps only. Be careful making your Solr viewable to the world, even behind an "other external firewall'ish technology."  There are several features in Solr you do NOT want to expose to the world (the ability to change the index in general, of which there are a variety of ways to do it in addition to the /update/csv handler, the straight /update handler. Also consider the replication commands -- the example Solr solrconfig.xml, at least, will allow an HTTP request that tells Solr to replicate from arbitrarily specified 'master', definitely not something you'd want open to the world either!  There may be other examples too you might not think of at first.).

My impression is that Solr is written assuming it will be safely ensconced behind a firewall and accessed by trusted applications only.  If you're not going to do this, you're going to have to be careful to make sure to lock down or remove a lot of things, /update/csv is just barely a start.  I don't know if anyone has analyzed and written up secure ways to do this -- it sounds like there would be interest for such since it keeps coming up on the list. 

Kind of personally curious _why_ it keeps coming up on the list so much. Is everyone trying to go into business vending Solr in the cloud to customers who will write their own apps, or are there some other less obvious (to me) use cases?

________________________________________
From: Erik Hatcher [erik.hatcher@gmail.com]
Sent: Sunday, January 23, 2011 1:47 PM
To: solr-user@lucene.apache.org
Subject: Re: filter update by IP

No.  SolrQueryRequest doesn't (currently) have access to the actual HTTP request coming in.  You'll need to do this either with a servlet filter and register it into web.xml or restrict it from some other external firewall'ish technology.

        Erik

On Jan 23, 2011, at 13:21 , Teebo wrote:

> Hi
>
> I would like to restrict access to /update/csv request handler
>
> Is there a ready to use UpdateRequestProcessor for that ?
>
>
> My first idea was to inherit from CSVRequestHandler and to overload
> public void handleRequest(SolrQueryRequest req, SolrQueryResponse rsp) {
>  ...
>  // restrict by IP code
>  ...
>  super.handleRequest(req, rsp);
> }
>
> What do you think ?
>
> Regards,
> t.


Re: filter update by IP

Posted by Erik Hatcher <er...@gmail.com>.
No.  SolrQueryRequest doesn't (currently) have access to the actual HTTP request coming in.  You'll need to do this either with a servlet filter and register it into web.xml or restrict it from some other external firewall'ish technology.

	Erik

On Jan 23, 2011, at 13:21 , Teebo wrote:

> Hi
> 
> I would like to restrict access to /update/csv request handler
> 
> Is there a ready to use UpdateRequestProcessor for that ?
> 
> 
> My first idea was to inherit from CSVRequestHandler and to overload
> public void handleRequest(SolrQueryRequest req, SolrQueryResponse rsp) {
>  ...
>  // restrict by IP code
>  ...
>  super.handleRequest(req, rsp);
> }
> 
> What do you think ?
> 
> Regards,
> t.