How to work with remote solr savely?

[Stavros Delisavas <st...@delisavas.de>]

Hello Solr-Friends,
I have a question about working with solr which is installed on a remote
server.
I have a php-project with a very big mysql-database of about 10gb and I
am also using solr for about 10,000,000 entries indexed for fast search
and access of the mysql-data.
I have a local copy myself so I can continue to work on the php-project
itself, but I want to make it available for more developers too. How can
I make solr accessable ONLY for those exclusive developers? For mysql
it's no problem to add an additional mysql-user with limited access.

But for Solr it seems difficult to me. I have had my administrator
restrict the java-port 8080 to localhost only. That way no one outside
can access solr or the solr-admin interface.
How can I allow access to other developers without making the whole
solr-interface (port 8080) available to the public?

Thanks,

Stavros

RE: How to work with remote solr savely?

["Hoggarth, Gil" <Gi...@bl.uk>]

We solved this issue outside of Solr. As you've done, restrict the
server to localhost access to Solr, add firewall rules to allow your
developers on port 80, and proxypass allowed port 80 transfer to Solr.
Remember to include the proxypassreverse too.
(This runs on linux and apache httpd btw.)

-----Original Message-----
From: Stavros Delisavas [mailto:stavros@delisavas.de] 
Sent: 22 November 2013 14:24
To: solr-user@lucene.apache.org
Subject: How to work with remote solr savely?

Hello Solr-Friends,
I have a question about working with solr which is installed on a remote
server.
I have a php-project with a very big mysql-database of about 10gb and I
am also using solr for about 10,000,000 entries indexed for fast search
and access of the mysql-data.
I have a local copy myself so I can continue to work on the php-project
itself, but I want to make it available for more developers too. How can
I make solr accessable ONLY for those exclusive developers? For mysql
it's no problem to add an additional mysql-user with limited access.

But for Solr it seems difficult to me. I have had my administrator
restrict the java-port 8080 to localhost only. That way no one outside
can access solr or the solr-admin interface.
How can I allow access to other developers without making the whole
solr-interface (port 8080) available to the public?

Thanks,

Stavros

Re: How to work with remote solr savely?

[Stavros Delisavas <st...@delisavas.de>]

Thanks for the suggestions. I will have a look at the suggestions and
try them out.



Am 22.11.2013 16:01, schrieb Hoggarth, Gil:
> You could also use one of the proxy scripts, such as
> http://code.google.com/p/solr-php-client/, which is coincidentally
> linked (eventually) from Michael's suggested SolrSecurity URL.
>
> -----Original Message-----
> From: michael.boom [mailto:my_sky_mc@yahoo.com] 
> Sent: 22 November 2013 14:53
> To: solr-user@lucene.apache.org
> Subject: Re: How to work with remote solr savely?
>
> http://wiki.apache.org/solr/SolrSecurity#Path_Based_Authentication
>
> Maybe you could achieve write/read access limitation by setting path
> based
> authentication:
> The update handler "/solr/core/update"  should be protected by
> authentication, with credentials only known to you. But then of course,
> your indexing client will need to authenticate in order to add docs to
> solr.
> Your select handler "/solr/core/select" could then be open or protected
> by http auth with credentials open to developers.
>
> That's the first idea that comes to mind - haven't tested it. 
> If you do, feedback and let us know how it went.
>
>
>
> -----
> Thanks,
> Michael
> --
> View this message in context:
> http://lucene.472066.n3.nabble.com/How-to-work-with-remote-solr-savely-t
> p4102612p4102618.html
> Sent from the Solr - User mailing list archive at Nabble.com.
>

RE: How to work with remote solr savely?

["Hoggarth, Gil" <Gi...@bl.uk>]

You could also use one of the proxy scripts, such as
http://code.google.com/p/solr-php-client/, which is coincidentally
linked (eventually) from Michael's suggested SolrSecurity URL.

-----Original Message-----
From: michael.boom [mailto:my_sky_mc@yahoo.com] 
Sent: 22 November 2013 14:53
To: solr-user@lucene.apache.org
Subject: Re: How to work with remote solr savely?

http://wiki.apache.org/solr/SolrSecurity#Path_Based_Authentication

Maybe you could achieve write/read access limitation by setting path
based
authentication:
The update handler "/solr/core/update"  should be protected by
authentication, with credentials only known to you. But then of course,
your indexing client will need to authenticate in order to add docs to
solr.
Your select handler "/solr/core/select" could then be open or protected
by http auth with credentials open to developers.

That's the first idea that comes to mind - haven't tested it. 
If you do, feedback and let us know how it went.



-----
Thanks,
Michael
--
View this message in context:
http://lucene.472066.n3.nabble.com/How-to-work-with-remote-solr-savely-t
p4102612p4102618.html
Sent from the Solr - User mailing list archive at Nabble.com.

Re: How to work with remote solr savely?

["michael.boom" <my...@yahoo.com>]

http://wiki.apache.org/solr/SolrSecurity#Path_Based_Authentication

Maybe you could achieve write/read access limitation by setting path based
authentication:
The update handler "/solr/core/update"  should be protected by
authentication, with credentials only known to you. But then of course, your
indexing client will need to authenticate in order to add docs to solr.
Your select handler "/solr/core/select" could then be open or protected by
http auth with credentials open to developers.

That's the first idea that comes to mind - haven't tested it. 
If you do, feedback and let us know how it went.



-----
Thanks,
Michael
--
View this message in context: http://lucene.472066.n3.nabble.com/How-to-work-with-remote-solr-savely-tp4102612p4102618.html
Sent from the Solr - User mailing list archive at Nabble.com.

Re: How to work with remote solr savely?

[Stavros Delisavas <st...@delisavas.de>]

Thanks for your fast reply.
First of all http basic authentication unfortunatly is not secure. Also
this would give every developer full admin priviliges. Anyways, can you
tell me where I can do those configurations?

Are there any alternative or more secure ways to restrict solr-access?
In general extern developers need search-query-access only. They should
not be able to write/change the documents or access solr-admin-pages.

Thank you


Am 22.11.2013 15:34, schrieb michael.boom:
> Use HTTP basic authentication, setup in your servlet container
> (jetty/tomcat).
>
> That should work fine if you are *not* using SolrCloud.
>
>
>
> -----
> Thanks,
> Michael
> --
> View this message in context: http://lucene.472066.n3.nabble.com/How-to-work-with-remote-solr-savely-tp4102612p4102613.html
> Sent from the Solr - User mailing list archive at Nabble.com.
>

Re: How to work with remote solr savely?

[Bill Bell <bi...@gmail.com>]

Do you have a sample jetty XML to setup basic auth for updates in Solr?

Sent from my iPad

> On Nov 22, 2013, at 7:34 AM, "michael.boom" <my...@yahoo.com> wrote:
> 
> Use HTTP basic authentication, setup in your servlet container
> (jetty/tomcat).
> 
> That should work fine if you are *not* using SolrCloud.
> 
> 
> 
> -----
> Thanks,
> Michael
> --
> View this message in context: http://lucene.472066.n3.nabble.com/How-to-work-with-remote-solr-savely-tp4102612p4102613.html
> Sent from the Solr - User mailing list archive at Nabble.com.

Re: How to work with remote solr savely?

["michael.boom" <my...@yahoo.com>]

Use HTTP basic authentication, setup in your servlet container
(jetty/tomcat).

That should work fine if you are *not* using SolrCloud.



-----
Thanks,
Michael
--
View this message in context: http://lucene.472066.n3.nabble.com/How-to-work-with-remote-solr-savely-tp4102612p4102613.html
Sent from the Solr - User mailing list archive at Nabble.com.