Posted to issues@lucene.apache.org by "Jan Høydahl (Jira)" <ji...@apache.org> on 2020/03/31 14:48:00 UTC

[jira] [Comment Edited] (SOLR-14014) Allow Solr to start with Admin UI disabled

    [ https://issues.apache.org/jira/browse/SOLR-14014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17071852#comment-17071852 ] 

Jan Høydahl edited comment on SOLR-14014 at 3/31/20, 2:47 PM:
--------------------------------------------------------------

Remember that the Admin UI is full of inter-links to other Solr nodes, so if you disable it on all nodes but one, you'll get 404s when you try to navigate e.g. in the Graph screen or in the Nodes screen, and several other places.

I made a class {{AdminHandlersProxy}} to be able to pull responses from other nodes through a single Solr node. It is currently used by the Nodes screen to request data from {{MetricsHandler}} and {{SystemInfoHandler}} for other nodes by adding a {{&nodes=node1[,node2...]}} parameter to the request. Perhaps we could expand on that concept and let any node be a proxy to get e.g. /admin/metrics or /admin/info/system. Imagine a node-selector dropdown on the "Dashboard" screen of Admin UI, where you can switch between all nodes, and the dashboard will then show info for the selected node, and not for the node in the URL. Then we won't need the inter-node links, we could just change local Angular state of what node is "current". The "cores" dropdown could then also change to show cores from, and interact with, the "current" selected node.


was (Author: janhoy):
Remember that the Admin UI is full of inter-links to other Solr nodes, so if you disable it on all nodes but one, you'll get 404s when you try to navigate e.g. in the Graph screen or in the Nodes screen, and several other places.

I made a class {{AdminHandlersProxy}} to be able to pull responses from other nodes through a single Solr node. Perhaps we could expand on that concept and let any node be a proxy to get e.g. /admin/metrics or /admin/info/system. Imagine a node-selector dropdown on the "Dashboard" screen of Admin UI, where you can switch between all nodes, and the dashboard will then show info for the selected node, and not for the node in the URL. Then we won't need the inter-node links, we could just change local Angular state of what node is "current". The "cores" dropdown could then also change to show cores from, and interact with, the "current" selected node.

> Allow Solr to start with Admin UI disabled
> ------------------------------------------
>
>                 Key: SOLR-14014
>                 URL: https://issues.apache.org/jira/browse/SOLR-14014
>             Project: Solr
>          Issue Type: Improvement
>          Components: Admin UI, security
>    Affects Versions: master (9.0), 8.3.1
>            Reporter: Jason Gerlowski
>            Priority: Major
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Currently Solr always runs the Admin UI. With the history of XSS issues and other security concerns that have been found in the Admin UI, Solr should offer a mode where the Admin UI is disabled. Maybe, and this is a topic that'll need some serious discussion, this should even be the default when Solr starts.
> NOTE: Disabling the Admin UI removes XSS and other attack vectors. But even with the Admin UI disabled, Solr will still be inherently unsafe without firewall protection on a public network.
> *Proposed design:*
> A java system property called *headless* will be used as an internal flag for starting Solr in headless mode. This property will default to true. A java property can be used at startup to set this flag to false.
> Here is an example:
> {code:java}
> bin/solr start -Dheadless=false
> {code}
> A message will be added following startup describing the mode.
> In headless mode the following message will be displayed:
> "solr is running in headless mode. The admin console is unavailable. To turn off headless mode and allow the admin console use the following startup parameter:
> -Dheadless=false"
>   
> In non-headless mode the following message will be displayed:
> "solr is running with headless mode turned off. The admin console is available in this mode. Disabling the Admin UI removes XSS and other attack vectors"  
> If a user attempts to access the admin console while Solr is in headless mode, Solr will return 401 unauthorized.
>  
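The proposed headless flag and the 401 behaviour from the issue description, as an added servlet-filter illustration. This is not Solr's own code; the class name, the Admin UI path prefixes and the startup-message wiring are assumptions, while the admin API handlers under /solr/admin/ are deliberately left reachable so the "proxy through one node" idea in the comment above still works.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: blocks the Admin UI when -Dheadless is not set to false. */
public class HeadlessUiFilter implements Filter {
    // Design default is headless=true; only an explicit -Dheadless=false enables the UI.
    static final boolean HEADLESS = !"false".equalsIgnoreCase(System.getProperty("headless", "true"));

    // Assumption: static Admin UI assets are served under these prefixes.
    private static final String[] UI_PREFIXES = {"/solr/js/", "/solr/css/", "/solr/img/", "/solr/partials/"};

    /** True only for Admin UI pages/assets; /solr/admin/* API handlers are never matched. */
    static boolean isAdminUiRequest(String path) {
        if (path == null || path.startsWith("/solr/admin/")) return false;
        if (path.equals("/solr/") || path.equals("/solr/index.html")) return true;
        for (String p : UI_PREFIXES) {
            if (path.startsWith(p)) return true;
        }
        return false;
    }

    @Override public void init(FilterConfig cfg) {
        // Startup message text as proposed in the issue description.
        System.out.println(HEADLESS
            ? "solr is running in headless mode. The admin console is unavailable. "
              + "To turn off headless mode and allow the admin console use the following startup parameter: -Dheadless=false"
            : "solr is running with headless mode turned off. The admin console is available in this mode. "
              + "Disabling the Admin UI removes XSS and other attack vectors");
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (HEADLESS && isAdminUiRequest(request.getRequestURI())) {
            // Proposed behaviour: the admin console answers 401 in headless mode.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED, "Admin UI disabled (headless mode)");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void destroy() {}
}
```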



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
