Posted to solr-user@lucene.apache.org by Solrmails <so...@protonmail.com> on 2017/12/14 06:51:31 UTC

Is it safe to give users access to /admin/luke ?

Hey there!

Is it safe to give users access to /admin/luke ? I restricted access for normal users and I also restrict access per Solr document (via a plugin). But for some reasons users need information from /admin/luke.
Can they destroy something or retrieve information that they shouldn't have?

Re: Is it safe to give users access to /admin/luke ?

Posted by Emir Arnautović <em...@sematext.com>.
Hi,
Depends on what you consider safe:
  - will the user be able to change the index - NO.
  - will the user be able to get enough info to more or less restore document content - YES.

HTH,
Emir
--
Monitoring - Log Management - Alerting - Anomaly Detection
Solr & Elasticsearch Consulting Support Training - http://sematext.com/



> On 14 Dec 2017, at 07:51, Solrmails <so...@protonmail.com> wrote:
> 
> Hey there!
> 
> Is it safe to give users access to /admin/luke ? I restricted access for normal users and I also restrict access per Solr document (via a plugin). But for some reasons users need information from /admin/luke.
> Can they destroy something or retrieve information that they shouldn't have?


Re: Is it safe to give users access to /admin/luke ?

Posted by Shawn Heisey <ap...@elyograg.org>.
On 12/13/2017 11:51 PM, Solrmails wrote:
> Is it safe to give users access to /admin/luke ? I restricted access for normal users and I also restrict access per Solr document (via a plugin). But for some reasons users need information from /admin/luke.
> Can they destroy something or retrieve information that they shouldn't have?

In general, end users should NEVER have direct access to Solr.  Only
trusted administrators and your application should have access.  I would
even put requests to the luke handler behind the application -- write
something for the front end that pulls the information they need and
provides it to them.

If you can guarantee that /solr/XXXX/admin/luke is the ONLY thing they
can get to, then it might be pretty safe, although it still might be
possible for users to bombard it with requests and create a denial of
service situation for your search engine.  If you can actually *trust*
those who have this access, you're probably OK.

Thanks,
Shawn
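
A sketch of the application-side wrapper suggested in the reply above, as an added example that is not part of the original thread or of Solr itself. The core name, field allow-list, rate limits and the sample response are assumptions; the application fixes every Luke parameter, returns only type and schema flags for approved fields, and limits requests per user.

```python
import json
import time
from urllib.parse import urlencode

# Assumptions (not from the thread): core name, allow-list, rate limits.
LUKE_URL = "http://localhost:8983/solr/mycore/admin/luke"
ALLOWED_FIELDS = {"title", "category"}
SAFE_KEYS = ("type", "schema")  # drops topTerms, histogram, docs, distinct
MAX_REQUESTS, WINDOW_SECONDS = 5, 60.0

def build_luke_url():
    """The application picks every parameter; no user input reaches Solr,
    so id/docId lookups and term listings cannot be requested."""
    return LUKE_URL + "?" + urlencode({"wt": "json", "numTerms": 0})

def filter_luke(raw):
    """Keep only type/schema flags for allow-listed fields."""
    fields = json.loads(raw).get("fields", {})
    return {name: {k: info[k] for k in SAFE_KEYS if k in info}
            for name, info in fields.items() if name in ALLOWED_FIELDS}

class RateLimiter:
    """Sliding-window limit per user to blunt request floods."""
    def __init__(self, limit=MAX_REQUESTS, window=WINDOW_SECONDS):
        self.limit, self.window, self.hits = limit, window, {}

    def allow(self, user, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self.hits.get(user, []) if now - t < self.window]
        ok = len(recent) < self.limit
        if ok:
            recent.append(now)
        self.hits[user] = recent
        return ok

def handle(user, limiter, fetch, now=None):
    """fetch(url) returns the response body; injected so this runs offline."""
    if not limiter.allow(user, now):
        return 429, {"error": "rate limit exceeded"}
    return 200, filter_luke(fetch(build_luke_url()))

# Constructed sample of a Luke JSON response (not real data).
SAMPLE = json.dumps({"index": {"numDocs": 3}, "fields": {
    "title": {"type": "text_general", "schema": "ITS---", "docs": 3,
              "topTerms": ["secret", 2, "merger", 1]},
    "ssn": {"type": "string", "schema": "I-S---",
            "topTerms": ["123-45-6789", 1]}}})

if __name__ == "__main__":
    print(handle("alice", RateLimiter(), lambda url: SAMPLE))
```

In a real deployment `fetch` would be an HTTP client call made from the application host, with Solr itself reachable only from that host.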