Posted to issues@lucene.apache.org by "Jason Gerlowski (Jira)" <ji...@apache.org> on 2019/12/05 14:41:00 UTC

[jira] [Commented] (SOLR-13972) Insecure Solr should generate startup warning

    [ https://issues.apache.org/jira/browse/SOLR-13972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16988869#comment-16988869 ] 

Jason Gerlowski commented on SOLR-13972:
----------------------------------------

I've taken a quick stab at this.  It's not ready to go yet (see below), but it's enough that people can give feedback on the wording if anyone cares.

If Solr is started without any auth (according to {{solr.in.sh}} env vars), the following message is displayed:

{code}
*** [WARN] *** Solr has no authentication enabled.  If you intend to expose Solr directly to users,
 consider enabling authentication with a command such as: 
  bin/solr auth enable -type basicAuth -credentials firstUser:firstUserPass -blockUnknown true
 Run 'bin/solr auth --help' for more authentication options
{code}

If auth is enabled but SSL is off, this warning is displayed:
{code}
*** [WARN] *** Solr authentication is enabled, but SSL is off.  Credentials sent to Solr will be unencrypted
 If Solr is not in a secured network, consider enabling SSL to protect request credentials and user data.
{code}

----

Right now these messages are printed to stdout and are implemented in {{bin/solr}}.

There's a slight problem with this - SolrCloud can start up and use auth without any of the auth-related vars set in {{solr.in.sh}}.  We could move the warning into Java-land (where it can read security.json) and have it still go to stdout, but it might appear after the "Happy searching!" message or collide with it.  We could also move the warning into Java-land and have it go to {{solr.log}}, but that's less visible.

Need to think about it a little bit.

> Insecure Solr should generate startup warning
> ---------------------------------------------
>
>                 Key: SOLR-13972
>                 URL: https://issues.apache.org/jira/browse/SOLR-13972
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Ishan Chattopadhyaya
>            Priority: Critical
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Warning to the effect of, start Solr with: "solr auth enable -credentials solr:foo -blockUnknown true" (or some other way to achieve the same effect) if you want to expose this Solr instance directly to users. Maybe the link to the ref guide discussing all this might be in good measure here.



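The check discussed in the comment above, as an added example that is not the bin/solr implementation or part of the original message: it picks between the two warnings and also covers the case where auth is configured only in security.json. It assumes SOLR_AUTH_TYPE, SOLR_AUTHENTICATION_OPTS and SOLR_SSL_ENABLED are the solr.in.sh variables consulted; the function names and the security.json path argument are hypothetical.

```shell
# Added example, not the bin/solr implementation.
# Assumed inputs: SOLR_AUTH_TYPE, SOLR_AUTHENTICATION_OPTS and SOLR_SSL_ENABLED
# from solr.in.sh; $1 is a hypothetical path to a readable copy of security.json.

# Echoes one of: no-auth | auth-no-ssl | ok
solr_security_state() {
  local security_json
  local auth
  security_json="${1:-}"
  auth=false
  # Source 1: auth configured through solr.in.sh variables.
  if [ -n "${SOLR_AUTH_TYPE:-}" ] || [ -n "${SOLR_AUTHENTICATION_OPTS:-}" ]; then
    auth=true
  # Source 2: auth configured only in security.json (the SolrCloud case).
  elif [ -n "$security_json" ] && [ -r "$security_json" ]; then
    # Strip whitespace so pretty-printed and compact JSON match the same way.
    if tr -d '[:space:]' < "$security_json" | grep -Fq '"authentication":{'; then
      auth=true
    fi
  fi
  if [ "$auth" = false ]; then
    echo "no-auth"
  elif [ "${SOLR_SSL_ENABLED:-false}" != "true" ]; then
    echo "auth-no-ssl"
  else
    echo "ok"
  fi
}

# Print the first line of the matching warning quoted in the comment.
print_solr_security_warning() {
  case "$(solr_security_state "${1:-}")" in
    no-auth)
      echo "*** [WARN] *** Solr has no authentication enabled." ;;
    auth-no-ssl)
      echo "*** [WARN] *** Solr authentication is enabled, but SSL is off." ;;
  esac
}

# Constructed sample: auth defined only in security.json, no solr.in.sh variables.
sample="$(mktemp)"
printf '{"authentication":{"class":"solr.BasicAuthPlugin","blockUnknown":true}}' > "$sample"
( unset SOLR_AUTH_TYPE SOLR_AUTHENTICATION_OPTS SOLR_SSL_ENABLED
  print_solr_security_warning "$sample" )  # reports auth enabled but SSL off
rm -f "$sample"
```

An env-var-only check would report "no authentication" for the constructed sample, which is the false warning the comment is concerned about.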