Lucene authentication

Lucene authentication

Aaron Schon
Hi,

If I have a Lucene index (or Solr) that is installed in client premises, how would you go about securing the index from being queried in an unauthorized fashion? For example, from malicious users or hackers, or for that matter "internal" users trying to reengineer the system and use it for purposes other than the way licensed.

Any suggestions?
as


     

Re: Lucene authentication

kkrugler

>If I have a Lucene index (or Solr) that is installed in client
>premises, how would you go about securing the index from being
>queried in an unauthorized fashion? For example, from malicious users
>or hackers, or for that matter "internal" users trying to reengineer
>the system and use it for purposes other than the way licensed.
>
>Any suggestions?

If all you care about is authentication, then just put something like
Apache with .htaccess in front of whatever GUI you've got that
exposes the index search functionality.

If you also need authorization (access control) for specific bits of
content, then see the Solr list for various discussions about how to
extend the index with ACL info that gets implicitly used with all
queries.

-- Ken
--
Ken Krugler
Krugle, Inc.
+1 530-210-6378
"If you can't find it, you can't fix it"
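
An added example, not part of the original thread or of Solr itself: one way a front end could attach ACL information to every query, using Solr's `fq` filter parameter. The `acl` field name, the allow-listed parameters and the function names are assumptions for illustration.

```python
from urllib.parse import urlencode

# Assumptions (not from the thread): documents carry a multi-valued "acl"
# field listing the groups allowed to read them, and the front end has
# already authenticated the user and resolved their groups server-side.
ACL_FIELD = "acl"
ALLOWED_PARAMS = {"q", "start", "rows", "sort"}  # everything else is dropped


def quote_term(value):
    """Quote a value as a Lucene phrase so it cannot alter the filter syntax."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_solr_params(client_params, user_groups):
    """Return the parameter list to send to Solr for one authenticated request.

    client_params: dict of parameters received from the browser (untrusted).
    user_groups:   groups resolved server-side for the authenticated user.
    """
    if not user_groups:
        # Fail closed: no groups means no query, never an unfiltered one.
        raise PermissionError("user has no groups; refusing to query the index")

    # Forward only allow-listed parameters; a client-supplied fq is discarded.
    params = [(k, str(v)) for k, v in sorted(client_params.items())
              if k in ALLOWED_PARAMS]

    # The ACL restriction is added by the server on every query.
    groups = " OR ".join(quote_term(g) for g in sorted(user_groups))
    params.append(("fq", f"{ACL_FIELD}:({groups})"))
    return params


def build_solr_query_string(client_params, user_groups):
    """URL-encode the rewritten parameters for the request to Solr."""
    return urlencode(build_solr_params(client_params, user_groups))
```

The filter only holds if Solr accepts connections from the authenticating front end alone, so that no client can send a query that bypasses the rewrite.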

Re: Lucene authentication

hossman

: > fashion. For example, from malicious users or hackers, or for that matter
: > "internal" users trying to reengineer the system and use it for purposes
: > other than the way licensed.

If you're talking about people who already have access to the physical
disk the index resides on, but you don't want them to use the index in any
way except what your application allows, you are largely out of luck -- the
Lucene index format is well documented and many tools (like Luke) can open
an arbitrary Lucene index.

The only suggestion I can think of would be to use a RAMDirectory in your
application where the only persistent data you store is encrypted using
keys that are hardcoded into your application.



-Hoss