How do *you* restrict access to Solr?

How do *you* restrict access to Solr?

Ryan W
How do you, personally, do it?  Do you use IPTables?  Basic Authentication
Plugin? Something else?

I'm asking in part so I'll have something to search for.  I don't know where
I should begin, so I figured I would ask how others do it.

I haven't been able to find anything that works, so if you can tell me what
works for you, I can at least narrow it down a bit and do some Google
searches.  Do I need to learn Solr's plugin system?  Am I starting in the
right place if I follow this document:
https://lucene.apache.org/solr/guide/7_0/rule-based-authorization-plugin.html#rule-based-authorization-plugin

Initially, the above document seems far too comprehensive for my needs.  I
just want to block access to the Solr admin UI, and the list of predefined
permissions in that document doesn't seem to be relevant.  Also, it seems
unlikely this plugin system is necessary just to control access to the
admin UI... or maybe it is necessary?

In any case, what is your approach?

I'm using version 7.7.2 of Solr.

Thanks!

Re: How do *you* restrict access to Solr?

David Hastings
Honestly?  I know this isn't what you're going to want to hear, but security
through obscurity.  No one else knows what port the server's on, and it's not
accessible from anything outside of the internal network.  If your Solr
install can be accessed from an external IP you have much larger issues.

Re: How do *you* restrict access to Solr?

Susheel Kumar-3
In reply to this post by Ryan W
Basic auth should help you to start

https://lucene.apache.org/solr/guide/8_1/basic-authentication-plugin.html

Re: How do *you* restrict access to Solr?

Nicolas Franck
In reply to this post by Ryan W
IPtables seems like the way to go, at least for me.
Even if this basic-auth-plugin works, then you'll have to
deal with denial-of-service attacks (although these can
also happen indirectly, by hitting the website that uses Solr).

Re: How do *you* restrict access to Solr?

Jörn Franke
In reply to this post by Ryan W
Solr should not be accessible to end users directly - only through a dedicated application in between.

Then in an enterprise setting it is mostly Kerberos auth. and HTTPS (do not forget about ZooKeeper when using SolrCloud; here you can also have Kerberos auth and in recent versions also SSL). It is not that difficult to configure if you work with people that know a bit about those topics in your enterprise.

In a cloud-based scenario JWT tokens can make sense.

Do not do security by obscurity. You owe it to the users that potentially also have private data on Solr.

Re: How do *you* restrict access to Solr?

Ryan W
Thanks Jörn, though this all seems unrealistic.  Because the technical
skill required to secure Solr far exceeds the technical skill required to
install it, I suspect there are probably a lot of insecure installs out
there.  In many cases this will not apply: "if you work with people that
know a bit about those topics in your enterprise."  Solr is used in many
situations where the developer does not have access to a large enterprise
with highly specialized assistance.

Re: How do *you* restrict access to Solr?

Walter Underwood
In reply to this post by Ryan W
What access do you want to prevent? How do you prefer to authenticate?
How do you manage users or roles? Master/slave or Solr Cloud?

wunder
Walter Underwood
[hidden email]
http://observer.wunderwood.org/  (my blog)

Re: How do *you* restrict access to Solr?

Ryan W
On Mon, Mar 16, 2020 at 11:09 AM Walter Underwood <[hidden email]>
wrote:

> What access do you want to prevent? How do you prefer to authenticate?
> How do you manage users or roles? Master/slave or Solr Cloud?
>

I want to prevent access to the admin UI.

I don't want to manage users or roles, preferably.  I have only one user:
staff.  I want to prevent the public from accessing the admin UI.  I'd be
happy if I could set an IP address whitelist... especially if I don't have
to learn a new framework (which I will never use for any other purpose) to
do it.

I don't know what master/slave is.  These are new concepts that weren't
required to secure Solr prior to 7x, and this is my first project using a
version after 6x.

Thanks!



Re: How do *you* restrict access to Solr?

Ryan W
In reply to this post by David Hastings
On Mon, Mar 16, 2020 at 10:50 AM David Hastings <
[hidden email]> wrote:

> Honestly?  I know this isnt what youre going to want to hear, but security
> through obscurity.  no one else knows what port the servers on, and its not
> accessible from anything outside of the internal network.


That doesn't sound like security through obscurity, as long as you are
confident that access to the internal network is limited... to whatever
degree you require.  I'd certainly be happy if I could restrict access
based on IP.



Re: How do *you* restrict access to Solr?

David Hastings
In reply to this post by Ryan W
Master/slave is the idea that you have an indexing server you do all
indexing to and a search server that replicates the index, to deliver the
results etc.  If you keep the indexer separate you can tune it differently
as well as protect the data.  It also means you can remove the delete/update
request handlers from the slave/searcher.

Yes, security by obscurity isn't ideal, but the overhead of adding
authentication to requests I find unnecessary.

RE: How do *you* restrict access to Solr?

Dunigan, Craig A.
In reply to this post by Ryan W
Here are my suggestions.  If you’re okay with IP restrictions only, then iptables.  If you don’t have *nix or root access, an Apache proxy server with Allow from <ip addr>.  If you want really, really secure, an stunnel front-end that requires client certs that you install in your browsers.  For us, we have a load balancer with VIPs that restrict access to the internal IP range of the building that houses IT, but not everyone has the luxury of hardware solutions.

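
The iptables option Craig lists first is the one that matches Ryan's "IP address whitelist" wish most directly. As an added example (my own, not Craig's and not from the Solr project), here is a small POSIX shell helper that builds that allow-list for the Solr port. The port 8983 (Solr's default), the trusted networks, and the sample networks in the default run are assumptions; the rules it prints are ordinary iptables commands.

```shell
#!/bin/sh
# Added example, not from the thread. Builds an iptables allow-list for the
# Solr port: loopback first (the web app on the same host), then each trusted
# network, then a catch-all DROP. Port 8983 and the networks are assumptions.

# Accept only plain IPv4 dotted-quad/CIDR text, so a stray argument can never
# be spliced into a command that later runs as root.
is_ipv4_cidr() {
    case "$1" in
        ""|*[!0-9./]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the rules in the order iptables needs them. iptables stops at the
# first matching rule, so every ACCEPT must precede the final DROP.
# Usage: solr_firewall_rules PORT CIDR [CIDR...]
solr_firewall_rules() {
    port="$1"; shift
    case "$port" in
        ""|*[!0-9]*) echo "not a port number: $port" >&2; return 1 ;;
    esac
    [ "$#" -ge 1 ] || { echo "usage: solr_firewall_rules PORT CIDR..." >&2; return 1; }
    for cidr in "$@"; do
        is_ipv4_cidr "$cidr" || { echo "not an IPv4 network: $cidr" >&2; return 1; }
    done
    # 1. The application that lives on the same box talks to Solr over lo.
    echo "iptables -A INPUT -i lo -p tcp --dport $port -j ACCEPT"
    # 2. One ACCEPT per trusted network (staff LAN, VPN range, and so on).
    for cidr in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $cidr -j ACCEPT"
    done
    # 3. Everyone else. Must be last: an earlier blanket ACCEPT already in
    #    the INPUT chain would shadow it, so read 'iptables -S INPUT' first.
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# No arguments: show the rules for a constructed example allow-list.
# --apply PORT CIDR...: run them (needs root). PORT CIDR...: just print them.
case "${1:-}" in
    "")      solr_firewall_rules 8983 10.0.0.0/8 192.168.1.0/24 ;;
    --apply) shift; solr_firewall_rules "$@" | sh ;;
    *)       solr_firewall_rules "$@" ;;
esac
```

Two caveats a reader should keep in mind: the rules are not persistent (save them with the distribution's iptables-save mechanism or they are gone after a reboot), and they cover IPv4 only, so if Jetty also listens on an IPv6 address the same rules have to go through ip6tables.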

Re: How do *you* restrict access to Solr?

Walter Underwood
In reply to this post by David Hastings
If your data changes slowly and you don’t need to shard, master/slave is great.
It is loosely coupled, so not as complicated as Solr Cloud. Each slave is an exact
clone.

For master/slave, you can put an HTTP server (nginx, etc.) on each server and
proxy traffic to Solr. Then configure Solr to only listen to localhost. The HTTP server
should have plenty of tools for configuring access. The slave servers will contact
the master on the port that the HTTP server uses.

Also, even if you prevent access to the admin UI, a request to /update can delete
all the content. It is really easy. This Gist shows how.

https://gist.github.com/nz/673027/313f70681daa985ea13ba33a385753aef951a0f3

wunder
Walter Underwood
[hidden email]
http://observer.wunderwood.org/  (my blog)

Re: How do *you* restrict access to Solr?

Ryan W
In reply to this post by Dunigan, Craig A.
On Mon, Mar 16, 2020 at 11:32 AM Dunigan, Craig A. <
[hidden email]> wrote:

> Here are my suggestions.  If you’re okay with IP restrictions only, then
> iptables.


Thanks!  Just knowing this is an option helps.  I took a stab at it but it
didn't work initially, but at least now I know there's a reason to keep
trying it.


> If you don’t have *nix or root access, an Apache proxy server with Allow
> from <ip addr>.


I do have root access and can edit the Apache config.  Can I restrict
access in the Apache config?  If so, that would be a great solution.  My
situation is fairly typical.  I have a LAMP environment with Red Hat
Linux.  I'm not quite sure how to make my Apache directives specific to the
Solr install.  Again, just knowing this is an option would be helpful.  The
Solr docs don't mention this possibility, I don't think.



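
Since Ryan already runs Apache on the same host, the "Apache proxy with Allow from" route Craig mentioned is the one that needs no new framework. Here is an added example (mine, not from the thread or the Solr project) written as a small shell helper that emits an httpd 2.4 `conf.d` snippet: it proxies `/solr` to a Solr that listens only on loopback and lets only the listed networks through. The backend address 127.0.0.1:8983, the file path `/etc/httpd/conf.d/solr.conf` and the sample networks are assumptions; httpd 2.4's `Require ip` takes the place of the 2.2 `Allow from` Craig quoted.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an Apache httpd 2.4 snippet that
# exposes Solr only through httpd, and only to the networks given on the
# command line. Assumes mod_proxy and mod_proxy_http are loaded and that Solr
# is listening on 127.0.0.1:8983, so httpd is the only way in from elsewhere.

# Accept IPv4/IPv6 literals and CIDR prefixes only; anything else is refused
# before it can land in a config file that httpd would parse as directives.
is_network() {
    case "$1" in
        ""|*[!0-9a-fA-F:./]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage: solr_httpd_conf NETWORK [NETWORK...]   (prints the snippet to stdout)
solr_httpd_conf() {
    [ "$#" -ge 1 ] || { echo "usage: solr_httpd_conf NETWORK..." >&2; return 1; }
    for net in "$@"; do
        is_network "$net" || { echo "not a network: $net" >&2; return 1; }
    done
    cat <<EOF
# Solr admin UI and every handler under /solr (select, update, ...) are
# reachable only through httpd and only from the networks listed below.
ProxyRequests Off
<Location "/solr">
    ProxyPass        "http://127.0.0.1:8983/solr"
    ProxyPassReverse "http://127.0.0.1:8983/solr"
    # Deny by default: a client outside these networks gets 403 for the
    # admin UI and for /solr/<core>/update alike.
    Require ip $*
</Location>
EOF
}

# Typical use (as root on RHEL/CentOS):
#   sh this_script.sh 127.0.0.1 203.0.113.0/24 > /etc/httpd/conf.d/solr.conf
#   apachectl configtest && systemctl reload httpd
if [ "$#" -gt 0 ]; then
    solr_httpd_conf "$@"
fi
```

The snippet only helps if port 8983 itself is not reachable from outside: bind Jetty to 127.0.0.1 (Solr takes the listen address from a system property referenced in server/etc/jetty-http.xml; the property name differs between releases, so check that file for the installed version) or firewall the port. The PHP side of the LAMP stack keeps talking to 127.0.0.1:8983 directly and is unaffected. If httpd sits behind a load balancer, `Require ip` sees the balancer's address, not the client's, and a different control is needed.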

Re: How do *you* restrict access to Solr?

Ryan W
In reply to this post by Walter Underwood
On Mon, Mar 16, 2020 at 11:40 AM Walter Underwood <[hidden email]>
wrote:

> Also, even if you prevent access to the admin UI, a request to /update can
> delete
> all the content. It is really easy. This Gist shows how.
>
> https://gist.github.com/nz/673027/313f70681daa985ea13ba33a385753aef951a0f3



This seems important.  In other words, my work isn't necessarily done if
I've secured the graphical UI.  I can't just visit the admin UI page to see
if my efforts are successful.




Re: How do *you* restrict access to Solr?

Ryan W
In reply to this post by Susheel Kumar-3
On Mon, Mar 16, 2020 at 10:51 AM Susheel Kumar <[hidden email]>
wrote:

> Basic auth should help you to start
>
> https://lucene.apache.org/solr/guide/8_1/basic-authentication-plugin.html
Thanks.  I think I will give up on the plugin system.  I haven't been able
to get the plugin system to work, and it creates too many opportunities for
human error.  Even if I can get it working this week, what about 6 months
from now or a year from now when something goes wrong and I have to debug
it.  It seems like far too much overhead to provide the desired security
benefit, except perhaps in situations where an organization has Solr
specialists who can maintain the system.

Re: How do *you* restrict access to Solr?

Aroop Ganguly-2
Hi Ryan

You should consider a simple rule-based authorization scheme.
Your staff user can be given read-only privileges to everything you want except the admin UI.

Depending on which version of Solr you are on, this can be trivial.

- Aroop


RE: How do *you* restrict access to Solr?

Dunigan, Craig A.
In reply to this post by Ryan W
Setting up Apache is off-topic, but it's just a matter of ProxyPass to the Solr app URL.  I already gave you the relevant IP restriction configuration directive, "Allow from".  The rest is in the httpd documentation.

From: Ryan W <[hidden email]>
Sent: Monday, March 16, 2020 10:41 AM
To: [hidden email]
Subject: Re: How do *you* restrict access to Solr?


On Mon, Mar 16, 2020 at 11:32 AM Dunigan, Craig A. <
[hidden email]<mailto:[hidden email]>> wrote:

> Here are my suggestions. If you’re okay with IP restrictions only, then
> iptables.


Thanks! Just knowing this is an option helps. I took a stab at it but it
didn't work initially, but at least now I know there's a reason to keep
trying it.


> If you don’t have *nix or root access, an Apache proxy server with Allow
> from <ip addr>.


I do have root access and can edit the Apache config. Can I restrict
access in the Apache config? If so, that would be a great solution. My
situation is fairly typical. I have a LAMP environment with Red Hat
linux. I'm not quite sure how to make my Apache directives specific to the
Solr install. Again, just knowing this is an option would be helpful. The
Solr docs don't mention this possibility, I don't think.



> If you want really, really secure, an stunnel front-end that requires
> client certs that you install in your browsers. For us, we have a load
> balancer with VIPs that restrict access to the internal IP range of the
> building that houses IT, but not everyone has the luxury of hardware
> solutions.
>
> > Honestly? I know this isn't what you're going to want to hear, but security
> > through obscurity. No one else knows what port the server's on, and it's not
> > accessible from anything outside of the internal network.
>
> That doesn't sound like security through obscurity, as long as you are
> confident that access to the internal network is limited... to whatever
> degree you require. I'd certainly be happy if I could restrict access
> based on IP.
>
> > If your Solr
> > install can be accessed from an external IP you have much larger issues.
>
>
> > On Mon, Mar 16, 2020 at 10:44 AM Ryan W <[hidden email]<mailto:
<mailto:[hidden email]%3cmailto:%0b>> [hidden email]<mailto:[hidden email]>>> wrote:

> >
> > > How do you, personally, do it? Do you use IPTables? Basic
> > Authentication
> > > Plugin? Something else?
> > >
> > > I'm asking in part so I'l have something to search for. I don't know
> > where
> > > I should begin, so I figured I would ask how others do it.
> > >
> > > I haven't been able to find anything that works, so if you can tell me
> > what
> > > works for you, I can at least narrow it down a bit and do some Google
> > > searches. Do I need to learn Solr's plugin system? Am I starting in the
> > > right place if I follow this document:
> > >
> > >
> >
> https://lucene.apache.org/solr/guide/7_0/rule-based-authorization-plugin.html#rule-based-authorization-plugin<https://lucene.apache.org/solr/guide/7_0/rule-based-authorization-plugin.html#rule-based-authorization-plugin>
> <
> https://lucene.apache.org/solr/guide/7_0/rule-based-authorization-plugin.html#rule-based-authorization-plugin<https://lucene.apache.org/solr/guide/7_0/rule-based-authorization-plugin.html#rule-based-authorization-plugin>
> >
> > >
> > > Initially, the above document seems far too comprehensive for my needs.
> > I
> > > just want to block access to the Solr admin UI, and the list of
> > predefined
> > > permissions in that document don't seem to be relevant. Also, it seems
> > > unlikely this plugin system is necessary just to control access to the
> > > admin UI... or maybe it necessary?
> > >
> > > In any case, what is your approach?
> > >
> > > I'm using version 7.7.2 of Solr.
> > >
> > > Thanks!
> > >
> >
>
Reply | Threaded
Open this post in threaded view
|

RE: How do *you* restrict access to Solr?

Phil Scadden
In reply to this post by Ryan W
First off, use basic authentication to at least partially lock it down. Only the application server has access to the password. Second, our IT people thought Solr security insufficient to even remotely consider exposing it to the external web. It lives behind a firewall, so we do a kind of proxy: external queries are passed to an internal application server which examines, modifies and adds security to queries and then passes them to SOLR. Results are sent back up the chain to the external application server. I believe variations of this are what is expected. Our deconstruct/reconstruct queries are unusual, but it does allow us to use rights-based access to functionality. I.e. the general public can do searches against the title, author, abstract. Privileged and internal users can query against the full text of the technical reports.


Re: How do *you* restrict access to Solr?

Jan Høydahl / Cominvent
In reply to this post by Ryan W
You can consider upgrading to Solr 8.5, which is to be released in a couple of days and makes it easy to whitelist IP addresses in solr.in.sh:

# Allow IPv4/IPv6 localhost, the 192.168.0.x IPv4 network, and 2000:123:4:5:: IPv6 network.
SOLR_IP_WHITELIST="127.0.0.1, [::1], 192.168.0.0/24, [2000:123:4:5::]/64"

https://lucene.apache.org/solr/guide/8_5/securing-solr.html#enable-ip-access-control

But please please do not expose Solr, even if secured, to untrusted networks and never to the public internet.

Jan
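As an added illustration (not Solr's own code, and not from anyone in this thread), the following parses the SOLR_IP_WHITELIST value quoted above and answers whether a given client address falls inside it; the handling of the bracketed IPv6 entries is modelled on the snippet's notation and is my assumption about the format, so it is useful for sanity-checking a whitelist before rolling it out, not as a statement of how Solr itself evaluates it.

```python
import ipaddress

# Added example, not Solr's implementation: parse a whitelist in the
# solr.in.sh style shown above and decide whether a client IP is allowed.
# Assumed format: comma-separated entries, IPv4 as 'a.b.c.d[/prefix]',
# IPv6 in square brackets with an optional '/prefix' after the bracket.


def parse_whitelist(value):
    """Turn '127.0.0.1, [::1], 192.168.0.0/24' into ip_network objects."""
    networks = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing comma or doubled separators
        if entry.startswith("["):
            # '[2000:123:4:5::]/64' -> address '2000:123:4:5::', prefix '64'
            close = entry.index("]")
            addr, rest = entry[1:close], entry[close + 1:]
            prefix = rest.lstrip("/") if rest else ""
        else:
            addr, _, prefix = entry.partition("/")
        cidr = f"{addr}/{prefix}" if prefix else addr
        # strict=False tolerates host bits set inside the network part
        networks.append(ipaddress.ip_network(cidr, strict=False))
    return networks


def is_allowed(client_ip, networks):
    """True if client_ip lies inside any whitelisted network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)


# Constructed sample: the exact value from the solr.in.sh snippet above.
SAMPLE = "127.0.0.1, [::1], 192.168.0.0/24, [2000:123:4:5::]/64"

if __name__ == "__main__":
    nets = parse_whitelist(SAMPLE)
    for client in ("127.0.0.1", "192.168.0.77", "192.168.1.5",
                   "2000:123:4:5::1", "2001:db8::1"):
        print(client, "allowed" if is_allowed(client, nets) else "denied")
```

Note that an IPv4-mapped IPv6 address such as ::ffff:192.168.0.5 is not matched by the IPv4 entry here, so check which address form your front end actually presents before trusting a whitelist test.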


Re: How do *you* restrict access to Solr?

Ryan W
On Tue, Mar 17, 2020 at 6:05 AM Jan Høydahl <[hidden email]> wrote:

> You can consider upgrading to Solr 8.5 which is to be released in a couple
> of days, which makes it easy to whitelist IP addresses in solr.in.sh:
>

Thanks.  That is good news, though it won't help me this time around.  My
application framework (Drupal) doesn't support Solr 8.  I may try Solr 6
again, or take another stab at getting the Basic Authentication plugin to
work in Solr 7.  My Solr install isn't web-accessible, so the only threats
would come from inside the network.


