New UI for SOLR-based projects

New UI for SOLR-based projects

Roman Chyla
Hi everybody,

There exists a new open-source implementation of a search interface for
SOLR. It is written in Javascript (using Backbone), currently in version
v1.0.19 - but new features are constantly coming. Rather than describing it
in words, please see it in action for yourself at http://ui.adslabs.org -
I'd recommend exploring facets, the query form, and visualizations.

The code lives at: http://github.com/adsabs/bumblebee

Best,

  Roman

Re: New UI for SOLR-based projects

Shawn Heisey
On 1/30/2015 1:07 PM, Roman Chyla wrote:
> There exists a new open-source implementation of a search interface for
> SOLR. It is written in Javascript (using Backbone), currently in version
> v1.0.19 - but new features are constantly coming. Rather than describing it
> in words, please see it in action for yourself at http://ui.adslabs.org -
> I'd recommend exploring facets, the query form, and visualizations.
>
> The code lives at: http://github.com/adsabs/bumblebee

I have no wish to trivialize the work you've done.  I haven't looked
into the code, but a high-level glance at the documentation suggests
that you've put a lot of work into it.

I do however have a strong caveat for your users.  I'm the guy holding
the big sign that says "the end is near" to anyone who will listen!

By itself, this is an awesome tool for prototyping, but without some
additional expertise and work, there are severe security implications.

If this gets used for a public Internet facing service, the Solr server
must be accessible from the end user's machine, which might mean that it
must be available to the entire Internet.

If the Solr server is not sitting behind some kind of intelligent proxy
that can detect and deny attempts to access certain parts of the Solr
API, then Solr will be wide open to attack.  A knowledgeable user that
has unfiltered access to a Solr server will be able to completely delete
the index, change any piece of information in the index, or send denial
of service queries that will make it unable to respond to legitimate
traffic.

Setting up such a proxy is not a trivial task.  I know that some people
have done it, but so far I have not seen anyone share those
configurations.  Even with such a proxy, it might still be possible to
easily send denial of service queries.

I cannot find any information in your README or the documentation links
that mentions any of these concerns.  I suspect that many who
incorporate this client into their websites will be unaware that their
setup may be insecure, or how to protect it.

Thanks,
Shawn


Re: New UI for SOLR-based projects

Roman Chyla
I gather from your comment that I should update the README, because there could
be people who would be inclined to use the bumblebee development server in
production: Beware those who enter through this gate! :-)

Your point that so far you haven't seen anybody share their middle layer
can be addressed by pointing to the following projects:

https://github.com/adsabs/solr-service
https://github.com/adsabs/adsws

These are also open source; we use them in production, and they have OAuth,
microservices, REST, and rate limits. We know it is not perfect, but what
is? ;-) Pull requests welcome!

Thanks,

Roman
On 30 Jan 2015 21:51, "Shawn Heisey" <[hidden email]> wrote:

> [...]
>

Re: New UI for SOLR-based projects

Lukáš Vlček
Nice work Roman!

Lukas

On Sat, Jan 31, 2015 at 4:36 AM, Roman Chyla <[hidden email]> wrote:

> I gather from your comment that I should update readme, because there could
> be people who would be inclined to use bumblebee development server in
> production: Beware those who enter through this gate! :-)
>
> Your point, that so far you haven't seen anybody share their middle layer
> can be addressed by pointing to the following projects:
>
> https://github.com/adsabs/solr-service
> https://github.com/adsabs/adsws
>
> These are also open source, we use them in production, and have oauth,
> microservices, rest, and rate limits, we know it is not perfect, but what
> is? ;-) pull requests welcome!
>
> Thanks,
>
> Roman
> On 30 Jan 2015 21:51, "Shawn Heisey" <[hidden email]> wrote:
>
> > On 1/30/2015 1:07 PM, Roman Chyla wrote:
> > > There exists a new open-source implementation of a search interface for
> > > SOLR. It is written in Javascript (using Backbone), currently in
> version
> > > v1.0.19 - but new features are constantly coming. Rather than
> describing
> > it
> > > in words, please see it in action for yourself at
> http://ui.adslabs.org
> > -
> > > I'd recommend exploring facets, the query form, and visualizations.
> > >
> > > The code lives at: http://github.com/adsabs/bumblebee
> >
> > I have no wish to trivialize the work you've done.  I haven't looked
> > into the code, but a high-level glance at the documentation suggests
> > that you've put a lot of work into it.
> >
> > I do however have a strong caveat for your users.  I'm the guy holding
> > the big sign that says "the end is near" to anyone who will listen!
> >
> > By itself, this is an awesome tool for prototyping, but without some
> > additional expertise and work, there are severe security implications.
> >
> > If this gets used for a public Internet facing service, the Solr server
> > must be accessible from the end user's machine, which might mean that it
> > must be available to the entire Internet.
> >
> > If the Solr server is not sitting behind some kind of intelligent proxy
> > that can detect and deny aattempts to access certain parts of the Solr
> > API, then Solr will be wide open to attack.  A knowledgeable user that
> > has unfiltered access to a Solr server will be able to completely delete
> > the index, change any piece of information in the index, or send denial
> > of service queries that will make it unable to respond to legitimate
> > traffic.
> >
> > Setting up such a proxy is not a trivial task.  I know that some people
> > have done it, but so far I have not seen anyone share those
> > configurations.  Even with such a proxy, it might still be possible to
> > easily send denial of service queries.
> >
> > I cannot find any information in your README or the documentation links
> > that mentions any of these concerns.  I suspect that many who
> > incorporate this client into their websites will be unaware that their
> > setup may be insecure, or how to protect it.
> >
> > Thanks,
> > Shawn
> >
> >
>

Re: New UI for SOLR-based projects

Jan Høydahl / Cominvent
Cool.

For your information, there are multiple existing Solr proxies out there, one of them being Mr. Smiley's in Java. Also in PHP, Node, etc. Here is one link; there are others as well:
https://github.com/evolvingweb/ajax-solr/wiki/Solr-proxies

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

> On 31 Jan 2015 at 04:36, Roman Chyla <[hidden email]> wrote:
>
> [...]