I am fairly new to Solr and I have been researching this for the past day and half and finally turning here.
I have a Solr server up and running and I had my network admin configure a rule in the firewall so that we can access it for queries from my JavaScript application. This works. The issue that I have is that the Solr admin pages is completely open to the world and I have tried everything as described in various posts with the exception of the ZooKeeper method which I don't really want to try coz I am not interested in setting up ZooKeeper and SolrCloud.
Reference post: http://muddyazian.blogspot.com/2013/11/how-to-require-password-authentication.html and some others
What I did was modify jetty.xml in /opt/solr/server/etc and added this
<Call name="addBean">
<Arg>
<New class="org.eclipse.jetty.security.HashLoginService">
<Set name="name">Solr Admin Access</Set>
<Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
<Set name="refreshInterval">0</Set>
</New>
</Arg>
</Call>
Then I added to web.xml in /opt/solr/server/solr-webapp/webapp/WEB-INF the config below
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr authenticated application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Solr Admin Access</realm-name>
</login-config>
then I created a realm.properties file hashed the password according to this post Jetty/SOLR Admin Panel Password
Solr is now secure but everything is password protected, I want my queries to be open and the rest protected. I tried adding different url patterns such as /admin/* , /mycollection/dataimport/* etc but none of those seem to affect the fact that the query is also secure. Reference https://gist.github.com/jstrassburg/9777027
Solr can support Basic authentication for users with the use of the BasicAuthPlugin. An authorization plugin is also available to configure Solr with permissions to perform various activities in the system. The authorization plugin is described in the section Rule-Based Authorization Plugin.
Disabling Basic Authentication You can disable Basic Authentication with bin/solr auth disable . If the -updateIncludeFileOnly option is set to true, then only the settings in bin/solr.in.sh or bin\solr. in. cmd will be updated, and security.
Following the advice of Exclude a JSP from web.xml's security-contraint you can keep your configuration as is, but expose that endpoints that you want to be public available.
So you could add a <security-constraint>
like this to your web.xml, but leave out the <auth-constraint>
for the matched <url-pattern>
. This will make it open to the public. In addition with the basic auth for the rest of your Solr instance, you can then expose step by step the cores or handlers that shall be public.
<security-constraint>
<web-resource-collection>
<web-resource-name>mycollection</web-resource-name>
<url-pattern>/mycollection/*</url-pattern>
</web-resource-collection>
</security-constraint>
A caveat of this is that you will need to add anything that shall be public as an own URL pattern. But this may also be a plus, as you have the option to make fine grained access control to for the collections - e.g. one user per collection.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With