lucene-dev mailing list archives

From "Gus Heck (JIRA)" <>
Subject [jira] [Commented] (SOLR-7896) Add a login page for Solr Administrative Interface
Date Thu, 29 Mar 2018 18:16:00 GMT


Gus Heck commented on SOLR-7896:

[~thinkcomp] While this could be implemented, permanent key systems are not very secure. If
the key is lifted (i.e. from browser dev tools) by someone nefarious (think disgruntled employee
for example, or code bug exposing the key on a request), your server is forever compromised.
Unless you have some protocol for regenerating the key regularly, and then getting that out
to the clients that *should* have it, you're hosed. I for one wouldn't want to invest time
in building something like that as it will be eschewed by anyone truly serious about security.

Also as you point out roles are likely to be desirable. But I think we are in danger of mixing
two things here... Authentication and Authorization. My read of the original ticket is that
this was about adding an Authentication check only, and only for a single admin user. A separate
issue designing a fine grained permission-role-user mapping system should be filed if authorization
beyond all or nothing is desired.

The initial password setting routine however sounds good. Perhaps all requests to api or UI
should get redirected to the password setting page when solr is started with passworded admin enabled.


> Add a login page for Solr Administrative Interface
> --------------------------------------------------
>                 Key: SOLR-7896
>                 URL:
>             Project: Solr
>          Issue Type: New Feature
>          Components: Admin UI, security
>    Affects Versions: 5.2.1
>            Reporter: Aaron Greenspan
>            Priority: Major
>              Labels: authentication, login, password
> Out of the box, the Solr Administrative interface should require a password that the
> user is required to set.
