lucene-solr-user mailing list archives

From Jan Høydahl <jan....@cominvent.com>
Subject Re: Security Problems
Date Wed, 18 Nov 2015 14:40:42 GMT
I tried out BasicAuthPlugin today.
Surprised that the admin UI is not protected.
But even more surprised that only /select seems to be protected for users who are not logged in.
I can create collections and /update documents without being prompted for a pw.

My security.json is https://gist.github.com/janhoy/d18854c75461816fb947

--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

> 18. nov. 2015 kl. 14.54 skrev Noble Paul <noble.paul@gmail.com>:
> 
> As of now the admin-ui calls are not protected. The static calls are
> served by jetty and it bypasses the authentication mechanism
> completely. If the admin UI relies on some API call which is served by
> Solr.
> The other option is to revamp the framework to take care of admin UI
> (static content) as well. This would be a cleaner solution.
> 
> 
> On Wed, Nov 18, 2015 at 2:32 PM, Upayavira <uv@odoko.co.uk> wrote:
>> Not sure I quite understand.
>> 
>> You're saying that the cost for the UI is not large, but then suggesting
>> we protect just one resource (/admin/security-check)?
>> 
>> Why couldn't we create the permission called 'admin-ui' and protect
>> everything under /admin/ui/ for example? Along with the root HTML link
>> too.
>> 
>> Upayavira
>> 
>> On Wed, Nov 18, 2015, at 07:46 AM, Noble Paul wrote:
>>> The authentication plugin is not expensive if you are talking in the
>>> context of admin UI. After all it is used not like 100s of requests
>>> per second.
>>> 
>>> The simplest solution would be
>>> 
>>> provide a well known permission name called "admin-ui"
>>> 
>>> ensure that every admin page load makes a call to some resource say
>>> "/admin/security-check"
>>> 
>>> Then we can just protect that.
>>> 
>>> The only concern that I have is the false sense of security it would
>>> give to the user.
>>> 
>>> But, that is a different point altogether
>>> 
>>> On Wed, Nov 11, 2015 at 1:52 AM, Upayavira <uv@odoko.co.uk> wrote:
>>>> Is the authentication plugin that expensive?
>>>> 
>>>> I can help by minifying the UI down to a smaller number of CSS/JS/etc
>>>> files :-)
>>>> 
>>>> It may be overkill, but it would also give better experience. And isn't
>>>> that what most applications do? Check authentication tokens on every
>>>> request?
>>>> 
>>>> Upayavira
>>>> 
>>>> On Tue, Nov 10, 2015, at 07:33 PM, Anshum Gupta wrote:
>>>>> The reason why we bypass that is so that we don't hit the authentication
>>>>> plugin for every request that comes in for static content. I think we
>>>>> could call the authentication plugin for that but that'd be overkill.
>>>>> Better experience? Yes.
>>>>> 
>>>>> On Tue, Nov 10, 2015 at 11:24 AM, Upayavira <uv@odoko.co.uk> wrote:
>>>>> 
>>>>>> Noble,
>>>>>> 
>>>>>> I get that a UI which is open source does not benefit from ACL control -
>>>>>> we're not giving away anything that isn't public (other than perhaps
>>>>>> info that could be used to identify the version of Solr, or even the
>>>>>> fact that it *is* solr).
>>>>>> 
>>>>>> However, from a user experience point of view, requiring credentials to
>>>>>> see the UI would be more conventional, and therefore lead to less
>>>>>> confusion. Is it possible for us to protect the UI static files, only
>>>>>> for the sake of user experience, rather than security?
>>>>>> 
>>>>>> Upayavira
>>>>>> 
>>>>>> On Tue, Nov 10, 2015, at 12:01 PM, Noble Paul wrote:
>>>>>>> The admin UI is a bunch of static pages. We don't let the ACL control
>>>>>>> static content.
>>>>>>> 
>>>>>>> You must blacklist all the core/collection APIs and it is pretty much
>>>>>>> useless for anyone to access the admin UI (w/o the credentials, of
>>>>>>> course).
>>>>>>> 
>>>>>>> On Tue, Nov 10, 2015 at 7:08 AM, 马柏樟 <mabaizhang@126.com> wrote:
>>>>>>>> Hi,
>>>>>>>> 
>>>>>>>> After I configure Authentication with Basic Authentication Plugin and
>>>>>>>> Authorization with Rule-Based Authorization Plugin, how can I prevent
>>>>>>>> strangers from visiting my solr by browser? For example, if the stranger
>>>>>>>> visits http://(my host):8983, the browser will pop up a window and
>>>>>>>> say "the server http://(my host):8983 requires a username and
>>>>>>>> password...."
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> --
>>>>>>> -----------------------------------------------------
>>>>>>> Noble Paul
>>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> Anshum Gupta
>>> 
>>> 
>>> 
>>> --
>>> -----------------------------------------------------
>>> Noble Paul
> 
> 
> 
> -- 
> -----------------------------------------------------
> Noble Paul
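The symptoms Jan describes (only /select challenged, /update and collection creation open) are what the rule-based plugin produces when the permissions list covers only a read permission: a request that matches no declared permission is not challenged at all. The security.json below is an added example written for this thread, not Jan's gist and not an Apache Solr file; it assumes the Solr 5.3-era BasicAuthPlugin and RuleBasedAuthorizationPlugin and the predefined permission names documented for them (security-edit, collection-admin-edit, update, read). The credentials value is a placeholder, not a real hash.

```json
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "solr": "<base64-sha256-of-salted-password> <base64-salt>"
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      { "name": "security-edit",         "role": "admin" },
      { "name": "collection-admin-edit", "role": "admin" },
      { "name": "update",                "role": "admin" },
      { "name": "read",                  "role": "admin" }
    ],
    "user-role": {
      "solr": "admin"
    }
  }
}
```

Each entry in "permissions" is what turns a path into a protected one: "read" alone covers the search handlers, "update" covers the update handlers, "collection-admin-edit" covers the write actions of the Collections API, and "security-edit" keeps the security API itself from being rewritten by an anonymous caller. After uploading the file, the check worth doing is the one Jan did: request an update handler and a collection CREATE without credentials and confirm each is answered with a 401 rather than succeeding. As the rest of the thread notes, none of this affects the static admin UI files, which Jetty serves without consulting the plugin.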

