14
votes

I am fairly new to Solr. I have been researching this for the past day and a half and am finally turning here.

I have a Solr server up and running, and I had my network admin configure a rule in the firewall so that we can access it for queries from my JavaScript application. This works. The issue I have is that the Solr admin pages are completely open to the world. I have tried everything described in various posts, with the exception of the ZooKeeper method, which I don't really want to try because I am not interested in setting up ZooKeeper and SolrCloud.

Reference post: http://muddyazian.blogspot.com/2013/11/how-to-require-password-authentication.html and some others

What I did was modify jetty.xml in /opt/solr/server/etc and add this:

<Call name="addBean">
  <Arg>
    <New class="org.eclipse.jetty.security.HashLoginService">
      <Set name="name">Solr Admin Access</Set>
      <Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
      <Set name="refreshInterval">0</Set>
    </New>
  </Arg>
</Call>

Then I added the config below to web.xml in /opt/solr/server/solr-webapp/webapp/WEB-INF:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Solr authenticated application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Solr Admin Access</realm-name>
</login-config>

Then I created a realm.properties file and hashed the password according to this post: Jetty/SOLR Admin Panel Password

Solr is now secure, but everything is password protected; I want my queries to be open and the rest protected. I tried adding different URL patterns such as /admin/*, /mycollection/dataimport/*, etc., but none of those seem to affect the fact that the query is also secured. Reference: https://gist.github.com/jstrassburg/9777027

1
I stumbled on this myself. As of 5.4, some more role-based security features have been added, and I've managed to lock down reads and updates using rules as described here. However, the admin panel itself is still wide open. All we want to do is require basic auth to access anything in Solr 5. – Dan Fitch

Aha. Shortly after posting the bounty, I see that this answer actually does have a solution, but it only works for SolrCloud. Solr does not yet support Basic auth in standalone mode. I'm assuming they have a ticket for this in the APF JIRA, but I can't find it. – Dan Fitch

You did not mention in your post how and where you created the realm.properties. If you added this, you would not be reliant on the reference posts any more, making this post self-sustaining. – cheffe

1 Answer

3
votes

Following the advice of Exclude a JSP from web.xml's security-contraint, you can keep your configuration as is, but expose the endpoints that you want to be publicly available.

So you could add a <security-constraint> like this to your web.xml, but leave out the <auth-constraint> for the matched <url-pattern>. This will make it open to the public. Combined with the basic auth for the rest of your Solr instance, you can then expose, step by step, the cores or handlers that shall be public.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>mycollection</web-resource-name>
    <url-pattern>/mycollection/*</url-pattern>
  </web-resource-collection>
</security-constraint>

A caveat of this is that you will need to add anything that shall be public as its own URL pattern. But this may also be a plus, as you have the option to apply fine-grained access control for the collections, e.g. one user per collection.
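Because the outcome of several overlapping <security-constraint> blocks depends on the servlet container's pattern-matching rules (exact pattern first, then the longest "/prefix/*", then "*.ext", then the default "/"), it is easy to end up opening more than intended. The script below is an added example, not code from the question, the answer, Solr or Jetty: it parses a web.xml, applies those matching rules and reports whether a request path (relative to the webapp context, so for Solr the part after /solr) is open, denied, or requires a role. The embedded web.xml is constructed for this example; it keeps the question's /* constraint for the admin role and opens only the select handler of one collection. It assumes the standard servlet rule that a constraint without an <auth-constraint> grants access to everyone while an empty <auth-constraint/> denies everyone.

```python
"""Checker for servlet web.xml security constraints (added example).

Applies the servlet-spec matching order (exact pattern, longest "/prefix/*",
"*.ext", default "/") and the spec's rules for combining constraints on the
same pattern, and reports what a request path would need.
"""
import xml.etree.ElementTree as ET

# Constructed sample: everything needs the "admin" role, except the select
# handler of one collection, whose constraint has no <auth-constraint>.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Solr authenticated application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>mycollection queries</web-resource-name>
      <url-pattern>/mycollection/select/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so web.xml with or without xmlns parses alike."""
    return tag.rsplit("}", 1)[-1]


def parse_constraints(web_xml):
    """Return [(url_pattern, roles)]: roles is None when the constraint has no
    <auth-constraint> (open to everyone), otherwise a list of role names; an
    empty list means <auth-constraint/>, which denies everyone."""
    rules = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = [c for c in sc if _local(c.tag) == "auth-constraint"]
        roles = None
        if auth:
            roles = [r.text.strip() for r in auth[0]
                     if _local(r.tag) == "role-name" and r.text]
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            for up in wrc:
                if _local(up.tag) == "url-pattern" and up.text:
                    rules.append((up.text.strip(), roles))
    return rules


def _match_rank(pattern, path):
    """Rank a pattern match; a higher tuple wins, None means no match."""
    if pattern == path:
        return (3, len(pattern))            # exact match beats everything
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))         # longest path prefix wins
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, len(pattern))            # extension mapping
    if pattern == "/":
        return (0, 0)                       # default servlet
    return None


def access_for(web_xml, path):
    """Return (verdict, winning_pattern); verdict is "open", "denied" or
    "requires:<role,...>". Constraints on the same best pattern combine as
    the spec says: empty <auth-constraint/> denies, a missing one opens,
    otherwise the role lists are unioned."""
    scored = []
    for pattern, roles in parse_constraints(web_xml):
        rank = _match_rank(pattern, path)
        if rank is not None:
            scored.append((rank, pattern, roles))
    if not scored:
        return "open", None                 # nothing constrains this path
    best = max(rank for rank, _, _ in scored)
    winners = [(p, r) for rank, p, r in scored if rank == best]
    role_lists = [r for _, r in winners]
    if any(r == [] for r in role_lists):
        return "denied", winners[0][0]
    if any(r is None for r in role_lists):
        return "open", winners[0][0]
    roles = sorted({role for r in role_lists for role in r})
    return "requires:" + ",".join(roles), winners[0][0]


if __name__ == "__main__":
    for p in ("/admin/cores", "/mycollection/select", "/mycollection/update"):
        print(p, "->", access_for(SAMPLE_WEB_XML, p))
```

Run against the answer's broader /mycollection/* pattern instead of /mycollection/select/*, the checker reports /mycollection/update and /mycollection/dataimport as open as well, which is the caveat above in concrete form: each handler that should stay behind Basic auth needs the public pattern to be narrower than the whole core.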