Thank you Tuan and Mark for your insight, which was / is very helpful.

Another thing I'm going to do is allow the access on a slave index, so any mistakes or malicious action would have minimal repercussions.

Best,
Anna


On Mon, May 28, 2012 at 4:55 PM, Mark Triggs <mark@dishevelled.net> wrote:
Hi Anna,

I think you want to be a bit careful about how much of Solr you make
generally available.  There's a thread on the solr-user list from a
while back that discusses this:

 http://lucene.472066.n3.nabble.com/Questions-about-Solr-s-security-td3471133.html#a3471723

and even access to the '/select' handler can be enough to inadvertently
give access to the other index-modifying request handlers.

A variation on Tuan's suggestion might be to use Apache + mod_proxy +
mod_auth_basic/mod_authn_file to require a username/password to access
Solr--assuming you only have a small number of users needing access, and
that they're not actively out to get you :)

If you need to provide access more broadly (or if your users *are* out
to get you), you could leave Solr firewalled off and write a custom
webapp to provide controlled access to the bits they need.  In addition
to using the usual '/select' handler for firing searches, you can use
the FieldAnalysisRequestHandler to produce your own version of the
"Analysis" page shown by Solr admin:

 http://lucene.apache.org/solr/api/org/apache/solr/handler/FieldAnalysisRequestHandler.html

It might not be enabled in the VuFind solrconfig.xml, but I think you
would just need to add a new solrconfig.xml entry like:

 <requestHandler name="/analysis/field" class="solr.FieldAnalysisRequestHandler" />

to activate it.  Then something like:

 curl -s 'http://localhost:8080/solr/biblio/analysis/field?analysis.fieldname=title&analysis.fieldvalue=hello+world&wt=json' | python -mjson.tool

should give you more than you ever wanted to know about how queries are
analysed :)

Cheers,

Mark


anna headley <anna3lc@gmail.com> writes:

> Hi vufind-tech and solrmarc-tech,
>
> Currently I have solr access blocked by the firewall.  But I want to allow
> access to search results so that librarians can experiment with relevance
> ranking.  And I'd like to allow access to the solr admin page (I don't
> think there is a form to change the index there) for anyone that wants to
> see the stemming information.
>
> So I want to find a way to open the solr port, but lock down access to the
> solr /update url so that it's accessible only from localhost.
>
> I will be looking into Tomcat configuration and the like, but if you are
> already doing something like this I'd appreciate any advice!  And if
> there's anything else I should be careful to lock down, I'd appreciate that
> advice as well.

--
Mark Triggs
<mark@dishevelled.net>
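
An added example, not part of the original thread or of VuFind: a sketch of the request filter a "custom webapp" in front of a firewalled Solr could apply before forwarding anything. The upstream URL comes from the curl example above; the function and class names, the parameter allow-list and the row cap are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Upstream core from the curl example in the thread; Solr itself stays firewalled.
SOLR_CORE = "http://localhost:8080/solr/biblio"

# Allow-list: exposed handler path -> parameters a client may set (assumed set).
# Anything not listed is refused, so 'qt' (which lets /select dispatch to another
# handler on Solr configurations that honour it), 'shards' and 'stream.*' never
# reach Solr, and neither does any parameter nobody thought to block.
ALLOWED = {
    "/select": {"q", "fq", "start", "rows", "fl", "sort", "qf", "pf", "debugQuery"},
    "/analysis/field": {"analysis.fieldname", "analysis.fieldtype",
                        "analysis.fieldvalue", "analysis.query"},
}
MAX_ROWS = 100  # assumed cap so one request cannot dump the whole index


class Rejected(ValueError):
    """The request is not forwarded to Solr."""


def build_upstream_url(path, query_string):
    """Return the Solr URL to fetch for a client request, or raise Rejected."""
    # Exact match only: '/update', '/select/' and '/select/../update' all fail here.
    if path not in ALLOWED:
        raise Rejected("handler not exposed: %r" % path)
    params = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if name not in ALLOWED[path]:
            raise Rejected("parameter not allowed: %r" % name)
        if name in ("rows", "start"):
            if not re.fullmatch(r"[0-9]{1,6}", value):
                raise Rejected("%s must be a small non-negative integer" % name)
            if name == "rows":
                value = str(min(int(value), MAX_ROWS))
        params.append((name, value))
    # The response format is chosen by the webapp, never by the client.
    params.append(("wt", "json"))
    return "%s%s?%s" % (SOLR_CORE, path, urlencode(params))


if __name__ == "__main__":
    # Constructed sample requests: one forwarded, two refused.
    for p, q in [("/analysis/field", "analysis.fieldname=title&analysis.fieldvalue=hello+world"),
                 ("/select", "q=*:*&qt=/update"), ("/update", "commit=true")]:
        try:
            print("forward:", build_upstream_url(p, q))
        except Rejected as exc:
            print("refuse: ", exc)
```

Values of allowed parameters such as `q` are passed through unchanged, so the filter limits which handlers and options are reachable, not what a query may contain.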